Merge pull request #21185 from emberjs/kg-action-lint

Author: kategengler

.github/actions/setup/action.yml

@@ -24,5 +24,7 @@ runs:
         registry-url: 'https://registry.npmjs.org'
         cache: pnpm
 
-    - run: pnpm install ${{ fromJSON('{"false":"--no-lockfile", "true":"--frozen-lockfile"}')[inputs.use_lockfile] }}
+    - run: pnpm install ${INSTALL_OPTIONS}
+      env: 
+        INSTALL_OPTIONS: ${{ fromJSON('{"false":"--no-lockfile", "true":"--frozen-lockfile"}')[inputs.use_lockfile] }}
       shell: bash

.github/dependabot.yml

@@ -5,14 +5,14 @@ on:
     - cron: '0 20 * * 3' # weekly (Wednesday)
   workflow_dispatch:
 
+permissions:
+  contents: read # PAT used for push
+  
 jobs:
   tests:
     uses: ./.github/workflows/ci-jobs.yml
 
   release:
-    permissions:
-      contents: read # PAT used for push
-
     name: Tag + Push
     runs-on: ubuntu-latest
     needs: [ tests ]
@@ -31,9 +31,9 @@ jobs:
           export NEXT_ALPHA=`node bin/next-alpha-version.js ${LATEST_ALPHA}`
           echo "NEXT_ALPHA=$NEXT_ALPHA" >> $GITHUB_ENV
       - name: bump version
-        run: npm version ${{env.NEXT_ALPHA}} --allow-same-version --no-git-tag-version
+        run: npm version ${NEXT_ALPHA} --allow-same-version --no-git-tag-version
       - name: create tag
-        run: git tag v${{env.NEXT_ALPHA}}-ember-source
+        run: git tag v${NEXT_ALPHA}-ember-source
       - name: push tag
         # Push in a way that WILL trigger other workflows
-        run: git push https://${GITHUB_ACTOR}:${{ secrets.PERSONAL_TOKEN }}@github.com/${GITHUB_REPOSITORY} v${{env.NEXT_ALPHA}}-ember-source
+        run: git push https://${GITHUB_ACTOR}:${{ secrets.PERSONAL_TOKEN }}@github.com/${GITHUB_REPOSITORY} v${NEXT_ALPHA}-ember-source

.github/workflows/alpha-releases.yml

@@ -14,6 +14,8 @@ jobs:
       matrix: ${{ steps.set-matrix.outputs.matrix }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/setup
       - name: linting
         run: pnpm lint
@@ -28,6 +30,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/setup
       - name: build types
         run: pnpm build:types
@@ -47,6 +51,8 @@ jobs:
         ts-version: ["5.2", "5.3", "5.4", "5.5", "5.6", "5.7", "5.8", "5.9"]
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/setup
       - name: build stable type definitions
         run: pnpm build:types
@@ -60,6 +66,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/setup
       - name: build
         run: pnpm vite build --mode=development
@@ -94,6 +102,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/setup
       - name: build
         run: pnpm vite build --mode=${{ matrix.BUILD || 'development' }}
@@ -114,6 +124,8 @@ jobs:
     needs: [basic-test, lint, types]
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/setup
       - name: build
         env:
@@ -144,6 +156,8 @@ jobs:
       matrix: ${{fromJson(needs.lint.outputs.matrix)}}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/setup
         with:
           use_lockfile: "false"
@@ -152,14 +166,18 @@ jobs:
       - name: test
         working-directory: smoke-tests/scenarios
         run: |
-          ${{ matrix.command }}
+          ${MATRIX_COMMAND}
+        env:
+          MATRIX_COMMAND: ${{ matrix.command }}
 
   node-test:
     name: Node.js Tests
     runs-on: ubuntu-latest
     needs: [basic-test, lint, types]
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/setup
       - name: build
         env:
@@ -174,6 +192,8 @@ jobs:
     needs: [lint]
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/setup
       - name: test
         run: pnpm test:blueprints
@@ -184,6 +204,8 @@ jobs:
     needs: [basic-test, lint, types]
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/setup
       - name: build
         run: pnpm vite build --mode=development
@@ -202,6 +224,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
       - uses: ./.github/actions/setup
       - name: Check that the perf script works, so we don't regress
         run: RUNS='2' pnpm bench

.github/workflows/ci-jobs.yml

@@ -28,7 +28,7 @@ jobs:
     # Only run on pushes to branches that are not from the cron workflow
     if: github.event_name == 'push' && contains(github.ref, 'cron') != true
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # zizmor: ignore[artipacked] creds are used for build-for-publishing.js
       - uses: ./.github/actions/setup
       - name: build for publish
         run: node bin/build-for-publishing.js
@@ -46,7 +46,7 @@ jobs:
     # Only run on pushes to main
     if: github.event_name == 'push' && github.ref == 'refs/heads/main'
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # zizmor: ignore[artipacked] creds are used for build-for-publishing.js
       - uses: ./.github/actions/setup
       - name: build for publish
         run: node bin/build-for-publishing.js

.github/workflows/ci.yml

@@ -10,6 +10,9 @@ on:
         required: true
         description: Tag name or branch or ref to generate docs for
 
+permissions: 
+  contents: read
+  
 jobs:
   generate-and-pr:
     runs-on: ubuntu-latest
@@ -20,18 +23,21 @@ jobs:
           repository: emberjs/ember.js
           path: ember.js
           ref: ${{ inputs.ref || github.ref_name }}
+          persist-credentials: false
 
       - name: Checkout ember-jsonapi-docs
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: kategengler/ember-jsonapi-docs
           path: ember-jsonapi-docs
+          persist-credentials: false
 
       - name: Checkout ember-api-docs-data
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: ember-learn/ember-api-docs-data
           path: ember-api-docs-data
+          persist-credentials: false
 
       - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
         name: Install pnpm
@@ -42,6 +48,7 @@ jobs:
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: '20'
+          package-manager-cache: false
 
       - name: Install dependencies for ember-jsonapi-docs
         run: pnpm install
@@ -58,16 +65,20 @@ jobs:
         working-directory: ember.js
 
       - name: Generate API docs
-        run: pnpm run gen --project ember --version "${{ steps.pkg.outputs.version }}"
+        run: pnpm run gen --project ember --version "${STEPS_PKG_OUTPUTS_VERSION}"
         working-directory: ember-jsonapi-docs
+        env:
+          STEPS_PKG_OUTPUTS_VERSION: ${{ steps.pkg.outputs.version }}
 
       - name: Commit changes
         run: |
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
           git add .
-          git commit -m "Add docs for Ember ${{ steps.pkg.outputs.version }}"
+          git commit -m "Add docs for Ember ${STEPS_PKG_OUTPUTS_VERSION}"
         working-directory: ember-api-docs-data
+        env:
+          STEPS_PKG_OUTPUTS_VERSION: ${{ steps.pkg.outputs.version }}
 
       - name: Fix docs, commit, push
         run: |

.github/workflows/docs.yml

@@ -9,6 +9,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/setup
       - run: pnpm build
       - run: pnpm add --save-dev typescript@latest --workspace-root

.github/workflows/night-ts.yml

@@ -15,6 +15,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/setup
       - uses: wyvox/pkg-size@4c68a40496b9dd2d228575f8738cdfa4ad277754
         with:

.github/workflows/package-size.yml

@@ -6,7 +6,6 @@ on:
 
 permissions:
   contents: read
-  issues: write
   pull-requests: read
 
 jobs:
@@ -61,6 +60,8 @@ jobs:
   comment-if-fix:
     name: Comment on PR if title includes "Fix" without a bracket tag
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
     steps:
       - name: Validate title
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0

.github/workflows/pr-title-lint.yml

@@ -5,6 +5,9 @@ on:
     tags:
       - 'v*'
 
+permissions:
+  contents: read
+  
 jobs:
   tests:
     uses: ./.github/workflows/ci-jobs.yml
@@ -16,7 +19,7 @@ jobs:
       contents: read
       id-token: write
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # zizmor: ignore[artipacked] creds are used for build-for-publishing.js
       - uses: ./.github/actions/setup
         with:
           node-version: 20