From 27ccf6afdd90271c1788111d2b745f112a8d803c Mon Sep 17 00:00:00 2001
From: Ludy
Date: Thu, 23 Apr 2026 14:30:10 +0200
Subject: [PATCH] chore(ci): consolidate Dependabot directories and pin GitHub Actions in workflow automation (#6172)
---
.github/dependabot.yml | 46 ++++++++------------------
.github/workflows/ai-engine.yml | 14 ++++++--
.github/workflows/aur-publish.yml | 8 ++---
.github/workflows/package-managers.yml | 8 ++---
4 files changed, 33 insertions(+), 43 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 1a811ddfea..48342f8475 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -16,7 +16,13 @@ updates: rebase-strategy: "auto" - package-ecosystem: "docker" - directory: "/" # Location of Dockerfile + directories: + - "/" # Location of Dockerfile + - "/docker/backend" + - "/docker/embedded" + - "/docker/frontend" + - "/docker/base" + - "/docker/engine" schedule: interval: "weekly" rebase-strategy: "auto"
@@ -28,37 +34,18 @@ updates: rebase-strategy: "auto" - package-ecosystem: npm - directory: /devTools - schedule: - interval: "weekly" - rebase-strategy: "auto" - - - package-ecosystem: docker - directory: /docker/backend - schedule: - interval: "weekly" - rebase-strategy: "auto" - - - package-ecosystem: docker - directory: /docker/embedded - schedule: - interval: "weekly" - rebase-strategy: "auto" - - - package-ecosystem: docker - directory: /docker/frontend - schedule: - interval: "weekly" - rebase-strategy: "auto" - - - package-ecosystem: npm - directory: /frontend + directories: + - /devTools + - /frontend schedule: interval: "weekly" rebase-strategy: "auto" - package-ecosystem: cargo - directory: /frontend/src-tauri + directories: + - /frontend/src-tauri + - /frontend/src-tauri/thumbnail-handler + - /frontend/src-tauri/provisioner schedule: interval: "weekly" rebase-strategy: "auto"
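Review bot: The new `directories:` items in the docker entry are written with double quotes (`"/docker/backend"`) while the npm and cargo lists added in the next hunk use bare `/devTools` and `/frontend/src-tauri`; none of these paths start with a YAML indicator, so either form is safe, but one quoting style for paths across dependabot.yml would read better. The trailing `# Location of Dockerfile` comment now sits on only the first item and no longer describes the entry as a whole; either drop it or move it above the list as `# Dockerfile locations, repository root first`. The entry's `schedule:` and `rebase-strategy:` lines are context and unchanged.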
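Review bot: Folding `/frontend/src-tauri/provisioner` into the cargo `directories:` list silently changes its update cadence from `interval: daily` (the entry removed in the following hunk, `@@ -68,8 +55,3 @@`) to `interval: "weekly"`, and neither the subject nor the description mentions it. If daily was deliberate for the provisioner, keep it as its own cargo entry with `schedule:` / `interval: "daily"`; if weekly is acceptable, a sentence in the commit description stating the cadence change is enough. The removed provisioner entry also had no `rebase-strategy`, so it now inherits `"auto"` from the consolidated entry, which is likely the intended behaviour but worth confirming.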
@@ -68,8 +55,3 @@ updates: schedule: interval: "weekly" rebase-strategy: "auto" - - - package-ecosystem: cargo - directory: /frontend/src-tauri/provisioner - schedule: - interval: daily
diff --git a/.github/workflows/ai-engine.yml b/.github/workflows/ai-engine.yml
index a90246f887..33e9c74999 100644
--- a/.github/workflows/ai-engine.yml
+++ b/.github/workflows/ai-engine.yml
@@ -5,6 +5,9 @@ on: branches: [main] pull_request: +permissions: + contents: read + jobs: engine: runs-on: ubuntu-latest
@@ -12,11 +15,16 @@ jobs: contents: read pull-requests: write steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Install uv - uses: astral-sh/setup-uv@v4 + uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a # v4.2.0 with: enable-cache: true
@@ -60,7 +68,7 @@ jobs: - name: Comment on fixer failures if: steps.fixer_changes.outcome == 'failure' && github.event_name == 'pull_request' continue-on-error: true - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0 with: script: | const marker = '';
diff --git a/.github/workflows/aur-publish.yml b/.github/workflows/aur-publish.yml
index 935e58ffe0..a8c240e7fd 100644
--- a/.github/workflows/aur-publish.yml
+++ b/.github/workflows/aur-publish.yml
@@ -26,7 +26,7 @@ jobs: jar_sha256: ${{ steps.hashes.outputs.jar_sha256 }} steps: - name: Harden Runner - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit
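Review bot: The harden-runner step added at the top of the `engine` job in ai-engine.yml runs with `egress-policy: audit`, which only records outbound connections and blocks nothing, so the job's `pull-requests: write` token is not actually protected by it yet. Once the audit output shows which hosts the uv install and the fixer steps need, switch to `egress-policy: block` with an `allowed-endpoints:` list so unexpected egress from a compromised dependency is stopped rather than merely logged. The step name `Harden the runner (Audit all outbound calls)` also differs from the `Harden Runner` name used in aur-publish.yml and package-managers.yml in this same patch; using the same name keeps the three workflows grep-able. The rest of the engine job lies outside the hunk.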
@@ -70,12 +70,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit - name: Checkout repository (for PKGBUILD templates) - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Update stirling-pdf-bin PKGBUILD env:
@@ -118,7 +118,7 @@ jobs: - name: Publish stirling-pdf-server-bin to AUR if: ${{ github.event_name == 'release' || inputs.dry_run == false }} - uses: KSXGitHub/github-actions-deploy-aur@v4.1.1 + uses: KSXGitHub/github-actions-deploy-aur@2ac5a4c1d7035885d46b10e3193393be8460b6f1 # v4.1.1 with: pkgname: stirling-pdf-server-bin pkgbuild: .github/aur/stirling-pdf-server-bin/PKGBUILD
diff --git a/.github/workflows/package-managers.yml b/.github/workflows/package-managers.yml
index 2a435f42e9..0ca7a1e9a2 100644
--- a/.github/workflows/package-managers.yml
+++ b/.github/workflows/package-managers.yml
@@ -2,7 +2,7 @@ name: Update Package Manager Manifests on: release: - types: [released] + types: [ released ] workflow_dispatch: inputs: version:
@@ -29,7 +29,7 @@ jobs: jar_sha256: ${{ steps.hashes.outputs.jar_sha256 }} steps: - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit
@@ -82,12 +82,12 @@ jobs: contents: write steps: - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit - name: Checkout homebrew-stirling-pdf tap (also hosts Scoop bucket) - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: repository: Stirling-Tools/homebrew-stirling-pdf token: ${{ secrets.HOMEBREW_TAP_TOKEN }}