diff --git a/.github/workflows/auto-close-issues.yml b/.github/workflows/auto-close-issues.yml index a2b3310aae..72ac018794 100644 --- a/.github/workflows/auto-close-issues.yml +++ b/.github/workflows/auto-close-issues.yml @@ -6,13 +6,18 @@ on: branches: - dev-2.0 +permissions: + contents: read + issues: write + pull-requests: read + jobs: close_issues: if: github.event.pull_request.merged == true runs-on: ubuntu-latest steps: - name: Close linked issues on non-default branches - uses: processing/branch-pr-close-issue@v1 + uses: processing/branch-pr-close-issue@9fd7b409a12c677c5cdd8ff82c45600f790074e1 # v1 with: token: ${{ secrets.GITHUB_TOKEN }} branch: dev-2.0 diff --git a/.github/workflows/ci-lint.yml b/.github/workflows/ci-lint.yml index ea1eccbee2..8f5091ec23 100644 --- a/.github/workflows/ci-lint.yml +++ b/.github/workflows/ci-lint.yml @@ -7,15 +7,19 @@ on: pull_request: branches: - '*' +permissions: + contents: read jobs: lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v1 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + persist-credentials: false - name: Use Node.js 22.x - uses: actions/setup-node@v1 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: 22.x - name: Get node modules diff --git a/.github/workflows/ci-test.yml b/.github/workflows/ci-test.yml index e5ceb912c1..484f424510 100644 --- a/.github/workflows/ci-test.yml +++ b/.github/workflows/ci-test.yml @@ -9,6 +9,9 @@ on: branches: - '*' +permissions: + contents: read + jobs: test: strategy: @@ -22,10 +25,12 @@ jobs: runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + persist-credentials: false - name: Use Node.js 22.x - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: 22.x 
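Review bot: In the ci-lint.yml hunk the new `permissions:` block runs straight into `jobs:` with no blank line (the hunk adds exactly four lines: `permissions:`, `contents: read`, `with:`, `persist-credentials: false`), whereas the same block added to auto-close-issues.yml and ci-test.yml in this commit is followed by a blank line; add one after `contents: read` so the files stay consistent. Note also that this hunk is more than a pin: checkout and setup-node jump from `v1` to `v4.3.1` / `v4.4.0`, and a major upgrade of setup-node can change how `node-version: 22.x` is resolved and cached, so it is worth a run of the lint job before merging rather than treating it as a no-op hash swap. The lint job's remaining steps continue outside the hunk.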
@@ -59,7 +64,7 @@ jobs: CI: true - name: Upload Visual Test Report if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: visual-test-report path: test/unit/visual/visual-report.html @@ -74,9 +79,10 @@ jobs: CI: true - name: report test coverage if: steps.test.outcome == 'success' - run: bash <(curl -s https://codecov.io/bash) -f coverage/coverage-final.json - env: - CI: true + uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2 + with: + files: coverage/coverage-final.json + fail_ci_if_error: false - name: fail job if tests failed if: steps.test.outcome != 'success' run: exit 1 \ No newline at end of file diff --git a/.github/workflows/contributors-png.yml b/.github/workflows/contributors-png.yml index 79933b44a4..321b5ddfa5 100644 --- a/.github/workflows/contributors-png.yml +++ b/.github/workflows/contributors-png.yml @@ -5,15 +5,20 @@ on: paths: - '.all-contributorsrc' +permissions: + contents: read + jobs: build: if: github.ref == 'refs/heads/main' && github.repository == 'processing/p5.js' runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + persist-credentials: false - name: Setup Node - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: 20 @@ -30,7 +35,7 @@ jobs: git checkout -- . - name: Create Pull Request - uses: peter-evans/create-pull-request@v7 + uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11 with: commit-message: "Update contributors.png from .all-contributorsrc" branch: update-contributors-png diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 74e500b5e6..cc10da56c3 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml 
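Review bot: The new codecov/codecov-action step in ci-test.yml supplies no `token:` input and sets `fail_ci_if_error: false`, so an upload that Codecov rejects passes silently and coverage can stop being reported with no CI signal. As far as I know the v4+ uploader expects a repository upload token except on Codecov's tokenless path for public-repository fork pull requests; unless this repo relies on that path, add `token: ${{ secrets.CODECOV_TOKEN }}` (secrets are not exposed to fork PRs, which is exactly what the tokenless path covers) and consider `fail_ci_if_error: true` at least for push builds so a broken upload is noticed. The step sits inside a matrix job (`runs-on: ${{ matrix.os }}`) whose definition starts outside this hunk, so the upload runs once per matrix entry.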
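Review bot: The workflow-level `permissions: contents: read` added to contributors-png.yml looks too narrow for this job: the later Create Pull Request step (peter-evans/create-pull-request, pinned in the second hunk of this file) has to push the `update-contributors-png` branch and open a pull request, which with the default GITHUB_TOKEN needs `contents: write` and `pull-requests: write`. That step's `token:` input is outside the hunk; if it uses a PAT the read-only grant is fine, otherwise add a job-level block under `build:` — `permissions:` / `contents: write` / `pull-requests: write` — and keep the workflow default read-only. The `build` job's steps continue outside both hunks.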
@@ -3,12 +3,13 @@ on: issues: types: [opened, edited] permissions: + contents: read issues: write jobs: triage: runs-on: ubuntu-latest steps: - - uses: github/issue-labeler@v3.2 + - uses: github/issue-labeler@98b5412841f6c4b0b3d9c29d53c13fad16bd7de2 # v3.2 with: repo-token: "${{ secrets.GITHUB_TOKEN }}" configuration-path: .github/labeler.yml diff --git a/.github/workflows/release-workflow-v2.yml b/.github/workflows/release-workflow-v2.yml index 6574cc0e88..216d6e7b9d 100644 --- a/.github/workflows/release-workflow-v2.yml +++ b/.github/workflows/release-workflow-v2.yml @@ -18,13 +18,15 @@ jobs: INPUT_TOKEN: ${{ secrets.NPM_TOKEN }} steps: # 1. Setup - - uses: actions/checkout@v3 - - uses: actions/setup-node@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + with: + persist-credentials: false + - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version: 22 - name: Get semver info id: semver - uses: akshens/semver-tag@v4 + uses: akshens/semver-tag@8e427cd48c699c97d021df4946f3a0e65af5047e # v4 with: version: ${{ github.ref_name }} @@ -57,7 +59,7 @@ jobs: # 2. Prepare release files - run: mkdir release && mkdir p5 && cp -r ./lib/* p5/ - name: Create release zip file - uses: TheDoctor0/zip-release@0.6.2 + uses: TheDoctor0/zip-release@09336613be18a8208dfa66bd57efafd9e2685657 # 0.6.2 with: type: zip filename: release/p5.zip 
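Review bot: The release workflows stay on actions/checkout and actions/setup-node v3 (comments `# v3`) while every CI workflow in this commit moves to the v4.3.1 / v4.4.0 SHAs; these are the jobs that hold `NPM_TOKEN` (visible as `INPUT_TOKEN`) and `ACCESS_TOKEN`, so they are where being on a maintained major matters most. If staying on v3 is deliberate, say so next to the pin, e.g. `# v3 kept: <reason>`; otherwise pin the same v4 SHAs used in ci-test.yml. A version comment naming only the major also makes the SHA harder to audit and, as I understand it, harder for Dependabot/Renovate to keep updated, since they match on the exact release tag — prefer the full tag the SHA corresponds to. The same applies to the first hunk (@@ -18) of release-workflow.yml.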
@@ -68,15 +70,15 @@ jobs: # 3. Release p5.js - name: Create GitHub release - uses: softprops/action-gh-release@v0.1.15 + uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15 with: draft: true prerelease: ${{ steps.semver.outputs.is-prerelease == 'true' }} files: release/* generate_release_notes: true - token: ${{ secrets.ACCESS_TOKEN }} + token: ${{ secrets.GITHUB_TOKEN }} - name: Publish to NPM - uses: JS-DevTools/npm-publish@v1 + uses: JS-DevTools/npm-publish@0f451a94170d1699fd50710966d48fb26194d939 with: token: ${{ secrets.NPM_TOKEN }} tag: ${{ steps.semver.outputs.is-prerelease != 'true' && 'latest' || 'beta' }} @@ -84,13 +86,14 @@ jobs: # 4. Update p5.js website - name: Clone p5.js website if: ${{ steps.semver.outputs.is-prerelease != 'true' }} - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 with: repository: processing/p5.js-website ref: '2.0' path: website fetch-depth: 0 token: ${{ secrets.ACCESS_TOKEN }} + persist-credentials: false - name: Updated website files if: ${{ steps.semver.outputs.is-prerelease != 'true' }} run: | @@ -111,7 +114,7 @@ jobs: git commit -m "Update p5.js to ${{ github.ref_name }}" - name: Push updated website repo if: ${{ steps.semver.outputs.is-prerelease != 'true' }} - uses: ad-m/github-push-action@v0.6.0 + uses: ad-m/github-push-action@40bf560936a8022e68a3c00e7d2abefaf01305a6 # v0.6.0 with: github_token: ${{ secrets.ACCESS_TOKEN }} branch: '2.0' diff --git a/.github/workflows/release-workflow.yml b/.github/workflows/release-workflow.yml index 714f0890d0..40a944fa60 100644 --- a/.github/workflows/release-workflow.yml +++ b/.github/workflows/release-workflow.yml 
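Review bot: Switching the Create GitHub release step from `secrets.ACCESS_TOKEN` to `secrets.GITHUB_TOKEN` changes what the job's token must be allowed to do, but neither release workflow gains a `permissions:` block in this commit (the other workflows do): creating a release needs `contents: write`, so if the repository's default token permissions are read-only this step fails with a 403. Add at job level `permissions:` / `contents: write` (the job header is outside the hunk); the same applies to the @@ -62 hunk of release-workflow.yml. Be aware as well that releases created with GITHUB_TOKEN do not trigger other workflows' `release` events, which is a behaviour change from the PAT if anything downstream listens on them. The JS-DevTools/npm-publish pin in this hunk carries no version comment, unlike the identical pin in release-workflow.yml which is annotated `# v1`; add the comment here for consistency.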
@@ -18,13 +18,15 @@ jobs: INPUT_TOKEN: ${{ secrets.NPM_TOKEN }} steps: # 1. Setup - - uses: actions/checkout@v3 - - uses: actions/setup-node@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + with: + persist-credentials: false + - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version: 22 - name: Get semver info id: semver - uses: akshens/semver-tag@v4 + uses: akshens/semver-tag@8e427cd48c699c97d021df4946f3a0e65af5047e # v4 with: version: ${{ github.ref_name }} @@ -51,7 +53,7 @@ jobs: # 2. Prepare release files - run: mkdir release && mkdir p5 && cp -r ./lib/* p5/ - name: Create release zip file - uses: TheDoctor0/zip-release@0.6.2 + uses: TheDoctor0/zip-release@09336613be18a8208dfa66bd57efafd9e2685657 # 0.6.2 with: type: zip filename: release/p5.zip @@ -62,28 +64,29 @@ jobs: # 3. Release p5.js - name: Create GitHub release - uses: softprops/action-gh-release@v0.1.15 + uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15 with: draft: true prerelease: ${{ steps.semver.outputs.is-prerelease == 'true' }} files: release/* generate_release_notes: true - token: ${{ secrets.ACCESS_TOKEN }} + token: ${{ secrets.GITHUB_TOKEN }} - name: Publish to NPM if: ${{ steps.semver.outputs.is-prerelease != 'true' }} - uses: JS-DevTools/npm-publish@v1 + uses: JS-DevTools/npm-publish@0f451a94170d1699fd50710966d48fb26194d939 # v1 with: token: ${{ secrets.NPM_TOKEN }} # 4. Update p5.js website - name: Clone p5.js website if: ${{ steps.semver.outputs.is-prerelease != 'true' }} - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 with: repository: processing/p5.js-website path: website fetch-depth: 0 token: ${{ secrets.ACCESS_TOKEN }} + persist-credentials: false - name: Updated website files if: ${{ steps.semver.outputs.is-prerelease != 'true' }} run: | 
@@ -104,7 +107,7 @@ jobs: git commit -m "Update p5.js to ${{ github.ref_name }}" - name: Push updated website repo if: ${{ steps.semver.outputs.is-prerelease != 'true' }} - uses: ad-m/github-push-action@v0.6.0 + uses: ad-m/github-push-action@40bf560936a8022e68a3c00e7d2abefaf01305a6 # v0.6.0 with: github_token: ${{ secrets.ACCESS_TOKEN }} branch: main @@ -114,12 +117,13 @@ jobs: # 5. Update Bower files - name: Checkout Bower repo if: ${{ steps.semver.outputs.is-prerelease != 'true' }} - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 with: repository: processing/p5.js-release path: bower fetch-depth: 0 token: ${{ secrets.ACCESS_TOKEN }} + persist-credentials: false - name: Copy new version files to Bower repo if: ${{ steps.semver.outputs.is-prerelease != 'true' }} run: | @@ -135,7 +139,7 @@ jobs: git commit -m "Update p5.js to ${{ github.ref_name }}" - name: Push updated Bower repo if: ${{ steps.semver.outputs.is-prerelease != 'true' }} - uses: ad-m/github-push-action@v0.6.0 + uses: ad-m/github-push-action@40bf560936a8022e68a3c00e7d2abefaf01305a6 # v0.6.0 with: github_token: ${{ secrets.ACCESS_TOKEN }} branch: master