From ebaa98b663c28afe2e988eb0470dd51cd8fdda48 Mon Sep 17 00:00:00 2001 From: Gareth Jones Date: Mon, 22 Apr 2024 07:32:11 +1200 Subject: [PATCH] ci: harden workflows and cancel in-progress workflows whenever new changes are pushed up (#318) This just applies some standard stuff ensuring jobs only have the permissions they actually need and that in-progress jobs are cancelled whenever new changes are pushed up to reduce CI spend. --- .github/workflows/checks.yaml | 25 +++++++++++++++++++++++++ .github/workflows/release.yaml | 8 ++++++++ 2 files changed, 33 insertions(+) diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml index 2f374c7..af5286e 100644 --- a/.github/workflows/checks.yaml +++ b/.github/workflows/checks.yaml @@ -1,6 +1,15 @@ name: Checks on: [pull_request] +concurrency: + # Pushing new changes to a branch will cancel any in-progress CI runs of this workflow + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +# Restrict jobs in this workflow to have no permissions by default; permissions +# should be granted per job as needed using a dedicated `permissions` block +permissions: {} + env: # reduces noise from npm post-install scripts DISABLE_OPENCOLLECTIVE: true @@ -8,6 +17,8 @@ env: jobs: commitlint: + permissions: + contents: read # to fetch code (actions/checkout) runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 @@ -18,6 +29,8 @@ jobs: with: configFile: './package.json' docs: + permissions: + contents: read # to fetch code (actions/checkout) runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 @@ -37,6 +50,8 @@ jobs: | xargs -I '{}' bash -c \ 'echo "::error file={}::This needs to be regenerated by running \`tools:generate-configs-list\`" && false' lint: + permissions: + contents: read # to fetch code (actions/checkout) # prettier-ignore name: Lint on ${{ matrix.os }} with eslint v${{ matrix.eslint }}, using Node.js LTS strategy: 
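Review bot: The commitlint job's `actions/checkout@v4` step (trailing context of this hunk) keeps checkout's default of persisting the job token into `.git/config`, so every later step in the job can still read it even though the job was just scoped to `contents: read`; the docs job's checkout in the next hunk is left the same way, whereas the lint, test and typecheck checkouts in this commit get `persist-credentials: false`. Unless commitlint or the docs generation relies on the persisted credential (nothing in the visible context suggests it does), add `with:` / `persist-credentials: false` under both `- uses: actions/checkout@v4` lines so all five jobs are hardened the same way. Both jobs' step lists continue outside their hunks.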
@@ -47,6 +62,8 @@ jobs: runs-on: ${{ matrix.os }} steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-node@v4 with: node-version: 20.x @@ -56,6 +73,8 @@ jobs: - run: npm install eslint@${{ matrix.eslint }} --no-fund - run: npm run lint test: + permissions: + contents: read # to fetch code (actions/checkout) name: Test on ${{ matrix.os }} using Node.js LTS strategy: fail-fast: false @@ -64,6 +83,8 @@ jobs: runs-on: ${{ matrix.os }} steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-node@v4 with: node-version: 20.x @@ -72,6 +93,8 @@ jobs: - run: npm ci - run: npm run test typecheck: + permissions: + contents: read # to fetch code (actions/checkout) name: Typecheck on ${{ matrix.os }} using Node.js LTS strategy: fail-fast: false @@ -80,6 +103,8 @@ jobs: runs-on: ${{ matrix.os }} steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-node@v4 with: node-version: 20.x diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 555322b..2fa4f3b 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -4,6 +4,10 @@ on: branches: - main +# Restrict jobs in this workflow to have no permissions by default; permissions +# should be granted per job as needed using a dedicated `permissions` block +permissions: {} + env: # reduces noise from npm post-install scripts DISABLE_OPENCOLLECTIVE: true @@ -11,6 +15,10 @@ env: jobs: release: + permissions: + contents: write # to be able to publish a GitHub release + issues: write # to be able to comment on released issues + pull-requests: write # to be able to comment on released pull requests runs-on: ubuntu-latest steps: - uses: actions/checkout@v4
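Review bot: `persist-credentials: false` is added to the lint checkout here, and to the test and typecheck checkouts in the later hunks, without a comment saying why, which makes it easy for a future edit to drop as noise; the other additions in this commit all carry a trailing rationale. A one-line comment at the first occurrence would do, e.g. `persist-credentials: false # keep GITHUB_TOKEN out of .git/config so later steps (npm install scripts, lint) cannot read it`. The steps lists of these jobs continue outside the hunks.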
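Review bot: The release job is granted `contents: write`, `issues: write` and `pull-requests: write`, but its `actions/checkout@v4` step (trailing context of this hunk) still persists that write-capable token into `.git/config`, where later steps such as package install scripts can read it; this is the job where a leaked token matters most, yet it is the only checkout in the commit left at the default. If the release tooling authenticates through the GITHUB_TOKEN environment variable rather than the stored git credential (not determinable from the hunk), add `with:` / `persist-credentials: false` as done for the lint, test and typecheck jobs in checks.yaml. The release job's steps continue outside the hunk.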