mirror of
https://github.com/actualbudget/actual.git
synced 2026-05-22 12:12:11 -05:00
* [AI] Run setup once per workflow and fan out via needs

  Add a prep `setup` job at the top of `check.yml` and `build.yml`, and make every other job in those workflows declare `needs: setup`.

  The composite action in `.github/actions/setup` caches `node_modules` keyed on `yarn.lock`. When that hash changes (dep-bump PRs, master after a merge), the cache is cold and every fan-out job races to run `yarn --immutable` in parallel — one wins the cache save, the rest do redundant work. Serialising through a single `setup` job warms the cache once so downstream jobs restore instantly and skip yarn install via the existing `if: steps.cache.outputs.cache-hit != 'true'` guard.

  No changes to the composite action or cache keys. `e2e-test.yml` is intentionally left alone.

* [AI] Harden setup jobs and add release note

  Address zizmor code-scanning findings on the new `setup` jobs added in the previous commit:

  - Scope `permissions: contents: read` so the job no longer inherits workflow-default write permissions.
  - Pass `persist-credentials: false` to `actions/checkout` so the GitHub token isn't left on disk for later steps that don't need it.

  Add `upcoming-release-notes/7551.md` to satisfy the release-notes PR check.

* [AI] Disable credential persistence on build.yml checkouts

  Each of `api`, `crdt`, `web`, `cli`, `server` in build.yml does `actions/checkout` (which writes the GitHub token into `.git/config`) and then uploads build artifacts in the same job. Zizmor flags this as "credential persistence through GitHub Actions artifacts" because a misconfigured upload path could capture `.git/config` and leak the token. None of these jobs push or write to git, so drop the credential persistence via `persist-credentials: false` on the checkout.

* [AI] Disable credential persistence on check.yml checkouts

  None of the jobs in check.yml (`constraints`, `lint`, `typecheck`, `validate-cli`, `test`, `migrations`) push or write to git, so pass `persist-credentials: false` to their `actions/checkout` calls to resolve the zizmor "credential persistence" finding. Mirrors the fix just applied to build.yml.

---------

Co-authored-by: Claude <noreply@anthropic.com>
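The workflow shape the commit message describes, as an added illustration rather than the repository's actual `check.yml`: one `setup` job warms the `node_modules` cache, every other job declares `needs: setup`, and each job is pinned to `contents: read` with `persist-credentials: false` on its checkout. The job names beyond those the message lists, the `actions/checkout@v4` pin, the `yarn run lint` command and the sketch of the composite action's cache guard are assumptions, not taken from the project.

```yaml
# Added illustration, not the project's own check.yml. Job names other than
# those the commit lists, the checkout pin, the yarn command and the sketch of
# the composite action at the bottom are assumptions.
name: check

on:
  pull_request:
  push:
    branches: [master]

# Workflow-level default: read-only unless a job explicitly asks for more.
permissions:
  contents: read

jobs:
  # BEFORE (the shape zizmor flagged): no shared setup job, so every job fans
  # out at once and races to populate a cold cache, and each checkout keeps the
  # default persist-credentials: true, which leaves the GITHUB_TOKEN in
  # .git/config for every later step (and anything that archives the tree).
  #
  #   lint:
  #     runs-on: ubuntu-latest
  #     steps:
  #       - uses: actions/checkout@v4
  #       - uses: ./.github/actions/setup
  #       - run: yarn run lint

  # AFTER: a single prep job restores or saves the cache once per run.
  setup:
    runs-on: ubuntu-latest
    permissions:
      contents: read                 # explicit: no inherited write scopes
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false # token is not written to .git/config
      - uses: ./.github/actions/setup
        # composite action: caches node_modules keyed on yarn.lock

  lint:
    needs: setup                     # waits for the warm cache instead of racing for it
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: ./.github/actions/setup
        # cache-hit here, so the composite action skips yarn install
      - run: yarn run lint           # placeholder command (assumption)

  typecheck:
    needs: setup
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: ./.github/actions/setup
      - run: yarn run typecheck      # placeholder command (assumption)

# Sketch of the guard inside .github/actions/setup that the message relies on
# (the real composite action is not shown on this page; this is an assumption
# of how a yarn.lock-keyed cache with a cache-hit guard is typically wired):
#
#   runs:
#     using: composite
#     steps:
#       - id: cache
#         uses: actions/cache@v4
#         with:
#           path: node_modules
#           key: node-modules-${{ hashFiles('yarn.lock') }}
#       - if: steps.cache.outputs.cache-hit != 'true'
#         run: yarn --immutable
#         shell: bash
```

Two things worth checking when applying this pattern to your own workflows: `persist-credentials: false` only removes the token that `actions/checkout` would otherwise store, so any job that genuinely needs to push (a release tagger, for example) must still obtain credentials deliberately and narrowly rather than by inheriting them; and `needs: setup` adds the setup job's wall-clock time to every downstream job, which is the price paid for a single warm cache instead of N parallel `yarn --immutable` runs on a cold key.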