diff --git a/.github/workflows/cloudflare_sync.yaml b/.github/workflows/cloudflare_sync.yaml
index 8e57c8752ad..713aaf95fae 100644
--- a/.github/workflows/cloudflare_sync.yaml
+++ b/.github/workflows/cloudflare_sync.yaml
@@ -35,6 +35,7 @@ jobs:
 - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
 with:
 ref: 'cloudflare-pages'
+ persist-credentials: false
 - name: Cleanup
 run: |
 rm -rf .git
diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml
index 279636d39d6..9a4080a4fcd 100644
--- a/.github/workflows/conformance.yml
+++ b/.github/workflows/conformance.yml
@@ -56,9 +56,10 @@ jobs:
 ref: ${{ github.event.pull_request.head.sha }}
 repository: ${{ github.event.pull_request.head.repo.full_name }}
 token: ${{ secrets.GITHUB_TOKEN }}
+ persist-credentials: false
 - name: Setup Go
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+ uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
 go-version-file: 'go.mod'
diff --git a/.github/workflows/deploy_dev_docs_to_cf.yaml b/.github/workflows/deploy_dev_docs_to_cf.yaml
index 64d7e532354..ffa07ae8f6c 100644
--- a/.github/workflows/deploy_dev_docs_to_cf.yaml
+++ b/.github/workflows/deploy_dev_docs_to_cf.yaml
@@ -45,6 +45,7 @@ jobs:
 with:
 fetch-depth: 0
 submodules: recursive
+ persist-credentials: false
 - name: Setup Hugo
 uses: peaceiris/actions-hugo@2752ce1d29631191ea3f27c23495fa06139a5b78 # v3
@@ -58,7 +59,7 @@ jobs:
 node-version: "22"
 - name: Cache dependencies
- uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
 with:
 path: ~/.npm
 key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
diff --git a/.github/workflows/deploy_previous_version_docs_to_cf.yaml b/.github/workflows/deploy_previous_version_docs_to_cf.yaml
index d7bdf1fda38..5d1ca704ae3 100644
--- a/.github/workflows/deploy_previous_version_docs_to_cf.yaml
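Review bot: The checkout pin on the first line of this hunk is still annotated `# v7`, while the same commit hash carries `# v7.0.0` in lint.yaml, pypi.yml, sync-labels.yaml and tests.yaml. This commit already tightens the setup-go, setup-python and cache comments to exact releases, so the checkout comments could be aligned in the same pass: `- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0`. The same applies to the `# v7` checkout lines visible in deploy_previous_version_docs_to_cf.yaml, deploy_versioned_docs_to_cf.yaml, docs_lint.yaml, docs_preview_deploy_cf.yaml, link_checker_report.yaml, nightly_tier_report.yml and publish-mcp.yml. A consistent exact-version comment makes it easier to audit what a pinned hash corresponds to.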
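Review bot: In conformance.yml, `persist-credentials: false` only keeps the token out of `.git/config`; the checkout still fetches `github.event.pull_request.head.sha` from the contributor's repository, and the steps that follow (starting with Setup Go reading `go.mod`) work on that tree in the same job. The trigger and the `permissions:` block are outside the hunk, so it is worth confirming that this job runs with a read-only token and that no later step exposes secrets through `env:` when the pull request comes from a fork. The explicit `token: ${{ secrets.GITHUB_TOKEN }}` matches the action's default and could be dropped. The checkout step begins above the hunk.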
+++ b/.github/workflows/deploy_previous_version_docs_to_cf.yaml
@@ -35,6 +35,7 @@ jobs:
 ref: 'main'
 submodules: 'recursive'
 fetch-depth: 0
+ persist-credentials: false
 - name: Checkout old content from tag into a temporary directory
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
@@ -43,6 +44,7 @@ jobs:
 path: 'old_version_source'
 sparse-checkout: |
 docs
+ persist-credentials: false
 - name: Replace content with old version
 run: |
diff --git a/.github/workflows/deploy_versioned_docs_to_cf.yaml b/.github/workflows/deploy_versioned_docs_to_cf.yaml
index 59a9b07f239..27d31d65be9 100644
--- a/.github/workflows/deploy_versioned_docs_to_cf.yaml
+++ b/.github/workflows/deploy_versioned_docs_to_cf.yaml
@@ -33,6 +33,7 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
 with:
 ref: ${{ github.event.release.tag_name }}
+ persist-credentials: false
 - name: Get Version from Release Tag
 id: get_version
diff --git a/.github/workflows/docs_lint.yaml b/.github/workflows/docs_lint.yaml
index 00bc979e29b..8fe79645779 100644
--- a/.github/workflows/docs_lint.yaml
+++ b/.github/workflows/docs_lint.yaml
@@ -33,9 +33,11 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
+ with:
+ persist-credentials: false
 - name: Set up Python
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: '3.x'
@@ -57,4 +59,4 @@ jobs:
 run: bash .ci/lint-docs-tool-page.sh
 - name: Run Sample Filters Linter
- run: bash .ci/lint-docs-sample-filters.sh
\ No newline at end of file
+ run: bash .ci/lint-docs-sample-filters.sh
diff --git a/.github/workflows/docs_preview_build_cf.yaml b/.github/workflows/docs_preview_build_cf.yaml
index 3be26b8616a..cdbe23114a7 100644
--- a/.github/workflows/docs_preview_build_cf.yaml
+++ b/.github/workflows/docs_preview_build_cf.yaml
@@ -43,6 +43,7 @@ jobs:
 with:
 ref: ${{ env.HEAD_SHA }}
 fetch-depth: 0
+ persist-credentials: false
 - name: Setup Hugo
 uses: peaceiris/actions-hugo@2752ce1d29631191ea3f27c23495fa06139a5b78 # v3
@@ -71,7 +72,7 @@ jobs:
 run: |
 mkdir -p ../artifact-payload
 cp -r public ../artifact-payload/public
- echo ${{ env.PR_NUMBER }} > ../artifact-payload/pr_number.txt
+ echo ${PR_NUMBER} > ../artifact-payload/pr_number.txt
 - name: Upload Artifact
 uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
@@ -82,13 +83,15 @@ jobs:
 - name: Deployment Link
 run: |
- DEPLOY_URL="https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/actions/workflows/docs_deploy_cf.yaml"
+ DEPLOY_URL="https://github.com/${{ github.repository_owner }}/${GITHUB_EVENT_REPOSITORY_NAME}/actions/workflows/docs_deploy_cf.yaml"
 echo "### Build Complete" >> $GITHUB_STEP_SUMMARY
- echo "The build for PR #${{ env.PR_NUMBER }} succeeded." >> $GITHUB_STEP_SUMMARY
+ echo "The build for PR #${PR_NUMBER} succeeded." >> $GITHUB_STEP_SUMMARY
 echo "The Cloudflare deployment workflow is now starting." >> $GITHUB_STEP_SUMMARY
 echo "---" >> $GITHUB_STEP_SUMMARY
 echo "#### [Track Deployment Progress]($DEPLOY_URL)" >> $GITHUB_STEP_SUMMARY
+ env:
+ GITHUB_EVENT_REPOSITORY_NAME: ${{ github.event.repository.name }}
 remove-label:
 needs: build-preview
diff --git a/.github/workflows/docs_preview_deploy_cf.yaml b/.github/workflows/docs_preview_deploy_cf.yaml
index 995c55b13ff..531bb4010fc 100644
--- a/.github/workflows/docs_preview_deploy_cf.yaml
+++ b/.github/workflows/docs_preview_deploy_cf.yaml
@@ -46,6 +46,8 @@ jobs:
 steps:
 - name: Checkout base repository
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
+ with:
+ persist-credentials: false
 - name: Download Artifact
 uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
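Review bot: The new `echo ${PR_NUMBER}` in the `-71,7` hunk of docs_preview_build_cf.yaml expands the variable unquoted, so the shell word-splits and glob-expands the value before it reaches `pr_number.txt`. Reading it from the environment instead of `${{ env.PR_NUMBER }}` removes the template expansion, but the value is only written verbatim when quoted: `printf '%s\n' "${PR_NUMBER}" > ../artifact-payload/pr_number.txt`. Where `PR_NUMBER` is set lies outside the hunk, and the `run:` block starts above it.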
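Review bot: In the Deployment Link step, `${{ github.repository_owner }}` is still expanded into the script text on the `DEPLOY_URL` line, while the repository name beside it now comes from an environment variable. The runner already exports `GITHUB_REPOSITORY` as owner/name, so the line could read `DEPLOY_URL="https://github.com/${GITHUB_REPOSITORY}/actions/workflows/docs_deploy_cf.yaml"` and the added `env:` block could go, assuming the event repository is the one the workflow runs in. If the mapping stays, a name without the `GITHUB_` prefix would make it clear that the workflow sets it, not the runner. The redirect targets could also be quoted as `"$GITHUB_STEP_SUMMARY"`, matching the `"$GITHUB_OUTPUT"` style used in docs_preview_deploy_cf.yaml.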
@@ -58,8 +60,8 @@ jobs:
 - name: Read PR Number
 id: get_pr
 run: |
- if [ -n "${{ github.event.inputs.pr_number }}" ]; then
- PR_NUMBER="${{ github.event.inputs.pr_number }}"
+ if [ -n "${GITHUB_EVENT_INPUTS_PR_NUMBER}" ]; then
+ PR_NUMBER="${GITHUB_EVENT_INPUTS_PR_NUMBER}"
 else
 PR_NUMBER=$(cat downloaded-artifact/pr_number.txt)
 fi
@@ -68,6 +70,8 @@ jobs:
 exit 1
 fi
 echo "pr_number=$PR_NUMBER" >> "$GITHUB_OUTPUT"
+ env:
+ GITHUB_EVENT_INPUTS_PR_NUMBER: ${{ github.event.inputs.pr_number }}
 - name: Deploy to Cloudflare Pages
 id: cf_deploy
diff --git a/.github/workflows/link_checker.yaml b/.github/workflows/link_checker.yaml
index 32443255d61..5ba1764c428 100644
--- a/.github/workflows/link_checker.yaml
+++ b/.github/workflows/link_checker.yaml
@@ -27,6 +27,7 @@ jobs:
 with:
 ref: ${{ github.event.pull_request.head.sha }}
 fetch-depth: 0
+ persist-credentials: false
 - name: Identify Changed Files
 id: changed-files
@@ -54,7 +55,7 @@ jobs:
 - name: Restore lychee cache
 if: steps.changed-files.outputs.HAS_CHANGES == 'true'
- uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
 with:
 path: .lycheecache
 key: cache-lychee-${{ github.sha }}
diff --git a/.github/workflows/link_checker_report.yaml b/.github/workflows/link_checker_report.yaml
index 43caabd6647..153c9ebbe83 100644
--- a/.github/workflows/link_checker_report.yaml
+++ b/.github/workflows/link_checker_report.yaml
@@ -26,6 +26,7 @@ jobs:
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Link Checker
 id: lychee-check
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index d570fa0d7ec..3b53e01e188 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
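Review bot: Nothing visible in the two Read PR Number hunks restricts `PR_NUMBER` to digits before `echo "pr_number=$PR_NUMBER" >> "$GITHUB_OUTPUT"`. The check between the hunks shows only its `exit 1` / `fi` tail, so what it rejects cannot be confirmed from here. The value comes either from a dispatch input or from `downloaded-artifact/pr_number.txt`, which appears to be produced by the pull-request preview build and should be treated as untrusted; a value containing a newline would add extra `name=value` lines to the output file. If the hidden check does not already enforce this, a guard before the write would close it: `case "$PR_NUMBER" in ''|*[!0-9]*) echo "invalid PR number" >&2; exit 1;; esac`.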
@@ -37,6 +37,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+ with:
+ persist-credentials: false
 - name: Setup Go
 uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
diff --git a/.github/workflows/nightly_tier_report.yml b/.github/workflows/nightly_tier_report.yml
index 592dcd8080f..b0b236781c9 100644
--- a/.github/workflows/nightly_tier_report.yml
+++ b/.github/workflows/nightly_tier_report.yml
@@ -29,9 +29,11 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
+ with:
+ persist-credentials: false
 - name: Setup Go
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+ uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
 go-version-file: 'go.mod'
diff --git a/.github/workflows/publish-mcp.yml b/.github/workflows/publish-mcp.yml
index fb34d5da6fb..3d192a6f52b 100644
--- a/.github/workflows/publish-mcp.yml
+++ b/.github/workflows/publish-mcp.yml
@@ -30,6 +30,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
+ with:
+ persist-credentials: false
 - name: Wait for image in Artifact Registry
 shell: bash
diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
index cc26094d5a1..a428b262ec0 100644
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@@ -29,9 +29,11 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+ with:
+ persist-credentials: false
 - name: Setup Go
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+ uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
 go-version-file: go.mod
diff --git a/.github/workflows/sync-labels.yaml b/.github/workflows/sync-labels.yaml
index f64b612be99..4df688c15b9 100644
--- a/.github/workflows/sync-labels.yaml
+++ b/.github/workflows/sync-labels.yaml
@@ -30,6 +30,8 @@ jobs:
 pull-requests: 'write'
 steps:
 - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+ with:
+ persist-credentials: false
 - uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1.3.0
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index 991c3292a2c..9ae05c9fbcf 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -47,6 +47,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+ with:
+ persist-credentials: false
 - name: Setup Go
 uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0