Skip to content
Security

ci(dependabot-changeset): use a deploy key instead of GITHUB_TOKEN [AR-59671] #1840

Sign in to view logs

ci(dependabot-changeset): use a deploy key instead of GITHUB_TOKEN [AR-59671]

ci(dependabot-changeset): use a deploy key instead of GITHUB_TOKEN [AR-59671] #1840

Workflow file for this run

.github/workflows/security.yml at 5cb6500
name: Security
on:
pull_request:
branches: ['main', 'next']
schedule:
- cron: '0 0 * * 6'
permissions: {}
concurrency:
group: '${{ github.workflow }} @ ${{ github.ref }}'
cancel-in-progress: true
jobs:
CodeQL:
name: CodeQL (${{ matrix.label }})
runs-on: ubuntu-latest
permissions:
contents: read
actions: read
# required for all workflows
security-events: write
# required to fetch internal or private CodeQL packs
packages: read
strategy:
fail-fast: false
matrix:
include:
- label: 'GitHub Actions'
language: actions
- label: 'TypeScript'
language: javascript-typescript
steps:
- name: Checkout repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
- name: Initialize CodeQL
uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
languages: ${{ matrix.language }}
queries: +security-extended
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
category: '/language:${{matrix.language}}'
Zizmor:
name: Zizmor (GitHub Actions)
runs-on: ubuntu-latest
permissions:
security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
steps:
- name: Checkout repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
- name: Run zizmor
uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
with:
min-severity: informational