diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 44500cfd3c..fded680002 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,6 +5,9 @@ updates:
 schedule:
 interval: weekly
 time: "06:00"
+ cooldown:
+ default-days-before-reopen: 30
+ default-days: 7
 open-pull-requests-limit: 10
 labels:
 - Dependencies
diff --git a/.github/workflows/cast_deployment.yaml b/.github/workflows/cast_deployment.yaml
index 6b7896860c..be9fe7ec9a 100644
--- a/.github/workflows/cast_deployment.yaml
+++ b/.github/workflows/cast_deployment.yaml
@@ -8,6 +8,9 @@ on:
 branches:
 - master
+permissions:
+ contents: read
+
 env:
 NODE_OPTIONS: --max_old_space_size=6144
@@ -24,6 +27,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 ref: dev
+ persist-credentials: false
 - name: Setup Node
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
@@ -59,6 +63,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 ref: master
+ persist-credentials: false
 - name: Setup Node
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 29ee04fdff..115450e7ad 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -18,6 +18,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 lint:
 name: Lint and check format
@@ -25,6 +28,8 @@ jobs:
 steps:
 - name: Check out files from GitHub
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Setup Node
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
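Review bot: The new `cooldown` block in the dependabot.yml hunk carries no comment saying what it is for, and a 7-day `default-days` is a supply-chain control (a freshly published version gets time to be yanked or reported before Dependabot proposes it) rather than a scheduling tweak, so the intent should sit next to it, e.g. `# cooldown: skip versions published in the last 7 days so yanked or compromised releases are caught before they are proposed`. Worth confirming that `default-days-before-reopen` is a key the Dependabot config schema accepts under `cooldown`; I cannot tell from the diff, and an unrecognised key may be rejected when the file is validated. Listing `default-days` before the reopen setting would also read more naturally, since the reopen value only matters once a cooldown has applied.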
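Review bot: The workflow-level `permissions: contents: read` added in the cast_deployment.yaml hunk at `@@ -8,6 +8,9 @@` becomes the ceiling for every job in the file, and the deploy jobs themselves are outside the hunk, so it is not visible here whether any of them needs another scope (for example `deployments: write` or `pull-requests: write` for a preview comment). If one does, grant it on that job with its own `permissions:` map rather than widening the workflow default, and say so in a comment on the job. The same applies to the identical blocks added in ci.yaml, codeql-analysis.yml, demo_deployment.yaml, design_deployment.yaml, design_preview.yaml and translations.yaml in this commit.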
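Review bot: `persist-credentials: false` in the cast_deployment.yaml hunk at `@@ -24,6 +27,7 @@` strips the token from `.git/config`, so any later step in that job that pushes or fetches from the repository with the default token will now fail; the remainder of the job is outside the hunk, so that has to be confirmed against the full file. A one-line comment above the setting, `# no git credentials left on disk: later steps must not push with the default token`, records the contract for whoever next edits the job. The same check applies to the other checkouts hardened in this commit (the second cast_deployment hunk, ci.yaml, codeql-analysis.yml, demo_deployment.yaml, design_deployment.yaml, design_preview.yaml, nightly.yaml, release.yaml and translations.yaml).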
@@ -59,6 +64,8 @@ jobs:
 steps:
 - name: Check out files from GitHub
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Setup Node
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
@@ -77,6 +84,8 @@ jobs:
 steps:
 - name: Check out files from GitHub
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Setup Node
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index b05c769df1..445883966f 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -7,6 +7,10 @@ on:
 # The branches below must be a subset of the branches above
 branches: [dev]
+permissions:
+ contents: read
+ security-events: write
+
 jobs:
 analyze:
 name: Analyze
@@ -28,6 +32,7 @@ jobs:
 # We must fetch at least the immediate parents so that if this is
 # a pull request then we can checkout the head.
 fetch-depth: 2
+ persist-credentials: false
 # If this run was triggered by a pull request event, then checkout
 # the head of the pull request instead of the merge commit.
diff --git a/.github/workflows/demo_deployment.yaml b/.github/workflows/demo_deployment.yaml
index 7244f21e4e..0c81a0a71d 100644
--- a/.github/workflows/demo_deployment.yaml
+++ b/.github/workflows/demo_deployment.yaml
@@ -9,6 +9,9 @@ on:
 - dev
 - master
+permissions:
+ contents: read
+
 env:
 NODE_OPTIONS: --max_old_space_size=6144
@@ -25,6 +28,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 ref: dev
+ persist-credentials: false
 - name: Setup Node
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
@@ -60,6 +64,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 ref: master
+ persist-credentials: false
 - name: Setup Node
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
diff --git a/.github/workflows/design_deployment.yaml b/.github/workflows/design_deployment.yaml
index 0c46adacb0..680f32a134 100644
--- a/.github/workflows/design_deployment.yaml
+++ b/.github/workflows/design_deployment.yaml
@@ -5,6 +5,9 @@ on:
 schedule:
 - cron: "0 0 * * *"
+permissions:
+ contents: read
+
 env:
 NODE_OPTIONS: --max_old_space_size=6144
@@ -17,6 +20,8 @@ jobs:
 steps:
 - name: Check out files from GitHub
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Setup Node
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
diff --git a/.github/workflows/design_preview.yaml b/.github/workflows/design_preview.yaml
index 48d1f87412..104a86d434 100644
--- a/.github/workflows/design_preview.yaml
+++ b/.github/workflows/design_preview.yaml
@@ -10,6 +10,9 @@ on:
 branches:
 - dev
+permissions:
+ contents: read
+
 env:
 NODE_OPTIONS: --max_old_space_size=6144
@@ -22,6 +25,8 @@ jobs:
 steps:
 - name: Check out files from GitHub
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Setup Node
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
diff --git a/.github/workflows/labeler.yaml b/.github/workflows/labeler.yaml
index 91384c1e18..7ef9a96ba0 100644
--- a/.github/workflows/labeler.yaml
+++ b/.github/workflows/labeler.yaml
@@ -1,6 +1,6 @@
 name: "Pull Request Labeler"
-on: pull_request_target
+on: pull_request_target # zizmor: ignore[dangerous-triggers] -- safe: only runs actions/labeler, no PR code checkout
 jobs:
 triage:
diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml
index d2a44922f5..b4eb2de48a 100644
--- a/.github/workflows/lock.yml
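Review bot: The ignore comment added on the labeler.yaml `on:` line asserts that the job only runs actions/labeler and never checks out PR code, but the `jobs:` body that would substantiate that claim lies outside the hunk, and unlike every other workflow in this commit labeler.yaml receives no `permissions:` block, so the `pull_request_target` job still runs with whatever default token scopes the repository grants. Bounding it with a workflow-level `permissions:` of `contents: read` and `pull-requests: write` (the scopes the labeler needs to read its config and apply labels) would make the "safe" in the comment rest on configuration rather than on a reviewer's memory. Keep the justification comment, but it would be clearer if it also named the job it refers to, e.g. `-- safe: the triage job below only runs actions/labeler and does not check out PR code`.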
+++ b/.github/workflows/lock.yml
@@ -5,6 +5,10 @@ on:
 schedule:
 - cron: "0 * * * *"
+permissions:
+ issues: write
+ pull-requests: write
+
 jobs:
 lock:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml
index cc5f37e60f..ca185e3555 100644
--- a/.github/workflows/nightly.yaml
+++ b/.github/workflows/nightly.yaml
@@ -21,6 +21,8 @@ jobs:
 steps:
 - name: Checkout the repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Set up Python ${{ env.PYTHON_VERSION }}
 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
diff --git a/.github/workflows/relative-ci.yaml b/.github/workflows/relative-ci.yaml
index 22bb409b8f..bf8ad7cc04 100644
--- a/.github/workflows/relative-ci.yaml
+++ b/.github/workflows/relative-ci.yaml
@@ -1,25 +1,39 @@
 name: RelativeCI
 on:
+ # zizmor: ignore[dangerous-triggers] -- safe: only downloads artifacts, no PR code checkout
 workflow_run:
 workflows: [CI]
 types:
 - completed
+permissions:
+ contents: read
+ actions: read
+
 jobs:
- upload:
- name: Upload stats
+ upload-frontend-modern:
+ name: Upload stats (frontend/modern)
 if: ${{ github.event.workflow_run.conclusion == 'success' }}
- strategy:
- matrix:
- bundle: [frontend]
- build: [modern, legacy]
 runs-on: ubuntu-latest
 steps:
 - name: Send bundle stats and build information to RelativeCI
 uses: relative-ci/agent-action@3c681926017930047fc03acaa35cd6a44efcbfc3 # v3.2.2
 with:
- key: ${{ secrets[format('RELATIVE_CI_KEY_{0}_{1}', matrix.bundle, matrix.build)] }}
+ key: ${{ secrets.RELATIVE_CI_KEY_frontend_modern }}
 token: ${{ github.token }}
- artifactName: ${{ format('{0}-bundle-stats', matrix.bundle) }}
- webpackStatsFile: ${{ format('{0}-{1}.json', matrix.bundle, matrix.build) }}
+ artifactName: frontend-bundle-stats
+ webpackStatsFile: frontend-modern.json
+
+ upload-frontend-legacy:
+ name: Upload stats (frontend/legacy)
+ if: ${{ github.event.workflow_run.conclusion == 'success' }}
+ runs-on: ubuntu-latest
+ steps:
+ - name: Send bundle stats and build information to RelativeCI
+ uses: relative-ci/agent-action@3c681926017930047fc03acaa35cd6a44efcbfc3 # v3.2.2
+ with:
+ key: ${{ secrets.RELATIVE_CI_KEY_frontend_legacy }}
+ token: ${{ github.token }}
+ artifactName: frontend-bundle-stats
+ webpackStatsFile: frontend-legacy.json
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 890ea9f614..5a620414fc 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -27,6 +27,8 @@ jobs:
 steps:
 - name: Checkout the repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Set up Python ${{ env.PYTHON_VERSION }}
 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
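Review bot: The ignore comment placed under `on:` in relative-ci.yaml says the job only downloads artifacts, but the artifact it downloads (`frontend-bundle-stats`) is produced by the triggering CI run, which for a fork pull request is built from unreviewed code, so the stats file handed to relative-ci/agent-action alongside `RELATIVE_CI_KEY_frontend_modern` / `RELATIVE_CI_KEY_frontend_legacy` is data the PR author controls; the comment should say that the remaining trust is placed in the agent action's parsing of that file, e.g. `-- safe: no PR code is checked out; the only PR-controlled input is the stats JSON consumed by relative-ci/agent-action`. The two new jobs are identical apart from the build name, and the unrolling appears to exist only to drop the dynamic `secrets[format(...)]` lookup; a one-line comment above `upload-frontend-modern:` recording that reason would stop a later cleanup from reintroducing the matrix. `permissions: actions: read` is the right scope for the artifact download, and a short comment on it would save the next reader from looking up why a read-only stats uploader needs it.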
@@ -34,13 +36,12 @@ jobs:
 python-version: ${{ env.PYTHON_VERSION }}
 - name: Verify version
- uses: home-assistant/actions/helpers/verify-version@master
+ uses: home-assistant/actions/helpers/verify-version@d56d093b9ab8d2105bc0cb6ee9bcc0ef4ec8b96d # master
 - name: Setup Node
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
 node-version-file: ".nvmrc"
- cache: yarn
 - name: Install dependencies
 run: yarn install
@@ -74,15 +75,17 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Generate requirements.txt
+ env:
+ GITHUB_REF: ${{ github.ref }}
 run: |
 # Sleep to give pypi time to populate the new version across mirrors
 sleep 240
- version=$(echo "${{ github.ref }}" | awk -F"/" '{print $NF}' )
+ version=$(echo "$GITHUB_REF" | awk -F"/" '{print $NF}' )
 echo "home-assistant-frontend==$version" > ./requirements.txt
 # home-assistant/wheels doesn't support SHA pinning
 - name: Build wheels
- uses: home-assistant/wheels@2025.12.0
+ uses: home-assistant/wheels@e5742a69d69f0e274e2689c998900c7d19652c21 # 2025.12.0
 with:
 abi: cp314
 tag: musllinux_1_2
@@ -99,11 +102,12 @@ jobs:
 steps:
 - name: Checkout the repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Setup Node
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
 node-version-file: ".nvmrc"
- cache: yarn
 - name: Install dependencies
 run: yarn install
 - name: Download Translations
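Review bot: The removal of `cache: yarn` in this hunk and again in the release.yaml hunk at `@@ -99,11 +102,12 @@` is not explained anywhere in the change. If the motivation is that the setup-node cache is shared across branches and a release build should not restore dependencies from a cache that other runs can populate, record that on the step, e.g. `# no dependency cache: release builds resolve from the lockfile, not from a cache other workflows can write`; otherwise the next maintainer will put it back for speed. The `# master` trailer on the new verify-version SHA tells a reader nothing about what the pin corresponds to; a date or the upstream commit subject next to the SHA would make it auditable without leaving the file.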
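Review bot: In the `@@ -74,15 +75,17 @@` hunk the new `env: GITHUB_REF: ${{ github.ref }}` entry shadows a variable the runner already exports to every step with that same value, so the block adds no isolation and may mislead a reader into thinking the value is custom; either drop the `env:` block and rely on the built-in `GITHUB_REF`, or use a distinct name such as `RELEASE_REF` so the deliberate injection is visible. The shell line can also shed the subprocess pipeline: `version="${GITHUB_REF##*/}"` yields the same last path component as the `echo | awk` form. Moving the expression out of the script body is the right fix for the injection concern; this is only about naming and idiom.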
@@ -113,7 +117,9 @@ jobs:
 - name: Build landing-page
 run: landing-page/script/build_landing_page
 - name: Tar folder
- run: tar -czf landing-page/home_assistant_frontend_landingpage-${{ github.event.release.tag_name }}.tar.gz -C landing-page/dist .
+ env:
+ TAG_NAME: ${{ github.event.release.tag_name }}
+ run: tar -czf "landing-page/home_assistant_frontend_landingpage-${TAG_NAME}.tar.gz" -C landing-page/dist .
 - name: Upload release asset
 uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
 with:
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 441f53ca68..9533d5abe0 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -5,6 +5,10 @@ on:
 schedule:
 - cron: "0 * * * *"
+permissions:
+ issues: write
+ pull-requests: write
+
 jobs:
 stale:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/translations.yaml b/.github/workflows/translations.yaml
index e2b3495157..96e664170e 100644
--- a/.github/workflows/translations.yaml
+++ b/.github/workflows/translations.yaml
@@ -8,6 +8,9 @@ on:
 paths:
 - src/translations/en.json
+permissions:
+ contents: read
+
 jobs:
 upload:
 name: Upload
@@ -15,6 +18,8 @@ jobs:
 steps:
 - name: Checkout the repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Upload Translations
 run: |