feat(ci): add zizmor

.github/dependabot.yml

@@ -9,7 +9,7 @@ updates:
     commit-message:
       prefix: meta
     cooldown:
-      default-days: 3
+      default-days: 7
     open-pull-requests-limit: 10
 
   - package-ecosystem: npm
@@ -22,7 +22,7 @@ updates:
     commit-message:
       prefix: meta
     cooldown:
-      default-days: 3
+      default-days: 7
     groups:
       lint:
         patterns:

.github/workflows/auto-merge.yml

@@ -5,14 +5,22 @@ on:
     - cron: '*/15 * * * *'
   workflow_dispatch:
 
-permissions:
-  pull-requests: write
-  contents: write
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: false
+
+permissions: {}
 
 jobs:
   auto-merge:
+    name: Auto-merge
     if: github.repository == 'nodejs/nodejs.org'
     runs-on: ubuntu-latest
+    permissions:
+      # Required to approve and merge pull requests
+      pull-requests: write
+      # Required to merge pull requests via merge queue
+      contents: write
 
     steps:
       - name: Harden Runner

.github/workflows/build.yml

@@ -25,9 +25,9 @@ permissions:
   contents: read
   actions: read
 
-env:
-  # See https://turbo.build/repo/docs/reference/command-line-reference/run#--cache-dir
-  TURBO_ARGS: --cache-dir=.turbo/cache
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
 jobs:
   build:
@@ -61,7 +61,7 @@ jobs:
 
       - name: Build Next.js
         # We want a ISR build on CI to ensure that regular Next.js builds work as expected.
-        run: node_modules/.bin/turbo build ${{ env.TURBO_ARGS }}
+        run: node_modules/.bin/turbo build --cache-dir=.turbo/cache
         env:
           # We want to ensure we have enough RAM allocated to the Node.js process
           # this should be a last resort in case by any chances the build memory gets too high
@@ -78,7 +78,7 @@ jobs:
 
       - name: Build Next.js (Static Export)
         # We want to generate a static build, as it is a requirement of our website.
-        run: node_modules/.bin/turbo deploy ${{ env.TURBO_ARGS }}
+        run: node_modules/.bin/turbo deploy --cache-dir=.turbo/cache
         env:
           # We want to ensure we have enough RAM allocated to the Node.js process
           # this should be a last resort in case by any chances the build memory gets too high

.github/workflows/bundle-compare.yml

@@ -8,13 +8,18 @@ on:
 permissions:
   contents: read
   actions: read
-  # To create the comment
-  pull-requests: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.workflow_run.id }}
+  cancel-in-progress: true
 
 jobs:
   compare:
     name: Compare Bundle Stats
     runs-on: ubuntu-latest
+    permissions:
+      # Required to comment on pull requests
+      pull-requests: write
     if: github.event.workflow_run.event == 'pull_request'
 
     steps:
@@ -25,6 +30,8 @@ jobs:
 
       - name: Git Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Download Stats (HEAD)
         uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0

.github/workflows/chromatic.yml

@@ -29,6 +29,10 @@ defaults:
     # This ensures that the working directory is the root of the repository
     working-directory: ./
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name != 'push' }}
+
 permissions:
   contents: read
   actions: read

.github/workflows/create-release-post.yml

@@ -19,13 +19,21 @@ defaults:
     # This ensures that the working directory is the root of the repository
     working-directory: ./
 
-permissions:
-  contents: write
-  pull-requests: write
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ inputs.version }}
+  cancel-in-progress: false
 
 jobs:
   create-post:
+    name: Create Release Blog Post
     runs-on: ubuntu-latest
+    permissions:
+      # Required to push the release branch
+      contents: write
+      # Required to create the pull request
+      pull-requests: write
 
     steps:
       - uses: nodejs/web-team/actions/setup-environment@9f3c83af227d721768d9dbb63009a47ed4f4282f

.github/workflows/lighthouse.yml

@@ -23,57 +23,43 @@ defaults:
 permissions:
   contents: read
   actions: read
-  # This permission is required by `thollander/actions-comment-pull-request`
-  pull-requests: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
 
 jobs:
-  get-vercel-preview:
+  lighthouse-ci:
     # We want to skip our lighthouse analysis on Dependabot PRs
     if: |
       startsWith(github.event.pull_request.head.ref, 'dependabot/') == false &&
       github.event.label.name == 'github_actions:pull-request'
-    name: Get Vercel Preview
-    runs-on: ubuntu-latest
-    outputs:
-      deployment_found: ${{ steps.set_outputs.outputs.deployment_found }}
-      url: ${{ steps.set_outputs.outputs.url }}
-    steps:
-      - name: Capture Vercel Preview
-        id: check_deployment
-        uses: patrickedqvist/wait-for-vercel-preview@d7982701e6fcd3ae073bff929e408e004404d38d # v1.3.3
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          max_timeout: 300 # timeout after 5 minutes
-          check_interval: 10 # check every 10 seconds
-        continue-on-error: true
-      - name: Set Outputs
-        if: always()
-        id: set_outputs
-        run: |
-          if [[ -z "${{ steps.check_deployment.outputs.url }}" ]]; then
-            echo "deployment_found=false" >> $GITHUB_OUTPUT
-          else
-            echo "deployment_found=true" >> $GITHUB_OUTPUT
-            echo "url=${{ steps.check_deployment.outputs.url }}" >> $GITHUB_OUTPUT
-          fi
-
-  lighthouse-ci:
-    needs: get-vercel-preview
-    if: needs.get-vercel-preview.outputs.deployment_found == 'true'
     name: Lighthouse Report
     runs-on: ubuntu-latest
+    permissions:
+      # Required by `thollander/actions-comment-pull-request`
+      pull-requests: write
 
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
         with:
           egress-policy: audit
 
+      - name: Capture Vercel Preview
+        id: deployment
+        uses: patrickedqvist/wait-for-vercel-preview@d7982701e6fcd3ae073bff929e408e004404d38d # v1.3.3
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          max_timeout: 300 # timeout after 5 minutes
+          check_interval: 10 # check every 10 seconds
+
       - name: Git Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           # Provides the Pull Request commit SHA or the GitHub merge group ref
           ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.ref }}
+          persist-credentials: false
 
       - name: Add Comment to PR
         # Signal that a lighthouse run is about to start
@@ -93,12 +79,12 @@ jobs:
           configPath: './.lighthouserc.json'
           # These URLS capture critical pages / site functionality.
           urls: |
-            ${{ needs.get-vercel-preview.outputs.url }}/en
-            ${{ needs.get-vercel-preview.outputs.url }}/en/about
-            ${{ needs.get-vercel-preview.outputs.url }}/en/about/previous-releases
-            ${{ needs.get-vercel-preview.outputs.url }}/en/download
-            ${{ needs.get-vercel-preview.outputs.url }}/en/download/archive/current
-            ${{ needs.get-vercel-preview.outputs.url }}/en/blog
+            ${{ steps.deployment.outputs.url }}/en
+            ${{ steps.deployment.outputs.url }}/en/about
+            ${{ steps.deployment.outputs.url }}/en/about/previous-releases
+            ${{ steps.deployment.outputs.url }}/en/download
+            ${{ steps.deployment.outputs.url }}/en/download/archive/current
+            ${{ steps.deployment.outputs.url }}/en/blog
           uploadArtifacts: true # save results as a action artifacts
           temporaryPublicStorage: true # upload lighthouse report to the temporary storage
 
@@ -111,7 +97,7 @@ jobs:
           # see https://github.com/actions/github-script#use-env-as-input
           LIGHTHOUSE_RESULT: ${{ steps.lighthouse_audit.outputs.manifest }}
           LIGHTHOUSE_LINKS: ${{ steps.lighthouse_audit.outputs.links }}
-          VERCEL_PREVIEW_URL: ${{ needs.get-vercel-preview.outputs.url }}
+          VERCEL_PREVIEW_URL: ${{ steps.deployment.outputs.url }}
         with:
           # Run as a separate file so we do not have to inline all of our formatting logic.
           # See https://github.com/actions/github-script#run-a-separate-file for more info.

.github/workflows/lint-and-tests.yml

@@ -33,9 +33,9 @@ permissions:
   contents: read
   actions: read
 
-env:
-  # See https://turbo.build/repo/docs/reference/command-line-reference/run#--cache-dir
-  TURBO_ARGS: --cache-dir=.turbo/cache
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
 jobs:
   lint:
@@ -73,7 +73,7 @@ jobs:
         if: |
           (github.event_name == 'push' || github.event_name == 'merge_group') ||
           (github.event_name == 'pull_request' && github.event.pull_request.head.ref != 'chore/crowdin')
-        run: node_modules/.bin/turbo lint lint:types prettier ${{ env.TURBO_ARGS }}
+        run: node_modules/.bin/turbo lint lint:types prettier --cache-dir=.turbo/cache
 
       - name: Save Lint Cache
         # We only want to save caches on `push` events or `pull_request_target` events
@@ -108,7 +108,7 @@ jobs:
       - name: Run Unit Tests
         # We want to run Unit Tests in every circumstance, including Crowdin PRs and Dependabot PRs to ensure
         # that changes to dependencies or translations don't break the Unit Tests
-        run: node --run test:ci -- ${{ env.TURBO_ARGS }}
+        run: node --run test:ci -- --cache-dir=.turbo/cache
 
       - name: Upload test coverage to Codecov
         if: ${{ !cancelled() && github.event_name != 'merge_group' }}

.github/workflows/notify-on-push.yml

@@ -7,6 +7,10 @@ name: Notify on Push
 permissions:
   contents: read
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.sha }}
+  cancel-in-progress: false
+
 jobs:
   notify_on_push:
     name: Notify on any direct push to `main`

.github/workflows/playwright.yml

@@ -21,35 +21,7 @@ permissions:
   actions: read
 
 jobs:
-  get-vercel-preview:
-    name: Get Vercel Preview
-    runs-on: ubuntu-latest
-    outputs:
-      deployment_found: ${{ steps.set_outputs.outputs.deployment_found }}
-      url: ${{ steps.set_outputs.outputs.url }}
-    steps:
-      - name: Capture Vercel Preview
-        id: check_deployment
-        uses: patrickedqvist/wait-for-vercel-preview@d7982701e6fcd3ae073bff929e408e004404d38d # v1.3.3
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          max_timeout: 300 # timeout after 5 minutes
-          check_interval: 10 # check every 10 seconds
-        continue-on-error: true
-      - name: Set Outputs
-        if: always()
-        id: set_outputs
-        run: |
-          if [[ -z "${{ steps.check_deployment.outputs.url }}" ]]; then
-            echo "deployment_found=false" >> $GITHUB_OUTPUT
-          else
-            echo "deployment_found=true" >> $GITHUB_OUTPUT
-            echo "url=${{ steps.check_deployment.outputs.url }}" >> $GITHUB_OUTPUT
-          fi
-
   playwright:
-    needs: get-vercel-preview
-    if: needs.get-vercel-preview.outputs.deployment_found == 'true'
     name: Playwright Tests
     runs-on: ubuntu-latest
 
@@ -60,6 +32,14 @@ jobs:
           use-version-file: true
           fetch-depth: 2
 
+      - name: Capture Vercel Preview
+        id: deployment
+        uses: patrickedqvist/wait-for-vercel-preview@d7982701e6fcd3ae073bff929e408e004404d38d # v1.3.3
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          max_timeout: 300 # timeout after 5 minutes
+          check_interval: 10 # check every 10 seconds
+
       - name: Get Playwright version
         id: playwright-version
         working-directory: apps/site
@@ -80,7 +60,7 @@ jobs:
         working-directory: apps/site
         run: node --run playwright
         env:
-          PLAYWRIGHT_BASE_URL: ${{ needs.get-vercel-preview.outputs.url }}
+          PLAYWRIGHT_BASE_URL: ${{ steps.deployment.outputs.url }}
 
       - name: Upload Playwright test results
         if: always()

.github/workflows/pnpm-updater.yml

@@ -11,13 +11,21 @@ on:
   schedule:
     - cron: '0 0 1 * *'
 
-permissions:
-  contents: write
-  pull-requests: write
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: false
 
 jobs:
   update-pnpm:
+    name: Update pnpm
     runs-on: ubuntu-latest
+    permissions:
+      # Required to push changes to the update branch
+      contents: write
+      # Required to create the pull request
+      pull-requests: write
 
     steps:
       - name: Harden Runner
@@ -27,6 +35,8 @@ jobs:
 
       - name: Git Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Setup pnpm
         uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0