🔒 Resolve all failed zizmor checks (#1234)
* Run [zizmor](https://woodruffw.github.io/zizmor) against all our GitHub
  Actions workflows
* Resolve all failed checks
rblaine95 authored Dec 14, 2024
1 parent 059be4c commit c3e5275
Showing 5 changed files with 61 additions and 23 deletions.
2 changes: 2 additions & 0 deletions .github/workflows/codacy.yml
Expand Up @@ -37,6 +37,8 @@ jobs:
# Checkout the repository to the GitHub Actions runner
- name: Checkout code
uses: actions/checkout@v4
with:
persist-credentials: false

# Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis
- name: Run Codacy Analysis CLI
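Review bot: `uses: actions/checkout@v4` is pinned to a mutable tag, so the code this job runs can change whenever the `v4` tag is moved; `persist-credentials: false` limits what a compromised action could reach, but not what it executes. zizmor's pedantic `unpinned-uses` audit flags exactly this, and the usual fix is a full commit SHA with the version kept as a comment, e.g. `uses: actions/checkout@<40-char-sha> # v4`, with Dependabot or Renovate configured to bump the SHA. The same applies to every `uses:` line in these workflows, not only this one.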
43 changes: 35 additions & 8 deletions .github/workflows/continuous-deploy.yml
Expand Up @@ -131,6 +131,8 @@ jobs:
steps:
- name: Check out code
uses: actions/checkout@v4
with:
persist-credentials: false

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
Expand Down Expand Up @@ -176,6 +178,7 @@ jobs:
- uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false
- name: Set up Mise
uses: jdx/mise-action@v2
with:
Expand Down Expand Up @@ -220,6 +223,7 @@ jobs:
- uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false
- name: Set up Mise
uses: jdx/mise-action@v2
with:
Expand All @@ -245,11 +249,14 @@ jobs:
- name: Set branch name
id: set_branch_name
run: |
if [[ "${{ github.event_name }}" == "pull_request" ]]; then
echo "BRANCH_NAME=${{ github.head_ref }}" >> $GITHUB_ENV
if [[ "${EVENT_NAME}" == "pull_request" ]]; then
echo "BRANCH_NAME=${HEAD_REF}" >> $GITHUB_ENV
else
echo "BRANCH_NAME=$(echo ${GITHUB_REF#refs/heads/} | cut -d/ -f2-)" >> $GITHUB_ENV
fi
env:
EVENT_NAME: ${{ github.event_name }}
HEAD_REF: ${{ github.head_ref }}
- name: Check if branch exists
id: check_branch
run: |
Expand All @@ -269,6 +276,7 @@ jobs:
token: ${{ secrets.CHARTS_PAT }}
path: tilt/.charts
ref: ${{ env.branch_name }}
persist-credentials: false
- name: Start Test Harness
run: mise run tilt:ci
shell: bash
Expand Down Expand Up @@ -425,6 +433,7 @@ jobs:
- uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false
- name: Install dependencies
run: pip install coverage
- name: Download all .coverage artifacts
Expand Down Expand Up @@ -471,6 +480,8 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
persist-credentials: false

- name: Set up Mise
uses: jdx/mise-action@v2
Expand All @@ -493,10 +504,12 @@ jobs:
id: set_branch_name
run: |
if [[ "${{ github.event_name }}" == "pull_request" ]]; then
echo "BRANCH_NAME=${{ github.head_ref }}" >> $GITHUB_ENV
echo "BRANCH_NAME=${HEAD_REF}" >> $GITHUB_ENV
else
echo "BRANCH_NAME=$(echo ${GITHUB_REF#refs/heads/} | cut -d/ -f2-)" >> $GITHUB_ENV
fi
env:
HEAD_REF: ${{ github.head_ref }}

- name: Check if branch exists
id: check_branch
Expand All @@ -518,6 +531,7 @@ jobs:
token: ${{ secrets.CHARTS_PAT }}
path: charts
ref: ${{ env.branch_name }}
persist-credentials: false

- name: Install dependencies
run: sudo apt-get install -y postgresql-client
Expand Down Expand Up @@ -685,6 +699,8 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
persist-credentials: false

- name: Set up Mise
uses: jdx/mise-action@v2
Expand All @@ -695,16 +711,20 @@ jobs:
install: true

- name: Authenticate GitHub CLI
run: echo "${{ secrets.CHARTS_PAT }}" | gh auth login --with-token
run: echo "${PAT}" | gh auth login --with-token
env:
PAT: ${{ secrets.CHARTS_PAT }}

- name: Set branch name
id: set_branch_name
run: |
if [[ "${{ github.event_name }}" == "pull_request" ]]; then
echo "BRANCH_NAME=${{ github.head_ref }}" >> $GITHUB_ENV
echo "BRANCH_NAME=${HEAD_REF}" >> $GITHUB_ENV
else
echo "BRANCH_NAME=$(echo ${GITHUB_REF#refs/heads/} | cut -d/ -f2-)" >> $GITHUB_ENV
fi
env:
HEAD_REF: ${{ github.head_ref }}

- name: Check if branch exists
id: check_branch
Expand All @@ -726,6 +746,7 @@ jobs:
token: ${{ secrets.CHARTS_PAT }}
path: charts
ref: ${{ env.branch_name }}
persist-credentials: false

- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
Expand Down Expand Up @@ -818,7 +839,7 @@ jobs:
COMPLETION_STATUS=$(kubectl get job $JOB_NAME -n $NAMESPACE -o jsonpath='{.status.succeeded}')
FAILURE_STATUS=$(kubectl get job $JOB_NAME -n $NAMESPACE -o jsonpath='{.status.failed}')
if [ "$COMPLETION_STATUS" == "${{ env.PYTEST_COMPLETIONS }}" ] || [ "$FAILURE_STATUS" == "1" ]; then
if [ "$COMPLETION_STATUS" == "${PYTEST_COMPLETIONS}" ] || [ "$FAILURE_STATUS" == "1" ]; then
echo "Job $JOB_NAME has completed."
break
else
Expand All @@ -840,6 +861,7 @@ jobs:
env:
JOB_NAME: cloudapi-pytest
NAMESPACE: dev-cloudapi
PYTEST_COMPLETIONS: ${{ env.PYTEST_COMPLETIONS }}

- name: Wait for pytest regression and print logs
if: steps.pytest-init-regression.outcome == 'success' || steps.pytest-run-regression.outcome == 'success'
Expand All @@ -849,7 +871,7 @@ jobs:
COMPLETION_STATUS=$(kubectl get job $JOB_NAME -n $NAMESPACE -o jsonpath='{.status.succeeded}')
FAILURE_STATUS=$(kubectl get job $JOB_NAME -n $NAMESPACE -o jsonpath='{.status.failed}')
if [ "$COMPLETION_STATUS" == "${{ env.PYTEST_COMPLETIONS }}" ] || [ "$FAILURE_STATUS" == "1" ]; then
if [ "$COMPLETION_STATUS" == "${PYTEST_COMPLETIONS}" ] || [ "$FAILURE_STATUS" == "1" ]; then
echo "Job $JOB_NAME has completed."
break
else
Expand All @@ -871,6 +893,7 @@ jobs:
env:
JOB_NAME: cloudapi-pytest-regression
NAMESPACE: dev-cloudapi
PYTEST_COMPLETIONS: ${{ env.PYTEST_COMPLETIONS }}

- name: Copy k8s pytest results
if: steps.pytest.outcome == 'success' || steps.pytest-init-regression.outcome == 'success' || steps.pytest-run-regression.outcome == 'success'
Expand Down Expand Up @@ -1028,6 +1051,8 @@ jobs:
steps:
- name: Check out code
uses: actions/checkout@v4
with:
persist-credentials: false

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
Expand Down Expand Up @@ -1082,6 +1107,8 @@ jobs:
-e GOVERNANCE_OAUTH_ENDPOINT=${{ secrets.GOVERNANCE_OAUTH_ENDPOINT }} \
--workdir /scripts \
--entrypoint /bin/sh \
ghcr.io/${{ github.repository_owner }}/xk6:${{ steps.meta.outputs.version }} \
ghcr.io/${{ github.repository_owner }}/xk6:${VERSION} \
/scripts/run_tests.sh
shell: bash
env:
VERSION: ${{ steps.meta.outputs.version }}
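Review bot: The k6 `run:` block still splices `${{ secrets.GOVERNANCE_OAUTH_ENDPOINT }}` directly into the shell text on the `-e GOVERNANCE_OAUTH_ENDPOINT=...` line, while only `steps.meta.outputs.version` was moved into `env:` as `VERSION`. The runner substitutes that value before bash parses the command, so a secret containing whitespace, quotes or other shell metacharacters breaks or alters the command rather than being passed opaquely, and the value is also more likely to leak into logs on a failed parse. Add `GOVERNANCE_OAUTH_ENDPOINT: ${{ secrets.GOVERNANCE_OAUTH_ENDPOINT }}` to the step's `env:` and pass `-e GOVERNANCE_OAUTH_ENDPOINT \` without a value, which makes docker run copy it from the runner environment; any other `${{ secrets.* }}` flags in the part of this `docker run` that starts above the hunk deserve the same treatment.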
1 change: 1 addition & 0 deletions .github/workflows/sonarcloud.yml
Expand Up @@ -48,6 +48,7 @@ jobs:
uses: actions/checkout@v4
with:
fetch-depth: 0 # Required for proper blame data in SonarCloud
persist-credentials: false

- name: Overwrite .mise.toml # Simplify mise in this workflow
run: |
2 changes: 2 additions & 0 deletions .github/workflows/style-check.yml
Expand Up @@ -11,6 +11,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false

- name: Overwrite .mise.toml # It's not needed in this workflow
run: |
36 changes: 21 additions & 15 deletions .github/workflows/validate-pr.yml
Expand Up @@ -6,7 +6,6 @@ on:

permissions:
contents: read
pull-requests: write

env:
# https://cbea.ms/git-commit/#limit-50
Expand All @@ -17,6 +16,8 @@ env:
jobs:
check-title:
runs-on: ubuntu-latest
permissions:
pull-requests: write
steps:
- name: Get PR info
id: pr
Expand All @@ -27,7 +28,7 @@ jobs:
const title = context.payload.pull_request.title;
core.setOutput('title', title);
// Get PR Comments, filtering for only this bot's comments
// Get PR Comments
const allComments = await github.rest.issues.listComments({
owner: context.repo.owner,
repo: context.repo.repo,
Expand All @@ -42,25 +43,29 @@ jobs:
comment.body.includes(process.env.BOT_COMMENT_IDENTIFIER)
);
core.setOutput('comments', botComments);
core.setOutput('comments_json', JSON.stringify(botComments));
// Get JSON of valid Gitmojis
// Get Gitmojis
const gitmojiResponse = await github.request('GET /repos/{owner}/{repo}/contents/{path}', {
owner: 'carloscuesta',
repo: 'gitmoji',
path: 'packages/gitmojis/src/gitmojis.json'
});
const gitmojis = JSON.parse(Buffer.from(gitmojiResponse.data.content, 'base64').toString()).gitmojis;
core.setOutput('gitmojis', gitmojis);
core.setOutput('gitmojis_json', JSON.stringify(gitmojis));
- name: PR title should start with emoji
env:
PR_TITLE: ${{ steps.pr.outputs.title }}
PR_COMMENTS: ${{ steps.pr.outputs.comments_json }}
GITMOJIS: ${{ steps.pr.outputs.gitmojis_json }}
uses: actions/github-script@v7
if: always()
with:
script: |
const prTitle = "${{ steps.pr.outputs.title }}";
const comments = ${{ steps.pr.outputs.comments }};
const gitmojis = ${{ steps.pr.outputs.gitmojis }};
const prTitle = process.env.PR_TITLE;
const comments = JSON.parse(process.env.PR_COMMENTS);
const gitmojis = JSON.parse(process.env.GITMOJIS);
const validEmojis = gitmojis.map(g => [g.emoji, g.code]);
const titleStartsWithValidEmoji = validEmojis.some(([emoji, code]) =>
Expand Down Expand Up @@ -96,18 +101,19 @@ jobs:
});
}
- name: PR title should not exceed ${{ env.MAX_PR_TITLE_LENGTH }} characters
- name: Check PR title length
env:
PR_TITLE: ${{ steps.pr.outputs.title }}
PR_COMMENTS: ${{ steps.pr.outputs.comments_json }}
MAX_LENGTH: ${{ env.MAX_PR_TITLE_LENGTH }}
uses: actions/github-script@v7
if: always()
with:
script: |
const prTitle = "${{ steps.pr.outputs.title }}";
const comments = ${{ steps.pr.outputs.comments }};
const MAX_LENGTH = ${{ env.MAX_PR_TITLE_LENGTH }};
const prTitle = process.env.PR_TITLE;
const comments = JSON.parse(process.env.PR_COMMENTS);
const MAX_LENGTH = parseInt(process.env.MAX_LENGTH, 10);
// Match either:
// 1. Unicode emoji at start (using Unicode properties)
// 2. GitHub emoji shortcode format (e.g. :fire:)
const emojiRegex = /^(?:[\p{Emoji_Presentation}\p{Extended_Pictographic}]|:[a-z0-9_+-]+:)/u;
// Remove emoji prefix and its trailing space for length check
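Review bot: Both check steps keep `if: always()` while now parsing their inputs with `JSON.parse(process.env.PR_COMMENTS)` and `JSON.parse(process.env.GITMOJIS)`; if the `Get PR info` step fails or is skipped, those step outputs are empty strings and `JSON.parse('')` throws a SyntaxError that hides the real failure. Either gate the steps on `steps.pr.outcome == 'success'` or default the values, e.g. `const comments = JSON.parse(process.env.PR_COMMENTS || '[]');`. Reading the title and comment bodies from `env:` instead of interpolating `${{ steps.pr.outputs.title }}` into the script source is the right fix for what zizmor flagged, since a PR title containing `";` could previously terminate the string literal and run attacker-supplied JavaScript with the job's `pull-requests: write` token; a one-line comment such as `// read via env, not ${{ }}: PR text is attacker-controlled and must not reach the script source` would keep a future edit from regressing it. The `Get PR info` script and the bot-comment filter start above this hunk, so whether comments are also filtered by author is not visible here.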
