21 Commits

Author SHA1 Message Date
neilnaveen
83ecc3f46c
chore: Set permissions for GitHub actions
Restrict the GitHub token permissions only to the required ones; this way, even if attackers succeed in compromising your workflow, they won’t be able to do much.

- Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

[Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)

Signed-off-by: neilnaveen <42328488+neilnaveen@users.noreply.github.com>
2022-06-25 15:32:33 +02:00
Tim van der Meij
8403bafbfc
Merge pull request #15100 from turrisxyz/Dependabot-GitHub-Actions
chore: Included githubactions in the dependabot config
2022-06-25 15:18:11 +02:00
naveen
12c76d35a5 chore: Included githubactions in the dependabot config
This should help with keeping the GitHub actions updated on new releases. This will also help with keeping it secure.

Dependabot helps in keeping the supply chain secure https://docs.github.com/en/code-security/dependabot

GitHub actions up to date https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot

https://github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool
Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
2022-06-25 01:30:04 +00:00
Jonas Jenwald
6371a7605d Force-install npm packages to try and fix the repeated GitHub Action failures 2022-06-09 15:10:58 +02:00
Tim van der Meij
349fc51f2c
Update GitHub Actions workflow steps to the most recent versions 2022-04-02 16:21:43 +02:00
tiziodcaio
1a380b5736
Update Checkout to version 3
Uses node 16 as default
2022-03-11 14:35:06 +01:00
Tim van der Meij
4269148d3d
Upgrade Node.js to version 16 in the CI workflow
Version 14 that we used before is now in maintenance mode, so we should
upgrade to the most recent LTS version.

Moreover, use the most recent `setup-node` workflow version and syntax;
see https://github.com/actions/setup-node#usage.
2021-12-11 15:50:23 +01:00
Jonas Jenwald
d67d48486c Remove the npm test-command
This command was added all the way back when basic CI-support was first introduced (using Travis at the time), however it's never really intended to be used e.g. for local development.
By having a `npm test`-command listed in the `package.json` file, there's a very real risk that someone unfamiliar with the code-base would only run that one and thus miss all the other (more important) test-suites[1].

Hence this patch which removes the `npm test`-command, and instead simply calls the relevant gulp-task[2] directly in the GitHub Actions configuration.

---
[1] Which consist of the unit-tests (run in browsers), the font-tests (potentially), the reference-tests, and the integration-tests.

[2] Which is also renamed slightly, to better fit its current usage.
2021-08-27 16:29:55 +02:00
Tim van der Meij
574fed2bdf
Improve the code analysis workflow with quality checks
This allows us to get the quality checks that LGTM does into GitHub
Advanced Security. Since it not only runs security checks anymore, the
workflow is also renamed to CodeQL to make this more explicit (and this
matches the documentation better).
2021-07-31 15:33:07 +02:00
Tim van der Meij
5a08d62e76
Improve the CI workflow YAML file
This makes it consistent with the GitHub Advanced Security file and,
more importantly, ensures that all steps have a proper name for better
visibility.
2021-07-31 13:33:14 +02:00
Mathew Payne
4774858d3c
Introduce the GitHub Advanced Security workflow
This can help to find security problems sooner.
2021-07-31 13:32:22 +02:00
Tim van der Meij
dd190a59b9
Switch from Travis CI to GitHub Actions 2020-12-19 22:01:58 +01:00
Brendan Dahl
594a8dfac4 Update links from IRC to Matrix.
Mozilla's IRC is going away and we're migrating to Matrix/Riot.
2020-02-27 16:26:17 -08:00
Jonas Jenwald
8d781b28d7 Attempt to clarify the l10n section of CONTRIBUTING.md
The existing wording is perhaps not as clear as it could be, with regards to how the translations are actually managed.
2019-04-10 11:33:25 +02:00
Jonas Jenwald
40466a85e0 Attempt to clarify the meaning of "extension" in the ISSUE_TEMPLATE
Based on a number of opened issues, it seems that the "Is an extension" field might be causing some confusion as to its meaning. Without providing too much detail, I'm still thinking that we could attempt to clarify that it's referring to either of the *browser* extensions.
2017-10-21 11:32:03 +02:00
Brendan Dahl
5ad945f462 Learning to spell. 2017-10-13 10:04:51 -07:00
Brendan Dahl
bc396efb54 Recommend attaching pdfs instead of links. 2017-10-05 11:29:56 -07:00
Jonas Jenwald
044a115d6e Change the importl10n script to use the Nightly channel
It seems that PR 8323 unfortunately didn't pick the right channel for pulling translations from, according to the information in:
 - https://groups.google.com/forum/#!topic/mozilla.dev.l10n/vzmbHLPo3rg
 - https://github.com/mozilla-l10n/localizer-documentation/blob/master/misc/aurora_faqs.md

My apologies for the unnecessary churn in this code!
2017-05-18 12:35:05 +02:00
Jonas Jenwald
57cd52303a Change the importl10n script to use the Beta channel, since Aurora is being removed
Since the Aurora channel is being removed, and is no longer going to be receiving updates (with the possible exception of security bugs), we need to change the target for the `gulp importl10n` command.

For more information, please refer to:
 - https://groups.google.com/forum/#!topic/firefox-dev/q4Eb5nEcfSg
 - https://hacks.mozilla.org/2017/04/simplifying-firefox-release-channels/
 - https://mozilla.github.io/process-releases/draft/development_overview/
 - http://release.mozilla.org/firefox/release/2017/04/17/Dawn-Project-FAQ.html
2017-04-22 16:24:52 +02:00
Jonas Jenwald
b0fbfc85f0 [CONTRIBUTING.md] Remove any mention of the mailing list, and the weekly meetings
Given that the mailing list has now been closed, see [bug 1340296](https://bugzilla.mozilla.org/show_bug.cgi?id=1340296), and that there's no weekly meetings any more, we probably shouldn't mention either of those in CONTRIBUTING.md.
Instead, let's just suggest the IRC channel as a means of communication here.
2017-02-28 12:12:57 +01:00
fkaelberer
4eb9daf34a Add an ISSUE_TEMPLATE 2016-03-23 22:48:14 +01:00