7 changes: 6 additions & 1 deletion .github/workflows/auto-close-issues.yml
Expand Up @@ -6,13 +6,18 @@ on:
branches:
- dev-2.0

permissions:
contents: read
issues: write
pull-requests: read

jobs:
close_issues:
if: github.event.pull_request.merged == true
runs-on: ubuntu-latest
steps:
- name: Close linked issues on non-default branches
uses: processing/branch-pr-close-issue@v1
uses: processing/branch-pr-close-issue@9fd7b409a12c677c5cdd8ff82c45600f790074e1 # v1
with:
token: ${{ secrets.GITHUB_TOKEN }}
branch: dev-2.0
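Review bot: The pin comment on the new `uses: processing/branch-pr-close-issue@9fd7b409a12c677c5cdd8ff82c45600f790074e1 # v1` line names a floating major tag, so a later reader cannot tell which release the SHA was taken from or check it against the action's tags. Writing the exact release in the comment, as the `# v4.3.1` and `# v4.6.2` pins elsewhere in this change do, keeps the pin auditable and lets update tooling bump SHA and comment together; if the action publishes no finer tag, say so in the comment. The same applies to the `# v3` and `# v4` comments in the two release workflows. The `JS-DevTools/npm-publish` pin in release-workflow-v2.yml has no version comment at all, while the same SHA in release-workflow.yml is marked `# v1`.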
14 changes: 9 additions & 5 deletions .github/workflows/ci-lint.yml
Expand Up @@ -7,20 +7,24 @@ on:
pull_request:
branches:
- '*'
permissions:
contents: read

jobs:
lint:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v1
- name: Use Node.js 22.x
uses: actions/setup-node@v1
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
node-version: 22.x
persist-credentials: false
- name: Use Node.js 20.x
Member

why 20?

uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: 20.x
- name: Get node modules
run: npm ci
env:
CI: true
- name: Lint source code
run: npm run lint
run: npm run lint
18 changes: 12 additions & 6 deletions .github/workflows/ci-test.yml
Expand Up @@ -9,6 +9,9 @@ on:
branches:
- '*'

permissions:
contents: read

jobs:
test:
strategy:
Expand All @@ -22,10 +25,12 @@ jobs:
runs-on: ${{ matrix.os }}

steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
persist-credentials: false

- name: Use Node.js 22.x
uses: actions/setup-node@v4
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: 22.x

Expand Down Expand Up @@ -59,7 +64,7 @@ jobs:
CI: true
- name: Upload Visual Test Report
if: always()
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: visual-test-report
path: test/unit/visual/visual-report.html
Expand All @@ -74,9 +79,10 @@ jobs:
CI: true
- name: report test coverage
if: steps.test.outcome == 'success'
run: bash <(curl -s https://codecov.io/bash) -f coverage/coverage-final.json
env:
CI: true
uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
Collaborator Author

https://about.codecov.io/apr-2021-post-mortem/

This actually happened in real life in 2021: Codecov's bash uploader was compromised, and attackers stole secrets/tokens from thousands of CI pipelines. @ksen0 @davepagurek @limzykenneth

Member

We're not really utilizing it at the moment so it probably can be skipped entirely. We'll do code coverage in Vitest for 2.x at some point and reporting can either use a service like this or even our own bot.

Member

@perminder-17 could you remove the coverage altogether, as @limzykenneth suggests, since we are not really using it?

with:
files: coverage/coverage-final.json
fail_ci_if_error: false
- name: fail job if tests failed
if: steps.test.outcome != 'success'
run: exit 1
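Review bot: Pinning `codecov/codecov-action` by SHA in the `report test coverage` step pins only the wrapper. As far as I know, the v5 action still downloads the Codecov CLI when it runs and relies on its own signature and checksum validation of that download. A comment on the step should say so, e.g. `# action pinned by SHA; the uploader is fetched at run time and verified by the action, do not set skip_validation`, so nobody later disables the check to work around a failure. With `fail_ci_if_error: false` and no `token:` in the visible `with:` block, a rejected upload would also pass silently, so coverage could stop being reported without anyone noticing.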
11 changes: 8 additions & 3 deletions .github/workflows/contributors-png.yml
Expand Up @@ -5,15 +5,20 @@ on:
paths:
- '.all-contributorsrc'

permissions:
contents: read

jobs:
build:
if: github.ref == 'refs/heads/main' && github.repository == 'processing/p5.js'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
persist-credentials: false

- name: Setup Node
uses: actions/setup-node@v4
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: 20

Expand All @@ -30,7 +35,7 @@ jobs:
git checkout -- .

- name: Create Pull Request
uses: peter-evans/create-pull-request@v7
uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11
with:
commit-message: "Update contributors.png from .all-contributorsrc"
branch: update-contributors-png
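Review bot: The new workflow-level `permissions:` with only `contents: read` looks too narrow for the `Create Pull Request` step. `peter-evans/create-pull-request` has to push the `update-contributors-png` branch and open a pull request, which with the default `GITHUB_TOKEN` needs `contents: write` and `pull-requests: write`. The step's `with:` block continues below the hunk, so a separate `token:` may already be passed there; if not, the step will likely fail after this change. Keeping the read-only default and granting the two write scopes only on the `build` job (`contents: write` and `pull-requests: write` in a `permissions:` block under `build:`) would preserve the least-privilege intent.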
3 changes: 2 additions & 1 deletion .github/workflows/labeler.yml
Expand Up @@ -3,12 +3,13 @@ on:
issues:
types: [opened, edited]
permissions:
contents: read
issues: write
jobs:
triage:
runs-on: ubuntu-latest
steps:
- uses: github/issue-labeler@v3.2
- uses: github/issue-labeler@98b5412841f6c4b0b3d9c29d53c13fad16bd7de2 # v3.2
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"
configuration-path: .github/labeler.yml
33 changes: 15 additions & 18 deletions .github/workflows/release-workflow-v2.yml
Expand Up @@ -18,13 +18,15 @@ jobs:
INPUT_TOKEN: ${{ secrets.NPM_TOKEN }}
steps:
# 1. Setup
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
with:
node-version: 22
persist-credentials: false
- uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
with:
node-version: 20
- name: Get semver info
id: semver
uses: akshens/semver-tag@v4
uses: akshens/semver-tag@8e427cd48c699c97d021df4946f3a0e65af5047e # v4
with:
version: ${{ github.ref_name }}

Expand All @@ -42,22 +44,16 @@ jobs:
env:
CI: true
- name: Run test
run: npm test -- --project=unit-tests
Member

@perminder-17 needed?

Collaborator Author

Okay, I think I was directly using the same diff from the main branch, which brought in some unnecessary changes. Fixing that now.

run: npm test
env:
CI: true
- name: Run build
run: npm run build
- name: Generate types
run: npm run generate-types
- name: test TypeScript types
run: npm run test:types
env:
CI: true

# 2. Prepare release files
- run: mkdir release && mkdir p5 && cp -r ./lib/* p5/
- name: Create release zip file
uses: TheDoctor0/zip-release@0.6.2
uses: TheDoctor0/zip-release@09336613be18a8208dfa66bd57efafd9e2685657 # 0.6.2
with:
type: zip
filename: release/p5.zip
Expand All @@ -68,29 +64,30 @@ jobs:

# 3. Release p5.js
- name: Create GitHub release
uses: softprops/action-gh-release@v0.1.15
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
with:
draft: true
prerelease: ${{ steps.semver.outputs.is-prerelease == 'true' }}
files: release/*
generate_release_notes: true
token: ${{ secrets.ACCESS_TOKEN }}
token: ${{ secrets.GITHUB_TOKEN }}
Member

@ksen0 ksen0 Mar 16, 2026

@perminder-17 I don't think the token should change (or, why should it?)

Collaborator Author

In Step 3 (Release p5.js), the release is created on the same repository, so GITHUB_TOKEN is sufficient. Unlike ACCESS_TOKEN, which is a long-lived Personal Access Token, GITHUB_TOKEN is automatically generated and scoped to the current repository for each workflow run, and expires once the workflow completes. ACCESS_TOKEN is only required in Step 4, where cross-repository access is needed to push changes to the p5.js-website repository. What do you think?

Member

@ksen0 ksen0 Mar 16, 2026

Ah sure! Then GITHUB_TOKEN seems alright, thank you for the explanation

- name: Publish to NPM
uses: JS-DevTools/npm-publish@v1
uses: JS-DevTools/npm-publish@0f451a94170d1699fd50710966d48fb26194d939
with:
token: ${{ secrets.NPM_TOKEN }}
tag: ${{ steps.semver.outputs.is-prerelease != 'true' && 'latest' || 'beta' }}

# 4. Update p5.js website
- name: Clone p5.js website
if: ${{ steps.semver.outputs.is-prerelease != 'true' }}
uses: actions/checkout@v3
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
with:
repository: processing/p5.js-website
ref: '2.0'
path: website
fetch-depth: 0
token: ${{ secrets.ACCESS_TOKEN }}
persist-credentials: false
- name: Updated website files
if: ${{ steps.semver.outputs.is-prerelease != 'true' }}
run: |
Expand All @@ -111,9 +108,9 @@ jobs:
git commit -m "Update p5.js to ${{ github.ref_name }}"
- name: Push updated website repo
if: ${{ steps.semver.outputs.is-prerelease != 'true' }}
uses: ad-m/github-push-action@v0.6.0
uses: ad-m/github-push-action@40bf560936a8022e68a3c00e7d2abefaf01305a6 # v0.6.0
with:
github_token: ${{ secrets.ACCESS_TOKEN }}
branch: '2.0'
directory: website/
repository: processing/p5.js-website
repository: processing/p5.js-website
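Review bot: `INPUT_TOKEN: ${{ secrets.NPM_TOKEN }}` at the top of the first hunk appears to sit in the job-level `env:` (the key itself is above the hunk). That would hand the npm publish token to every step of the job: the `npm ci` install scripts, the test and build runs, and each third-party action. The `Publish to NPM` step already receives the token through `with:` / `token:`, so the job-level entry looks removable; if something else needs it, set `env:` on that one step instead. release-workflow.yml has the same line at the top of its first hunk.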
32 changes: 18 additions & 14 deletions .github/workflows/release-workflow.yml
Expand Up @@ -18,13 +18,15 @@ jobs:
INPUT_TOKEN: ${{ secrets.NPM_TOKEN }}
steps:
# 1. Setup
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
with:
node-version: 22
persist-credentials: false
- uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
with:
node-version: 20
- name: Get semver info
id: semver
uses: akshens/semver-tag@v4
uses: akshens/semver-tag@8e427cd48c699c97d021df4946f3a0e65af5047e # v4
with:
version: ${{ github.ref_name }}

Expand All @@ -41,17 +43,16 @@ jobs:
run: npm ci
env:
CI: true
- name: Run test
- name: Run build
Member

@ksen0 ksen0 Mar 16, 2026

Typo (?)

run: npm test
env:
CI: true
- name: Run build
run: npm run build
Member

also typo?

- run: rm ./lib/p5-test.js ./lib/p5.pre-min.js

# 2. Prepare release files
- run: mkdir release && mkdir p5 && cp -r ./lib/* p5/
- name: Create release zip file
uses: TheDoctor0/zip-release@0.6.2
uses: TheDoctor0/zip-release@09336613be18a8208dfa66bd57efafd9e2685657 # 0.6.2
with:
type: zip
filename: release/p5.zip
Expand All @@ -62,7 +63,7 @@ jobs:

# 3. Release p5.js
- name: Create GitHub release
uses: softprops/action-gh-release@v0.1.15
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
with:
draft: true
prerelease: ${{ steps.semver.outputs.is-prerelease == 'true' }}
Expand All @@ -71,19 +72,21 @@ jobs:
token: ${{ secrets.ACCESS_TOKEN }}
- name: Publish to NPM
if: ${{ steps.semver.outputs.is-prerelease != 'true' }}
uses: JS-DevTools/npm-publish@v1
uses: JS-DevTools/npm-publish@0f451a94170d1699fd50710966d48fb26194d939 # v1
with:
token: ${{ secrets.NPM_TOKEN }}
tag: r1

# 4. Update p5.js website
- name: Clone p5.js website
if: ${{ steps.semver.outputs.is-prerelease != 'true' }}
uses: actions/checkout@v3
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
with:
repository: processing/p5.js-website
path: website
fetch-depth: 0
token: ${{ secrets.ACCESS_TOKEN }}
persist-credentials: false
- name: Updated website files
if: ${{ steps.semver.outputs.is-prerelease != 'true' }}
run: |
Expand All @@ -104,7 +107,7 @@ jobs:
git commit -m "Update p5.js to ${{ github.ref_name }}"
- name: Push updated website repo
if: ${{ steps.semver.outputs.is-prerelease != 'true' }}
uses: ad-m/github-push-action@v0.6.0
uses: ad-m/github-push-action@40bf560936a8022e68a3c00e7d2abefaf01305a6 # v0.6.0
with:
github_token: ${{ secrets.ACCESS_TOKEN }}
branch: main
Expand All @@ -114,12 +117,13 @@ jobs:
# 5. Update Bower files
- name: Checkout Bower repo
if: ${{ steps.semver.outputs.is-prerelease != 'true' }}
uses: actions/checkout@v3
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
with:
repository: processing/p5.js-release
path: bower
fetch-depth: 0
token: ${{ secrets.ACCESS_TOKEN }}
persist-credentials: false
- name: Copy new version files to Bower repo
if: ${{ steps.semver.outputs.is-prerelease != 'true' }}
run: |
Expand All @@ -135,7 +139,7 @@ jobs:
git commit -m "Update p5.js to ${{ github.ref_name }}"
- name: Push updated Bower repo
if: ${{ steps.semver.outputs.is-prerelease != 'true' }}
uses: ad-m/github-push-action@v0.6.0
uses: ad-m/github-push-action@40bf560936a8022e68a3c00e7d2abefaf01305a6 # v0.6.0
with:
github_token: ${{ secrets.ACCESS_TOKEN }}
branch: master
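Review bot: Both `git commit -m "Update p5.js to ${{ github.ref_name }}"` lines in the `run:` blocks of this file expand the tag name into the script text before the shell parses it, so the tag name is treated as script rather than as data. In a change that hardens these workflows, it is worth passing the value through the environment instead: add `env:` with `REF_NAME: ${{ github.ref_name }}` to each step and write `git commit -m "Update p5.js to $REF_NAME"`. The `run:` blocks start above the hunks, so other expansions may exist in lines not shown. release-workflow-v2.yml has the same commit line in its website step.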