mirror of
https://github.com/supabase/supabase.git
synced 2026-07-01 04:47:16 -04:00
c9cc6cd835
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file.

YES

## What kind of change does this PR introduce?

Chore, CI hardening

## Additional context

Hardens all GitHub actions to recommendations of [zizmor](https://docs.zizmor.sh/audits/)

## Summary by CodeRabbit

* **Chores**
  * Disabled persistence of checkout credentials across many CI workflows to reduce credential exposure.
  * Upgraded GitHub App token tooling and tightened generated token permissions for automation.
  * Added cooldown/rate-limiting to dependency update automation to reduce update churn.
  * Adjusted workflow-level permissions, required secret inputs for workflow callers, and refactored some job step logic.

---------

Co-authored-by: Ali Waseem <waseema393@gmail.com>
38 lines
1.0 KiB
YAML
```yaml
name: reviewdog
on:
  pull_request:
    types: [opened, synchronize, reopened, edited]

# Cancel old builds on new commit for same workflow + branch/PR
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

permissions:
  contents: read

jobs:
  misspell:
    name: runner / misspell
    runs-on: blacksmith-4vcpu-ubuntu-2404
    steps:
      - name: Check out code.
        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        with:
          persist-credentials: false
      - name: misspell
        uses: reviewdog/action-misspell@9daa94af4357dddb6fd3775de806bc0a8e98d3e4 # v1.26.3
        with:
          github_token: ${{ secrets.github_token }}
          locale: 'US'
          reporter: github-pr-review
          level: error
          exclude: |
            *.css
            **/package.json
            **/pnpm-lock.yaml
            ./.git/*
            *.ipynb
            ./i18n/README.*.md
            ./studio/public/monaco-editor/*
```
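The workflow above shows three hardening properties: a top-level `permissions` block, actions pinned to full commit SHAs, and `persist-credentials: false` on checkout. The following line-based check for those three is an added example, not code from the supabase repository or from zizmor; the `audit` function, the `WEAK` sample and the simplifications noted in the comments are assumptions of this sketch.

```python
import re
from itertools import takewhile

# Constructed sample: a workflow that misses all three properties.
WEAK = """\
on: pull_request
jobs:
  lint:
    steps:
      - uses: actions/checkout@v4
      - uses: reviewdog/action-misspell@v1
"""
# Abridged copy of the hardened workflow shown above.
HARDENED = """\
permissions:
  contents: read
jobs:
  misspell:
    steps:
      - name: Check out code.
        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        with:
          persist-credentials: false
      - name: misspell
        uses: reviewdog/action-misspell@9daa94af4357dddb6fd3775de806bc0a8e98d3e4 # v1.26.3
"""
USES = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")
PINNED = re.compile(r"@[0-9a-f]{40}$")

def audit(text):
    """Return (line_number, finding) pairs; line 0 means the whole file."""
    lines = text.splitlines()
    findings = []
    # Simplification: only a top-level permissions block is looked for.
    if not any(s.startswith("permissions:") for s in lines):
        findings.append((0, "no top-level permissions block"))
    for i, line in enumerate(lines, 1):
        m = USES.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local (./) and docker:// references are skipped by the pinning check.
        if not ref.startswith(("./", "docker://")) and not PINNED.search(ref):
            findings.append((i, f"{ref}: not pinned to a full commit SHA"))
        if ref.startswith("actions/checkout@"):
            # Assumes `with:` follows `uses:`; scan up to the next step item.
            rest = takewhile(lambda s: not re.match(r"\s*-\s", s), lines[i:])
            if not any(re.match(r"\s*persist-credentials:\s*false\b", r) for r in rest):
                findings.append((i, "checkout keeps credentials (persist-credentials not false)"))
    return findings
```

Because it scans lines rather than parsing YAML, it will also match a `uses:` string inside a `run: |` script body.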