htmlhint · coliff · Sep 15, 2025 · Sep 15, 2025
@@ -10,6 +10,7 @@
     "htmlhintrc",
     "mylang",
     "nvmrc",
+    "ossf",
     "rollup",
     "ruleset",
     "sarif",

@@ -5,3 +5,10 @@
 - All code is formatted with Prettier.
 - All code and comments are in US English.
 - We use TypeScript v5.5.4.
+
+## GitHub Actions
+
+- The GitHub Actions workflows should be placed in the .github/workflows directory.
+- The workflows should be named <workflow-name>.yml.
+- All GitHub Actions should be pinned versions to avoid breaking changes (SHA-1).
+- If using actions/checkout, it should have persist-credentials: false set.
@@ -32,7 +32,7 @@ jobs:
           persist-credentials: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@d3678e237b9c32a6c9bffb3315c335f976f3549f # v3.30.2
+        uses: github/codeql-action/init@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3
         with:
           languages: ${{ matrix.language }}
           queries: +security-and-quality
@@ -41,9 +41,9 @@ jobs:
               - test/*
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@d3678e237b9c32a6c9bffb3315c335f976f3549f # v3.30.2
+        uses: github/codeql-action/autobuild@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@d3678e237b9c32a6c9bffb3315c335f976f3549f # v3.30.2
+        uses: github/codeql-action/analyze@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3
         with:
           category: "/language:${{matrix.language}}"
@@ -0,0 +1,43 @@
+name: Scorecard supply-chain security
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: "27 12 * * 2"
+  push:
+    branches: ["main"]
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
+    permissions:
+      security-events: write
+      id-token: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3
+        with:
+          sarif_file: results.sarif
@@ -28,12 +28,12 @@ jobs:
       - run: npm run package
 
       - name: Publish to Open VSX Registry
-        uses: HaaLeo/publish-vscode-extension@v2
+        uses: HaaLeo/publish-vscode-extension@ca5561daa085dee804bf9f37fe0165785a9b14db # v2.0.0
         with:
           pat: ${{ secrets.OPEN_VSX_TOKEN }}
 
       - name: Publish to Visual Studio Marketplace
-        uses: HaaLeo/publish-vscode-extension@v2
+        uses: HaaLeo/publish-vscode-extension@ca5561daa085dee804bf9f37fe0165785a9b14db # v2.0.0
         with:
           pat: ${{ secrets.VS_MARKETPLACE_TOKEN }}
           registryUrl: https://marketplace.visualstudio.com
@@ -36,7 +36,6 @@ jobs:
           SUPPRESS_POSSUM: true
           VALIDATE_ALL_CODEBASE: false
           VALIDATE_EDITORCONFIG: false
-          VALIDATE_GITHUB_ACTIONS_ZIZMOR: false
           VALIDATE_HTML: false
           VALIDATE_HTML_PRETTIER: false
           VALIDATE_JSCPD: false

@@ -8,7 +8,7 @@
     "watch": "tsc --watch -p ./src"
   },
   "dependencies": {
-    "htmlhint": "^1.6.3",
+    "htmlhint": "^1.7.0",
     "strip-json-comments": "3.1.1",
     "vscode-languageserver": "^9.0.1",
     "vscode-languageserver-textdocument": "^1.0.12",

@@ -87,7 +87,7 @@
     "vscode:prepublish": "npm run compile && npm run bundle-dependencies",
     "compile": "tsc -p ./",
     "watch": "tsc -watch -p ./",
-    "bundle-dependencies": "npm install --no-package-lock --no-save --no-fund htmlhint@1.6.3 strip-json-comments@3.1.1 vscode-languageserver@9.0.1 vscode-languageserver-textdocument@1.0.12 vscode-uri@3.1.0 ignore@7.0.5",
+    "bundle-dependencies": "npm install --no-package-lock --no-save --no-fund htmlhint@1.7.0 strip-json-comments@3.1.1 vscode-languageserver@9.0.1 vscode-languageserver-textdocument@1.0.12 vscode-uri@3.1.0 ignore@7.0.5",
     "package": "vsce package"
   },
   "devDependencies": {
@@ -97,7 +97,7 @@
     "vscode-test": "^1.6.1"
   },
   "dependencies": {
-    "htmlhint": "1.6.3",
+    "htmlhint": "1.7.0",
     "ignore": "^7.0.5",
     "strip-json-comments": "3.1.1",
     "vscode-languageclient": "9.0.1",

@@ -49,6 +49,6 @@
     "node": ">= 22"
   },
   "volta": {
-    "node": "22.16.0"
+    "node": "22.19.0"
   }
 }