7 changes: 6 additions & 1 deletion .github/workflows/auto-close-issues.yml
Expand Up @@ -6,13 +6,18 @@ on:
branches:
- dev-2.0

permissions:
contents: read
issues: write
pull-requests: read

jobs:
close_issues:
if: github.event.pull_request.merged == true
runs-on: ubuntu-latest
steps:
- name: Close linked issues on non-default branches
uses: processing/branch-pr-close-issue@v1
uses: processing/branch-pr-close-issue@9fd7b409a12c677c5cdd8ff82c45600f790074e1 # v1
with:
token: ${{ secrets.GITHUB_TOKEN }}
branch: dev-2.0
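Review bot: The pin comment on the new `uses: processing/branch-pr-close-issue@9fd7b409… # v1` line names a floating major tag rather than the release the SHA resolves to, so a reader cannot verify the pin against a release and Dependabot/Renovate cannot map it to a version; change the comment to the exact tag the commit belongs to, e.g. `# v1.x.y`. The same applies wherever this PR writes `# v1`, `# v3` or `# v4` after a SHA, if those are floating major tags rather than releases. The added `permissions` block is a sensible minimum for an issue-closing job; whether `pull-requests: read` is actually needed depends on whether the action reads the PR through the API, which cannot be confirmed from this hunk.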
8 changes: 6 additions & 2 deletions .github/workflows/ci-lint.yml
Expand Up @@ -7,15 +7,19 @@ on:
pull_request:
branches:
- '*'
permissions:
contents: read

jobs:
lint:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v1
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
persist-credentials: false
- name: Use Node.js 22.x
uses: actions/setup-node@v1
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: 22.x
- name: Get node modules
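Review bot: Style: the new `permissions:` key sits directly under the `on:` block with no separating blank line, while every other workflow in this PR puts one blank line between the two stanzas; add the blank line before `permissions:` for consistency. The rest of the hunk looks right: `persist-credentials: false` is the correct default for a lint job that never pushes, and `contents: read` is all it needs. The steps after `Get node modules` are outside the hunk.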
18 changes: 12 additions & 6 deletions .github/workflows/ci-test.yml
Expand Up @@ -9,6 +9,9 @@ on:
branches:
- '*'

permissions:
contents: read

jobs:
test:
strategy:
Expand All @@ -22,10 +25,12 @@ jobs:
runs-on: ${{ matrix.os }}

steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
persist-credentials: false

- name: Use Node.js 22.x
uses: actions/setup-node@v4
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: 22.x

Expand Down Expand Up @@ -59,7 +64,7 @@ jobs:
CI: true
- name: Upload Visual Test Report
if: always()
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: visual-test-report
path: test/unit/visual/visual-report.html
Expand All @@ -74,9 +79,10 @@ jobs:
CI: true
- name: report test coverage
if: steps.test.outcome == 'success'
run: bash <(curl -s https://codecov.io/bash) -f coverage/coverage-final.json
env:
CI: true
uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
https://about.codecov.io/apr-2021-post-mortem/

This actually happened in 2021: Codecov's Bash Uploader was compromised and attackers stole secrets and tokens from thousands of CI pipelines. @ksen0 @davepagurek @limzykenneth

We're not really utilizing it at the moment so it probably can be skipped entirely. We'll do code coverage in Vitest for 2.x at some point and reporting can either use a service like this or even our own bot.

with:
files: coverage/coverage-final.json
fail_ci_if_error: false
- name: fail job if tests failed
if: steps.test.outcome != 'success'
run: exit 1
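Review bot: The new `codecov/codecov-action` step is invoked without a `token:` input; as far as I know the v4+ uploader only honours tokenless uploads for public fork PRs and rejects uploads from the base repository without `CODECOV_TOKEN`, and `fail_ci_if_error: false` would hide that rejection, so coverage from pushes to the repository's own branches may silently never arrive. If the step stays, add `token: ${{ secrets.CODECOV_TOKEN }}` under `with:` — the secret is empty on fork PRs, so those still fall back to the tokenless path — and keep `fail_ci_if_error: false` so a Codecov outage cannot fail the build. The `if: steps.test.outcome == 'success'` guard and the test step it refers to are unchanged; the test step itself is outside this hunk.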
11 changes: 8 additions & 3 deletions .github/workflows/contributors-png.yml
Expand Up @@ -5,15 +5,20 @@ on:
paths:
- '.all-contributorsrc'

permissions:
contents: read

jobs:
build:
if: github.ref == 'refs/heads/main' && github.repository == 'processing/p5.js'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
persist-credentials: false

- name: Setup Node
uses: actions/setup-node@v4
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: 20

Expand All @@ -30,7 +35,7 @@ jobs:
git checkout -- .

- name: Create Pull Request
uses: peter-evans/create-pull-request@v7
uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11
with:
commit-message: "Update contributors.png from .all-contributorsrc"
branch: update-contributors-png
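Review bot: The workflow-level `permissions: contents: read` added in the first hunk looks incompatible with the `Create Pull Request` step in the second: `peter-evans/create-pull-request` pushes a branch and opens a PR, which with the default `GITHUB_TOKEN` requires `contents: write` and `pull-requests: write`, so after this change the step will fail unless its `token:` input (below the visible hunk) is a PAT or GitHub App token. Either add a job-level override under `build:` — `permissions:` / `  contents: write` / `  pull-requests: write` — or, if a scoped token is passed, note that next to the `uses:` line so the next reader does not widen the workflow-level grant. `persist-credentials: false` on the checkout is fine here because the action pushes with its own token input rather than the checkout's stored credential.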
3 changes: 2 additions & 1 deletion .github/workflows/labeler.yml
Expand Up @@ -3,12 +3,13 @@ on:
issues:
types: [opened, edited]
permissions:
contents: read
issues: write
jobs:
triage:
runs-on: ubuntu-latest
steps:
- uses: github/issue-labeler@v3.2
- uses: github/issue-labeler@98b5412841f6c4b0b3d9c29d53c13fad16bd7de2 # v3.2
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"
configuration-path: .github/labeler.yml
21 changes: 12 additions & 9 deletions .github/workflows/release-workflow-v2.yml
Expand Up @@ -18,13 +18,15 @@ jobs:
INPUT_TOKEN: ${{ secrets.NPM_TOKEN }}
steps:
# 1. Setup
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
with:
persist-credentials: false
- uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
with:
node-version: 22
- name: Get semver info
id: semver
uses: akshens/semver-tag@v4
uses: akshens/semver-tag@8e427cd48c699c97d021df4946f3a0e65af5047e # v4
with:
version: ${{ github.ref_name }}

Expand Down Expand Up @@ -57,7 +59,7 @@ jobs:
# 2. Prepare release files
- run: mkdir release && mkdir p5 && cp -r ./lib/* p5/
- name: Create release zip file
uses: TheDoctor0/zip-release@0.6.2
uses: TheDoctor0/zip-release@09336613be18a8208dfa66bd57efafd9e2685657 # 0.6.2
with:
type: zip
filename: release/p5.zip
Expand All @@ -68,29 +70,30 @@ jobs:

# 3. Release p5.js
- name: Create GitHub release
uses: softprops/action-gh-release@v0.1.15
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
with:
draft: true
prerelease: ${{ steps.semver.outputs.is-prerelease == 'true' }}
files: release/*
generate_release_notes: true
token: ${{ secrets.ACCESS_TOKEN }}
token: ${{ secrets.GITHUB_TOKEN }}
@ksen0 ksen0 Mar 16, 2026

@perminder-17 I don't think the token should change (or, why should it?)

In Step 3 (Release p5.js), the release is created on the same repository, so GITHUB_TOKEN is sufficient. Unlike ACCESS_TOKEN, which is a long-lived Personal Access Token, GITHUB_TOKEN is generated automatically for each workflow run, scoped to the current repository, and expires once the workflow completes. ACCESS_TOKEN is only required in Step 4, where cross-repository access is needed to push changes to the p5.js-website repository. What do you think?

@ksen0 ksen0 Mar 16, 2026

Ah sure! Then GITHUB_TOKEN seems alright, thank you for the explanation

- name: Publish to NPM
uses: JS-DevTools/npm-publish@v1
uses: JS-DevTools/npm-publish@0f451a94170d1699fd50710966d48fb26194d939
with:
token: ${{ secrets.NPM_TOKEN }}
tag: ${{ steps.semver.outputs.is-prerelease != 'true' && 'latest' || 'beta' }}

# 4. Update p5.js website
- name: Clone p5.js website
if: ${{ steps.semver.outputs.is-prerelease != 'true' }}
uses: actions/checkout@v3
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
with:
repository: processing/p5.js-website
ref: '2.0'
path: website
fetch-depth: 0
token: ${{ secrets.ACCESS_TOKEN }}
persist-credentials: false
- name: Updated website files
if: ${{ steps.semver.outputs.is-prerelease != 'true' }}
run: |
Expand All @@ -111,7 +114,7 @@ jobs:
git commit -m "Update p5.js to ${{ github.ref_name }}"
- name: Push updated website repo
if: ${{ steps.semver.outputs.is-prerelease != 'true' }}
uses: ad-m/github-push-action@v0.6.0
uses: ad-m/github-push-action@40bf560936a8022e68a3c00e7d2abefaf01305a6 # v0.6.0
with:
github_token: ${{ secrets.ACCESS_TOKEN }}
branch: '2.0'
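Review bot: The `actions/checkout@f43a0e5f… # v3` and `actions/setup-node@3235b876… # v3` pins in the first hunk keep the release job on the v3 line while `ci-lint.yml` and `ci-test.yml` in this same PR move to `actions/checkout@34e11487… # v4.3.1` and `actions/setup-node@49933ea5… # v4.4.0`; use the same SHAs here, since the v3 releases run on the older Node action runtime that GitHub has been retiring. The `JS-DevTools/npm-publish@0f451a94…` pin on the Publish step carries no version comment, unlike the identical pin in `release-workflow.yml` (`# v1`); add it. Step 4 still hands `secrets.ACCESS_TOKEN` to both `actions/checkout` and `ad-m/github-push-action` — `persist-credentials: false` keeps the PAT out of the checked-out repo's `.git/config`, which is good, but the third-party push action still receives it, so the PAT should be fine-grained and limited to `processing/p5.js-website` contents (its scope is not visible here).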
26 changes: 15 additions & 11 deletions .github/workflows/release-workflow.yml
Expand Up @@ -18,13 +18,15 @@ jobs:
INPUT_TOKEN: ${{ secrets.NPM_TOKEN }}
steps:
# 1. Setup
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
with:
persist-credentials: false
- uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
with:
node-version: 22
- name: Get semver info
id: semver
uses: akshens/semver-tag@v4
uses: akshens/semver-tag@8e427cd48c699c97d021df4946f3a0e65af5047e # v4
with:
version: ${{ github.ref_name }}

Expand All @@ -51,7 +53,7 @@ jobs:
# 2. Prepare release files
- run: mkdir release && mkdir p5 && cp -r ./lib/* p5/
- name: Create release zip file
uses: TheDoctor0/zip-release@0.6.2
uses: TheDoctor0/zip-release@09336613be18a8208dfa66bd57efafd9e2685657 # 0.6.2
with:
type: zip
filename: release/p5.zip
Expand All @@ -62,28 +64,29 @@ jobs:

# 3. Release p5.js
- name: Create GitHub release
uses: softprops/action-gh-release@v0.1.15
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
with:
draft: true
prerelease: ${{ steps.semver.outputs.is-prerelease == 'true' }}
files: release/*
generate_release_notes: true
token: ${{ secrets.ACCESS_TOKEN }}
token: ${{ secrets.GITHUB_TOKEN }}
- name: Publish to NPM
if: ${{ steps.semver.outputs.is-prerelease != 'true' }}
uses: JS-DevTools/npm-publish@v1
uses: JS-DevTools/npm-publish@0f451a94170d1699fd50710966d48fb26194d939 # v1
with:
token: ${{ secrets.NPM_TOKEN }}

# 4. Update p5.js website
- name: Clone p5.js website
if: ${{ steps.semver.outputs.is-prerelease != 'true' }}
uses: actions/checkout@v3
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
with:
repository: processing/p5.js-website
path: website
fetch-depth: 0
token: ${{ secrets.ACCESS_TOKEN }}
persist-credentials: false
- name: Updated website files
if: ${{ steps.semver.outputs.is-prerelease != 'true' }}
run: |
Expand All @@ -104,7 +107,7 @@ jobs:
git commit -m "Update p5.js to ${{ github.ref_name }}"
- name: Push updated website repo
if: ${{ steps.semver.outputs.is-prerelease != 'true' }}
uses: ad-m/github-push-action@v0.6.0
uses: ad-m/github-push-action@40bf560936a8022e68a3c00e7d2abefaf01305a6 # v0.6.0
with:
github_token: ${{ secrets.ACCESS_TOKEN }}
branch: main
Expand All @@ -114,12 +117,13 @@ jobs:
# 5. Update Bower files
- name: Checkout Bower repo
if: ${{ steps.semver.outputs.is-prerelease != 'true' }}
uses: actions/checkout@v3
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
with:
repository: processing/p5.js-release
path: bower
fetch-depth: 0
token: ${{ secrets.ACCESS_TOKEN }}
persist-credentials: false
- name: Copy new version files to Bower repo
if: ${{ steps.semver.outputs.is-prerelease != 'true' }}
run: |
Expand All @@ -135,7 +139,7 @@ jobs:
git commit -m "Update p5.js to ${{ github.ref_name }}"
- name: Push updated Bower repo
if: ${{ steps.semver.outputs.is-prerelease != 'true' }}
uses: ad-m/github-push-action@v0.6.0
uses: ad-m/github-push-action@40bf560936a8022e68a3c00e7d2abefaf01305a6 # v0.6.0
with:
github_token: ${{ secrets.ACCESS_TOKEN }}
branch: master
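Review bot: `INPUT_TOKEN: ${{ secrets.NPM_TOKEN }}` at the top of the first hunk is a job-level `env`, so the npm publish token is exposed to every step of the job — including the third-party `akshens/semver-tag`, `TheDoctor0/zip-release`, `softprops/action-gh-release` and `ad-m/github-push-action` actions pinned below — even though the Publish step already receives it via `with: token: ${{ secrets.NPM_TOKEN }}`; drop the job-level entry so only the publish step sees the secret (the `env:` block starts above the hunk, so first check that nothing else reads `INPUT_TOKEN`). As in the v2 workflow, the `# v3` checkout and setup-node pins here lag the `v4.3.1`/`v4.4.0` SHAs adopted by the CI workflows in this PR; align them. Steps 4 and 5 now set `persist-credentials: false` on checkouts that still pass `token: ${{ secrets.ACCESS_TOKEN }}`, which is the right combination — the PAT authenticates the fetch without being written to `.git/config` — but the following `ad-m/github-push-action` steps still receive the PAT, so its scope should be limited to the two target repositories.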