diff --git a/.github/workflows/code_coverage.yml b/.github/workflows/code_coverage.yml
index 6dec3c086..db85a7ca6 100644
--- a/.github/workflows/code_coverage.yml
+++ b/.github/workflows/code_coverage.yml
@@ -2,6 +2,8 @@ on: [push, pull_request]
name: Code Coverage
+permissions: {}
+
jobs: Codecov: name: Code Coverage
@@ -26,7 +28,7 @@ jobs:
profile: minimal components: llvm-tools-preview - name: Rust Cache
- uses: Swatinem/rust-cache@v2.7.7
+ uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6
- name: Install grcov run: if [[ ! -e ~/.cargo/bin/grcov ]]; then cargo install grcov; fi - name: Test
diff --git a/.github/workflows/cont_integration.yml b/.github/workflows/cont_integration.yml
index e517c2bf8..0c8db4581 100644
--- a/.github/workflows/cont_integration.yml
+++ b/.github/workflows/cont_integration.yml
@@ -2,6 +2,8 @@ on: [push, pull_request]
name: CI
+permissions: {}
+
jobs: prepare:
@@ -43,7 +45,7 @@ jobs:
override: true profile: minimal - name: Rust Cache
- uses: Swatinem/rust-cache@v2.7.7
+ uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6
- name: Pin dependencies for 1.75 if: matrix.rust.version == '1.75.0' run: |
@@ -84,7 +86,7 @@ jobs:
profile: minimal # target: "thumbv6m-none-eabi" - name: Rust Cache
- uses: Swatinem/rust-cache@v2.7.7
+ uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6
- name: Check bdk_chain working-directory: ./crates/chain # TODO "--target thumbv6m-none-eabi" should work but currently does not
@@ -118,7 +120,7 @@ jobs:
profile: minimal target: "wasm32-unknown-unknown" - name: Rust Cache
- uses: Swatinem/rust-cache@v2.7.7
+ uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6
- name: Check esplora working-directory: ./crates/esplora run: cargo check --target wasm32-unknown-unknown --no-default-features --features bdk_core/hashbrown,async
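Review bot: The workflow-level `permissions: {}` added in the `@@ -2,6 +2,8` hunk of code_coverage.yml (and identically in the `@@ -2,6 +2,8` hunk of cont_integration.yml and the `@@ -1,4 +1,7` hunk of cron-update-rust.yml) strips every GITHUB_TOKEN scope from every job that does not declare its own `permissions:` block, and no job-level block is added anywhere in this commit. Deny-by-default is the right baseline, but any job that writes back through the token — the cont_integration clippy job visibly passes `${{ secrets.GITHUB_TOKEN }}` to actions-rs/clippy-check, and a scheduled job named "Update rust version" presumably opens a pull request — will now presumably fail with a 403 unless it is granted its specific scopes at job level. The job bodies lie outside these hunks, so this needs to be confirmed by running each workflow on a branch before merging. A comment above the new block, `# Deny-by-default: each job must declare the scopes it actually needs`, would tell the next editor why their job suddenly has no token.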
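Review bot: The new `uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6` line in the `@@ -26,7 +28,7` hunk (and the same replacement in the four cont_integration.yml hunks on this line and the two on the next) carries no human-readable version, so a reader can no longer tell which release the SHA was resolved from, and Dependabot/Renovate rely on a trailing version comment to keep a SHA pin current. The conventional form is `uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # <tag the SHA was resolved from>` with the tag filled in from the upstream release. Pinning to a full SHA is the right hardening against tag re-targeting, but the removed `v2.7.7` is now the only record of the previous version; if the SHA resolves to a newer release this commit is a version bump as well as a pin and the commit message should say so.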
@@ -158,7 +160,7 @@ jobs:
components: clippy override: true - name: Rust Cache
- uses: Swatinem/rust-cache@v2.7.7
+ uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6
- uses: actions-rs/clippy-check@v1 with: token: ${{ secrets.GITHUB_TOKEN }}
@@ -188,7 +190,7 @@ jobs:
override: true profile: minimal - name: Rust Cache
- uses: Swatinem/rust-cache@v2.7.7
+ uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6
- name: Build working-directory: examples/${{ matrix.example-dir }} run: cargo build
diff --git a/.github/workflows/cron-update-rust.yml b/.github/workflows/cron-update-rust.yml
index 2fc212ebd..1264203d5 100644
--- a/.github/workflows/cron-update-rust.yml
+++ b/.github/workflows/cron-update-rust.yml
@@ -1,4 +1,7 @@
name: Update rust version
+
+permissions: {}
+
on: schedule: - cron: "0 0 15 * *" # At 00:00 on day-of-month 15.
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 000000000..0c2aa080d
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,35 @@
+name: Zizmor Actions Analysis
+
+on:
+ push:
+ branches: ["master"]
+ pull_request:
+ branches: ["**"]
+
+jobs:
+ zizmor:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+
+ - name: Rust Cache
+ uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6
+
+ - name: Install zizmor
+ run: cargo install zizmor --locked --version 1.6.0
+
+ - name: Run zizmor 🌈
+ run: zizmor --format sarif . > results.sarif
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: results.sarif
+ category: zizmor
\ No newline at end of file
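Review bot: The `@@ -158,7 +160,7` hunk only swaps the rust-cache pin, but the context line directly after it, `- uses: actions-rs/clippy-check@v1 with: token: ${{ secrets.GITHUB_TOKEN }}`, is the step most affected by this commit's workflow-level `permissions: {}`: clippy-check publishes its results as check runs through the token it is handed, so with no scopes granted it will presumably no longer be able to post annotations. Unless the clippy job already carries a job-level `permissions:` block above this hunk (the job header is outside it), it needs one granting `checks: write` plus `contents: read` for the checkout. Separately, `actions-rs/clippy-check@v1` stays on a floating tag of an archived organisation in a commit whose purpose is SHA-pinning third-party actions, and the new zizmor workflow's unpinned-uses audit will presumably report it; pin it to a commit SHA with the tag in a trailing comment, `uses: actions-rs/clippy-check@<resolved commit SHA> # v1`, or note in the commit message why it is left as is.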
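Review bot: In the new zizmor.yml, `uses: actions/checkout@v4` and `uses: github/codeql-action/upload-sarif@v3` are pinned to floating tags while `Swatinem/rust-cache` two lines apart is pinned to a full SHA, so the file is inconsistent with itself and with the rest of this commit, and zizmor's own unpinned-uses audit will presumably flag the very workflow that runs it. Pin both the same way, `uses: actions/checkout@<resolved commit SHA> # v4` and `uses: github/codeql-action/upload-sarif@<resolved commit SHA> # v3`. The job's `permissions:` block grants only `security-events: write`; the upload-sarif documentation recommends `contents: read` alongside it, and adding it explicitly keeps the checkout from depending on the repository being public. The file also ends without a trailing newline (`\ No newline at end of file`), which yamllint's new-line-at-end-of-file rule will report.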