moneyhub · MH-Fergus · Mar 27, 2026 · Mar 27, 2026 · Mar 27, 2026 · Mar 27, 2026
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -4,6 +4,7 @@ on:
   pull_request:
   push:
     branches:
+      - main
   schedule:
     - cron: '0 10 * * *'
 
@@ -12,10 +13,15 @@ jobs:
     name: npm audit
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
       - name: install dependencies
         run: npm ci
-      - uses: oke-py/npm-audit-action@v2.3.0
+
+      - uses: oke-py/npm-audit-action@c2ee44bdb97ee28fe9f41d78779ee0127b687778 # v2.3.0
         with:
           audit_level: moderate
           production_flag: true

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -32,32 +32,58 @@ permissions:
 jobs:
   publish:
     name: Test, Build and publish
-    runs-on: linux-x64-static-ip-2core-8gb
+    runs-on: ubuntu-latest
     # Single run per release: npm allows one publish per version. A matrix over
     # environments would run publish multiple times and the second job would fail.
     # Optional: add `environment: npm` (or another single environment) for approval
     # gates — see header comments.
     steps:
-      - name: Checkout and Setup
-        uses: moneyhub/checkout-and-setup@v1
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          quay-io-username: ${{ secrets.QUAY_IO_USERNAME }}
-          quay-io-password: ${{ secrets.QUAY_IO_PASSWORD }}
-          npm-token: ${{ secrets.NPM_TOKEN }}
-          # Trusted publishing (OIDC) requires Node 22.14.0+ and npm 11.5.1+ per npm docs.
-          # npm-token is still used for registry auth during install (e.g. private scopes);
-          # use a read-only granular token where possible — publish uses OIDC when available.
+          persist-credentials: false
+          fetch-depth: 0
+
+      - name: Set up Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          registry-url: "https://registry.npmjs.org"
           node-version: "22.22"
+
       - name: Ensure npm supports OIDC trusted publishing
         run: npm install -g npm@^11.5.1
-      - name: Run and Report Unit Tests
-        uses: moneyhub/run-and-report-tests@v1
+
+      - name: Install Dependencies
+        shell: bash
+        run: npm ci --ignore-scripts
+
+      - name: Audit npm signatures
+        shell: bash
+        run: npm audit signatures
+
+      - name: Run install scripts
+        shell: bash
+        run: npm rebuild && npm run prepare --if-present
+
+      - name: Run Tests
+        shell: bash
+        run: npm run test-ci
+        env:
+          NODE_CONFIG: ${{ secrets.TEST_CONFIG }}
+
+      - name: Tests Report
+        if: success() || failure()
+        uses: mikepenz/action-junit-report@db71d41eb79864e25ab0337e395c352e84523afe # v4.3.1
         with:
-          test-script: test-ci
-          report-path: test-reports/report.xml
-          name: Integration
+          report_paths: test-reports/report.xml
+          fail_on_failure: true
+          detailed_summary: true
+          check_name: Test Report
+          require_tests: true
+          require_passed_tests: false
         env:
           NODE_CONFIG: ${{ secrets.TEST_CONFIG }}
+
       # Publish auth: npm 11.5.1+ exchanges GitHub's OIDC token (id-token: write) for a
       # short-lived publish token when trusted publishing is configured. No NODE_AUTH_TOKEN
       # is required for publish. Provenance is automatic for trusted publishing from GitHub

diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -0,0 +1,32 @@
+name: Moneyhub - Github Actions Security with zizmor 🌈
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: Run zizmor 🌈
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Install the latest version of uv
+        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
+
+      - name: Run zizmor 🌈
+        shell: bash
+        run: uvx zizmor .
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}