diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 000000000..90eb809ab --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,22 @@ +# Dependabot configuration for Uptime Kuma +# See: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file + +version: 2 +updates: + # Enable version updates for GitHub Actions + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + day: "monday" + # Group all GitHub Actions updates into a single PR + groups: + github-actions: + patterns: + - "*" + open-pull-requests-limit: 5 + commit-message: + prefix: "chore" + include: "scope" + cooldown: + default-days: 7 diff --git a/.github/workflows/auto-test.yml b/.github/workflows/auto-test.yml index f0dfdfa55..c88a5d695 100644 --- a/.github/workflows/auto-test.yml +++ b/.github/workflows/auto-test.yml @@ -12,12 +12,15 @@ on: branches: [ master, 1.23.X ] paths-ignore: - '*.md' +permissions: {} jobs: auto-test: needs: [ e2e-test ] runs-on: ${{ matrix.os }} timeout-minutes: 15 + permissions: + contents: read strategy: matrix: @@ -31,17 +34,18 @@ jobs: steps: - run: git config --global core.autocrlf false # Mainly for Windows - - uses: actions/checkout@v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: { persist-credentials: false } - name: Cache/Restore node_modules - uses: actions/cache@v4 + uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 id: node-modules-cache with: path: node_modules key: node-modules-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }} - name: Use Node.js ${{ matrix.node }} - uses: actions/setup-node@v6 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version: ${{ matrix.node }} - run: npm install 
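Review bot: The new Dependabot config covers only the `github-actions` ecosystem, while the workflows touched in this same commit key their cache on `**/package-lock.json`, so npm dependencies get no version or security-update PRs from this file. If that is deliberate (npm handled elsewhere), a comment saying so above `updates:` would stop the next reader from "fixing" it; otherwise a second entry with `package-ecosystem: "npm"` and `directory: "/"` is the natural addition. Grouping every action under `patterns: ["*"]` also means one action bump that breaks CI holds back the whole group PR, a trade-off worth a word in the comment above `groups`.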
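Review bot: The new `with: { persist-credentials: false }` line uses flow-mapping style while every other `with:` in this file is a block mapping, which is inconsistent and awkward to extend with a second key; the same line recurs in the other three auto-test hunks and in close-incorrect-issue.yml, codeql-analysis.yml and validate.yml. Prefer the file's block style, `with:` followed by `  persist-credentials: false`. The job-level `permissions: contents: read` under the top-level `permissions: {}` is the right shape, and since none of the visible steps pushes or calls the API, not persisting the token costs nothing; the job's step list continues outside the hunk.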
@@ -56,6 +60,8 @@ jobs: needs: [ e2e-test ] runs-on: ${{ matrix.os }} timeout-minutes: 15 + permissions: + contents: read if: ${{ github.repository == 'louislam/uptime-kuma' }} strategy: matrix: @@ -65,37 +71,41 @@ jobs: steps: - run: git config --global core.autocrlf false # Mainly for Windows - - uses: actions/checkout@v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: { persist-credentials: false } - name: Cache/Restore node_modules - uses: actions/cache@v4 + uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 id: node-modules-cache with: path: node_modules key: node-modules-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }} - name: Use Node.js ${{ matrix.node }} - uses: actions/setup-node@v6 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version: ${{ matrix.node }} - run: npm install --production check-linters: runs-on: ubuntu-latest + permissions: + contents: read steps: - run: git config --global core.autocrlf false # Mainly for Windows - - uses: actions/checkout@v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: { persist-credentials: false } - name: Cache/Restore node_modules - uses: actions/cache@v4 + uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 id: node-modules-cache with: path: node_modules key: node-modules-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }} - name: Use Node.js 20 - uses: actions/setup-node@v6 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version: 20 - run: npm install 
@@ -104,21 +114,24 @@ jobs: e2e-test: needs: [ check-linters ] runs-on: ARM64 + permissions: + contents: read env: PLAYWRIGHT_VERSION: ~1.39.0 steps: - run: git config --global core.autocrlf false # Mainly for Windows - - uses: actions/checkout@v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: { persist-credentials: false } - name: Cache/Restore node_modules - uses: actions/cache@v4 + uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 id: node-modules-cache with: path: node_modules key: node-modules-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }} - name: Setup Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version: 22 - run: npm install diff --git a/.github/workflows/close-incorrect-issue.yml b/.github/workflows/close-incorrect-issue.yml index f618cd7c2..aa7113ed7 100644 --- a/.github/workflows/close-incorrect-issue.yml +++ b/.github/workflows/close-incorrect-issue.yml @@ -3,10 +3,13 @@ name: Close Incorrect Issue on: issues: types: [opened] +permissions: {} jobs: close-incorrect-issue: runs-on: ${{ matrix.os }} + permissions: + issues: write strategy: matrix: @@ -14,11 +17,15 @@ jobs: node-version: [20] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: { persist-credentials: false } - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v6 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version: ${{ matrix.node-version }} - run: npm ci - - run: node extra/close-incorrect-issue.js ${{ secrets.GITHUB_TOKEN }} ${{ github.event.issue.number }} ${{ github.event.issue.user.login }} + - name: Close incorrect issue + run: node extra/close-incorrect-issue.js ${{ secrets.GITHUB_TOKEN }} ${{ github.event.issue.number }} "$ISSUE_USER_LOGIN" + env: + ISSUE_USER_LOGIN: ${{ github.event.issue.user.login }} 
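Review bot: The job now grants only `issues: write` under a top-level `permissions: {}`, yet it still runs `actions/checkout` and `npm ci` in the next hunk; on a private repository checkout needs `contents: read`, so this should be confirmed with an actual run rather than assumed, and the intent is worth recording next to the grant, e.g. `issues: write  # for extra/close-incorrect-issue.js; checkout needs no write access`. The job's `strategy: matrix` continues outside the hunk.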
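Review bot: The token and the issue number are still interpolated into the shell command (`${{ secrets.GITHUB_TOKEN }} ${{ github.event.issue.number }}`), so only one of the three arguments was moved into the environment. The token should follow the same pattern, `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` under `env:` and `"$GITHUB_TOKEN"` in `run:`, which keeps it out of the rendered script text; `issue.number` is an integer from the event payload and so low risk, but moving it too keeps the step uniform. Secrets passed as process arguments are also visible to other processes on the runner, which matters most on shared or self-hosted runners.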
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 0e3b72c4b..aa0b3c860 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -25,19 +25,19 @@ jobs: language: [ 'go', 'javascript-typescript' ] steps: - - name: Checkout repository - uses: actions/checkout@v3 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: { persist-credentials: false } # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/conflict_labeler.yml b/.github/workflows/conflict_labeler.yml index fdcc9c551..65634d11e 100644 --- a/.github/workflows/conflict_labeler.yml +++ b/.github/workflows/conflict_labeler.yml @@ -1,6 +1,11 @@ name: Merge Conflict Labeler -on: +# pull_request_target is safe here because: +# 1. Only uses a pinned trusted action (by SHA) +# 2. Has minimal permissions (contents: read, pull-requests: write) +# 3. Doesn't checkout or execute any untrusted code from PRs +# 4. Only adds/removes labels based on merge conflict status +on: # zizmor: ignore[dangerous-triggers] push: branches: - master @@ -19,7 +24,7 @@ jobs: pull-requests: write steps: - name: Apply label - uses: eps1lon/actions-label-merge-conflict@v3 + uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3.0.3 with: dirtyLabel: 'needs:resolve-merge-conflict' repoToken: '${{ secrets.GITHUB_TOKEN }}' 
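Review bot: This hunk starts at line 25, so the job's `permissions` block is not visible and it cannot be confirmed from here that codeql-analysis.yml received the same top-level `permissions: {}` plus job-level minimum as the other workflows; `github/codeql-action/analyze` needs `security-events: write` (and `contents: read`, plus `actions: read` on private repositories), so if the top-level block was tightened elsewhere in the file that job-level grant must exist or result upload fails. The jump from `codeql-action@v2` to `v4.31.9` skips two majors; the SHA pin is fine, but the `autobuild` step for the `go` matrix entry should be re-verified on a run rather than assumed compatible. Dropping `- name: Checkout repository` also makes the step anonymous in the job log; keeping the name costs nothing.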
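Review bot: The justification comment sits on the `on:` key, but the property it relies on — the job never checks out or executes PR-controlled content — is enforced nowhere in the file, so a later contributor adding `actions/checkout` or an `npm` step to this job would silently void point 3 while `# zizmor: ignore[dangerous-triggers]` keeps the linter quiet. A second comment at the job's `steps:` line, e.g. `# pull_request_target: never add actions/checkout or run PR-controlled code in this job`, puts the warning where such an edit would happen. Point 2 names `contents: read`, which the next hunk's context does not show (only `pull-requests: write` is visible); worth confirming the comment matches the actual block.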
diff --git a/.github/workflows/prevent-file-change.yml b/.github/workflows/prevent-file-change.yml index 0af3a6cbf..3c48dec1b 100644 --- a/.github/workflows/prevent-file-change.yml +++ b/.github/workflows/prevent-file-change.yml @@ -2,13 +2,16 @@ name: prevent-file-change on: pull_request: +permissions: {} jobs: check-file-changes: runs-on: ubuntu-latest + permissions: + pull-requests: read steps: - name: Prevent file change - uses: xalvarez/prevent-file-change-action@v1 + uses: xalvarez/prevent-file-change-action@004d9f17c2e4a7afa037cda5f38dc55a5e9c9c06 # v1.9.1 with: githubToken: ${{ secrets.GITHUB_TOKEN }} # Regex, /src/lang/*.json is not allowed to be changed, except for /src/lang/en.json diff --git a/.github/workflows/stale-bot.yml b/.github/workflows/stale-bot.yml index 60eca6403..8cb8dd55d 100644 --- a/.github/workflows/stale-bot.yml +++ b/.github/workflows/stale-bot.yml @@ -4,12 +4,16 @@ on: schedule: - cron: '0 */6 * * *' #Run every 6 hours +permissions: {} jobs: stale: runs-on: ubuntu-latest + permissions: + actions: write + issues: write steps: - - uses: actions/stale@v9 + - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10.1.1 with: stale-issue-message: |- We are clearing up our old `help`-issues and your issue has been open for 60 days with no activity. @@ -18,10 +22,10 @@ jobs: days-before-close: 7 days-before-pr-stale: -1 days-before-pr-close: -1 - exempt-issue-labels: 'News,Medium,High,discussion,bug,doc,feature-request' + exempt-issue-labels: 'News,discussion,bug,doc,feature-request' exempt-issue-assignees: 'louislam' operations-per-run: 200 - - uses: actions/stale@v9 + - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10.1.1 with: stale-issue-message: |- This issue was marked as `cannot-reproduce` by a maintainer. diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 4dff3689d..3da0f9060 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml 
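Review bot: `actions: write` is a broad grant for a stale bot and carries no explanation; as far as I know actions/stale uses it to manage its own state cache, so a comment such as `actions: write  # stale-action state cache` would keep the next least-privilege pass from removing it. `issues: write` alone is consistent with the config, since `days-before-pr-stale: -1` in the following hunk disables PR handling and no `pull-requests` permission is needed. The v9 to v10.1.1 bump is a major; the inputs shown in the hunk are unchanged, but the full input list continues outside it.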
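Review bot: Dropping `Medium,High` from `exempt-issue-labels` is a policy change — issues carrying those labels will now be marked stale and closed after the configured days — bundled into an otherwise action-pinning and permissions commit. Either it belongs in its own commit with the reason in the description, or a comment on the line should record why those labels no longer exempt an issue (for instance if they were retired). The second `actions/stale` step continues outside the hunk.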
@@ -8,20 +8,21 @@ on: - master - 1.23.X workflow_dispatch: - -permissions: - contents: read - pull-requests: write # enable write permissions for pull request comments +permissions: {} jobs: json-yaml-validate: runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write # enable write permissions for pull request comments steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: { persist-credentials: false } - name: json-yaml-validate id: json-yaml-validate - uses: GrantBirki/json-yaml-validate@v2.4.0 + uses: GrantBirki/json-yaml-validate@9bbaa8474e3af4e91f25eda8ac194fdc30564d96 # v4.0.0 with: comment: "true" # enable comment mode exclude_file: ".github/config/exclude.txt" # gitignore style file for exclusions @@ -29,10 +30,13 @@ jobs: # General validations validate: runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: { persist-credentials: false } - name: Use Node.js 20 - uses: actions/setup-node@v6 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version: 20
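Review bot: `GrantBirki/json-yaml-validate` goes from `v2.4.0` to `v4.0.0`, two major versions, while the hunk keeps the `comment` and `exclude_file` inputs unchanged; a major bump can rename or drop inputs, so these should be checked against the v4 action definition before merge rather than assumed. The job-level `pull-requests: write` is needed only for `comment: "true"`, and on `pull_request` events from forks the GITHUB_TOKEN is read-only regardless, so the comment cannot be posted there — pre-existing, but the move to job-level permissions is the place to record it: `pull-requests: write  # PR comments; read-only on fork PRs`. The step's `with:` block may continue outside the hunk.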