From 2472aa90e9ebbc82780ba014e764b7a58ecb9469 Mon Sep 17 00:00:00 2001
From: Filipe PINTO
Date: Mon, 20 Jan 2025 10:42:47 +0100
Subject: [PATCH] Fix Zizmor

---
 .github/workflows/accept-pull-request.yml | 1 +
 .github/workflows/auto-close-inactive-pr.yml | 2 +
 .github/workflows/check.yml | 5 +-
 .github/workflows/coverage.yml | 2 +
 .github/workflows/extra-package.yml | 159 ++++++++++---------
 .github/workflows/package.yml | 14 ++
 .github/workflows/release.yml | 6 +
 .github/workflows/test.yml | 15 +-
 .github/workflows/update-actions.yml | 1 +
 .github/workflows/update-branch-version.yml | 8 +-
 .github/workflows/update-crates.yml | 1 +
 bin/check/zizmor.sh | 31 +++-
 12 files changed, 154 insertions(+), 91 deletions(-)

diff --git a/.github/workflows/accept-pull-request.yml b/.github/workflows/accept-pull-request.yml
index a7148b1ef60..2a99fe185fc 100644
--- a/.github/workflows/accept-pull-request.yml
+++ b/.github/workflows/accept-pull-request.yml
@@ -69,6 +69,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4.2.2 with: + persist-credentials: true ref: ${{ env.BASE_REF }} token: ${{ secrets.HURL_BOT_TOKEN }} fetch-depth: 0
diff --git a/.github/workflows/auto-close-inactive-pr.yml b/.github/workflows/auto-close-inactive-pr.yml
index a42a4b2fc61..c9d256d1b7b 100644
--- a/.github/workflows/auto-close-inactive-pr.yml
+++ b/.github/workflows/auto-close-inactive-pr.yml
@@ -18,6 +18,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4.2.2 + with: + persist-credentials: false - name: Auto close inactive PR run: .github/workflows/bin/auto-close-inactive-pr.sh --github-project-path "${REPO}" --github-token "${GITHUB_TOKEN}" --max-days-of-inactivity 15
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index c91b1524018..e1e2dd69857 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -13,6 +13,8 @@ on: env: CARGO_TERM_COLOR: always +permissions: {} + jobs: checks:
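Review bot: `persist-credentials: true` is actions/checkout's default, so the added line changes nothing at runtime; it only records the choice so zizmor's artipacked audit stops flagging it, while the bot PAT passed in `token:` still ends up in `.git/config` for every later step of the job. That is the right call only where a later step pushes with git, and that reason is not visible at the checkout itself; a one-line comment next to each explicit `true`, e.g. `# credentials kept: a later step pushes with git`, would stop the next reviewer from flipping it. The same explicit `true` is added in release.yml (four checkouts, two of them without a `token:`, so there it is the default GITHUB_TOKEN that gets persisted), update-actions.yml, update-branch-version.yml, update-crates.yml and extra-package.yml. The job enclosing this checkout starts outside the hunk.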
@@ -22,6 +24,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4.2.2 with: + persist-credentials: false ref: ${{ inputs.branch }} - name: Shellcheck
@@ -62,7 +65,7 @@ jobs: - name: Zizmor env: - GITHUB_TOKEN: ${{ secrets.HURL_BOT_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} if: always() run: | pip install zizmor
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index 4fd275108a5..5ba93699507 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -18,6 +18,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4.2.2 + with: + persist-credentials: false - name: Install Prerequisites run: bin/install_prerequisites_ubuntu.sh
diff --git a/.github/workflows/extra-package.yml b/.github/workflows/extra-package.yml
index 84a0b2cca02..610022566c4 100644
--- a/.github/workflows/extra-package.yml
+++ b/.github/workflows/extra-package.yml
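Review bot: The Zizmor step now passes `secrets.GITHUB_TOKEN` while the same commit adds `permissions: {}` at workflow level in the previous hunk, so unless the `checks` job overrides it (its header is outside the hunk) the token handed to `--gh-token` carries no scopes; zizmor uses that token for its API-backed audits, and whether those still resolve with a zero-permission token on this repository should be confirmed in a run rather than assumed (if not, the job needs an explicit `permissions: contents: read`). `pip install zizmor` on the next line is unpinned, so the rule set — and with it the pass/fail result of this check — changes with every zizmor release; pin it, e.g. `pip install zizmor==<PINNED_VERSION>`. The `run:` block continues outside the hunk.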
@@ -1,78 +1,81 @@ -name: extra-package - -on: - workflow_dispatch: - inputs: - set-release-version: - description: 'Desired release version (x.y.z)' - required: true - type: string - push-to-chocolatey: - description: 'Push to chocolatey' - type: boolean - default: false - push-to-winget: - description: 'Push to winget' - type: boolean - default: false - -concurrency: extra-package - -jobs: - check-release: - env: - GH_TOKEN: ${{ github.token }} - RELEASE_VERSION: ${{ github.event.inputs.set-release-version }} - name: Check-release - runs-on: ubuntu-latest - steps: - - name: Checkout repository - uses: actions/checkout@v4.2.2 - with: - fetch-depth: 1 - ref: ${{ github.event.inputs.set-release-version }} - - name: Check if branch is a published release - run: | - if gh release list --exclude-drafts --exclude-pre-releases | grep -E "^${RELEASE_VERSION}" ; then - echo "✅ Desired release ${RELEASE_VERSION} is a published release" - else - echo "❌ You have to run this workflow for a published release (excluding draft and pre-release), but the desired one [${RELEASE_VERSION}] is not." 
- exit 1 - fi - - push-to-chocolatey: - if: github.event.inputs.push-to-chocolatey == 'true' - needs: check-release - env: - RELEASE_VERSION: ${{ github.event.inputs.set-release-version }} - CHOCOLATEY_TOKEN: ${{ secrets.LEPAPAREIL_CHOCOLATEY_TOKEN }} - name: Push to chocolatey - runs-on: windows-latest - steps: - - name: Checkout repository - uses: actions/checkout@v4.2.2 - with: - fetch-depth: 1 - ref: ${{ github.event.inputs.set-release-version }} - - name: Push to chocolatey - run: .\bin\release\push_package_to_chocolatey.ps1 $env:RELEASE_VERSION $env:CHOCOLATEY_TOKEN - - push-to-winget: - if: github.event.inputs.push-to-winget == 'true' - needs: check-release - env: - RELEASE_VERSION: ${{ github.event.inputs.set-release-version }} - WINGET_TOKEN: ${{ secrets.LEPAPAREIL_WINGET_TOKEN }} - name: Push to winget - runs-on: windows-latest - steps: - - name: Checkout repository - uses: actions/checkout@v4.2.2 - with: - fetch-depth: 1 - ref: ${{ github.event.inputs.set-release-version }} - - name: Push to winget - run: | - Invoke-WebRequest https://aka.ms/wingetcreate/latest -OutFile .\wingetcreate.exe - .\wingetcreate.exe version - .\bin\release\push_package_to_winget.ps1 "$env:RELEASE_VERSION" "$env:LEPAPAREIL_WINGET_TOKEN" +name: extra-package + +on: + workflow_dispatch: + inputs: + set-release-version: + description: 'Desired release version (x.y.z)' + required: true + type: string + push-to-chocolatey: + description: 'Push to chocolatey' + type: boolean + default: false + push-to-winget: + description: 'Push to winget' + type: boolean + default: false + +concurrency: extra-package + +jobs: + check-release: + env: + GH_TOKEN: ${{ github.token }} + RELEASE_VERSION: ${{ github.event.inputs.set-release-version }} + name: Check-release + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4.2.2 + with: + persist-credentials: true + fetch-depth: 1 + ref: ${{ github.event.inputs.set-release-version }} + - name: Check if branch is a 
published release + run: | + if gh release list --exclude-drafts --exclude-pre-releases | grep -E "^${RELEASE_VERSION}" ; then + echo "✅ Desired release ${RELEASE_VERSION} is a published release" + else + echo "❌ You have to run this workflow for a published release (excluding draft and pre-release), but the desired one [${RELEASE_VERSION}] is not." + exit 1 + fi + + push-to-chocolatey: + if: github.event.inputs.push-to-chocolatey == 'true' + needs: check-release + env: + RELEASE_VERSION: ${{ github.event.inputs.set-release-version }} + CHOCOLATEY_TOKEN: ${{ secrets.LEPAPAREIL_CHOCOLATEY_TOKEN }} + name: Push to chocolatey + runs-on: windows-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4.2.2 + with: + persist-credentials: false + fetch-depth: 1 + ref: ${{ github.event.inputs.set-release-version }} + - name: Push to chocolatey + run: .\bin\release\push_package_to_chocolatey.ps1 $env:RELEASE_VERSION $env:CHOCOLATEY_TOKEN + + push-to-winget: + if: github.event.inputs.push-to-winget == 'true' + needs: check-release + env: + RELEASE_VERSION: ${{ github.event.inputs.set-release-version }} + WINGET_TOKEN: ${{ secrets.LEPAPAREIL_WINGET_TOKEN }} + name: Push to winget + runs-on: windows-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4.2.2 + with: + persist-credentials: true + fetch-depth: 1 + ref: ${{ github.event.inputs.set-release-version }} + - name: Push to winget + run: | + Invoke-WebRequest https://aka.ms/wingetcreate/latest -OutFile .\wingetcreate.exe + .\wingetcreate.exe version + .\bin\release\push_package_to_winget.ps1 "$env:RELEASE_VERSION" "$env:LEPAPAREIL_WINGET_TOKEN"
diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
index 016186b936e..b985e5fe04c 100644
--- a/.github/workflows/package.yml
+++ b/.github/workflows/package.yml
@@ -14,6 +14,8 @@ on: env: CARGO_TERM_COLOR: always +permissions: {} + jobs: package-generic-linux-x64: runs-on: ubuntu-20.04
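Review bot: `persist-credentials: true` is set on the check-release and push-to-winget checkouts although neither job visibly pushes to this repository — check-release only runs `gh release list` with `GH_TOKEN`, and push-to-winget hands a separate token to wingetcreate — so `persist-credentials: false`, as chosen for push-to-chocolatey in the same file, is the least-privilege setting for both. Separately, the push-to-winget env block defines `WINGET_TOKEN`, but the script is invoked with `"$env:LEPAPAREIL_WINGET_TOKEN"`, a variable this job never sets; that mismatch predates the commit but is carried over unchanged in the re-added lines, so either the call should read `"$env:WINGET_TOKEN"` or the env key should match the name the script expects. Every line of the file is removed and re-added here, which buries the three real changes; if that is a line-ending normalisation, saying so in the commit message would help whoever reads this diff later.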
@@ -21,6 +23,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4.2.2 with: + persist-credentials: false ref: ${{ inputs.branch }} - name: Install prerequisites run: bin/install_prerequisites_ubuntu.sh
@@ -64,6 +67,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4.2.2 with: + persist-credentials: false ref: ${{ inputs.branch }} - name: Set up QEMU uses: docker/setup-qemu-action@v3.3.0
@@ -113,6 +117,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4.2.2 with: + persist-credentials: false ref: ${{ inputs.branch }} - name: Retrieve release-generic-linux-x64-artifacts uses: actions/download-artifact@v4.1.8
@@ -166,6 +171,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4.2.2 with: + persist-credentials: false ref: ${{ inputs.branch }} - name: Retrieve release-generic-linux-x64-artifacts uses: actions/download-artifact@v4.1.8
@@ -217,6 +223,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4.2.2 with: + persist-credentials: false ref: ${{ inputs.branch }} - name: Retrieve release-generic-linux-x64-artifacts uses: actions/download-artifact@v4.1.8
@@ -268,6 +275,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4.2.2 with: + persist-credentials: false ref: ${{ inputs.branch }} - name: Retrieve release-generic-linux-x64-artifacts uses: actions/download-artifact@v4.1.8
@@ -321,6 +329,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4.2.2 with: + persist-credentials: false ref: ${{ inputs.branch }} - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3.8.0
@@ -392,6 +401,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4.2.2 with: + persist-credentials: false ref: ${{ inputs.branch }} - name: Install Prerequisites run: bin/install_prerequisites_ubuntu.sh
@@ -443,6 +453,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4.2.2 with: + persist-credentials: false ref: ${{ inputs.branch }} - name: Install Prerequisites run: |
@@ -492,6 +503,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4.2.2 with: + persist-credentials: false ref: ${{ inputs.branch }} - name: Install Prerequisites run: |
@@ -547,6 +559,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4.2.2 with: + persist-credentials: false ref: ${{ inputs.branch }} - name: Install Rust run: |
@@ -606,6 +619,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4.2.2 with: + persist-credentials: false ref: ${{ inputs.branch }} - uses: actions/download-artifact@v4.1.8 with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5b6faf76655..c03799ab961 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -56,6 +56,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4.2.2 + with: + persist-credentials: true - name: Check release pull request existence id: check-release-pull-request-existence
@@ -172,6 +174,8 @@ jobs: - name: Checkout repository if: github.ref_name == 'master' uses: actions/checkout@v4.2.2 + with: + persist-credentials: true - name: Create release branch if: github.ref_name == 'master'
@@ -189,6 +193,7 @@ jobs: - name: Checkout new release branch uses: actions/checkout@v4.2.2 with: + persist-credentials: true ref: ${{ needs.set-context.outputs.release_branch }} - name: Check CHANGELOG
@@ -298,6 +303,7 @@ jobs: - name: Checkout new release branch uses: actions/checkout@v4.2.2 with: + persist-credentials: true ref: ${{ needs.set-context.outputs.release_branch }} - name: Init git bot context
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index ac54cdabf72..900cb0e18f8 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -14,6 +14,8 @@ on: env: CARGO_TERM_COLOR: always +permissions: {} + jobs: benchsuite: runs-on: ubuntu-latest
@@ -21,6 +23,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4.2.2 with: + persist-credentials: false ref: ${{ inputs.branch }} - name: Install Prerequisites run: bin/install_prerequisites_ubuntu.sh
@@ -54,6 +57,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4.2.2 with: + persist-credentials: false ref: ${{ inputs.branch }} - name: Install Rust run: bin/install_rust.sh
@@ -75,6 +79,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4.2.2 with: + persist-credentials: false ref: ${{ inputs.branch }} - name: Install Prerequisites run: bin/install_prerequisites_ubuntu.sh
@@ -119,6 +124,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4.2.2 with: + persist-credentials: false ref: ${{ inputs.branch }} - name: Install Prerequisites run: bin/install_prerequisites_ubuntu.sh
@@ -160,6 +166,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4.2.2 with: + persist-credentials: false ref: ${{ inputs.branch }} - name: Build, Test units and Integration tests uses: addnab/docker-run-action@v3
@@ -201,6 +208,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4.2.2 with: + persist-credentials: false ref: ${{ inputs.branch }} - name: Build, Test units and Integration tests uses: addnab/docker-run-action@v3
@@ -249,6 +257,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4.2.2 with: + persist-credentials: false ref: ${{ inputs.branch }} - name: Build, Test units and Integration tests uses: addnab/docker-run-action@v3
@@ -299,6 +308,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4.2.2 with: + persist-credentials: false ref: ${{ inputs.branch }} - name: Install Prerequisites run: |
@@ -347,6 +357,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4.2.2 with: + persist-credentials: false ref: ${{ inputs.branch }} - name: Install Prerequisites run: |
@@ -398,6 +409,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4.2.2 with: + persist-credentials: false ref: ${{ inputs.branch }} - name: Install Rust run: |
@@ -439,7 +451,8 @@ jobs: - name: Checkout repository uses: actions/checkout@v4.2.2 with: - ref: ${{ inputs.branch }} + persist-credentials: false + ref: ${{ inputs.branch }} - name: Setup wsl Ubuntu uses: Vampire/setup-wsl@v4.1.0 with:
diff --git a/.github/workflows/update-actions.yml b/.github/workflows/update-actions.yml
index 7c60ea6dfe4..6bb92fb6b36 100644
--- a/.github/workflows/update-actions.yml
+++ b/.github/workflows/update-actions.yml
@@ -20,6 +20,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4.2.2 with: + persist-credentials: true ref: master token: ${{ secrets.HURL_BOT_TOKEN }}
diff --git a/.github/workflows/update-branch-version.yml b/.github/workflows/update-branch-version.yml
index 18dfb18eb92..f6554e41006 100644
--- a/.github/workflows/update-branch-version.yml
+++ b/.github/workflows/update-branch-version.yml
@@ -42,6 +42,7 @@ jobs: GITHUB_CONTEXT: ${{ toJson(github) }} GITHUB_TOKEN: ${{ secrets.HURL_BOT_TOKEN }} REPO: ${{ github.repository }} + NEW_VERSION: ${{ inputs.new_version }} outputs: pr_number: ${{ steps.create-new-version-pr.outputs.pr_number }} name: update-branch-version
@@ -50,6 +51,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4.2.2 with: + persist-credentials: true ref: ${{ inputs.branch }} - name: Init bot branch name
@@ -62,13 +64,13 @@ jobs: hurl_packages="hurl_core hurl hurlfmt" for package in ${hurl_packages} ; do cargo_toml="packages/${package}/Cargo.toml" - sed -i "s/^version.*/version = \"${{ inputs.new_version }}\"/" "${cargo_toml}" + sed -i "s/^version.*/version = \"${NEW_VERSION}\"/" "${cargo_toml}" echo "----------------------------" echo " > package version for ${cargo_toml}" echo " $(grep "^version =" "${cargo_toml}")" for dep_package in ${hurl_packages} ; do if [ $(grep -c "^${dep_package} =" "${cargo_toml}") -gt 0 ] ; then - sed -i "s/^${dep_package} = { version .*/${dep_package} = { version = \"${{ inputs.new_version }}\", path = \"..\/${dep_package}\" }/" "${cargo_toml}" + sed -i "s/^${dep_package} = { version .*/${dep_package} = { version = \"${NEW_VERSION}\", path = \"..\/${dep_package}\" }/" "${cargo_toml}" echo " > ${dep_package} dep package version for ${cargo_toml}" echo " $(grep "^${dep_package} =" "${cargo_toml}")" fi
@@ -104,7 +106,7 @@ jobs: - name: Push commits run: | git checkout -b "${BOT_UPDATE_VERSION_BRANCH_NAME}" - git commit -am "Update hurl version to ${{ inputs.new_version }}" + git commit -am "Update hurl version to ${NEW_VERSION}" git push --set-upstream origin "${BOT_UPDATE_VERSION_BRANCH_NAME}" && git_exit_code=0 || git_exit_code=$? if [ ${git_exit_code} -eq 0 ] ; then echo " - ✅ commits pushed to ${BOT_UPDATE_VERSION_BRANCH_NAME} branch."
diff --git a/.github/workflows/update-crates.yml b/.github/workflows/update-crates.yml
index 40af2332a86..199d6787152 100644
--- a/.github/workflows/update-crates.yml
+++ b/.github/workflows/update-crates.yml
@@ -20,6 +20,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4.2.2 with: + persist-credentials: true ref: master - name: Crates update
diff --git a/bin/check/zizmor.sh b/bin/check/zizmor.sh
index 794a9e405a3..6ff72b38b08 100755
--- a/bin/check/zizmor.sh
+++ b/bin/check/zizmor.sh
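Review bot: Moving `inputs.new_version` out of the `run:` template into the `NEW_VERSION` env var removes the expression injection, but on both changed `sed -i` lines the value is still spliced verbatim into the sed replacement, so a value containing `/`, `&` or `\` would silently corrupt the Cargo.toml rewrite rather than fail. Since the input is only ever meant to be a version string, validate it once before the loop, e.g. `[[ "${NEW_VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[A-Za-z0-9.]+)?$ ]] || { echo "invalid new_version: ${NEW_VERSION}"; exit 1; }` (adjust the pattern to whatever version forms the project actually accepts). The same env var feeds the `git commit -am` message in the second hunk, which is fine once the value is validated. The `run:` block enclosing the loop starts outside the hunk.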
@@ -5,6 +5,7 @@ set -Eeuo pipefail function init_terminal_colors(){ color_red=$(echo -ne "\033[1;31m") color_green=$(echo -ne "\033[1;32m") + color_yellow=$(echo -ne "\033[1;33m") color_reset=$(echo -ne "\033[0m") }
@@ -72,18 +73,32 @@ function consume_args(){ } # main -echo "disabled, waiting for debug fork token" -exit 0 init_terminal_colors consume_args "$@" zizmor --version error_count=0 -for file in "${files[@]}" ; do - zizmor \ - --min-severity low \ - --min-confidence medium \ - --gh-token "${github_token}" \ - "${file}" || error_count=$((error_count+1)) +# disable excessive-permissions on git jobs for now because all yml permissions have to be rewrited from scratch" +conf="/tmp/conf" +cat <<- "EOF" > "${conf}" + rules: + excessive-permissions: + ignore: + - accept-pull-request.yml + - auto-close-inactive-pr.yml + - coverage.yml + - extra-package.yml + - release.yml + - update-actions.yml + - update-branch-version.yml + - update-crates.yml +EOF +for file in "${files[@]}" ; do + # disable release.yml for now because output vars have to be rewrited from scratch" + if [[ "${file}" =~ release.yml ]] ; then + echo "${color_yellow}$file is disabled for now because output vars have to be rewrited from scratch${color_reset}" + continue + fi + zizmor --config "${conf}" --gh-token "${github_token}" "${file}" || error_count=$((error_count+1)) done if [[ $error_count -gt 0 ]] ; then echo "${color_red}There are problems with github workflows${color_reset}"
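Review bot: The skip test `[[ "${file}" =~ release.yml ]]` is an unanchored regex, so it also matches any path containing `release` followed by one character and `yml` (a future `pre-release.yml` would be silently skipped too); compare the basename instead, `if [[ "$(basename "${file}")" == "release.yml" ]] ; then`. `conf="/tmp/conf"` is a fixed path in a shared directory that is never cleaned up; `conf="$(mktemp)"` with `trap 'rm -f "${conf}"' EXIT` avoids clobbering or following a pre-existing file and leaves nothing behind. Dropping the `--min-severity`/`--min-confidence` flags makes the run report every finding, which is presumably intended now that a token is wired in, but the eight-file `excessive-permissions` ignore list and the whole-file skip of release.yml silence findings rather than fix them — worth a tracking issue so they do not become permanent. Both added comments end in a stray `"` and should read `rewritten`.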