Diffstat (limited to 'vendor/twbs/bootstrap/.github/workflows')
-rw-r--r--vendor/twbs/bootstrap/.github/workflows/browserstack.yml7
-rw-r--r--vendor/twbs/bootstrap/.github/workflows/bundlewatch.yml7
-rw-r--r--vendor/twbs/bootstrap/.github/workflows/calibreapp-image-actions.yml2
-rw-r--r--vendor/twbs/bootstrap/.github/workflows/codeql.yml10
-rw-r--r--vendor/twbs/bootstrap/.github/workflows/cspell.yml10
-rw-r--r--vendor/twbs/bootstrap/.github/workflows/css.yml7
-rw-r--r--vendor/twbs/bootstrap/.github/workflows/docs.yml7
-rw-r--r--vendor/twbs/bootstrap/.github/workflows/issue-close-require.yml7
-rw-r--r--vendor/twbs/bootstrap/.github/workflows/issue-labeled.yml7
-rw-r--r--vendor/twbs/bootstrap/.github/workflows/js.yml11
-rw-r--r--vendor/twbs/bootstrap/.github/workflows/lint.yml7
-rw-r--r--vendor/twbs/bootstrap/.github/workflows/node-sass.yml7
-rw-r--r--vendor/twbs/bootstrap/.github/workflows/release-notes.yml7
-rw-r--r--vendor/twbs/bootstrap/.github/workflows/scorecards.yml65
14 files changed, 152 insertions, 9 deletions
diff --git a/vendor/twbs/bootstrap/.github/workflows/browserstack.yml b/vendor/twbs/bootstrap/.github/workflows/browserstack.yml
index 425c56684..9a2fc91e5 100644
--- a/vendor/twbs/bootstrap/.github/workflows/browserstack.yml
+++ b/vendor/twbs/bootstrap/.github/workflows/browserstack.yml
@@ -6,7 +6,10 @@ on:
env:
FORCE_COLOR: 2
- NODE: 16
+ NODE: 18
+
+permissions:
+ contents: read
jobs:
browserstack:
@@ -17,6 +20,8 @@ jobs:
steps:
- name: Clone repository
uses: actions/checkout@v3
+ with:
+ persist-credentials: false
- name: Set up Node.js
uses: actions/setup-node@v3
diff --git a/vendor/twbs/bootstrap/.github/workflows/bundlewatch.yml b/vendor/twbs/bootstrap/.github/workflows/bundlewatch.yml
index d1a174784..2add86c49 100644
--- a/vendor/twbs/bootstrap/.github/workflows/bundlewatch.yml
+++ b/vendor/twbs/bootstrap/.github/workflows/bundlewatch.yml
@@ -9,7 +9,10 @@ on:
env:
FORCE_COLOR: 2
- NODE: 16
+ NODE: 18
+
+permissions:
+ contents: read
jobs:
bundlewatch:
@@ -18,6 +21,8 @@ jobs:
steps:
- name: Clone repository
uses: actions/checkout@v3
+ with:
+ persist-credentials: false
- name: Set up Node.js
uses: actions/setup-node@v3
diff --git a/vendor/twbs/bootstrap/.github/workflows/calibreapp-image-actions.yml b/vendor/twbs/bootstrap/.github/workflows/calibreapp-image-actions.yml
index e23f5626e..21df1f626 100644
--- a/vendor/twbs/bootstrap/.github/workflows/calibreapp-image-actions.yml
+++ b/vendor/twbs/bootstrap/.github/workflows/calibreapp-image-actions.yml
@@ -17,6 +17,8 @@ jobs:
steps:
- name: Checkout Repo
uses: actions/checkout@v3
+ with:
+ persist-credentials: false
- name: Compress Images
uses: calibreapp/image-actions@1.1.0
diff --git a/vendor/twbs/bootstrap/.github/workflows/codeql.yml b/vendor/twbs/bootstrap/.github/workflows/codeql.yml
index 70be0563c..98aa891c4 100644
--- a/vendor/twbs/bootstrap/.github/workflows/codeql.yml
+++ b/vendor/twbs/bootstrap/.github/workflows/codeql.yml
@@ -7,7 +7,6 @@ on:
- v4-dev
- "!dependabot/**"
pull_request:
- # The branches below must be a subset of the branches above
branches:
- main
- v4-dev
@@ -28,11 +27,20 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v3
+ with:
+ persist-credentials: false
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
+ config-file: ./.github/codeql/codeql-config.yml
languages: "javascript"
+ queries: +security-and-quality
+
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v2
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
+ with:
+ category: "/language:javascript"
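Review bot: The new `config-file: ./.github/codeql/codeql-config.yml` input in the `Initialize CodeQL` step points at a file that is not part of this diff (the diffstat is limited to the workflows directory), so confirm it exists in the tree; otherwise the init step will presumably fail. Because `queries: +security-and-quality` uses the `+` prefix, it adds to whatever queries that config file selects rather than replacing them, which is worth stating in a comment such as `# '+' extends the queries from config-file`. The added `Autobuild` step is likely unnecessary for `languages: "javascript"`, since CodeQL analyses JavaScript without a build, and it could be dropped.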
diff --git a/vendor/twbs/bootstrap/.github/workflows/cspell.yml b/vendor/twbs/bootstrap/.github/workflows/cspell.yml
index 3751ad339..1d946981c 100644
--- a/vendor/twbs/bootstrap/.github/workflows/cspell.yml
+++ b/vendor/twbs/bootstrap/.github/workflows/cspell.yml
@@ -9,15 +9,23 @@ on:
env:
FORCE_COLOR: 2
- NODE: 16
+
+permissions:
+ contents: read
jobs:
cspell:
+ permissions:
+ # allow streetsidesoftware/cspell-action to fetch files for commits and PRs
+ contents: read
+ pull-requests: read
runs-on: ubuntu-latest
steps:
- name: Clone repository
uses: actions/checkout@v3
+ with:
+ persist-credentials: false
- name: Run cspell
uses: streetsidesoftware/cspell-action@v2
diff --git a/vendor/twbs/bootstrap/.github/workflows/css.yml b/vendor/twbs/bootstrap/.github/workflows/css.yml
index 857a5672c..6bfde50af 100644
--- a/vendor/twbs/bootstrap/.github/workflows/css.yml
+++ b/vendor/twbs/bootstrap/.github/workflows/css.yml
@@ -9,7 +9,10 @@ on:
env:
FORCE_COLOR: 2
- NODE: 16
+ NODE: 18
+
+permissions:
+ contents: read
jobs:
css:
@@ -18,6 +21,8 @@ jobs:
steps:
- name: Clone repository
uses: actions/checkout@v3
+ with:
+ persist-credentials: false
- name: Set up Node.js
uses: actions/setup-node@v3
diff --git a/vendor/twbs/bootstrap/.github/workflows/docs.yml b/vendor/twbs/bootstrap/.github/workflows/docs.yml
index f33413eb4..bdeae6043 100644
--- a/vendor/twbs/bootstrap/.github/workflows/docs.yml
+++ b/vendor/twbs/bootstrap/.github/workflows/docs.yml
@@ -9,7 +9,10 @@ on:
env:
FORCE_COLOR: 2
- NODE: 16
+ NODE: 18
+
+permissions:
+ contents: read
jobs:
docs:
@@ -18,6 +21,8 @@ jobs:
steps:
- name: Clone repository
uses: actions/checkout@v3
+ with:
+ persist-credentials: false
- name: Set up Node.js
uses: actions/setup-node@v3
diff --git a/vendor/twbs/bootstrap/.github/workflows/issue-close-require.yml b/vendor/twbs/bootstrap/.github/workflows/issue-close-require.yml
index b251cd75e..b5000d8b4 100644
--- a/vendor/twbs/bootstrap/.github/workflows/issue-close-require.yml
+++ b/vendor/twbs/bootstrap/.github/workflows/issue-close-require.yml
@@ -4,8 +4,15 @@ on:
schedule:
- cron: "0 0 * * *"
+permissions:
+ contents: read
+
jobs:
issue-close-require:
+ permissions:
+ # allow actions-cool/issues-helper to update issues and PRs
+ issues: write
+ pull-requests: write
runs-on: ubuntu-latest
if: github.repository == 'twbs/bootstrap'
steps:
diff --git a/vendor/twbs/bootstrap/.github/workflows/issue-labeled.yml b/vendor/twbs/bootstrap/.github/workflows/issue-labeled.yml
index fac58493b..584879dd8 100644
--- a/vendor/twbs/bootstrap/.github/workflows/issue-labeled.yml
+++ b/vendor/twbs/bootstrap/.github/workflows/issue-labeled.yml
@@ -4,8 +4,15 @@ on:
issues:
types: [labeled]
+permissions:
+ contents: read
+
jobs:
issue-labeled:
+ permissions:
+ # allow actions-cool/issues-helper to update issues and PRs
+ issues: write
+ pull-requests: write
if: github.repository == 'twbs/bootstrap'
runs-on: ubuntu-latest
steps:
diff --git a/vendor/twbs/bootstrap/.github/workflows/js.yml b/vendor/twbs/bootstrap/.github/workflows/js.yml
index 82616c574..a8994b6cc 100644
--- a/vendor/twbs/bootstrap/.github/workflows/js.yml
+++ b/vendor/twbs/bootstrap/.github/workflows/js.yml
@@ -9,16 +9,25 @@ on:
env:
FORCE_COLOR: 2
- NODE: 16
+ NODE: 18
+
+permissions:
+ contents: read
jobs:
run:
+ permissions:
+ # allow coverallsapp/github-action to create new checks issues and fetch code
+ checks: write
+ contents: read
name: JS Tests
runs-on: ubuntu-latest
steps:
- name: Clone repository
uses: actions/checkout@v3
+ with:
+ persist-credentials: false
- name: Set up Node.js
uses: actions/setup-node@v3
diff --git a/vendor/twbs/bootstrap/.github/workflows/lint.yml b/vendor/twbs/bootstrap/.github/workflows/lint.yml
index 816694ec2..51ee18999 100644
--- a/vendor/twbs/bootstrap/.github/workflows/lint.yml
+++ b/vendor/twbs/bootstrap/.github/workflows/lint.yml
@@ -9,7 +9,10 @@ on:
env:
FORCE_COLOR: 2
- NODE: 16
+ NODE: 18
+
+permissions:
+ contents: read
jobs:
lint:
@@ -18,6 +21,8 @@ jobs:
steps:
- name: Clone repository
uses: actions/checkout@v3
+ with:
+ persist-credentials: false
- name: Set up Node.js
uses: actions/setup-node@v3
diff --git a/vendor/twbs/bootstrap/.github/workflows/node-sass.yml b/vendor/twbs/bootstrap/.github/workflows/node-sass.yml
index 465cee485..dc687ca46 100644
--- a/vendor/twbs/bootstrap/.github/workflows/node-sass.yml
+++ b/vendor/twbs/bootstrap/.github/workflows/node-sass.yml
@@ -9,7 +9,10 @@ on:
env:
FORCE_COLOR: 2
- NODE: 16
+ NODE: 18
+
+permissions:
+ contents: read
jobs:
css:
@@ -18,6 +21,8 @@ jobs:
steps:
- name: Clone repository
uses: actions/checkout@v3
+ with:
+ persist-credentials: false
- name: Set up Node.js
uses: actions/setup-node@v3
diff --git a/vendor/twbs/bootstrap/.github/workflows/release-notes.yml b/vendor/twbs/bootstrap/.github/workflows/release-notes.yml
index bbd0a2448..f620dd31d 100644
--- a/vendor/twbs/bootstrap/.github/workflows/release-notes.yml
+++ b/vendor/twbs/bootstrap/.github/workflows/release-notes.yml
@@ -6,8 +6,15 @@ on:
- main
workflow_dispatch:
+permissions:
+ contents: read
+
jobs:
update_release_draft:
+ permissions:
+ # allow release-drafter/release-drafter to create GitHub releases and add labels to PRs
+ contents: write
+ pull-requests: write
runs-on: ubuntu-latest
if: github.repository == 'twbs/bootstrap'
steps:
diff --git a/vendor/twbs/bootstrap/.github/workflows/scorecards.yml b/vendor/twbs/bootstrap/.github/workflows/scorecards.yml
new file mode 100644
index 000000000..01977ac1c
--- /dev/null
+++ b/vendor/twbs/bootstrap/.github/workflows/scorecards.yml
@@ -0,0 +1,65 @@
+name: Scorecards supply-chain security
+
+on:
+ # Only the default branch is supported.
+ branch_protection_rule:
+ push:
+ branches:
+ - main
+ schedule:
+ - cron: "16 10 * * 6"
+ workflow_dispatch:
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecards analysis
+ runs-on: ubuntu-latest
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Used to receive a badge.
+ id-token: write
+ # Needs for private repositories.
+ contents: read
+ actions: read
+
+ steps:
+ - name: Clone repository
+ uses: actions/checkout@v3
+ with:
+ persist-credentials: false
+
+ - name: Run analysis
+ uses: ossf/scorecard-action@v2.1.1
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if:
+ # - you want to enable the Branch-Protection check on a *public* repository, or
+ # - you are installing Scorecards on a *private* repository
+ # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+ # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
+
+ # Publish the results for public repositories to enable scorecard badges. For more details, see
+ # https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories, `publish_results` will automatically be set to `false`, regardless
+ # of the value entered here.
+ publish_results: true
+
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: Upload artifact
+ uses: actions/upload-artifact@v3
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard.
+ - name: Upload to code-scanning
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: results.sarif
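Review bot: The `Upload to code-scanning` step uses `github/codeql-action/upload-sarif@v1`, while codeql.yml in this same change uses `github/codeql-action/*@v2`; it should be aligned to `github/codeql-action/upload-sarif@v2`. All four `uses:` references in this new workflow are mutable tags (`@v3`, `@v2.1.1`, `@v3`, `@v1`), and the job holds `security-events: write` and `id-token: write`. Pinning each to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: ossf/scorecard-action@<full-commit-sha> # v2.1.1`, means a moved tag cannot run with those permissions. The comment `# Needs for private repositories.` would read better as `# Needed for private repositories.`.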