CI: Check workflows and actions with zizmor #1679

Open · wants to merge 3 commits into base: main
9 changes: 7 additions & 2 deletions .github/actions/prepare/action.yml
@@ -20,7 +20,10 @@ runs:
shell: bash
run: echo "feature=test-dependencies" >> $GITHUB_OUTPUT
if: inputs.test-dependencies == 'true'
- name: Prepare feature flags

# `steps.test.outputs.feature` cannot expand into attacker-controllable code
# because the previous step only enables it to have one of two fixed values.
- name: Prepare feature flags # zizmor: ignore[template-injection]
id: prepare
shell: bash
run: >
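Review bot: the `# zizmor: ignore[template-injection]` annotation silences the audit for the whole `Prepare feature flags` step, not just for `steps.test.outputs.feature`, so any `${{ inputs.* }}` reintroduced into this step's `run:` later would also go unreported. The justification comment holds today (the `test` step only ever writes the literal `feature=test-dependencies` or nothing, depending on `inputs.test-dependencies == 'true'`), but extend it to say that the ignore is step-wide so the next person editing `run:` knows the guard is gone for this step.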
@@ -34,6 +37,8 @@ runs:
unstable
unstable-serialization
unstable-spanning-tree
${{ inputs.extra-features }}
${EXTRA_FEATURES}
${{ steps.test.outputs.feature }}
'" >> $GITHUB_OUTPUT
env:
EXTRA_FEATURES: ${{ inputs.extra-features }}
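Review bot: moving `inputs.extra-features` into `env.EXTRA_FEATURES` is the right fix, since bash now reads the value at run time instead of having it pasted into the script before parsing, but `${EXTRA_FEATURES}` still lands inside the string written to `$GITHUB_OUTPUT` that is closed by `'"` on the following line. A `'` in the input would terminate that inner single-quoted feature list early for whatever consumes the output, so either document that `extra-features` must be a plain space-separated list or reject values containing quotes before this step. Minor: `$GITHUB_OUTPUT` is unquoted on both `>>` redirections; `"$GITHUB_OUTPUT"` is the usual form.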
12 changes: 10 additions & 2 deletions .github/workflows/audits.yml
@@ -14,9 +14,13 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: dtolnay/rust-toolchain@stable
id: toolchain
- run: rustup override set ${{steps.toolchain.outputs.name}}
- run: rustup override set "${TOOLCHAIN}"
env:
TOOLCHAIN: ${{steps.toolchain.outputs.name}}
- run: cargo install cargo-vet --version ~0.10
- run: cargo vet --locked

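Review bot: `persist-credentials: false` and the `TOOLCHAIN` env indirection are fine, but this hunk still references `actions/checkout@v4` and `dtolnay/rust-toolchain@stable` by mutable tag while the new `zizmor.yml` in this same PR pins every action to a commit SHA with a `# vN` comment. `stable` in particular is a floating ref the action maintainer can retarget at any time; pin these (and the other `@v4` / `@stable` / `@nightly` / `@beta` uses in `book.yml` and `ci.yml`) the same way, otherwise zizmor's `unpinned-uses` audit is likely to be the next thing this workflow reports.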
@@ -25,6 +29,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: EmbarkStudios/cargo-deny-action@v2
with:
command: check licenses
@@ -39,4 +45,6 @@ jobs:
steps:
- name: Determine whether all required-pass steps succeeded
run: |
echo '${{ toJSON(needs) }}' | jq -e '[ .[] | .result == "success" ] | all'
echo "${NEEDS}" | jq -e '[ .[] | .result == "success" ] | all'
env:
NEEDS: ${{ toJSON(needs) }}
6 changes: 5 additions & 1 deletion .github/workflows/book.yml
@@ -10,11 +10,15 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- id: prepare
uses: ./.github/actions/prepare
- uses: dtolnay/rust-toolchain@nightly
id: toolchain
- run: rustup override set ${{steps.toolchain.outputs.name}}
- run: rustup override set "${TOOLCHAIN}"
env:
TOOLCHAIN: ${{steps.toolchain.outputs.name}}

- name: Build latest rustdocs
run: >
41 changes: 38 additions & 3 deletions .github/workflows/ci.yml
@@ -35,6 +35,8 @@ jobs:

steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- id: prepare
uses: ./.github/actions/prepare
with:
@@ -92,6 +94,8 @@ jobs:

steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- id: prepare
uses: ./.github/actions/prepare
with:
@@ -141,6 +145,8 @@ jobs:

steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- id: prepare
uses: ./.github/actions/prepare
with:
@@ -194,6 +200,8 @@ jobs:

steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- id: prepare
uses: ./.github/actions/prepare
with:
@@ -225,6 +233,8 @@ jobs:
os: [ubuntu-latest, windows-latest, macOS-latest]
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- id: prepare
uses: ./.github/actions/prepare
- uses: actions/cache@v4
@@ -238,7 +248,10 @@ jobs:
key: ${{ runner.os }}-cargo-latest
- uses: dtolnay/rust-toolchain@stable
id: toolchain
- run: rustup override set ${{steps.toolchain.outputs.name}}
- run: rustup override set "${TOOLCHAIN}"
shell: sh
env:
TOOLCHAIN: ${{steps.toolchain.outputs.name}}
- name: Remove lockfile to build with latest dependencies
run: rm Cargo.lock
- name: Build crates
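Review bot: `shell: sh` is added to the `rustup override set "${TOOLCHAIN}"` step here but not to the equivalent steps in `audits.yml`, `book.yml` or the clippy-beta job, and nothing says why. The reason is the OS matrix on this job (`ubuntu-latest, windows-latest, macOS-latest`): on `windows-latest` the default `run:` shell is PowerShell, where `"${TOOLCHAIN}"` is a PowerShell variable reference that expands an unset variable to an empty string rather than reading the environment variable, so without an explicit POSIX shell the step would run `rustup override set ""`. Add a one-line comment to that effect so the `shell:` key isn't "cleaned up" later; `shell: bash` would also work and matches the composite action.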
@@ -262,6 +275,7 @@ jobs:
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
path: crates
# We use a synthetic crate to ensure no dev-dependencies are enabled, which can
# be incompatible with some of these targets.
@@ -298,6 +312,7 @@ jobs:
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
path: crates
# We use a synthetic crate to ensure no dev-dependencies are enabled, which can
# be incompatible with some of these targets.
@@ -333,6 +348,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
# Build benchmarks to prevent bitrot
- name: Build benchmarks
run: cargo build --all --benches
@@ -342,6 +359,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- id: prepare
uses: ./.github/actions/prepare
- name: Run clippy
@@ -361,11 +380,15 @@ jobs:
continue-on-error: true
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- id: prepare
uses: ./.github/actions/prepare
- uses: dtolnay/rust-toolchain@beta
id: toolchain
- run: rustup override set ${{steps.toolchain.outputs.name}}
- run: rustup override set "${TOOLCHAIN}"
env:
TOOLCHAIN: ${{steps.toolchain.outputs.name}}
- name: Run Clippy (beta)
uses: actions-rs/clippy-check@v1
continue-on-error: true
@@ -387,6 +410,8 @@ jobs:

steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- id: prepare
uses: ./.github/actions/prepare
- uses: actions/cache@v4
@@ -416,6 +441,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- id: prepare
uses: ./.github/actions/prepare
- run: cargo fetch
@@ -432,6 +459,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Check formatting
run: cargo fmt --all -- --check

@@ -440,6 +469,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- id: prepare
uses: ./.github/actions/prepare
- name: Install protoc
@@ -462,6 +493,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Extract UUIDs
id: extract
run: |
@@ -507,4 +540,6 @@ jobs:
steps:
- name: Determine whether all required-pass steps succeeded
run: |
echo '${{ toJSON(needs) }}' | jq -e '[ .[] | .result == "success" ] | all'
echo "${NEEDS}" | jq -e '[ .[] | .result == "success" ] | all'
env:
NEEDS: ${{ toJSON(needs) }}
31 changes: 31 additions & 0 deletions .github/workflows/zizmor.yml
@@ -0,0 +1,31 @@
name: GitHub Actions Security Analysis with zizmor 🌈

on:
push:
branches: ["main"]
pull_request:
branches: ["*"]

jobs:
zizmor:
name: zizmor latest via Cargo
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
- name: Install the latest version of uv
uses: astral-sh/setup-uv@887a942a15af3a7626099df99e897a18d9e5ab3a # v4
- name: Run zizmor 🌈
run: uvx zizmor --format sarif . > results.sarif
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
with:
sarif_file: results.sarif
category: zizmor
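Review bot: the job name says "zizmor latest via Cargo" but the step installs zizmor with `uvx` from PyPI, and with no version constraint it pulls whatever the newest release is on each run, which undercuts the care taken to SHA-pin `actions/checkout`, `setup-uv` and `upload-sarif` in this same file. Fix the name and pin the tool, e.g. `uvx 'zizmor==<version>'` with the version bumped deliberately. Two behavioural points as well: zizmor exits non-zero when it has findings unless run with `--no-exit-codes`, and the `Upload SARIF file` step has no `if: always()`, so on the first finding the `run:` step fails before any SARIF reaches code scanning; and because the workflow also runs on `pull_request`, PRs from forks get a read-only `GITHUB_TOKEN`, so `security-events: write` is not granted there and the upload step will fail for those runs. Decide which outcome is intended and either add `--no-exit-codes` plus `if: always()` or guard the upload with a `github.event.pull_request.head.repo.fork` check.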