diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 3e9248e06d0..b4751eaaa71 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,6 +4,8 @@ updates: directory: '/' schedule: interval: 'weekly' + cooldown: + default-days: 7 ignore: - dependency-name: '*' update-types: diff --git a/.github/workflows/ai-tests.yml b/.github/workflows/ai-tests.yml index 8596d3eacd2..7594f14fa94 100644 --- a/.github/workflows/ai-tests.yml +++ b/.github/workflows/ai-tests.yml @@ -34,6 +34,7 @@ jobs: steps: - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: + persist-credentials: false sparse-checkout: | packages patches diff --git a/.github/workflows/authorize-vercel-deploys.yml b/.github/workflows/authorize-vercel-deploys.yml index 967dff10d78..2fce600a211 100644 --- a/.github/workflows/authorize-vercel-deploys.yml +++ b/.github/workflows/authorize-vercel-deploys.yml @@ -25,6 +25,7 @@ jobs: - name: Check out repo uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: + persist-credentials: false ref: master # fetch only the root files and scripts folder sparse-checkout: | diff --git a/.github/workflows/autofix_linters.yml b/.github/workflows/autofix_linters.yml index 85284a5f4e9..5f3e16d81f5 100644 --- a/.github/workflows/autofix_linters.yml +++ b/.github/workflows/autofix_linters.yml @@ -81,9 +81,9 @@ jobs: steps: - name: Generate token id: app-token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: - app-id: ${{ secrets.GH_AUTOFIX_APP_ID }} + client-id: ${{ vars.GH_AUTOFIX_APP_CLIENT_ID }} private-key: ${{ secrets.GH_AUTOFIX_PRIVATE_KEY }} permission-contents: write diff --git a/.github/workflows/avoid-typos.yml b/.github/workflows/avoid-typos.yml index 0b1b4004d72..1102aedef59 100644 --- a/.github/workflows/avoid-typos.yml +++ b/.github/workflows/avoid-typos.yml 
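Review bot: The new `cooldown: default-days: 7` in .github/dependabot.yml has no comment saying why seven days was chosen, and a cooldown is a security control rather than a scheduling preference, so the intent should be recorded next to the key. Suggested comment above `cooldown:`: `# Hold new releases for 7 days before proposing them, so versions pulled shortly after publication (a common window for compromised packages) are not auto-merged.` The `ignore:` list that follows is outside the hunk, so I cannot tell whether the cooldown also needs a per-ecosystem override there.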
@@ -18,6 +18,8 @@ jobs: steps: - name: Check out code. uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 + with: + persist-credentials: false - name: misspell uses: reviewdog/action-misspell@9daa94af4357dddb6fd3775de806bc0a8e98d3e4 # v1.26.3 with: diff --git a/.github/workflows/braintrust-evals.yml b/.github/workflows/braintrust-evals.yml index cf3e7ee8fa2..a2f9075f913 100644 --- a/.github/workflows/braintrust-evals.yml +++ b/.github/workflows/braintrust-evals.yml @@ -30,6 +30,7 @@ jobs: uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: fetch-depth: 0 + persist-credentials: false # For PR events, checkout the actual branch so Braintrust can report the correct branch name instead of detached HEAD. # github.head_ref is the PR source branch, github.ref_name is the fallback for push events (e.g., master). ref: ${{ github.head_ref || github.ref_name }} diff --git a/.github/workflows/braintrust-preview-scorers-cleanup.yml b/.github/workflows/braintrust-preview-scorers-cleanup.yml index 8e4a2fe66cf..abe53efb2d4 100644 --- a/.github/workflows/braintrust-preview-scorers-cleanup.yml +++ b/.github/workflows/braintrust-preview-scorers-cleanup.yml @@ -18,6 +18,7 @@ jobs: - name: Checkout uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: + persist-credentials: false ref: ${{ github.event.pull_request.head.sha }} - name: Delete preview scorers from staging diff --git a/.github/workflows/braintrust-preview-scorers-deploy.yml b/.github/workflows/braintrust-preview-scorers-deploy.yml index 565d2279476..ca3de102b5c 100644 --- a/.github/workflows/braintrust-preview-scorers-deploy.yml +++ b/.github/workflows/braintrust-preview-scorers-deploy.yml 
@@ -24,14 +24,18 @@ jobs: uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: fetch-depth: 0 + persist-credentials: false ref: ${{ github.head_ref || github.ref_name }} - name: Check for scorer file changes id: changed # On labeled events, always push. On synchronize, only push if scorer files changed. + env: + GH_EVENT_ACTION: ${{ github.event.action }} + GH_EVENT_PR_REF: ${{ github.event.pull_request.base.ref }} run: | - if [[ "${{ github.event.action }}" == "synchronize" ]]; then - changed=$(git diff --name-only origin/${{ github.event.pull_request.base.ref }}...HEAD | grep -E 'evals/scorer' || true) + if [[ "${GH_EVENT_ACTION}" == "synchronize" ]]; then + changed=$(git diff --name-only origin/${GH_EVENT_PR_REF}...HEAD | grep -E 'evals/scorer' || true) if [ -z "$changed" ]; then echo "No scorer files changed, skipping push" echo "skip=true" >> $GITHUB_OUTPUT diff --git a/.github/workflows/braintrust-scorers-deploy.yml b/.github/workflows/braintrust-scorers-deploy.yml index c050a2dd08a..79aec9b7448 100644 --- a/.github/workflows/braintrust-scorers-deploy.yml +++ b/.github/workflows/braintrust-scorers-deploy.yml @@ -24,6 +24,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 + with: + persist-credentials: false - name: Install pnpm uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0 diff --git a/.github/workflows/dashboard-pr-reminder.yml b/.github/workflows/dashboard-pr-reminder.yml index d90bd6a0dcc..d259f80d0d9 100644 --- a/.github/workflows/dashboard-pr-reminder.yml +++ b/.github/workflows/dashboard-pr-reminder.yml @@ -19,6 +19,7 @@ jobs: - name: Checkout repository uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: + persist-credentials: false sparse-checkout: | scripts patches diff --git a/.github/workflows/docs-js-libs-update.yml b/.github/workflows/docs-js-libs-update.yml index 45b5f35c823..d39b7c73d3c 100644 
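Review bot: `${GH_EVENT_PR_REF}` is still expanded unquoted inside the `git diff` command of the rewritten `run:` block in braintrust-preview-scorers-deploy.yml, so moving the expressions into `env:` removes the `${{ }}` template injection but a base ref containing whitespace or glob characters would still be word-split by bash. Quote the revspec: `changed=$(git diff --name-only "origin/${GH_EVENT_PR_REF}...HEAD" | grep -E 'evals/scorer' || true)`, and likewise `>> "$GITHUB_OUTPUT"` on the output line. The step body continues past the end of the hunk, so the remaining branches should get the same quoting.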
--- a/.github/workflows/docs-js-libs-update.yml +++ b/.github/workflows/docs-js-libs-update.yml @@ -24,6 +24,7 @@ jobs: steps: - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: + persist-credentials: false ref: master - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0 @@ -59,10 +60,13 @@ jobs: - name: Generate token id: app-token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: - app-id: ${{ secrets.GH_AUTOFIX_APP_ID }} + client-id: ${{ vars.GH_AUTOFIX_APP_CLIENT_ID }} private-key: ${{ secrets.GH_AUTOFIX_PRIVATE_KEY }} + permission-contents: write + permission-pull-requests: write + - name: Create pull request uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0 diff --git a/.github/workflows/docs-last-changed.yml b/.github/workflows/docs-last-changed.yml index 7760a24f32c..7975c1ce591 100644 --- a/.github/workflows/docs-last-changed.yml +++ b/.github/workflows/docs-last-changed.yml @@ -26,6 +26,7 @@ jobs: uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: fetch-depth: 0 + persist-credentials: false sparse-checkout: | apps/docs patches diff --git a/.github/workflows/docs-lint-v2-scheduled.yml b/.github/workflows/docs-lint-v2-scheduled.yml index 24bf3db1d7a..6ba2b37e371 100644 --- a/.github/workflows/docs-lint-v2-scheduled.yml +++ b/.github/workflows/docs-lint-v2-scheduled.yml @@ -18,6 +18,7 @@ jobs: - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: fetch-depth: 0 + persist-credentials: true sparse-checkout: | supa-mdx-lint.config.toml supa-mdx-lint diff --git a/.github/workflows/docs-lint-v2.yml b/.github/workflows/docs-lint-v2.yml index da3c07edba2..69c5c477436 100644 --- a/.github/workflows/docs-lint-v2.yml +++ b/.github/workflows/docs-lint-v2.yml 
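Review bot: `persist-credentials: true` in docs-lint-v2-scheduled.yml is the one checkout in this commit that explicitly keeps GITHUB_TOKEN in `.git/config`, and nothing in the hunk says why, while the sibling docs-lint-v2.yml checkout in the next hunk sets it to `false`. If a later step pushes with the default token, record that above the key, e.g. `# kept on purpose: the fix-up step below pushes with GITHUB_TOKEN`, and confirm the job's `permissions:` grants no more than `contents: write`; if no step pushes, set it to `false` like the rest. The remainder of the job is outside the hunk, so I cannot tell which case applies.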
@@ -31,6 +31,7 @@ jobs: - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: fetch-depth: 0 + persist-credentials: false sparse-checkout: | supa-mdx-lint.config.toml supa-mdx-lint diff --git a/.github/workflows/docs-mgmt-api-update.yml b/.github/workflows/docs-mgmt-api-update.yml index e04b9354904..b2b27bcba6a 100644 --- a/.github/workflows/docs-mgmt-api-update.yml +++ b/.github/workflows/docs-mgmt-api-update.yml @@ -17,6 +17,7 @@ jobs: steps: - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: + persist-credentials: false ref: master sparse-checkout: | apps/docs @@ -43,10 +44,11 @@ jobs: - name: Generate token id: app-token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: - app-id: ${{ secrets.GH_AUTOFIX_APP_ID }} + client-id: ${{ vars.GH_AUTOFIX_APP_CLIENT_ID }} private-key: ${{ secrets.GH_AUTOFIX_PRIVATE_KEY }} + permission-pull-requests: write - name: Create pull request uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0 diff --git a/.github/workflows/docs-sync-auto-troubleshooting.yml b/.github/workflows/docs-sync-auto-troubleshooting.yml index 333f14f173f..0b01322a161 100644 --- a/.github/workflows/docs-sync-auto-troubleshooting.yml +++ b/.github/workflows/docs-sync-auto-troubleshooting.yml @@ -21,7 +21,7 @@ jobs: with: persist-credentials: true - - name: Install pnpm + - name: Install pnpm uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0 with: run_install: false 
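Review bot: The app token in the second hunk of docs-mgmt-api-update.yml is granted only `permission-pull-requests: write`, but the `peter-evans/create-pull-request` step that follows pushes a branch as well as opening the PR, and with a single `token` input that push also needs `permission-contents: write` — the matching hunk in docs-js-libs-update.yml grants both. The token hunk in update-js-libs.yml has the same gap. If the branch push deliberately uses a different credential, a comment on the `with:` block should say so; otherwise add `permission-contents: write` beside the existing line. The create-pull-request step's inputs are outside the hunk, so this is inferred from the sibling workflows rather than seen.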
@@ -35,19 +35,12 @@ jobs: - name: Install deps run: pnpm install --frozen-lockfile - - name: Decode the GitHub App Private Key - id: decode - run: | - private_key=$(echo "${{ secrets.DOCS_GITHUB_APP_PRIVATE_KEY }}" | base64 --decode | awk 'BEGIN {ORS="\\n"} {print}' | head -c -2) &> /dev/null - echo "::add-mask::$private_key" - echo "private-key=$private_key" >> "$GITHUB_OUTPUT" - - name: Create GitHub App token for supabase/troubleshooting id: app-token - uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: - app-id: ${{ vars.DOCS_GITHUB_APP_ID }} - private-key: ${{ steps.decode.outputs.private-key }} + client-id: ${{ vars.DOCS_GITHUB_APP_CLIENT_ID }} + private-key: ${{ secrets.DOCS_GITHUB_APP_PRIVATE_KEY_V2 }} repositories: troubleshooting permission-contents: read @@ -61,10 +54,11 @@ jobs: - name: Generate PR token id: pr-token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: - app-id: ${{ secrets.GH_AUTOFIX_APP_ID }} + client-id: ${{ vars.GH_AUTOFIX_APP_CLIENT_ID }} private-key: ${{ secrets.GH_AUTOFIX_PRIVATE_KEY }} + permission-pull-requests: write - name: Sync supabase/troubleshooting changes back to supabase/supabase env: diff --git a/.github/workflows/docs-sync-troubleshooting.yml b/.github/workflows/docs-sync-troubleshooting.yml index ce1720cb0b2..43bd118c0f4 100644 --- a/.github/workflows/docs-sync-troubleshooting.yml +++ b/.github/workflows/docs-sync-troubleshooting.yml @@ -26,6 +26,7 @@ jobs: steps: - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: + persist-credentials: false sparse-checkout: | apps/docs patches diff --git a/.github/workflows/docs-sync.yml b/.github/workflows/docs-sync.yml index 437d32ce368..2adb6ea8b9b 100644 
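Review bot: Dropping the `Decode the GitHub App Private Key` step in docs-sync-auto-troubleshooting.yml removes a secret that was interpolated via `${{ }}` into the script text, but the replaced inputs `secrets.DOCS_GITHUB_APP_PRIVATE_KEY` and `vars.DOCS_GITHUB_APP_ID` now appear unused; if no other workflow references them, delete the old secret and rotate that key on the GitHub App, since the `_V2` secret suggests a new key already exists. This workflow's checkout still sets `persist-credentials: true` (context in the earlier hunk of this file); if the sync step authenticates with the app tokens generated here rather than GITHUB_TOKEN, it can be set to `false` like every other checkout in this commit. The sync step itself is outside the hunk.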
--- a/.github/workflows/docs-sync.yml +++ b/.github/workflows/docs-sync.yml @@ -28,6 +28,7 @@ jobs: steps: - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: + persist-credentials: false sparse-checkout: | apps/docs packages diff --git a/.github/workflows/docs-tests-smoke.yml b/.github/workflows/docs-tests-smoke.yml index 0ac43ebcb0c..3a85c188ea9 100644 --- a/.github/workflows/docs-tests-smoke.yml +++ b/.github/workflows/docs-tests-smoke.yml @@ -21,6 +21,7 @@ jobs: steps: - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: + persist-credentials: false sparse-checkout: | apps/docs packages diff --git a/.github/workflows/docs-tests.yml b/.github/workflows/docs-tests.yml index 35ab7b6ef59..2a8de4e5204 100644 --- a/.github/workflows/docs-tests.yml +++ b/.github/workflows/docs-tests.yml @@ -25,6 +25,7 @@ jobs: steps: - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: + persist-credentials: false sparse-checkout: | apps/docs examples diff --git a/.github/workflows/fix-typos.yml b/.github/workflows/fix-typos.yml index bc1ca8cc089..6d4450e5749 100644 --- a/.github/workflows/fix-typos.yml +++ b/.github/workflows/fix-typos.yml @@ -18,14 +18,15 @@ jobs: steps: - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: + persist-credentials: false ref: master - uses: sobolevn/misspell-fixer-action@06ff0b508d4f4c0ba70d15f9a628232c0aade536 # v0.1.0 - name: Generate token id: app-token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: - app-id: ${{ secrets.GH_AUTOFIX_APP_ID }} + client-id: ${{ vars.GH_AUTOFIX_APP_CLIENT_ID }} private-key: ${{ secrets.GH_AUTOFIX_PRIVATE_KEY }} permission-contents: write permission-pull-requests: write 
diff --git a/.github/workflows/mirror.yml b/.github/workflows/mirror.yml index 56169a93802..fc789c86179 100644 --- a/.github/workflows/mirror.yml +++ b/.github/workflows/mirror.yml @@ -6,6 +6,9 @@ on: version: required: true type: string + secrets: + PROD_AWS_ROLE: + required: true workflow_dispatch: inputs: version: diff --git a/.github/workflows/og_images.yml b/.github/workflows/og_images.yml index 02a40a0bf58..99c88ddaed5 100644 --- a/.github/workflows/og_images.yml +++ b/.github/workflows/og_images.yml @@ -22,6 +22,8 @@ jobs: steps: - name: Check out repo uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 + with: + persist-credentials: false - name: Setup the Supabase CLI uses: supabase/setup-cli@b60b5899c73b63a2d2d651b1e90db8d4c9392f51 # v1.6.0 diff --git a/.github/workflows/pg-meta-tests.yml b/.github/workflows/pg-meta-tests.yml index 2c5740b46f3..1119cd57f98 100644 --- a/.github/workflows/pg-meta-tests.yml +++ b/.github/workflows/pg-meta-tests.yml @@ -26,6 +26,7 @@ jobs: steps: - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: + persist-credentials: false sparse-checkout: | packages/pg-meta packages/tsconfig diff --git a/.github/workflows/prettier.yml b/.github/workflows/prettier.yml index 8596073979f..3e74a745d2c 100644 --- a/.github/workflows/prettier.yml +++ b/.github/workflows/prettier.yml @@ -20,6 +20,7 @@ jobs: - name: Check out repo uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: + persist-credentials: false sparse-checkout: | apps blocks diff --git a/.github/workflows/publish_image.yml b/.github/workflows/publish_image.yml index 7b7c7212348..9de76e62f1e 100644 --- a/.github/workflows/publish_image.yml +++ b/.github/workflows/publish_image.yml 
@@ -75,7 +75,8 @@ jobs: image_digest: ${{ steps.build.outputs.digest }} steps: - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - + with: + persist-credentials: false - id: meta uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4.6.0 with: @@ -122,18 +123,22 @@ jobs: password: ${{ secrets.DOCKER_PASSWORD }} - name: Merge multi-arch manifests + env: + IMAGE_VERSION: ${{ needs.settings.outputs.image_version }} + x86_DIGEST: ${{ needs.release_x86.outputs.image_digest }} + ARM_DIGEST: ${{ needs.release_arm.outputs.image_digest }} run: | - docker buildx imagetools create -t supabase/studio:${{ needs.settings.outputs.image_version }} \ - supabase/studio@${{ needs.release_x86.outputs.image_digest }} \ - supabase/studio@${{ needs.release_arm.outputs.image_digest }} + docker buildx imagetools create -t supabase/studio:${IMAGE_VERSION} \ + supabase/studio@${x86_DIGEST} \ + supabase/studio@${ARM_DIGEST} docker buildx imagetools create -t supabase/studio:latest \ - supabase/studio@${{ needs.release_x86.outputs.image_digest }} \ - supabase/studio@${{ needs.release_arm.outputs.image_digest }} + supabase/studio@${x86_DIGEST} \ + supabase/studio@${ARM_DIGEST} echo "Published Registry Images" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY echo "| Image | Link |" >> $GITHUB_STEP_SUMMARY echo "|-------|------|" >> $GITHUB_STEP_SUMMARY - echo "| \`supabase/studio:${{ needs.settings.outputs.image_version }}\` | [View on Docker Hub](https://hub.docker.com/r/supabase/studio/tags?name=${{ needs.settings.outputs.image_version }}) |" >> $GITHUB_STEP_SUMMARY + echo "| \`supabase/studio:${IMAGE_VERSION}\` | [View on Docker Hub](https://hub.docker.com/r/supabase/studio/tags?name=${IMAGE_VERSION}) |" >> $GITHUB_STEP_SUMMARY echo "| \`supabase/studio:latest\` | [View on Docker Hub](https://hub.docker.com/r/supabase/studio/tags?name=latest) |" >> $GITHUB_STEP_SUMMARY publish: 
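Review bot: In the `Merge multi-arch manifests` env block of publish_image.yml, `x86_DIGEST` breaks the upper-case convention used by `IMAGE_VERSION` and `ARM_DIGEST`; rename it `X86_DIGEST` and update its three `${x86_DIGEST}` uses in the script. The digests are also expanded unquoted in the two `docker buildx imagetools create` invocations, so `supabase/studio@"${X86_DIGEST}"` would keep a malformed build output from splitting into extra arguments. Moving the expressions out of the script and into `env:` is the right fix for the expression-injection pattern the old lines had.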
@@ -144,4 +149,5 @@ jobs: uses: ./.github/workflows/mirror.yml with: version: ${{ needs.settings.outputs.image_version }} - secrets: inherit + secrets: + PROD_AWS_ROLE: ${{ secrets.PROD_AWS_ROLE }} diff --git a/.github/workflows/search.yml b/.github/workflows/search.yml index 6ce4cdcbe5e..f75392eb7da 100644 --- a/.github/workflows/search.yml +++ b/.github/workflows/search.yml @@ -42,6 +42,7 @@ jobs: - name: Check out repo uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: + persist-credentials: false sparse-checkout: | apps/docs apps/www/.env.local.example diff --git a/.github/workflows/self-host-tests-smoke.yml b/.github/workflows/self-host-tests-smoke.yml index 1727558d181..f4240f70fbb 100644 --- a/.github/workflows/self-host-tests-smoke.yml +++ b/.github/workflows/self-host-tests-smoke.yml @@ -21,6 +21,7 @@ jobs: steps: - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: + persist-credentials: false sparse-checkout: | docker/ - name: Run docker-compose up diff --git a/.github/workflows/studio-docker-build.yml b/.github/workflows/studio-docker-build.yml index adca02c7a78..221ee2a9252 100644 --- a/.github/workflows/studio-docker-build.yml +++ b/.github/workflows/studio-docker-build.yml @@ -19,6 +19,8 @@ jobs: runs-on: blacksmith-4vcpu-ubuntu-2404 steps: - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 + with: + persist-credentials: false - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 id: filter with: diff --git a/.github/workflows/studio-e2e-test.yml b/.github/workflows/studio-e2e-test.yml index be170f07d38..8c5a2992c9d 100644 --- a/.github/workflows/studio-e2e-test.yml +++ b/.github/workflows/studio-e2e-test.yml @@ -9,10 +9,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true -permissions: - contents: write - pull-requests: write - jobs: test: name: 'E2E tests' 
@@ -26,11 +22,16 @@ jobs: outputs: tests_ran: ${{ steps.filter.outputs.studio == 'true' }} + permissions: + contents: write + env: OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} steps: - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 + with: + persist-credentials: false - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 id: filter with: @@ -128,9 +129,13 @@ jobs: if: ${{ !cancelled() && needs.test.outputs.tests_ran == 'true' }} needs: [test] runs-on: blacksmith-4vcpu-ubuntu-2404 + permissions: + contents: write + pull-requests: write steps: - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - + with: + persist-credentials: false - name: Use Node.js uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: @@ -164,6 +169,7 @@ jobs: merge-results: name: 'E2E results' runs-on: ubuntu-latest + permissions: {} needs: [test] if: ${{ !cancelled() && needs.test.outputs.tests_ran == 'true' }} steps: diff --git a/.github/workflows/studio-lint-ratchet-decrease.yml b/.github/workflows/studio-lint-ratchet-decrease.yml index d29b3721bc2..23aaa0185f3 100644 --- a/.github/workflows/studio-lint-ratchet-decrease.yml +++ b/.github/workflows/studio-lint-ratchet-decrease.yml @@ -16,6 +16,7 @@ jobs: steps: - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: + persist-credentials: false sparse-checkout: | .github apps/studio @@ -38,10 +39,12 @@ jobs: - name: Generate token id: app-token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: - app-id: ${{ secrets.GH_AUTOFIX_APP_ID }} + client-id: ${{ vars.GH_AUTOFIX_APP_CLIENT_ID }} private-key: ${{ secrets.GH_AUTOFIX_PRIVATE_KEY }} + permission-contents: write + permission-pull-requests: write - name: Decrease ESLint ratchet baselines and open PR env: 
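Review bot: The `test` job in studio-e2e-test.yml is given `contents: write` while its checkout now has `persist-credentials: false`, and nothing in the hunk shows which step writes to the repository; a test job normally needs only `contents: read`. If a later step outside the hunk pushes or creates a release with GITHUB_TOKEN, add a comment above the block, e.g. `# contents: write — <step name> pushes with GITHUB_TOKEN` (step name to be filled in), otherwise reduce it to `contents: read`. The `permissions: {}` on `merge-results` and the job-scoped grants on the report job in the later hunks are the right direction.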
diff --git a/.github/workflows/studio-lint-ratchet.yml b/.github/workflows/studio-lint-ratchet.yml index 9a3025584cb..16b0553b9d3 100644 --- a/.github/workflows/studio-lint-ratchet.yml +++ b/.github/workflows/studio-lint-ratchet.yml @@ -22,6 +22,7 @@ jobs: steps: - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: + persist-credentials: false sparse-checkout: | .github apps/studio diff --git a/.github/workflows/studio-unit-tests.yml b/.github/workflows/studio-unit-tests.yml index fa95d796757..d7f9da250d1 100644 --- a/.github/workflows/studio-unit-tests.yml +++ b/.github/workflows/studio-unit-tests.yml @@ -33,6 +33,7 @@ jobs: steps: - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: + persist-credentials: false sparse-checkout: | apps/studio packages @@ -83,6 +84,7 @@ jobs: steps: - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: + persist-credentials: false sparse-checkout: | apps/studio patches diff --git a/.github/workflows/typecheck.yml b/.github/workflows/typecheck.yml index cd3b1d5d5f6..e9fb0896e39 100644 --- a/.github/workflows/typecheck.yml +++ b/.github/workflows/typecheck.yml @@ -23,6 +23,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 + with: + persist-credentials: false - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0 name: Install pnpm diff --git a/.github/workflows/ui-patterns-tests.yml b/.github/workflows/ui-patterns-tests.yml index 4638b4616a1..4b75674a3d7 100644 --- a/.github/workflows/ui-patterns-tests.yml +++ b/.github/workflows/ui-patterns-tests.yml @@ -21,6 +21,7 @@ jobs: steps: - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: + persist-credentials: false sparse-checkout: | packages patches diff --git a/.github/workflows/ui-tests.yml b/.github/workflows/ui-tests.yml index e97bda26030..2379f2f0f93 100644 --- a/.github/workflows/ui-tests.yml 
+++ b/.github/workflows/ui-tests.yml @@ -31,6 +31,7 @@ jobs: - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 if: steps.filter.outputs.relevant == 'true' with: + persist-credentials: false sparse-checkout: | packages patches @@ -72,6 +73,7 @@ jobs: steps: - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: + persist-credentials: false sparse-checkout: | packages/ui patches diff --git a/.github/workflows/update-js-libs.yml b/.github/workflows/update-js-libs.yml index c902baeb3e8..9be69ebdb02 100644 --- a/.github/workflows/update-js-libs.yml +++ b/.github/workflows/update-js-libs.yml @@ -24,6 +24,7 @@ jobs: steps: - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: + persist-credentials: false ref: master - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0 @@ -88,10 +89,11 @@ jobs: - name: Generate token id: app-token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: app-id: ${{ secrets.GH_AUTOFIX_APP_ID }} private-key: ${{ secrets.GH_AUTOFIX_PRIVATE_KEY }} + permission-pull-requests: write - name: Create pull request uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0 @@ -119,4 +121,4 @@ jobs: This PR was created automatically. branch: 'gha/auto-update-js-libs-v${{ github.event.inputs.version }}' - base: 'master' \ No newline at end of file + base: 'master' diff --git a/.github/workflows/update-ssr.yml b/.github/workflows/update-ssr.yml index ee1686ef44e..09cb1a9b289 100644 --- a/.github/workflows/update-ssr.yml +++ b/.github/workflows/update-ssr.yml @@ -24,6 +24,7 @@ jobs: steps: - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: + persist-credentials: false ref: master - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0 
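Review bot: The token hunk in update-js-libs.yml bumps create-github-app-token to v3.2.0 but keeps `app-id: ${{ secrets.GH_AUTOFIX_APP_ID }}`, whereas every other hunk in this commit switches the same app to `client-id: ${{ vars.GH_AUTOFIX_APP_CLIENT_ID }}`; this looks like an oversight and leaves one workflow depending on a secret the others no longer read. Change the line to `client-id: ${{ vars.GH_AUTOFIX_APP_CLIENT_ID }}` so the `GH_AUTOFIX_APP_ID` secret can be retired cleanly.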
@@ -51,10 +52,12 @@ jobs: - name: Generate token id: app-token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: - app-id: ${{ secrets.GH_AUTOFIX_APP_ID }} + client-id: ${{ vars.GH_AUTOFIX_APP_CLIENT_ID }} private-key: ${{ secrets.GH_AUTOFIX_PRIVATE_KEY }} + permission-contents: write + permission-pull-requests: write - name: Create pull request uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0 diff --git a/.github/workflows/validate-pr.yml b/.github/workflows/validate-pr.yml index af68e012b3d..1b10f526421 100644 --- a/.github/workflows/validate-pr.yml +++ b/.github/workflows/validate-pr.yml @@ -5,8 +5,7 @@ on: pull_request: types: [opened, labeled, unlabeled, synchronize, ready_for_review] -permissions: - contents: read +permissions: {} jobs: validate-pr: diff --git a/.github/workflows/www-tests.yml b/.github/workflows/www-tests.yml index 74cc5c34fb1..95410006eeb 100644 --- a/.github/workflows/www-tests.yml +++ b/.github/workflows/www-tests.yml @@ -26,6 +26,7 @@ jobs: steps: - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: + persist-credentials: false sparse-checkout: | apps/www packages diff --git a/examples/edge-functions/.github/workflows/deploy.yaml b/examples/edge-functions/.github/workflows/deploy.yaml index f9fb01d2fac..afbb08da43a 100644 --- a/examples/edge-functions/.github/workflows/deploy.yaml +++ b/examples/edge-functions/.github/workflows/deploy.yaml @@ -6,6 +6,9 @@ on: - main workflow_dispatch: +permissions: + contents: read + jobs: deploy: runs-on: ubuntu-latest 
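Review bot: Replacing the workflow-level `contents: read` with `permissions: {}` in validate-pr.yml leaves GITHUB_TOKEN with no scopes unless the `validate-pr` job declares its own `permissions:` block, and that job body is outside the hunk; a checkout of a private repository or any API call from the job would then fail with 403. If the job already carries a job-level block this is fine; otherwise add `permissions:` under `validate-pr:` with the minimum it needs (for example `pull-requests: read` if it only inspects labels).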
@@ -15,10 +18,12 @@ jobs: SUPABASE_PROJECT_ID: ${{ secrets.SUPABASE_PROJECT_ID }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - - uses: supabase/setup-cli@v1 + - uses: supabase/setup-cli@3c2f5e2ae34c34e428e8e206e2c4d21fa2d20fbf # v2.1.1 with: version: latest - - run: supabase functions deploy --project-ref $SUPABASE_PROJECT_ID \ No newline at end of file + - run: supabase functions deploy --project-ref $SUPABASE_PROJECT_ID
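Review bot: `supabase/setup-cli` in examples/edge-functions/.github/workflows/deploy.yaml is now pinned by commit SHA, but its `version: latest` input (context line) still downloads whichever CLI release is current at run time, so the toolchain that performs the deploy remains unpinned and unreviewable; pin an explicit, quoted CLI version, e.g. `version: '<cli-version>'` (placeholder), and bump it deliberately. The deploy line also expands `$SUPABASE_PROJECT_ID` unquoted; `- run: supabase functions deploy --project-ref "$SUPABASE_PROJECT_ID"` avoids word-splitting if the secret ever contains whitespace.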