From 55340e5e826f2f92bfcafdac6911f7407a4fa5fa Mon Sep 17 00:00:00 2001 From: timo <22354443+tnkuehne@users.noreply.github.com> Date: Wed, 26 Nov 2025 17:37:24 +0100 Subject: [PATCH 1/4] Generate provenance statement on release to increase security --- .github/workflows/release.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index bd16a85490..4df4437ff2 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -7,6 +7,9 @@ on: concurrency: ${{ github.workflow }}-${{ github.ref }} +permissions: + id-token: write + jobs: release: name: Release @@ -27,3 +30,4 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }} NPM_TOKEN: ${{ secrets.NPM_TOKEN }} + NPM_CONFIG_PROVENANCE: true From b3781c20f485eeaa8565a34667ff7a3725b358c2 Mon Sep 17 00:00:00 2001 From: moklick Date: Wed, 6 May 2026 12:41:43 +0200 Subject: [PATCH 2/4] chore(gh-actions): update --- .github/actions/ci-setup/action.yml | 4 ++-- .github/workflows/release.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/actions/ci-setup/action.yml b/.github/actions/ci-setup/action.yml index 5ac0769936..4806c9e71f 100644 --- a/.github/actions/ci-setup/action.yml +++ b/.github/actions/ci-setup/action.yml @@ -4,9 +4,9 @@ runs: using: 'composite' steps: - name: Setup pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@v6 - name: Setup node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@v6 with: node-version: 20.x - name: Install dependencies diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index bd16a85490..27a2c26881 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repo - uses: actions/checkout@v4 + uses: actions/checkout@v6 - uses: ./.github/actions/ci-setup - uses: ./.github/actions/ci-checks 
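Review bot: The top-level `permissions:` block added in the first release.yml hunk lists only `id-token: write`, which sets every unlisted GITHUB_TOKEN scope (including `contents`) to none and grants OIDC token minting to every job the workflow has or later gains. Declaring it on the job keeps the grant scoped and explicit: under `release:` add `permissions:` with `contents: read` and `id-token: write`. The context in the second patch shows the same job running `./.github/actions/ci-setup` (which does `pnpm install`) and `./.github/actions/ci-checks` before publishing, so dependency install and check scripts run where the OIDC request credentials are available. Moving the publish into its own job that alone holds `id-token: write` would narrow that, if the release tooling allows it. The `release` job body continues outside the hunk.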
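Review bot: In the second release.yml hunk, `NPM_TOKEN` stays as a long-lived publish secret beside the added `NPM_CONFIG_PROVENANCE: true`, so the attestation records where a release was built but does not limit what a leaked token can publish from elsewhere. Consumers only benefit if they verify it (for example with `npm audit signatures`), and as a follow-up npm's OIDC trusted publishing could replace the stored token, assuming the npm CLI used by the release step supports it. I would also quote the value and document the dependency: `NPM_CONFIG_PROVENANCE: 'true' # needs id-token: write; npm attaches a signed provenance attestation on publish`. The step this `env:` belongs to starts outside the hunk.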
From 5d68c3a381c54ddf19d01b4b5d3ab3a8189f9532 Mon Sep 17 00:00:00 2001 From: moklick Date: Wed, 6 May 2026 12:44:30 +0200 Subject: [PATCH 3/4] chore(gh-actions): update --- .github/workflows/codespell.yml | 2 +- .github/workflows/dispatchWebsiteUpdate.yaml | 2 +- .github/workflows/playwright.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml index 7c9eafb17b..5c229bbba3 100644 --- a/.github/workflows/codespell.yml +++ b/.github/workflows/codespell.yml @@ -18,6 +18,6 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Codespell uses: codespell-project/actions-codespell@v2 diff --git a/.github/workflows/dispatchWebsiteUpdate.yaml b/.github/workflows/dispatchWebsiteUpdate.yaml index b769e571dd..7271302171 100644 --- a/.github/workflows/dispatchWebsiteUpdate.yaml +++ b/.github/workflows/dispatchWebsiteUpdate.yaml @@ -21,7 +21,7 @@ jobs: echo EOF } >> "$GITHUB_ENV" - name: Dispatch Website Update - uses: peter-evans/repository-dispatch@v3 + uses: peter-evans/repository-dispatch@v4 with: repository: xyflow/web token: ${{ secrets.PAT }} diff --git a/.github/workflows/playwright.yml b/.github/workflows/playwright.yml index ac478a2e0f..d1935e8e9e 100644 --- a/.github/workflows/playwright.yml +++ b/.github/workflows/playwright.yml @@ -16,7 +16,7 @@ jobs: image: mcr.microsoft.com/playwright:v1.51.1-jammy steps: - name: Checkout repo - uses: actions/checkout@v4 + uses: actions/checkout@v6 - uses: ./.github/actions/ci-setup - uses: ./.github/actions/ci-checks - name: Run your tests From 34899901b850c7e156f043cf9dff4553173c8889 Mon Sep 17 00:00:00 2001 From: moklick Date: Wed, 6 May 2026 12:46:03 +0200 Subject: [PATCH 4/4] chore(gh-actions): update --- .github/actions/ci-setup/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/actions/ci-setup/action.yml b/.github/actions/ci-setup/action.yml index 4806c9e71f..902a602895 100644 --- a/.github/actions/ci-setup/action.yml +++ b/.github/actions/ci-setup/action.yml @@ -8,7 +8,7 @@ runs: - name: Setup node.js uses: actions/setup-node@v6 with: - node-version: 20.x + node-version: 24.x - name: Install dependencies run: pnpm install shell: bash