ci: address zizmor findings (#68)
Signed-off-by: William Woodruff <[email protected]>
woodruffw authored Nov 21, 2024
1 parent 5280430 commit b41665b
Showing 2 changed files with 18 additions and 13 deletions.
5 changes: 3 additions & 2 deletions .github/workflows/ci-build.yml
@@ -25,9 +25,10 @@ jobs:
run: sudo snap install dart-sass-embedded

- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
submodules: recursive
persist-credentials: false

- name: Install Node.js dependencies
run: "[[ -f package-lock.json || -f npm-shrinkwrap.json ]] && npm ci || true"
@@ -40,7 +41,7 @@ jobs:
run: hugo --minify

- name: Upload artifact
uses: actions/upload-pages-artifact@v1
uses: actions/upload-pages-artifact@v3
with:
path: ./public
retention-days: '5'
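Review bot: The two `uses:` lines touched here still reference mutable tags (`actions/checkout@v4`, `actions/upload-pages-artifact@v3`), so whatever the tag points to at run time is what executes, with no diff in this repository when it moves. Pinning to a full commit SHA with the tag kept as a comment, `uses: actions/checkout@<full-commit-sha> # v4`, makes each update an explicit, reviewable change; the same applies to every `uses:` line in `.github/workflows/hugo.yml`. Separately, the unchanged `Install Node.js dependencies` step in both files ends in `|| true`, which reports success even when `npm ci` itself fails; `if [[ -f package-lock.json || -f npm-shrinkwrap.json ]]; then npm ci; fi` keeps the skip-when-absent behaviour without hiding the failure. The `permissions:` block of this workflow is outside the visible hunks, so it is worth confirming it is as narrow as the one this commit sets in `hugo.yml`.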
26 changes: 15 additions & 11 deletions .github/workflows/hugo.yml
@@ -5,10 +5,7 @@ on:
branches: ["main"]
workflow_dispatch:

permissions:
contents: read
pages: write
id-token: write
permissions: {}

# Allow one concurrent deployment
concurrency:
@@ -24,24 +21,27 @@ jobs:
runs-on: ubuntu-latest
env:
HUGO_VERSION: 0.108.0
permissions:
contents: read

steps:
- name: Install Hugo CLI
run: |
wget -O ${{ runner.temp }}/hugo.deb https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_linux-amd64.deb \
&& sudo dpkg -i ${{ runner.temp }}/hugo.deb
wget -O "${RUNNER_TEMP}/hugo.deb" https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_linux-amd64.deb \
&& sudo dpkg -i "${RUNNER_TEMP}/hugo.deb"
- name: Install Dart Sass Embedded
run: sudo snap install dart-sass-embedded

- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
submodules: recursive
persist-credentials: false

- name: Setup Pages
id: pages
uses: actions/configure-pages@v2
uses: actions/configure-pages@v5

- name: Install Node.js dependencies
run: "[[ -f package-lock.json || -f npm-shrinkwrap.json ]] && npm ci || true"
@@ -51,13 +51,14 @@ jobs:
# For maximum backward compatibility with Hugo modules
HUGO_ENVIRONMENT: production
HUGO_ENV: production
BASE_URL: ${{ steps.pages.outputs.base_url }}
run: |
hugo \
--minify \
--baseURL "${{ steps.pages.outputs.base_url }}/"
--baseURL "${BASE_URL}/"
- name: Upload artifact
uses: actions/upload-pages-artifact@v1
uses: actions/upload-pages-artifact@v3
with:
path: ./public

@@ -68,8 +69,11 @@ jobs:
url: ${{ steps.deployment.outputs.page_url }}
runs-on: ubuntu-latest
needs: build
permissions:
pages: write
id-token: write

steps:
- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@v1
uses: actions/deploy-pages@v4
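Review bot: The `Install Hugo CLI` step installs the downloaded package as root (`sudo dpkg -i`) without checking it against a known digest, so the job trusts whatever the release URL returns at run time. Record the expected SHA-256 next to `HUGO_VERSION` (for example `HUGO_SHA256: '<sha256 of hugo_extended_0.108.0_linux-amd64.deb>'`, taken from the release's published checksums) and verify before installing: `echo "${HUGO_SHA256}  ${RUNNER_TEMP}/hugo.deb" | sha256sum -c -`. The download URL in the same command is still unquoted while the two `${RUNNER_TEMP}` paths now are quoted; quoting it too keeps the command consistent. `sudo snap install dart-sass-embedded` in the following step is likewise unpinned, which may be acceptable but should be a deliberate choice.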
