ci: Pin actions digests, remove unnecessary actions and add minimumReleaseAge (#7390)

ci: Pin actions digests and add minimumReleaseAge
This commit is contained in:
David Knaack
2026-04-30 20:39:15 +02:00
committed by GitHub
parent aac03c7e3e
commit c22100a678
9 changed files with 99 additions and 93 deletions
+18 -7
@@ -1,18 +1,18 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
// stripped-down config:base
":prHourlyLimit2",
":prConcurrentLimit10",
"group:monorepos",
"group:recommended",
"workarounds:all",
"replacements:all",
"config:best-practices",
"security:openssf-scorecard",
// automerge minor updates
":automergeMinor",
":automergeBranch"
],
"ignorePresets": [
":dependencyDashboard",
":semanticPrefixFixDepsChoreOthers"
],
"labels": ["📦 dependencies"],
"minimumReleaseAge": "4 days",
"semanticCommits": "enabled",
"semanticCommitType": "build",
"rangeStrategy": "bump",
@@ -50,6 +50,7 @@
"matchDatasources": ["crate"],
"matchPackagePrefixes": ["unicode"]
},
// Prevent too many PRs by grouping certain updates together and only updating them weekly
{
"groupName": "dprint plugins",
"matchPackagePrefixes": ["dprint"],
@@ -59,6 +60,11 @@
"groupName": "npm",
"matchDatasources": ["npm"],
"extends": ["schedule:weekly"]
},
// Avoid frequent updates due to pinned digest values in GitHub Actions
{
"matchDepTypes": ["action"],
"extends": ["schedule:weekly"]
}
],
// custom regex update managers
@@ -72,6 +78,11 @@
"fileMatch": ["^(workflow-templates|\\.github\\/workflows)\\/[^/]+\\.ya?ml$"],
"matchStrings": ["cargo install.*--version (?<currentValue>\\S+).*\\s(?<depName>\\S+)"],
"datasourceTemplate": "crate"
},
{
"fileMatch": ["^(workflow-templates|\\.github\\/workflows)\\/[^/]+\\.ya?ml$"],
"matchStrings": ["^\\s+tool: (?<depName>[\\w-]+)@(?<currentValue>[^\\s]+)"],
"datasourceTemplate": "crate"
}
]
}
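Review bot: The new `"minimumReleaseAge": "4 days"` entry carries no comment saying what it protects against, while the neighbouring presets in this file each get a `//` line. Suggest adding above it `// Delay adoption of fresh releases so a compromised or yanked version can be caught upstream before it lands here`. This wait presumably does not apply to Renovate's vulnerability-alert PRs, which by default ignore both the release-age wait and the schedule; worth confirming against the Renovate docs so that the weekly `"matchDepTypes": ["action"]` schedule added later in this file does not hold back a security fix longer than intended, and recording the outcome next to that rule.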
+1 -1
@@ -11,7 +11,7 @@ jobs:
# Prevent this workflow from running (and failing) on forks
if: github.repository == 'starship/starship'
steps:
- uses: starship/crowdin-pretranslate-action@v0.1.1
- uses: starship/crowdin-pretranslate-action@05f21625b1486f1b77d53002fed82c4609247712 # v0.1.1
with:
project_id: 372655
api_key: ${{ secrets.CROWDIN_API_TOKEN }}
+10 -8
@@ -12,9 +12,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Setup | Checkout
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Docs | Format
uses: dprint/check@v2.3
uses: dprint/check@9cb3a2b17a8e606d37aae341e49df3654933fc23 # v2.3
# Validate preset files
taplo:
@@ -22,9 +22,11 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Setup | Checkout
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Install | Taplo
run: cargo install --debug --locked --version 0.10.0 taplo-cli
uses: taiki-e/install-action@7a4939c09608b2a1986b484eca1d16fd0db8ebef # v2.75.5
with:
tool: taplo-cli@0.10.0
- name: Presets | Validate with schema
run: taplo lint --schema "file://${GITHUB_WORKSPACE}/.github/config-schema.json" docs/public/presets/toml/*.toml
@@ -35,11 +37,11 @@ jobs:
if: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.ref != 'i18n_master' }}
steps:
- name: Setup | Checkout
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
- name: Prevent File Change
uses: actions/github-script@v9
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
with:
script: |
const { execSync } = require('child_process');
@@ -62,10 +64,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Setup | Checkout
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Setup | Node
uses: actions/setup-node@v6
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
node-version: 24.15.0
cache: 'npm'
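Review bot: Replacing `cargo install --debug --locked --version 0.10.0 taplo-cli` with `taiki-e/install-action` changes where the taplo binary comes from: a locked build from crates.io source becomes a prebuilt binary fetched by the action, so the trust boundary moves to the action's manifest and the tool's release artifacts. The action digest is pinned, which fixes the manifest version in use, but the `tool: taplo-cli@0.10.0` line does not by itself pin the downloaded artifact; I believe install-action verifies downloads against checksums shipped in that manifest, which is worth confirming and recording, e.g. `# prebuilt binary; integrity is checked against install-action's bundled checksums` above the `with:` block. The taplo job body continues outside the hunk.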
+3 -3
@@ -13,7 +13,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Setup | Checkout
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Lint | Run shellcheck
run: shellcheck --severity=warning install/**/*.sh
@@ -23,7 +23,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Setup | Checkout
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Setup | Install shfmt
run: |
@@ -42,7 +42,7 @@ jobs:
runs-on: ${{ matrix.os }}
steps:
- name: Setup | Checkout
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Test | Piped execution with curl
run: |
+2 -2
@@ -7,10 +7,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Setup | Checkout
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Setup | Node
uses: actions/setup-node@v6
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
node-version: 24.15.0
cache: 'npm'
+27 -29
@@ -20,7 +20,7 @@ jobs:
release_created: ${{ steps.release.outputs.release_created }}
tag_name: ${{ steps.release.outputs.tag_name }}
steps:
- uses: googleapis/release-please-action@v5
- uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0
id: release
with:
token: ${{ secrets.GITHUB_TOKEN }}
@@ -92,13 +92,10 @@ jobs:
RUSTFLAGS: ${{ matrix.rustflags || '' }}
steps:
- name: Setup | Checkout
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Setup | Rust
uses: dtolnay/rust-toolchain@master
with:
toolchain: stable
target: ${{ matrix.target }}
run: rustup toolchain install stable --profile minimal --target ${{ matrix.target }} --no-self-update
- name: Setup | Install cargo-wix [Windows]
continue-on-error: true
@@ -110,7 +107,9 @@ jobs:
- name: Setup | Install cross [Linux]
if: matrix.os == 'ubuntu-latest'
uses: taiki-e/install-action@cross
uses: taiki-e/install-action@7a4939c09608b2a1986b484eca1d16fd0db8ebef # v2.75.5
with:
tool: cross@0.2.5
- name: Build | Build [Cargo]
if: matrix.os != 'ubuntu-latest'
@@ -132,7 +131,7 @@ jobs:
continue-on-error: true
if: matrix.os == 'windows-latest'
id: unsigned-artifacts
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: unsigned-${{ matrix.name }}
path: |
@@ -142,7 +141,7 @@ jobs:
- name: Sign | Sign [Windows]
continue-on-error: true
if: matrix.os == 'windows-latest'
uses: signpath/github-action-submit-signing-request@v2
uses: signpath/github-action-submit-signing-request@bc66d86b015a46e9c6d9700de73143a82f9570ff # v2.1
with:
api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
organization-id: '${{ vars.SIGNPATH_ORGANIZATION_ID }}'
@@ -167,7 +166,7 @@ jobs:
cd -
- name: Release | Upload artifacts
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: ${{ matrix.name }}
path: ${{ matrix.name }}
@@ -175,7 +174,7 @@ jobs:
- name: Release | Upload installer artifacts [Windows]
continue-on-error: true
if: matrix.os == 'windows-latest'
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: starship-${{ matrix.target }}.msi
path: target/${{ matrix.target }}/release/starship-${{ matrix.target }}.msi
@@ -205,7 +204,7 @@ jobs:
STARSHIP_VERSION: ${{ needs.release_please.outputs.tag_name }}
steps:
- name: Checkout repository
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
# Required to include the recently merged Crowdin PR
ref: master
@@ -242,7 +241,7 @@ jobs:
xcrun notarytool store-credentials "$KEYCHAIN_ENTRY" --team-id "$APPLEID_TEAMID" --apple-id "$APPLEID_USERNAME" --password "$APPLEID_PASSWORD" --keychain "$KEYCHAIN_PATH"
- name: Setup | Node
uses: actions/setup-node@v6
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
node-version: 24.15.0
@@ -253,7 +252,7 @@ jobs:
npm run build
- name: Notarize | Download artifacts
uses: actions/download-artifact@v8
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: ${{ matrix.name }}
path: artifacts
@@ -265,7 +264,7 @@ jobs:
run: bash install/macos_packages/build_and_notarize.sh starship docs ${{ matrix.arch }} ${{ matrix.pkgname }}
- name: Notarize | Upload Notarized Flat Installer
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: ${{ matrix.pkgname }}
path: ${{ matrix.pkgname }}
@@ -274,7 +273,7 @@ jobs:
run: tar czvf ${{ matrix.name }} starship
- name: Notarize | Upload Notarized Binary
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: ${{ matrix.name }}
path: ${{ matrix.name }}
@@ -293,7 +292,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Setup | Artifacts
uses: actions/download-artifact@v8
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
- name: Setup | Checksums
run: for file in starship-*/starship-*; do openssl dgst -sha256 -r "$file" | awk '{print $1}' > "${file}.sha256"; done
@@ -304,10 +303,9 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Build | Add Artifacts to Release
uses: softprops/action-gh-release@v3
with:
files: starship-*/starship-*
tag_name: ${{ needs.release_please.outputs.tag_name }}
run: gh release upload ${{ needs.release_please.outputs.tag_name }} starship-*/starship-* --repo starship/starship
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# Publish starship to Crates.io
cargo_publish:
@@ -319,13 +317,13 @@ jobs:
id-token: write
steps:
- name: Setup | Checkout
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Setup | Rust
uses: dtolnay/rust-toolchain@stable
run: rustup toolchain install stable --profile minimal --no-self-update
- name: Build | Authenticate
uses: rust-lang/crates-io-auth-action@v1
uses: rust-lang/crates-io-auth-action@b7e9a28eded4986ec6b1fa40eeee8f8f165559ec # v1.0.3
id: auth
- name: Build | Publish
@@ -337,7 +335,7 @@ jobs:
needs: [release_please, upload_artifacts]
if: ${{ needs.release_please.outputs.release_created == 'true' }}
steps:
- uses: mislav/bump-homebrew-formula-action@v4.1
- uses: mislav/bump-homebrew-formula-action@ccf2332299a883f6af50a1d2d41e5df7904dd769 # v4.1
with:
formula-name: starship
tag-name: ${{ needs.release_please.outputs.tag_name }}
@@ -377,9 +375,9 @@ jobs:
if: ${{ needs.release_please.outputs.release_created == 'true' }}
steps:
- name: Setup | Checkout
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Setup | Artifacts
uses: actions/download-artifact@v8
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
- run: pwsh ./install/windows/choco/update.ps1
env:
STARSHIP_VERSION: ${{ needs.release_please.outputs.tag_name }}
@@ -393,7 +391,7 @@ jobs:
continue-on-error: true
steps:
- name: Setup | Checkout
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Merge | Merge Crowdin PR
run: gh pr merge i18n_master --squash --repo=starship/starship
env:
@@ -405,7 +403,7 @@ jobs:
needs: merge_crowdin_pr
steps:
- name: Setup | Checkout
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Trigger workflow dispatch
run: gh workflow run publish-docs.yml
env:
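Review bot: `gh release upload` refuses to overwrite an asset that already exists on the release, so re-running the job after a partial upload fails where `softprops/action-gh-release@v3` presumably overwrote; if re-runs are expected, add `--clobber` to the new `run:` line in the `@@ -304,10 +303,9 @@` hunk. The tag name is also spliced unquoted into the shell command; a release-please tag is not user-controlled, but routing it through `env` keeps the command free of expression interpolation: `run: gh release upload "$TAG_NAME" starship-*/starship-* --repo starship/starship` with `TAG_NAME: ${{ needs.release_please.outputs.tag_name }}` added under the existing `env:`. The same pattern appears in the earlier `rustup toolchain install stable --profile minimal --target ${{ matrix.target }} --no-self-update` line, where the matrix values are defined in the workflow itself and the exposure is likewise low.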
+2 -2
@@ -22,8 +22,8 @@ jobs:
steps:
- name: Setup | Checkout
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Test | Security Audit
uses: EmbarkStudios/cargo-deny-action@v2.0.17
uses: EmbarkStudios/cargo-deny-action@91bf2b620e09e18d6eb78b92e7861937469acedb # v2.0.17
with:
command: check ${{ matrix.checks }}
+2 -2
@@ -6,5 +6,5 @@ jobs:
name: Spell Check with Typos
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: crate-ci/typos@v1.45.2
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: crate-ci/typos@7c572958218557a3272c2d6719629443b5cc26fd # v1.45.2
+34 -39
@@ -24,12 +24,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Setup | Checkout
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Setup | Rust
uses: dtolnay/rust-toolchain@stable
with:
components: rustfmt
run: rustup toolchain install stable --profile minimal --component rustfmt --no-self-update
- name: Build | Format
run: cargo fmt --all -- --check
@@ -43,18 +41,16 @@ jobs:
runs-on: ${{ matrix.os }}
steps:
- name: Setup | Checkout
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Setup | Rust
uses: dtolnay/rust-toolchain@stable
with:
components: clippy
run: rustup toolchain install stable --profile minimal --component clippy --no-self-update
- name: Setup | Cache
uses: Swatinem/rust-cache@v2
uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
- name: Build | Lint
uses: giraffate/clippy-action@94e9bd8deab2618756ec5380f12eb35bcb0a88ca
run: cargo clippy --workspace --locked -- -D warnings
# Ensure that the project could be successfully compiled
cargo_check:
@@ -62,13 +58,13 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Setup | Checkout
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Setup | Rust
uses: dtolnay/rust-toolchain@stable
run: rustup toolchain install stable --profile minimal --no-self-update
- name: Setup | Cache
uses: Swatinem/rust-cache@v2
uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
- name: Build | Check
run: cargo check --workspace --locked
@@ -80,13 +76,13 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Setup | Checkout
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Setup | Rust
uses: dtolnay/rust-toolchain@stable
run: rustup toolchain install stable --profile minimal --no-self-update
- name: Setup | Cache
uses: Swatinem/rust-cache@v2
uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
- name: Build | Check
run: cargo check --workspace --locked --no-default-features
@@ -98,13 +94,13 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Setup | Checkout
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Setup | Rust
uses: dtolnay/rust-toolchain@stable
run: rustup toolchain install stable --profile minimal --no-self-update
- name: Setup | Cache
uses: Swatinem/rust-cache@v2
uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
- name: Build | Check
run: cargo check --workspace --locked --all-features
@@ -115,28 +111,26 @@ jobs:
needs: cargo_check
runs-on: ubuntu-latest
permissions:
checks: write
contents: read
pull-requests: write
steps:
- name: Setup | Checkout
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Setup | Rust
uses: dtolnay/rust-toolchain@stable
run: rustup toolchain install stable --profile minimal --no-self-update
- name: Setup | Cache
uses: Swatinem/rust-cache@v2
uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
- name: Run | Generate Schema
run: cargo run --locked --features config-schema -- config-schema > .github/config-schema.json
- name: Check | Detect Changes
uses: reviewdog/action-suggester@v1.24.0
with:
tool_name: starship config-schema
filter_mode: nofilter
fail_on_error: 'true'
run: |
if ! git diff --exit-code .github/config-schema.json; then
echo "::error file=.github/config-schema.json::config-schema.json is out of date. Run 'cargo run --features config-schema -- config-schema > .github/config-schema.json' and commit the result."
exit 1
fi
# Run tests on Linux, macOS, and Windows
# On both Rust stable and Rust nightly
@@ -156,20 +150,21 @@ jobs:
RUSTFLAGS: ${{ matrix.rustflags || '' }}
steps:
- name: Setup | Checkout
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
# Install all the required dependencies for testing
- name: Setup | Rust
uses: dtolnay/rust-toolchain@master
with:
toolchain: ${{ matrix.rust }}
components: llvm-tools-preview
run: |
rustup toolchain install ${{ matrix.rust }} --profile minimal --component llvm-tools-preview --no-self-update
rustup default ${{ matrix.rust }}
- name: Setup | Cache
uses: Swatinem/rust-cache@v2
uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
- name: Install cargo-llvm-cov
uses: taiki-e/install-action@cargo-llvm-cov
uses: taiki-e/install-action@7a4939c09608b2a1986b484eca1d16fd0db8ebef # v2.75.5
with:
tool: cargo-llvm-cov@0.8.5
# For windows installer test
# On stable rust & main repo pushes only
@@ -228,7 +223,7 @@ jobs:
STARSHIP_VERSION: v1.2.3
- name: Sign | Upload Executable [Windows]
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
continue-on-error: true
id: unsigned-artifacts
if: matrix.os == 'windows-latest' && matrix.rust == 'stable' && github.event_name == 'push' && github.repository == 'starship/starship'
@@ -239,7 +234,7 @@ jobs:
target/debug/starship-x86_64-pc-windows-msvc.msi
- name: Sign | Sign [Windows]
uses: signpath/github-action-submit-signing-request@v2
uses: signpath/github-action-submit-signing-request@bc66d86b015a46e9c6d9700de73143a82f9570ff # v2.1
continue-on-error: true
if: matrix.os == 'windows-latest' && matrix.rust == 'stable' && github.event_name == 'push' && github.repository == 'starship/starship'
with:
@@ -252,7 +247,7 @@ jobs:
output-artifact-directory: target/debug
- name: Upload coverage to Codecov
uses: codecov/codecov-action@v6
uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
if: github.repository == 'starship/starship'
with:
token: ${{ secrets.CODECOV_TOKEN }}
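Review bot: The config-schema job (hunk `@@ -115,28 +111,26 @@`) still declares `checks: write` and `pull-requests: write`, but after `reviewdog/action-suggester` was replaced by the `git diff --exit-code` check none of the remaining steps creates check runs or posts to the PR, so the job token is over-privileged; reduce the block to `permissions:` followed by `  contents: read`. The job header is outside the hunk, so confirm no other step of that job was left unseen. The `${{ matrix.rust }}` interpolated into the new `rustup toolchain install` run line is workflow-defined matrix data rather than user input, which is fine, but a one-line comment such as `# matrix.rust comes from this workflow's matrix, not from event data` above the `run: |` would save the next reviewer the check. The `Swatinem/rust-cache` pins carry only `# v2` as their tag comment; recording the exact release tag for that digest, if one exists, makes the next Renovate bump reviewable.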