From c72c586b0630eb0d2710edc452a2cb66293c60de Mon Sep 17 00:00:00 2001 From: Vladimir Sheremet Date: Fri, 22 May 2026 11:48:42 +0200 Subject: [PATCH 1/3] ci: use SHA and fix zizmor errors --- .github/workflows/ci.yml | 17 +++++++++++++---- .github/workflows/pkg-pr-new.yml | 12 +++++++++--- .github/workflows/publish.yml | 19 ++++++++++++++----- .github/workflows/zizmor.yml | 32 ++++++++++++++++++++++++++++++++ 4 files changed, 68 insertions(+), 12 deletions(-) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d5c664f..3a21bc2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -9,6 +9,9 @@ on: - master workflow_dispatch: +permissions: + contents: read + concurrency: group: ci-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true @@ -18,24 +21,30 @@ env: jobs: lint: + name: Lint runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: voidzero-dev/setup-vp@v1 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: voidzero-dev/setup-vp@40646972e9ea5e33609c1bb31ac6a27fb01b641e # v1.10.0 - run: vp i - run: vp check --no-lint - run: vp run build - run: vp run typecheck test: + name: Test strategy: matrix: os: [ubuntu-latest, macos-latest, windows-latest] fail-fast: false runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v6 - - uses: voidzero-dev/setup-vp@v1 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: voidzero-dev/setup-vp@40646972e9ea5e33609c1bb31ac6a27fb01b641e # v1.10.0 - run: vp i - run: vp run build - run: vp exec playwright install --with-deps diff --git a/.github/workflows/pkg-pr-new.yml b/.github/workflows/pkg-pr-new.yml index 0260cd2..791f2c3 100644 --- a/.github/workflows/pkg-pr-new.yml +++ b/.github/workflows/pkg-pr-new.yml 
@@ -7,18 +7,24 @@ on: pull_request: types: [opened, synchronize] +permissions: + contents: read + concurrency: group: cr-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true jobs: release: + name: Publish preview if: github.repository == 'vitest-dev/ivya' runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: actions/setup-node@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 - run: corepack enable - run: pnpm i - run: pnpm run build - - run: pnpm dlx pkg-pr-new publish --compact --no-template --pnpm + - run: pnpm dlx pkg-pr-new publish --compact --no-template --pnpm # zizmor: ignore[use-trusted-publishing] pkg-pr-new doesn't publish to npm diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 8328e3c..0cb19a4 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -5,20 +5,29 @@ on: tags: - 'v*' +permissions: + contents: read + +concurrency: + group: publish-${{ github.ref }} + cancel-in-progress: false + jobs: publish: + name: Publish if: github.repository == 'vitest-dev/ivya' runs-on: ubuntu-latest permissions: - contents: write - id-token: write + contents: write # changelogithub creates a GitHub release + id-token: write # npm provenance via OIDC environment: Release steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0 - - uses: actions/setup-node@v6 + persist-credentials: false + - uses: pnpm/action-setup@d15e628ca66d93ee5f352c71671a7bc6a97af5c9 # v6.0.8 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 24 registry-url: https://registry.npmjs.org/ 
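Review bot: The `concurrency` group added to publish.yml is keyed on `github.ref`, and every `v*` tag is its own ref, so two tags pushed close together still run the publish job in parallel; the group only serializes re-runs of the same tag. If the intent is that releases never overlap, a constant key would do it, `group: publish` with `cancel-in-progress: false` kept, bearing in mind that GitHub holds at most one pending run per group, so a third queued tag would displace the second. If per-tag isolation is what was meant, a short comment such as `# one group per tag: only re-runs of the same tag are serialized` would make that explicit. The publish steps after `registry-url` lie outside the hunk, so whether overlapping runs can actually conflict cannot be confirmed from here.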
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..069a978 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,32 @@ +name: Zizmor + +on: + workflow_dispatch: + pull_request: + push: + branches: + - main + paths: + - '.github/workflows/**' + +permissions: {} + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} + cancel-in-progress: ${{ github.ref_name != 'main' }} + +jobs: + zizmor: + name: Run zizmor + runs-on: ubuntu-latest + permissions: + security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files. + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor 🌈 + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 + with: + persona: pedantic From b01ffbc68d3aa6368515d8da8f50313253df4dfd Mon Sep 17 00:00:00 2001 From: Vladimir Sheremet Date: Fri, 22 May 2026 11:59:40 +0200 Subject: [PATCH 2/3] fix: update sha --- .github/workflows/ci.yml | 4 ++-- .github/workflows/publish.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3a21bc2..932f5ca 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -27,7 +27,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - - uses: voidzero-dev/setup-vp@40646972e9ea5e33609c1bb31ac6a27fb01b641e # v1.10.0 + - uses: voidzero-dev/setup-vp@ca1c46663915d6c1042ae23bd39ab85718bfb0fa # v1.10.0 - run: vp i - run: vp check --no-lint - run: vp run build 
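Review bot: The `push` filter in zizmor.yml lists `main`, while the branch entry visible as context in ci.yml's first hunk of this same patch is `master`. If `master` is the default branch, the push trigger never fires there and `cancel-in-progress: ${{ github.ref_name != 'main' }}` is always true. The workflow would then run only on pull requests and manual dispatch, and no SARIF results would be uploaded for the default branch. Suggested: `- master` under `branches:` and `github.ref_name != 'master'` in the concurrency block. Separately, the `paths` filter applies to `push` only and covers `.github/workflows/**`; composite actions under `.github/actions/`, if the repository has any (not visible here), would need their own entry to trigger a scan on push.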
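Review bot: On the `voidzero-dev/setup-vp@ca1c466…` line the replaced and the replacement SHA carry the same `# v1.10.0` comment, so nothing in the hunk lets a reader confirm which of the two is the commit that tag points to; the same applies to the second ci.yml hunk and to the `pnpm/action-setup` line (`# v6.0.8`) in publish.yml. A full-SHA pin is only as trustworthy as the step used to resolve it, and a common slip is pinning the SHA of an annotated tag object instead of the commit it peels to. I would record the resolution in the commit message, for example the `git ls-remote --tags <action-repo-url> <tag>` output including its `^{}` line, or name the zizmor finding that prompted the change. The step lists of all three jobs continue outside these hunks.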
@@ -44,7 +44,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - - uses: voidzero-dev/setup-vp@40646972e9ea5e33609c1bb31ac6a27fb01b641e # v1.10.0 + - uses: voidzero-dev/setup-vp@ca1c46663915d6c1042ae23bd39ab85718bfb0fa # v1.10.0 - run: vp i - run: vp run build - run: vp exec playwright install --with-deps diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 0cb19a4..368bb59 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -26,7 +26,7 @@ jobs: with: fetch-depth: 0 persist-credentials: false - - uses: pnpm/action-setup@d15e628ca66d93ee5f352c71671a7bc6a97af5c9 # v6.0.8 + - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 24 From aed194489dcca4934aada578907af11d9db0fc93 Mon Sep 17 00:00:00 2001 From: Vladimir Sheremet Date: Fri, 22 May 2026 12:34:31 +0200 Subject: [PATCH 3/3] chore: update playwright --- package.json | 2 +- pnpm-lock.yaml | 26 +++++++++++++------------- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/package.json b/package.json index dae06f4..a897ea1 100644 --- a/package.json +++ b/package.json @@ -44,7 +44,7 @@ "@vitest/browser-playwright": "^4.1.0", "bumpp": "^10.4.1", "changelogithub": "^14.0.0", - "playwright": "^1.58.2", + "playwright": "^1.60.0", "typescript": "^5.8.2", "vite": "^8.0.0", "vite-plus": "latest", diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 448d00b..28fa1bc 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -10,7 +10,7 @@ importers: devDependencies: '@vitest/browser-playwright': specifier: ^4.1.0 - version: 4.1.0(playwright@1.58.2)(vite@8.0.0(esbuild@0.27.7)(jiti@2.6.1)(tsx@4.21.0)(yaml@2.8.2))(vitest@4.1.0) + version: 4.1.0(playwright@1.60.0)(vite@8.0.0(esbuild@0.27.7)(jiti@2.6.1)(tsx@4.21.0)(yaml@2.8.2))(vitest@4.1.0) bumpp: specifier: ^10.4.1 version: 10.4.1 
@@ -18,8 +18,8 @@ importers: specifier: ^14.0.0 version: 14.0.0 playwright: - specifier: ^1.58.2 - version: 1.58.2 + specifier: ^1.60.0 + version: 1.60.0 typescript: specifier: ^5.8.2 version: 5.8.2 @@ -1262,13 +1262,13 @@ packages: pkg-types@2.3.1: resolution: {integrity: sha512-y+ichcgc2LrADuhLNAx8DFjVfgz91pRxfZdI3UDhxHvcVEZsenLO+7XaU5vOp0u/7V/wZ+plyuQxtrDlZJ+yeg==} - playwright-core@1.58.2: - resolution: {integrity: sha512-yZkEtftgwS8CsfYo7nm0KE8jsvm6i/PTgVtB8DL726wNf6H2IMsDuxCpJj59KDaxCtSnrWan2AeDqM7JBaultg==} + playwright-core@1.60.0: + resolution: {integrity: sha512-9bW6zvX/m0lEbgTKJ6YppOKx8H3VOPBMOCFh2irXFOT4BbHgrx5hPjwJYLT40Lu+4qtD36qKc/Hn56StUW57IA==} engines: {node: '>=18'} hasBin: true - playwright@1.58.2: - resolution: {integrity: sha512-vA30H8Nvkq/cPBnNw4Q8TWz1EJyqgpuinBcHET0YVJVFldr8JDNiU9LaWAE1KqSkRYazuaBhTpB5ZzShOezQ6A==} + playwright@1.60.0: + resolution: {integrity: sha512-hheHdokM8cdqCb0lcE3s+zT4t4W+vvjpGxsZlDnikarzx8tSzMebh3UiFtgqwFwnTnjYQcsyMF8ei2mCO/tpeA==} engines: {node: '>=18'} hasBin: true @@ -1844,11 +1844,11 @@ snapshots: '@types/estree@1.0.5': {} - '@vitest/browser-playwright@4.1.0(playwright@1.58.2)(vite@8.0.0(esbuild@0.27.7)(jiti@2.6.1)(tsx@4.21.0)(yaml@2.8.2))(vitest@4.1.0)': + '@vitest/browser-playwright@4.1.0(playwright@1.60.0)(vite@8.0.0(esbuild@0.27.7)(jiti@2.6.1)(tsx@4.21.0)(yaml@2.8.2))(vitest@4.1.0)': dependencies: '@vitest/browser': 4.1.0(vite@8.0.0(esbuild@0.27.7)(jiti@2.6.1)(tsx@4.21.0)(yaml@2.8.2))(vitest@4.1.0) '@vitest/mocker': 4.1.0(vite@8.0.0(esbuild@0.27.7)(jiti@2.6.1)(tsx@4.21.0)(yaml@2.8.2)) - playwright: 1.58.2 + playwright: 1.60.0 tinyrainbow: 3.1.0 vitest: 4.1.0(@vitest/browser-playwright@4.1.0)(vite@8.0.0(esbuild@0.27.7)(jiti@2.6.1)(tsx@4.21.0)(yaml@2.8.2)) transitivePeerDependencies: 
@@ -2504,11 +2504,11 @@ snapshots: exsolve: 1.0.8 pathe: 2.0.3 - playwright-core@1.58.2: {} + playwright-core@1.60.0: {} - playwright@1.58.2: + playwright@1.60.0: dependencies: - playwright-core: 1.58.2 + playwright-core: 1.60.0 optionalDependencies: fsevents: 2.3.2 @@ -2727,7 +2727,7 @@ snapshots: vite: 8.0.0(esbuild@0.27.7)(jiti@2.6.1)(tsx@4.21.0)(yaml@2.8.2) why-is-node-running: 2.3.0 optionalDependencies: - '@vitest/browser-playwright': 4.1.0(playwright@1.58.2)(vite@8.0.0(esbuild@0.27.7)(jiti@2.6.1)(tsx@4.21.0)(yaml@2.8.2))(vitest@4.1.0) + '@vitest/browser-playwright': 4.1.0(playwright@1.60.0)(vite@8.0.0(esbuild@0.27.7)(jiti@2.6.1)(tsx@4.21.0)(yaml@2.8.2))(vitest@4.1.0) transitivePeerDependencies: - msw