File sync from hanakai-rb/repo-sync

github-actions[bot] · github-actions[bot] · commit 0bae738af264 · 2026-03-03T07:59:32.000Z
Updated files:

- .github/workflows/ci.yml
- .github/workflows/pr-comments.yml
- .github/workflows/repo-sync-preview.yml
- .github/workflows/rubocop.yml
- .github/workflows/ci-lint.yml
- zizmor.yml
diff --git a/.github/workflows/ci-lint.yml b/.github/workflows/ci-lint.yml
@@ -0,0 +1,25 @@
+name: CI lint
+
+on:
+  push:
+    branches: ["main", "release-*", "ci/*"]
+    tags: ["v*"]
+  pull_request:
+    branches: ["main", "release-*"]
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: Run zizmor
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -33,11 +33,11 @@ jobs:
       COVERAGE: ${{ matrix.coverage }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98
       - name: Install package dependencies
         run: "[ -e $APT_DEPS ] || sudo apt-get install -y --no-install-recommends $APT_DEPS"
       - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@896e71e063dc0933bb442a54e949d75291991ecb # zizmor: ignore[cache-poisoning]
         with:
           ruby-version: ${{ matrix.ruby }}
           bundler-cache: true
@@ -77,7 +77,7 @@ jobs:
     needs: tests
     steps:
       - name: Trigger release workflow
-        uses: actions/github-script@v7
+        uses: actions/github-script@450193c5abd4cdb17ba9f3ffcfe8f635c4bb6c2a
         with:
           github-token: ${{ secrets.RELEASE_MACHINE_DISPATCH_TOKEN }}
           script: |
diff --git a/.github/workflows/pr-comments.yml b/.github/workflows/pr-comments.yml
@@ -9,7 +9,7 @@
 
 name: PR comments
 
-on:
+on: # zizmor: ignore[dangerous-triggers]
   workflow_run:
     workflows: ["CI"]
     types:
@@ -21,6 +21,8 @@ permissions:
 jobs:
   post-comments:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     if: github.event.workflow_run.event == 'pull_request'
 
     steps:
diff --git a/.github/workflows/repo-sync-preview.yml b/.github/workflows/repo-sync-preview.yml
@@ -1,31 +1,42 @@
 name: Repo-sync preview
 
-on:
+on: # zizmor: ignore[dangerous-triggers]
   workflow_run:
-    workflows: ["CI", "RuboCop"]
+    workflows: ["CI", "RuboCop", "CI lint"]
     types: [completed]
     branches:
       - "ci/repo-sync-preview-*"
 
 jobs:
   report:
     runs-on: ubuntu-latest
+    permissions: {}
+    if: >
+      github.event.workflow_run.event == 'push' &&
+      github.event.workflow_run.head_repository.fork == false
     steps:
       - name: Dispatch status to repo-sync
-        uses: actions/github-script@v7
+        uses: actions/github-script@450193c5abd4cdb17ba9f3ffcfe8f635c4bb6c2a
         with:
           github-token: ${{ secrets.REPO_SYNC_DISPATCH_TOKEN }}
           script: |
+            const { BRANCH, REPO, WORKFLOW, STATUS, RUN_URL } = process.env;
             await github.rest.actions.createWorkflowDispatch({
               owner: "hanakai-rb",
               repo: "repo-sync",
               workflow_id: "aggregate-preview-status.yml",
               ref: "main",
               inputs: {
-                pr_number: "${{ github.event.workflow_run.head_branch }}".replace("ci/repo-sync-preview-", ""),
-                repo_name: "${{ github.repository }}",
-                workflow_name: "${{ github.event.workflow_run.name }}",
-                status: "${{ github.event.workflow_run.conclusion }}",
-                run_url: "${{ github.event.workflow_run.html_url }}"
+                pr_number: BRANCH.replace("ci/repo-sync-preview-", ""),
+                repo_name: REPO,
+                workflow_name: WORKFLOW,
+                status: STATUS,
+                run_url: RUN_URL
               }
             });
+        env:
+          BRANCH: ${{ github.event.workflow_run.head_branch }}
+          REPO: ${{ github.repository }}
+          WORKFLOW: ${{ github.event.workflow_run.name }}
+          STATUS: ${{ github.event.workflow_run.conclusion }}
+          RUN_URL: ${{ github.event.workflow_run.html_url }}
diff --git a/.github/workflows/rubocop.yml b/.github/workflows/rubocop.yml
@@ -21,10 +21,12 @@ jobs:
       BUNDLE_ONLY: tools
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98
+        with:
+          persist-credentials: false
 
       - name: Set up Ruby 4.0
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@896e71e063dc0933bb442a54e949d75291991ecb # zizmor: ignore[cache-poisoning]
         with:
           ruby-version: 4.0
           bundler-cache: true
diff --git a/zizmor.yml b/zizmor.yml
@@ -0,0 +1,5 @@
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        hanakai-rb/*: ref-pin
