lywsvip/supabase
1
0
Fork 0
mirror of https://github.com/supabase/supabase.git synced 2026-06-11 15:10:18 +08:00
Code Issues Packages Projects Releases Wiki Activity

chore: cleanup gh actions (#46454)

Browse Source 
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.

YES

## What kind of change does this PR introduce?

Chore, CI hardening


## Additional context

Hardens all GitHub actions to recommendations of
[zizmor](https://docs.zizmor.sh/audits/)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Chores**
* Disabled persistence of checkout credentials across many CI workflows
to reduce credential exposure.
* Upgraded GitHub App token tooling and tightened generated token
permissions for automation.
* Added cooldown/rate-limiting to dependency update automation to reduce
update churn.
* Adjusted workflow-level permissions, required secret inputs for
workflow callers, and refactored some job step logic.

<!-- review_stack_entry_start -->

[![Review Change
Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46454?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)

<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Ali Waseem <waseema393@gmail.com>
This commit is contained in:
Etienne Stalmans
2026-05-28 17:31:04 +02:00
committed by GitHub
parent 7e9badc6b8
commit c9cc6cd835
41 changed files with 114 additions and 47 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
.github/workflows/studio-lint-ratchet-decrease.yml vendored
View File

@@ -16,6 +16,7 @@ jobs:
steps:
- uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
with:
persist-credentials: false
sparse-checkout: |
.github
apps/studio
@@ -38,10 +39,12 @@ jobs:
- name: Generate token
id: app-token
uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
with:
app-id: ${{ secrets.GH_AUTOFIX_APP_ID }}
client-id: ${{ vars.GH_AUTOFIX_APP_CLIENT_ID }}
private-key: ${{ secrets.GH_AUTOFIX_PRIVATE_KEY }}
permission-contents: write
permission-pull-requests: write
- name: Decrease ESLint ratchet baselines and open PR
env: