Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 7 additions & 1 deletion .github/workflows/check.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ permissions:

jobs:
format:
name: Flake check
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
Expand All @@ -33,6 +34,7 @@ jobs:
- run: nix flake check --print-build-logs

build-the-world:
name: Build all artifacts
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
Expand All @@ -42,6 +44,7 @@ jobs:
- run: nix run .#nixos-branding.verification.verify-nixos-branding-all --print-build-logs

compare-artifacts-build:
name: Build artifact comparison
runs-on: ubuntu-latest
needs: build-the-world
if: github.event_name == 'pull_request'
Expand Down Expand Up @@ -112,14 +115,15 @@ jobs:
if-no-files-found: error

compare-artifacts-comment:
name: Comment artifact comparison
runs-on: ubuntu-latest
needs: compare-artifacts-build
# Skip on fork PRs (read-only token can't post). Also implicitly
# only runs on pull_request events because compare-artifacts-build
# itself is gated to those.
if: github.event.pull_request.head.repo.full_name == github.repository
permissions:
pull-requests: write
pull-requests: write # post the artifact-comparison sticky comment
steps:
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
Expand Down Expand Up @@ -165,6 +169,7 @@ jobs:
</details>

branding-guide-changelog:
name: Changelog query
runs-on: ubuntu-latest
steps:
- name: Checkout
Expand All @@ -190,6 +195,7 @@ jobs:
printf '%s\n' "$NOTES"

workflow-security:
name: Workflow security
runs-on: ubuntu-latest
steps:
- name: Checkout
Expand Down
15 changes: 11 additions & 4 deletions .github/workflows/netlify-deploy.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,14 +5,21 @@ on:
workflow_call:
workflow_dispatch:

permissions:
contents: write
statuses: write
deployments: write
concurrency:
# Never interrupt an in-progress deploy; queue the next run instead.
group: netlify-deploy-${{ github.ref }}
cancel-in-progress: false

permissions: {}

jobs:
deploy:
name: Deploy media kit to Netlify
runs-on: ubuntu-latest
permissions:
contents: write # Netlify action posts a commit comment
statuses: write # Netlify action sets a commit status
deployments: write # Netlify action creates a GitHub deployment
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
Expand Down
16 changes: 11 additions & 5 deletions .github/workflows/release-guide.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,11 @@ on:
tags:
- "nixos-branding-guide-v*.*.*"

concurrency:
# Serialize release runs for a tag; never interrupt a release in progress.
group: release-guide-${{ github.ref }}
cancel-in-progress: false

permissions: {}

jobs:
Expand All @@ -15,10 +20,11 @@ jobs:
contents: read

release:
name: Create GitHub release
needs: check
runs-on: ubuntu-latest
permissions:
contents: write
contents: write # gh release create publishes the release
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
Expand Down Expand Up @@ -84,13 +90,13 @@ jobs:
uses: ./.github/workflows/netlify-deploy.yml
needs: release
permissions:
contents: write
statuses: write
deployments: write
contents: write # Netlify action posts a commit comment
statuses: write # Netlify action sets a commit status
deployments: write # Netlify action creates a GitHub deployment

release-npm-package:
uses: ./.github/workflows/release-npm-package.yaml
needs: release
permissions:
id-token: write
id-token: write # OIDC for npm provenance publish
contents: read
13 changes: 10 additions & 3 deletions .github/workflows/release-npm-package.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -5,13 +5,20 @@ on:
workflow_call:
workflow_dispatch:

permissions:
id-token: write # Required for OIDC
contents: read
concurrency:
# Never interrupt an in-progress publish; queue the next run instead.
group: release-npm-package-${{ github.ref }}
cancel-in-progress: false

permissions: {}

jobs:
build-npm-package:
name: Build and publish npm package
runs-on: ubuntu-latest
permissions:
id-token: write # Required for OIDC
contents: read
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
Expand Down
44 changes: 44 additions & 0 deletions .github/workflows/zizmor.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
name: Workflow security report

on:
push:
branches:
- main
paths:
- ".github/**"
- flake.lock
pull_request:
paths:
- ".github/**"
- flake.lock

concurrency:
group: zizmor-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true

permissions: {}

jobs:
zizmor:
name: zizmor pedantic audit (report-only)
runs-on: ubuntu-latest
permissions:
contents: read # checkout
security-events: write # upload the SARIF report to code scanning
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- uses: ./.github/actions/setup-nix
- name: Run zizmor (pedantic, SARIF)
# SARIF mode exits 0 even with findings, so this reports rather than
# blocks; the blocking gate is the regular-persona run in check.yml.
env:
GH_TOKEN: ${{ github.token }}
run: nix run .#zizmor -- --format sarif --pedantic . > results.sarif
- name: Upload SARIF to code scanning
uses: github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3
with:
sarif_file: results.sarif
category: zizmor
Loading