Mirrors_Dome/ohmyzsh
1
0
Fork 0
mirror of https://github.com/ohmyzsh/ohmyzsh.git synced 2025-12-07 01:21:48 +08:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

ci: Harden GitHub Actions [StepSecurity] (#13318)

Browse Source
This commit is contained in:
StepSecurity Bot
2025-09-19 08:30:10 -07:00
committed by GitHub
parent c87eb79140
commit 7f3d8a34e2
4 changed files with 32 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
.github/workflows/dependencies.yml vendored
View File

@@ -13,18 +13,23 @@ jobs:
runs-on: ubuntu-latest
if: github.repository == 'ohmyzsh/ohmyzsh'
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@v5
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
fetch-depth: 0
- name: Authenticate as @ohmyzsh
id: generate-token
uses: actions/create-github-app-token@v2
uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
with:
app-id: ${{ secrets.OHMYZSH_APP_ID }}
private-key: ${{ secrets.OHMYZSH_APP_PRIVATE_KEY }}
- name: Setup Python
uses: actions/setup-python@v6
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
with:
python-version: "3.12"
cache: "pip"

14
.github/workflows/installer.yml vendored
View File

@@ -25,8 +25,13 @@ jobs:
- ubuntu-latest
- macos-latest
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
with:
egress-policy: audit
- name: Set up git repository
uses: actions/checkout@v5
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Install zsh
if: runner.os == 'Linux'
run: sudo apt-get update; sudo apt-get install zsh
@@ -41,8 +46,13 @@ jobs:
needs:
- test
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@v5
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Install Vercel CLI
run: npm install -g vercel
- name: Setup project and deploy

7
.github/workflows/main.yml vendored
View File

@@ -23,8 +23,13 @@ jobs:
runs-on: ubuntu-latest
if: github.repository == 'ohmyzsh/ohmyzsh'
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
with:
egress-policy: audit
- name: Set up git repository
uses: actions/checkout@v5
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Install zsh
run: sudo apt-get update; sudo apt-get install zsh
- name: Check syntax

7
.github/workflows/project.yml vendored
View File

@@ -16,9 +16,14 @@ jobs:
runs-on: ubuntu-latest
if: github.repository == 'ohmyzsh/ohmyzsh'
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
with:
egress-policy: audit
- name: Authenticate as @ohmyzsh
id: generate-token
uses: actions/create-github-app-token@v2
uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
with:
app-id: ${{ secrets.OHMYZSH_APP_ID }}
private-key: ${{ secrets.OHMYZSH_APP_PRIVATE_KEY }}