Sync with upstream actions/setup-node (main) #4
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -14,7 +14,7 @@ jobs: | |
|
|
||
| steps: | ||
| - name: Checking out | ||
| uses: actions/checkout@v6 | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 | ||
|
🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Map the workflow file structure first.
ast-grep outline .github/workflows/publish-immutable-actions.yml --view expanded || true
# Show the workflow with line numbers.
cat -n .github/workflows/publish-immutable-actions.yml
# Inspect other steps in the job for any git/network use that might require checkout credentials.
python3 - <<'PY'
from pathlib import Path
p = Path('.github/workflows/publish-immutable-actions.yml')
text = p.read_text()
for i, line in enumerate(text.splitlines(), 1):
    if any(k in line for k in ['checkout', 'git ', 'gh ', 'push', 'pull', 'fetch', 'submodule', 'publish', 'npm', 'yarn', 'pnpm']):
        print(f"{i}: {line}")
PY
Repository: rstackjs/setup-node
Length of output: 971
Stop persisting checkout credentials.
This job only checks out the repo before publishing, so
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 16-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
Source: Linters/SAST tools |
||
| - name: Publish | ||
| id: publish | ||
| uses: actions/publish-immutable-action@v0.0.4 | ||
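Review bot: The Publish step at the end of this hunk still references `actions/publish-immutable-action@v0.0.4`, a tag that can be moved, while the checkout step above it was switched to a 40-character commit SHA. Pin the publish action to a commit SHA as well, so the job that publishes the action runs only code that was reviewed at pin time. The new pinned `actions/checkout@` line also has no trailing comment naming the release the SHA corresponds to; adding one keeps the pin reviewable when it is next updated.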
🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
sed -n '1,120p' .github/workflows/proxy.yml
Repository: rstackjs/setup-node
Length of output: 1442
Disable persisted checkout credentials in both jobs.
`actions/checkout` writes the token into git config by default; these steps only need read access, so set `persist-credentials: false` on both checkout steps in `.github/workflows/proxy.yml`.
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 28-28: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
Source: Linters/SAST tools
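The check both review comments call for, as an added example (not code from this PR, the review bot, or zizmor): a standard-library scan of workflow text that reports every `actions/checkout` step lacking `persist-credentials: false`. It goes slightly beyond the comments by also flagging refs that are not a full commit SHA; the function names and the `SAMPLE` workflow are constructed for illustration.

```python
import re

STEP_START = re.compile(r"^(\s*)- ")
CHECKOUT = re.compile(r"uses:\s*actions/checkout@(\S+)")
FULL_SHA = re.compile(r"[0-9a-f]{40}")
PERSIST_OFF = re.compile(r"^\s*persist-credentials:\s*['\"]?false['\"]?\s*(#.*)?$")

def steps(text):
    """Yield (first_line_number, lines) for each YAML list item, using indentation only."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = STEP_START.match(lines[i])
        if not m:
            i += 1
            continue
        indent, j = len(m.group(1)), i + 1
        # The item ends at the next non-blank line indented no deeper than its dash.
        while j < len(lines) and not (
            lines[j].strip() and len(lines[j]) - len(lines[j].lstrip()) <= indent
        ):
            j += 1
        yield i + 1, lines[i:j]
        i = j

def audit(text):
    """Return (line, finding, ref) tuples for checkout steps that need attention."""
    findings = []
    for line_no, block in steps(text):
        block = [l for l in block if not l.lstrip().startswith("#")]  # skip comment lines
        m = CHECKOUT.search("\n".join(block))
        if not m:
            continue
        ref = m.group(1)
        if not FULL_SHA.fullmatch(ref):
            findings.append((line_no, "mutable-ref", ref))
        if not any(PERSIST_OFF.match(l) for l in block):
            findings.append((line_no, "credentials-persisted", ref))
    return findings

# Constructed sample: the ref before and after this PR, then the hardened form.
PINNED = "df4cb1c069e1874edd31b4311f1884172cec0e10"
SAMPLE = f"""jobs:\n  publish:\n    steps:
      - name: Checking out\n        uses: actions/checkout@v6
      - name: Checking out\n        uses: actions/checkout@{PINNED}
      - name: Checking out\n        uses: actions/checkout@{PINNED}
        with:\n          persist-credentials: false\n"""

if __name__ == "__main__":
    for line_no, finding, ref in audit(SAMPLE):
        print(f"line {line_no}: {finding} ({ref})")
```

The scan is indentation-based and does not parse YAML, so it suits block-style workflows like the ones in this PR; flow-style or templated workflows need a real YAML parser.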