Ws/security-fixes (#1002)

* fix: fix test.yml

* fix: update permissions

* fix: fix alpha.release.yml

* fix: fix update.yml

* chore: fix versions for pnpm

* chore: proper fix for version

* chore: use env

* chore: remove extra check

* chore: fix exact version

Author: wswebcreation

.github/workflows/alpha.release.yml

@@ -25,15 +25,18 @@ jobs:
   alpha-release:
     name: Alpha Release
     runs-on: ubuntu-latest
-    permissions: write-all
+    permissions:
+      contents: write
+      packages: write
+      id-token: write
 
     strategy:
       matrix:
         node-version: [20.x]
 
     steps:
       - name: ⬇️ Checkout Repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
@@ -44,6 +47,8 @@ jobs:
 
       - name: 🔧 Setup pnpm
         uses: pnpm/action-setup@v4
+        with:
+          version: 9.15.9
 
       - name: 🔧 Setup NPM
         run: |
@@ -52,14 +57,25 @@ jobs:
           npm whoami
 
       - name: 🔧 Setup Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
           cache: pnpm
 
       - name: 🧩 Install Dependencies
         run: pnpm pnpm.install.workaround
 
+      - name: 🔄 Validate Package Directory
+        run: |
+          if [[ ! "${{ github.event.inputs.package_dir }}" =~ ^packages/[a-zA-Z0-9_-]+$ ]]; then
+            echo "Invalid package directory: ${{ github.event.inputs.package_dir }}"
+            exit 1
+          fi
+          if [[ ! -d "${{ github.event.inputs.package_dir }}" ]]; then
+            echo "Package directory does not exist: ${{ github.event.inputs.package_dir }}"
+            exit 1
+          fi
+
       - name: 🔄 Navigate to Package Directory
         run: |
           cd ${{ github.event.inputs.package_dir }}

.github/workflows/deploy-visual-reporter.yml

@@ -26,28 +26,36 @@ jobs:
     steps:
       - name: ⬇️ Checkout Repository
         uses: actions/checkout@v4
+
       - name: 📦 Setup pnpm
         uses: pnpm/action-setup@v4
+        with:
+          version: 9.15.9
+
       - name: 🟢 Setup Node.js ${{ matrix.node-version }}
         uses: actions/setup-node@v3
         with:
           node-version: ${{ matrix.node-version }}
           cache: pnpm
       - name: 🧩 Install Dependencies
         run: pnpm pnpm.install.workaround
+
       - name: 🏗️ Build
         working-directory: packages/visual-reporter
         run: |
           pnpm build
           pnpm script:prepare.report
         env:
           GITHUB_PAGES: "/visual-testing/"
+
       - name: ⚙️ Setup Pages
         uses: actions/configure-pages@v5
+
       - name: 📤 Upload artifact
         uses: actions/upload-pages-artifact@v3
         with:
           path: "packages/visual-reporter/build/client"
+
       - name: 🚀 Deploy to GitHub Pages
         id: deployment
         uses: actions/deploy-pages@v4

.github/workflows/release.yml

@@ -13,15 +13,18 @@ jobs:
   release:
     name: Release
     runs-on: ubuntu-latest
-    permissions: write-all
+    permissions:
+      contents: write
+      packages: write
+      id-token: write
 
     strategy:
       matrix:
         node-version: [20.x]
 
     steps:
       - name: ⬇️ Checkout Repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: 🔧 Setup Git
         run: |
@@ -30,6 +33,8 @@ jobs:
 
       - name: 🔧 Setup pnpm
         uses: pnpm/action-setup@v4
+        with:
+          version: 9.15.9
 
       - name: 🔧 Setup NPM
         run: |
@@ -38,7 +43,7 @@ jobs:
           npm whoami
 
       - name: 🔧 Setup Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
           cache: pnpm

.github/workflows/tests.yml

@@ -5,7 +5,13 @@ on:
     branches:
       - main
   pull_request:
-  pull_request_target:
+
+permissions:
+  contents: read
+  pull-requests: read
+
+env:
+  PNPM_VERSION: 9.15.9+sha256.cf86a7ad764406395d4286a6d09d730711720acc6d93e9dce9ac7ac4dc4a28a7
 
 jobs:
   dependency-check:
@@ -40,18 +46,15 @@ jobs:
 
     steps:
       - name: ⬇️ Checkout Repository
-        uses: actions/checkout@v3
-
-      - name: ⬇️ Checkout PR Repository
-        uses: actions/checkout@v3
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
+        uses: actions/checkout@v4
 
       - name: 📦 Setup pnpm
         uses: pnpm/action-setup@v4
+        with:
+          version: ${{ env.PNPM_VERSION }}
 
       - name: 🟢 Setup Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
           cache: pnpm
@@ -78,20 +81,15 @@ jobs:
 
     steps:
       - name: ⬇️ Checkout Repository
-        if: ${{ github.event_name != 'pull_request_target' }}
-        uses: actions/checkout@v3
-
-      - name: ⬇️ Checkout PR Repository
-        if: ${{ github.event_name == 'pull_request_target' }}
-        uses: actions/checkout@v3
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
+        uses: actions/checkout@v4
 
       - name: 📦 Setup pnpm
         uses: pnpm/action-setup@v4
+        with:
+          version: ${{ env.PNPM_VERSION }}
 
       - name: 🟢 Setup Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
           cache: pnpm
@@ -141,20 +139,15 @@ jobs:
 
     steps:
       - name: ⬇️ Checkout Repository
-        if: ${{ github.event_name != 'pull_request_target' }}
-        uses: actions/checkout@v3
-
-      - name: ⬇️ Checkout PR Repository
-        if: ${{ github.event_name == 'pull_request_target' }}
-        uses: actions/checkout@v3
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
+        uses: actions/checkout@v4
 
       - name: 📦 Setup pnpm
         uses: pnpm/action-setup@v4
+        with:
+          version: ${{ env.PNPM_VERSION }}
 
       - name: 🟢 Setup Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
           cache: pnpm
@@ -204,20 +197,15 @@ jobs:
 
     steps:
       - name: ⬇️ Checkout Repository
-        if: ${{ github.event_name != 'pull_request_target' }}
-        uses: actions/checkout@v3
-
-      - name: ⬇️ Checkout PR Repository
-        if: ${{ github.event_name == 'pull_request_target' }}
-        uses: actions/checkout@v3
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
+        uses: actions/checkout@v4
 
       - name: 📦 Setup pnpm
         uses: pnpm/action-setup@v4
+        with:
+          version: ${{ env.PNPM_VERSION }}
 
       - name: 🟢 Setup Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
           cache: pnpm
@@ -267,20 +255,15 @@ jobs:
 
     steps:
       - name: ⬇️ Checkout Repository
-        if: ${{ github.event_name != 'pull_request_target' }}
-        uses: actions/checkout@v3
-
-      - name: ⬇️ Checkout PR Repository
-        if: ${{ github.event_name == 'pull_request_target' }}
-        uses: actions/checkout@v3
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
+        uses: actions/checkout@v4
 
       - name: 📦 Setup pnpm
         uses: pnpm/action-setup@v4
+        with:
+          version: ${{ env.PNPM_VERSION }}
 
       - name: 🟢 Setup Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
           cache: pnpm
@@ -330,20 +313,15 @@ jobs:
 
     steps:
       - name: ⬇️ Checkout Repository
-        if: ${{ github.event_name != 'pull_request_target' }}
-        uses: actions/checkout@v3
-
-      - name: ⬇️ Checkout PR Repository
-        if: ${{ github.event_name == 'pull_request_target' }}
-        uses: actions/checkout@v3
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
+        uses: actions/checkout@v4
 
       - name: 📦 Setup pnpm
         uses: pnpm/action-setup@v4
+        with:
+          version: ${{ env.PNPM_VERSION }}
 
       - name: 🟢 Setup Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
           cache: pnpm
@@ -393,20 +371,15 @@ jobs:
 
     steps:
       - name: ⬇️ Checkout Repository
-        if: ${{ github.event_name != 'pull_request_target' }}
-        uses: actions/checkout@v3
-
-      - name: ⬇️ Checkout PR Repository
-        if: ${{ github.event_name == 'pull_request_target' }}
-        uses: actions/checkout@v3
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
+        uses: actions/checkout@v4
 
       - name: 📦 Setup pnpm
         uses: pnpm/action-setup@v4
+        with:
+          version: ${{ env.PNPM_VERSION }}
 
       - name: 🟢 Setup Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
           cache: pnpm

.github/workflows/update.yml

@@ -3,8 +3,7 @@
 # Ref: https://github.com/dependabot/fetch-metadata
 name: Auto-merge
 
-# `pull_request_target` means this uses code in the base branch, not the PR.
-on: pull_request_target
+on: pull_request
 
 # Dependabot PRs' tokens have read permissions by default and thus we must enable write permissions.
 permissions:
@@ -20,7 +19,7 @@ jobs:
       # Fetch PR metadata
       - name: Fetch PR metadata
         id: metadata
-        uses: dependabot/fetch-metadata@v1.6.0
+        uses: dependabot/fetch-metadata@v2.0.0
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}