From 0a7a897360abe23dddea72e9fe467ddcde1c0aad Mon Sep 17 00:00:00 2001
From: "Willow (GHOST)"
Date: Fri, 22 May 2026 23:03:29 +0100
Subject: [PATCH 1/6] chore: don't save git credentials when they're unused
---
 .github/workflows/main.yml | 3 +++
 .github/workflows/validate-pr.yml | 1 +
 2 files changed, 4 insertions(+)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index bdc43c6..8d7e5d6 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -15,6 +15,9 @@ jobs: steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - name: Setup pnpm uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 - name: Use Node v${{ matrix.node-version }}
diff --git a/.github/workflows/validate-pr.yml b/.github/workflows/validate-pr.yml
index a0426e0..e2290d8 100644
--- a/.github/workflows/validate-pr.yml
+++ b/.github/workflows/validate-pr.yml
@@ -12,6 +12,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: false - name: Setup pnpm uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 - name: Use Node.js
From f16260653dca3d380118f671404f7bf3dce533f5 Mon Sep 17 00:00:00 2001
From: "Willow (GHOST)"
Date: Fri, 22 May 2026 23:04:01 +0100
Subject: [PATCH 2/6] chore: add concurrency limits to save on CI time
---
 .github/workflows/main.yml | 4 ++++
 .github/workflows/validate-pr.yml | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 8d7e5d6..56206e3 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -5,6 +5,10 @@ on: branches: [main] pull_request: +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + jobs: test: runs-on: ubuntu-latest
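Review bot: `cancel-in-progress: true` keyed on `${{ github.workflow }}-${{ github.ref }}` also governs the `push` trigger on `main` (the `branches: [main]` context line in this hunk), so two pushes in quick succession cancel the test run of the earlier commit and that commit is left without a completed check. If every commit on main is meant to be tested, restrict cancellation to pull requests: `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`. The validate-pr.yml hunk in the same patch is pull_request-only and is not affected.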
diff --git a/.github/workflows/validate-pr.yml b/.github/workflows/validate-pr.yml
index e2290d8..eafeffa 100644
--- a/.github/workflows/validate-pr.yml
+++ b/.github/workflows/validate-pr.yml
@@ -3,6 +3,10 @@ name: Validate PR on: pull_request: +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + jobs: validate: runs-on: ubuntu-latest
From 4c97bddfcb949e4c1898cc5eeff18dca89ca44a7 Mon Sep 17 00:00:00 2001
From: "Willow (GHOST)"
Date: Fri, 22 May 2026 23:05:58 +0100
Subject: [PATCH 3/6] chore: only run validate on changes to manifests to save time
---
 .github/workflows/validate-pr.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/validate-pr.yml b/.github/workflows/validate-pr.yml
index eafeffa..9a62eac 100644
--- a/.github/workflows/validate-pr.yml
+++ b/.github/workflows/validate-pr.yml
@@ -2,6 +2,8 @@ name: Validate PR on: pull_request: + paths: + - manifests/** concurrency: group: ${{ github.workflow }}-${{ github.ref }}
From 8d906f039d0866051d16db86ce68fab1a8e0eaf0 Mon Sep 17 00:00:00 2001
From: "Willow (GHOST)"
Date: Fri, 22 May 2026 23:06:20 +0100
Subject: [PATCH 4/6] chore: disable cache on publish workflow to help mitigate cache poisioning
---
 .github/workflows/publish.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index b6b7d57..461c57e 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -15,6 +15,8 @@ jobs: - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: 22.x + package-manager-cache: false + cache: '' - run: pnpm install --frozen-lockfile - run: pnpm build - run: pnpm lint
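Review bot: The new `paths:` filter on `pull_request` means "Validate PR" no longer starts for pull requests that leave `manifests/` untouched, and if `validate` is a required status check in branch protection those PRs will wait on a check that never reports. GitHub's documented remedy is either to drop the check from the required list or to add a sibling workflow with the same job name, triggered with `paths-ignore:` / `  - manifests/**`, that simply succeeds. Consider also listing `.github/workflows/validate-pr.yml` under `paths` so a change to the validation workflow itself is exercised before merge; I cannot see what the validate step runs, so other validator source paths may belong there as well.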
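Review bot: `cache: ''` is a no-op next to `package-manager-cache: false`: as I read setup-node's inputs, an empty `cache` is already the default and `package-manager-cache: false` is the knob that turns off the automatic cache in v5 and later (the pinned v6.3.0 included), so the single line `package-manager-cache: false` is sufficient. The same pair is added in the second hunk of this patch (the publish job, replacing `cache: 'pnpm'`). Two inputs for one setting invite a later reader to assume they interact; if the goal is to record intent, a comment such as `# dependency cache deliberately disabled on the release path (cache-poisoning mitigation)` does that more clearly than a redundant input.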
@@ -33,7 +35,8 @@ jobs: with: node-version: 22.x registry-url: 'https://registry.npmjs.org' - cache: 'pnpm' + package-manager-cache: false + cache: '' - run: npm install -g npm@~11.10.0 # Work-around for https://github.com/npm/cli/issues/9151#issuecomment-4131466208 - run: npm install -g npm@latest - run: pnpm install --frozen-lockfile
From dc67ecb68db011923ae3e96a1ba6f3673f25e65b Mon Sep 17 00:00:00 2001
From: "Willow (GHOST)"
Date: Fri, 22 May 2026 23:07:24 +0100
Subject: [PATCH 5/6] fix: validate-pr pnpm caching
---
 .github/workflows/validate-pr.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/validate-pr.yml b/.github/workflows/validate-pr.yml
index 9a62eac..606f401 100644
--- a/.github/workflows/validate-pr.yml
+++ b/.github/workflows/validate-pr.yml
@@ -25,6 +25,7 @@ jobs: uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: 22.x + cache: pnpm - name: Install Dependencies run: pnpm install --frozen-lockfile - name: Validate PR
From bca5dfe8ff40ba2a270329016fd80a64383c5fbb Mon Sep 17 00:00:00 2001
From: "Willow (GHOST)"
Date: Fri, 22 May 2026 23:12:50 +0100
Subject: [PATCH 6/6] chore: set explicit permissions
---
 .github/workflows/main.yml | 2 ++
 .github/workflows/publish.yml | 1 +
 .github/workflows/validate-pr.yml | 2 ++
 3 files changed, 5 insertions(+)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 56206e3..9e1acd6 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -9,6 +9,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: {} + jobs: test: runs-on: ubuntu-latest
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 461c57e..63ad00c 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
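Review bot: A workflow-level `permissions: {}` leaves the `test` job's GITHUB_TOKEN with no scopes, and the `Checkout` step of that job (earlier in the file, outside this hunk) then depends on the repository contents being readable without a token; on a private repository it would need `contents: read`. Stating that on the job, `permissions:` / `  contents: read` under `test:`, keeps the least-privilege default while making the one requirement visible, and is worth confirming against the first run of this workflow either way. The validate-pr.yml hunk in this patch has the same shape and the same consideration.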
@@ -7,6 +7,7 @@ on: jobs: build: runs-on: ubuntu-latest + permissions: {} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with:
diff --git a/.github/workflows/validate-pr.yml b/.github/workflows/validate-pr.yml
index 606f401..b9a021c 100644
--- a/.github/workflows/validate-pr.yml
+++ b/.github/workflows/validate-pr.yml
@@ -9,6 +9,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: {} + jobs: validate: runs-on: ubuntu-latest
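Review bot: publish.yml only receives a job-level `permissions: {}` on `build`; unlike main.yml and validate-pr.yml there is no workflow-level `permissions:`, so the second job (the one around line 35 with `registry-url`, visible in patch 4) keeps the repository's default GITHUB_TOKEN permissions on the one workflow that holds publishing credentials. Add `permissions: {}` at the top of publish.yml and grant the publish job only what it needs: at least `contents: read`, plus `id-token: write` if it publishes with npm provenance or trusted publishing, which I cannot tell from here since that job's steps are outside this patch. That puts the release path on the same least-privilege footing as the other two workflows.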