22 changes: 11 additions & 11 deletions .github/workflows/e2e-cache.yml
@@ -21,7 +21,7 @@ jobs:
os: [ubuntu-latest, windows-latest, macos-latest, macos-latest]
node-version: [20, 22, 24]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
- name: Clean global cache
run: npm cache clean --force
- name: Setup Node
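Review bot: the new pin actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 is opaque where actions/checkout@v6 was readable; add a trailing comment such as "# v6" on each pinned uses line so a reviewer can see which release the hash resolves to and Dependabot or Renovate can keep hash and comment in step. Unrelated to this change but visible in the context lines: macos-latest is listed twice in the os matrix, so that leg runs twice for every node-version.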
@@ -44,9 +44,9 @@ jobs:
os: [ubuntu-latest, windows-latest, macos-latest, macos-latest]
node-version: [20, 22, 24]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
- name: Install pnpm
uses: pnpm/action-setup@v4
uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1
with:
version: 6.10.0
- name: Generate pnpm file
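Review bot: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 replaces @v4 with no version comment, so confirming from the file that this hash really is the v4 tag means a trip to the upstream repository. Pinning a third-party action to a full commit SHA is the right call; pair it with "# v4" on the same line so the pin stays legible and updatable.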
@@ -77,7 +77,7 @@ jobs:
os: [ubuntu-latest, windows-latest, macos-latest, macos-latest]
node-version: [20, 22, 24]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
- name: Yarn version
run: yarn --version
- name: Generate yarn file
@@ -109,7 +109,7 @@ jobs:
os: [ubuntu-latest, windows-latest, macos-latest, macos-latest]
node-version: [20, 22, 24]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
- name: Update yarn
run: yarn set version 3.6.4
- name: Yarn version
@@ -143,7 +143,7 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10

- name: prepare sub-projects
run: __tests__/prepare-yarn-subprojects.sh yarn1
@@ -170,7 +170,7 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10

- name: prepare sub-projects
run: __tests__/prepare-yarn-subprojects.sh keepcache keepcache
@@ -197,7 +197,7 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10

- name: prepare sub-projects
run: __tests__/prepare-yarn-subprojects.sh global
@@ -224,7 +224,7 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10

- name: prepare sub-projects
run: /bin/bash __tests__/prepare-yarn-subprojects.sh keepcache
@@ -253,7 +253,7 @@ jobs:
os: [ubuntu-latest, windows-latest, macos-latest, macos-latest]
node-version: [20, 22, 24]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
- name: Create package.json with packageManager field
run: |
echo '{ "name": "test-project", "version": "1.0.0", "packageManager": "npm@8.0.0" }' > package.json
@@ -278,7 +278,7 @@ jobs:
os: [ubuntu-latest, windows-latest, macos-latest, macos-latest]
node-version: [20, 22, 24]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
- name: Create package.json with devEngines field
run: |
echo '{
4 changes: 2 additions & 2 deletions .github/workflows/proxy.yml
@@ -25,7 +25,7 @@ jobs:
env:
https_proxy: http://squid-proxy:3128
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

sed -n '1,120p' .github/workflows/proxy.yml

Repository: rstackjs/setup-node

Length of output: 1442


Disable persisted checkout credentials in both jobs. actions/checkout writes the token into git config by default; these steps only need read access, so set persist-credentials: false on both checkout steps in .github/workflows/proxy.yml.

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 28-28: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/proxy.yml at line 28, The checkout steps in the workflow
are leaving the GitHub token persisted in git config by default. Update both
uses of actions/checkout in proxy.yml to set persist-credentials to false so the
jobs only use read access; this applies to each checkout step in the workflow.

Source: Linters/SAST tools

- name: Clear tool cache
run: rm -rf $RUNNER_TOOL_CACHE/*
- name: Setup node 24
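Review bot: while this checkout step is being rewritten to a commit SHA, it is the natural place to act on the zizmor artipacked finding quoted above: add with: persist-credentials: false beneath the uses line. The job only clears the tool cache and sets up Node through the squid proxy, so nothing later needs a writable token in .git/config. Append a "# v6" comment to the pin at the same time so the hash stays readable.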
@@ -41,7 +41,7 @@ jobs:
https_proxy: http://no-such-proxy:3128
no_proxy: api.github.com,github.com,cdn.npmmirror.com,registry.npmjs.org,*.s3.amazonaws.com,s3.amazonaws.com
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
- name: Clear tool cache
run: rm -rf $RUNNER_TOOL_CACHE/*
- name: Setup node 24
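Review bot: this second checkout has the same shape as the first one in the file: a bare hash with no version comment and persist-credentials left at its default. The zizmor finding names both jobs, so set persist-credentials: false here as well; the job only verifies that the bogus https_proxy is bypassed for the hosts listed in no_proxy and never writes back to the repository.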
2 changes: 1 addition & 1 deletion .github/workflows/publish-immutable-actions.yml
@@ -14,7 +14,7 @@ jobs:

steps:
- name: Checking out
uses: actions/checkout@v6
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Map the workflow file structure first.
ast-grep outline .github/workflows/publish-immutable-actions.yml --view expanded || true

# Show the workflow with line numbers.
cat -n .github/workflows/publish-immutable-actions.yml

# Inspect other steps in the job for any git/network use that might require checkout credentials.
python3 - <<'PY'
from pathlib import Path
p = Path('.github/workflows/publish-immutable-actions.yml')
text = p.read_text()
for i, line in enumerate(text.splitlines(), 1):
    if any(k in line for k in ['checkout', 'git ', 'gh ', 'push', 'pull', 'fetch', 'submodule', 'publish', 'npm', 'yarn', 'pnpm']):
        print(f"{i}: {line}")
PY

Repository: rstackjs/setup-node

Length of output: 971


Stop persisting checkout credentials. This job only checks out the repo before publishing, so persist-credentials: false keeps the checkout token out of the workspace for later steps.

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 16-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish-immutable-actions.yml at line 17, The checkout
step in the publish workflow is still persisting Git credentials, which should
be disabled for this publish-only job. Update the actions/checkout usage in the
workflow to set persist-credentials to false so the token is not left available
to later steps. Use the existing checkout step in the publish-immutable-actions
workflow as the place to apply this change.

Source: Linters/SAST tools

- name: Publish
id: publish
uses: actions/publish-immutable-action@v0.0.4
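Review bot: the pinning stops one step short: actions/publish-immutable-action@v0.0.4 in the same job is still a mutable tag, and this is the publish workflow, where a re-pointed tag would execute inside the release job itself. Pin it to its commit SHA with a "# v0.0.4" comment, matching the checkout step, and set persist-credentials: false on that checkout per the zizmor finding above, since publishing the immutable action does not need the checkout token.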
20 changes: 10 additions & 10 deletions .github/workflows/versions.yml
@@ -20,7 +20,7 @@ jobs:
os: [ubuntu-latest, windows-latest, macos-latest, macos-latest]
node-version: [20, 22, 24]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
- name: Setup Node
uses: ./
with:
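Review bot: the ten checkout pins in this file all land as bare hashes; add "# v6" after each actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 so the hash remains legible in review and Dependabot or Renovate can bump hash and comment together. Also visible in the context lines, though not part of this change: macos-latest is duplicated in the os matrix of most jobs here, doubling those legs.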
@@ -37,7 +37,7 @@ jobs:
os: [ubuntu-latest, windows-latest, macos-latest, macos-latest]
node-version: [20.10.0, 22.0.0, 24.9.0]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
- name: Setup Node
uses: ./
with:
@@ -54,7 +54,7 @@ jobs:
os: [ubuntu-latest, windows-latest, macos-latest, macos-latest]
node-version: [20, 22, 24]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
- name: Setup Node and check latest
uses: ./
with:
@@ -73,7 +73,7 @@ jobs:
node-version-file:
[.nvmrc, .tool-versions, .tool-versions-node, package.json]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
- name: Setup node from node version file
uses: ./
with:
@@ -88,7 +88,7 @@ jobs:
matrix:
os: [ubuntu-latest, windows-latest, macos-latest]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
- name: Setup node from node version file
uses: ./
with:
@@ -103,7 +103,7 @@ jobs:
matrix:
os: [ubuntu-latest, windows-latest, macos-latest, macos-latest]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
- name: Setup node from node version file
uses: ./
with:
@@ -118,7 +118,7 @@ jobs:
matrix:
os: [ubuntu-latest, windows-latest, macos-latest, macos-latest]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
- name: Setup node from node version file
uses: ./
with:
@@ -134,7 +134,7 @@ jobs:
os: [ubuntu-latest, windows-latest, macos-latest, macos-latest]
node-version: [17, 19]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
- name: Setup Node from dist
uses: ./
with:
@@ -150,7 +150,7 @@ jobs:
matrix:
os: [ubuntu-latest, windows-latest, macos-15-intel]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
# test old versions which didn't have npm and layout different
- name: Setup node 0.12.18 from dist
uses: ./
@@ -163,7 +163,7 @@ jobs:
arch:
runs-on: windows-latest
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
- name: Setup node 20 x86 from dist
uses: ./
with:
2 changes: 1 addition & 1 deletion .licenses/npm/@actions/cache.dep.yml

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

20 changes: 0 additions & 20 deletions .licenses/npm/@actions/core-1.11.1.dep.yml

This file was deleted.


20 changes: 0 additions & 20 deletions .licenses/npm/@actions/exec-1.1.1.dep.yml

This file was deleted.

20 changes: 0 additions & 20 deletions .licenses/npm/@actions/io-1.1.3.dep.yml

This file was deleted.

2 changes: 1 addition & 1 deletion .licenses/npm/@actions/tool-cache.dep.yml


11 changes: 11 additions & 0 deletions .licenses/npm/@nodable/entities.dep.yml


2 changes: 1 addition & 1 deletion .licenses/npm/brace-expansion.dep.yml


4 changes: 2 additions & 2 deletions .licenses/npm/fast-xml-builder.dep.yml


2 changes: 1 addition & 1 deletion .licenses/npm/fast-xml-parser.dep.yml


35 changes: 35 additions & 0 deletions .licenses/npm/is-unsafe.dep.yml
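The two themes of this review, full-SHA pins for third-party actions and persist-credentials: false on read-only checkouts (the zizmor artipacked finding quoted on proxy.yml and publish-immutable-actions.yml), can be turned into a repeatable check. The script below is an added example; it is not part of rstackjs/setup-node or of the review tooling quoted above. It scans workflow YAML as text with the standard library only, flags uses: refs that are not 40-hex commit SHAs, flags SHA pins with no trailing version comment, and flags actions/checkout steps whose with: block lacks persist-credentials: false. The embedded sample workflow is constructed for the example, and the Finding type, lint_workflow and the other names are the example's own, not an API of any linter.

```python
"""Lint GitHub Actions workflow text for two supply-chain hygiene points:
action refs that are mutable tags/branches rather than commit SHAs (and SHA
pins with no human-readable version comment), and actions/checkout steps that
leave persist-credentials at its default of true.  Standard library only; it
works on the raw YAML lines so it needs no PyYAML and keeps line numbers."""
from __future__ import annotations

import re
from dataclasses import dataclass

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^(?P<indent>\s*)(?:-\s+)?uses:\s*(?P<ref>\S+)")
STEP_START_RE = re.compile(r"^(?P<indent>\s*)-\s")
PERSIST_FALSE_RE = re.compile(r"^\s*persist-credentials:\s*false\b")


@dataclass(frozen=True)
class Finding:
    line: int    # 1-based line number in the workflow text
    kind: str    # "mutable-ref", "missing-version-comment" or "persist-credentials"
    detail: str  # the uses: reference the finding is about


def is_sha_pinned(ref: str) -> bool:
    """True when the part after '@' is a full 40-hex commit SHA."""
    _, _, version = ref.partition("@")
    return bool(SHA_RE.match(version))


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def _step_bounds(lines: list[str], uses_idx: int) -> tuple[int, int]:
    """[start, end) of the list item (step) that contains lines[uses_idx]:
    it opens at the nearest preceding '- ' whose dash is not deeper than the
    uses: line and closes before the next non-blank line at or above that
    dash column."""
    uses_indent = _indent(lines[uses_idx])
    start = uses_idx
    while start > 0:
        m = STEP_START_RE.match(lines[start])
        if m and len(m.group("indent")) <= uses_indent:
            break
        start -= 1
    m = STEP_START_RE.match(lines[start])
    dash_col = len(m.group("indent")) if m else uses_indent
    end = start + 1
    while end < len(lines) and (not lines[end].strip() or _indent(lines[end]) > dash_col):
        end += 1
    return start, end


def lint_workflow(text: str) -> list[Finding]:
    """Return findings in file order; an empty list means the text is clean."""
    lines = text.splitlines()
    findings: list[Finding] = []
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref").strip("'\"")
        if ref.startswith(("./", "docker://")):
            continue  # local actions and container images are out of scope here
        action, _, _ = ref.partition("@")
        if not is_sha_pinned(ref):
            findings.append(Finding(i + 1, "mutable-ref", ref))
        elif not line[m.end():].strip().startswith("#"):
            # A bare hash is opaque to reviewers and to Dependabot/Renovate; ask for "# vN".
            findings.append(Finding(i + 1, "missing-version-comment", ref))
        if action == "actions/checkout":
            start, end = _step_bounds(lines, i)
            if not any(PERSIST_FALSE_RE.match(l) for l in lines[start:end]):
                findings.append(Finding(i + 1, "persist-credentials", ref))
    return findings


# Constructed sample for the example; it is not a file from the repository under review.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Checkout, hardened
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
        with:
          persist-credentials: false
      - name: Install pnpm
        uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1
        with:
          version: 6.10.0
      - uses: ./
        with:
          node-version: 24
      - name: Publish
        uses: actions/publish-immutable-action@v0.0.4
"""

if __name__ == "__main__":
    for f in lint_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.kind}: {f.detail}")
```

To run it over a real tree, swap SAMPLE_WORKFLOW for the text of each file under .github/workflows. It is a line-oriented heuristic: a step that sets persist-credentials through a YAML anchor or as a flow mapping on the with: line would slip past it, and it does not verify that a hash actually belongs to the repository it claims to pin, which is why zizmor stays the tool to run in CI and this script is only a quick pre-commit gate.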
