Skip to content

Commit

Permalink
ci: Pin deps and limit token permissions (#1852)
Browse files Browse the repository at this point in the history
* ci: Pin deps

Fixes #1843

* permissions: read-all

* Fix

* Again

* Again

* pin rustup

* Cannot pin ilammy/msvc-dev-cmd

* Again

* rustup

* Again

* Again

* Fix merge

* Again

---------

Signed-off-by: Lars Eggert <lars@eggert.org>
  • Loading branch information
larseggert authored Apr 24, 2024
1 parent 17c45d8 commit 0a84268
Show file tree
Hide file tree
Showing 11 changed files with 52 additions and 29 deletions.
4 changes: 2 additions & 2 deletions .github/actions/nss/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -49,14 +49,14 @@ runs:
#
# - name: Checkout NSPR
# if: env.BUILD_NSS == '1'
# uses: actions/checkout@v4
# uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
# with:
# repository: "nss-dev/nspr"
# path: ${{ github.workspace }}/nspr

# - name: Checkout NSS
# if: env.BUILD_NSS == '1'
# uses: actions/checkout@v4
# uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
# with:
# repository: "nss-dev/nss"
# path: ${{ github.workspace }}/nss
Expand Down
2 changes: 1 addition & 1 deletion .github/actions/pr-comment-data-export/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ runs:
echo "${{ inputs.log-url }}" > comment-data/log-url
fi
- if: github.event_name == 'pull_request'
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: ${{ inputs.name }}
path: comment-data
Expand Down
4 changes: 2 additions & 2 deletions .github/actions/quic-interop-runner/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ runs:
using: "composite"
steps:
- name: Checkout quic-interop/quic-interop-runner repository
uses: actions/checkout@v4
uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
with:
repository: 'quic-interop/quic-interop-runner'
path: 'quic-interop-runner'
Expand Down Expand Up @@ -74,7 +74,7 @@ runs:
python run.py $ARGS 2>&1 | tee ../summary.txt || true
shell: bash

- uses: actions/upload-artifact@v4
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
id: upload-logs
with:
name: '${{ inputs.client }} vs. ${{ inputs.server }} logs'
Expand Down
4 changes: 3 additions & 1 deletion .github/workflows/actionlint.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,14 +12,16 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref_name }}
cancel-in-progress: true

permissions: read-all

jobs:
actionlint:
runs-on: ubuntu-latest
defaults:
run:
shell: bash
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
- name: Download actionlint
id: get_actionlint
run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
Expand Down
4 changes: 3 additions & 1 deletion .github/workflows/bench-comment.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,8 @@ on:
types:
- completed

permissions: read-all

jobs:
comment:
permissions:
Expand All @@ -21,7 +23,7 @@ jobs:
github.event.workflow_run.event == 'pull_request' &&
github.event.workflow_run.conclusion == 'success'
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
- uses: ./.github/actions/pr-comment
with:
name: bench
Expand Down
12 changes: 7 additions & 5 deletions .github/workflows/bench.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,8 @@ env:
RUSTFLAGS: -C link-arg=-fuse-ld=lld -C link-arg=-Wl,--no-rosegment, -C force-frame-pointers=yes
PERF_OPT: record -F997 --call-graph fp -g

permissions: read-all

jobs:
bench:
name: Benchmark
Expand All @@ -24,10 +26,10 @@ jobs:

steps:
- name: Checkout neqo
uses: actions/checkout@v4
uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3

- name: Checkout msquic
uses: actions/checkout@v4
uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
with:
repository: microsoft/msquic
ref: main
Expand Down Expand Up @@ -60,7 +62,7 @@ jobs:
- name: Download cached main-branch results
id: criterion-cache
uses: actions/cache/restore@v4
uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: ./target/criterion
key: criterion-${{ runner.name }}-${{ github.sha }}
Expand Down Expand Up @@ -220,14 +222,14 @@ jobs:
- name: Cache main-branch results
if: github.ref == 'refs/heads/main'
uses: actions/cache/save@v4
uses: actions/cache/save@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: ./target/criterion
key: criterion-${{ runner.name }}-${{ github.sha }}

- name: Export perf data
id: export
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: ${{ github.event.repository.name }}-${{ github.sha }}
path: |
Expand Down
8 changes: 6 additions & 2 deletions .github/workflows/check.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,8 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref_name }}
cancel-in-progress: true

permissions: read-all

jobs:
check:
name: Build & test
Expand All @@ -39,7 +41,7 @@ jobs:

steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3

- name: Install dependencies (Linux)
if: runner.os == 'Linux'
Expand Down Expand Up @@ -73,6 +75,8 @@ jobs:
- name: Set up MSVC build environment (Windows)
if: runner.os == 'Windows'
uses: ilammy/msvc-dev-cmd@v1
# TODO: Would like to pin this, but the Mozilla org allowlist requires "ilammy/msvc-dev-cmd@v1*"
# uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0

- name: Set up NSS/NSPR build environment (Windows)
if: runner.os == 'Windows'
Expand Down Expand Up @@ -147,7 +151,7 @@ jobs:
if: success() || failure()

- name: Upload coverage reports to Codecov
uses: codecov/codecov-action@v4
uses: codecov/codecov-action@84508663e988701840491b86de86b666e8a86bed # v4.3.0
with:
file: lcov.info
fail_ci_if_error: false
Expand Down
6 changes: 4 additions & 2 deletions .github/workflows/mutants.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,11 +11,13 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref_name }}
cancel-in-progress: true

permissions: read-all

jobs:
mutants:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
with:
fetch-depth: 0

Expand Down Expand Up @@ -61,7 +63,7 @@ jobs:
} > "$GITHUB_STEP_SUMMARY"
- name: Archive mutants.out
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
if: always()
with:
name: mutants.out
Expand Down
4 changes: 3 additions & 1 deletion .github/workflows/qns-comment.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,8 @@ on:
types:
- completed

permissions: read-all

jobs:
comment:
permissions:
Expand All @@ -20,7 +22,7 @@ jobs:
if: |
github.event.workflow_run.event == 'pull_request'
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
- uses: ./.github/actions/pr-comment
with:
name: qns
Expand Down
18 changes: 10 additions & 8 deletions .github/workflows/qns.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,8 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref_name }}
cancel-in-progress: true

permissions: read-all

env:
LATEST: neqo-latest
DELIM: ' vs. '
Expand All @@ -25,15 +27,15 @@ jobs:
permissions:
packages: write
steps:
- uses: docker/setup-qemu-action@v3
- uses: docker/setup-buildx-action@v3
- uses: docker/login-action@v3
- uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
- uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
- uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ github.token }}

- uses: docker/metadata-action@v5
- uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
id: meta
with:
images: ghcr.io/${{ github.repository }}-qns
Expand All @@ -46,7 +48,7 @@ jobs:
# set latest tag for default branch
type=raw,value=latest,enable={{is_default_branch}}
- uses: docker/build-push-action@v5
- uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
if: github.event_name != 'pull_request'
with:
push: true
Expand All @@ -57,7 +59,7 @@ jobs:
cache-to: type=gha,mode=max
platforms: 'linux/amd64, linux/arm64'

- uses: docker/build-push-action@v5
- uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
if: github.event_name == 'pull_request'
id: docker_build_and_push
with:
Expand All @@ -69,7 +71,7 @@ jobs:
platforms: 'linux/amd64'
outputs: type=docker,dest=/tmp/${{ env.LATEST }}.tar

- uses: actions/upload-artifact@v4
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
if: github.event_name == 'pull_request'
with:
name: '${{ env.LATEST }} Docker image'
Expand Down Expand Up @@ -155,7 +157,7 @@ jobs:
needs: run-qns
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
- uses: actions/download-artifact@v4
with:
pattern: '*results'
Expand Down
15 changes: 11 additions & 4 deletions qns/Dockerfile
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM martenseemann/quic-network-simulator-endpoint:latest AS buildimage
FROM martenseemann/quic-network-simulator-endpoint@sha256:12596544531465e77bdede50dd1e85b2c46c00f1634b3445eed277ca177666db AS buildimage

RUN apt-get update && apt-get install -y --no-install-recommends \
curl git mercurial coreutils \
Expand All @@ -13,8 +13,15 @@ ENV RUSTUP_HOME=/usr/local/rustup \
CARGO_HOME=/usr/local/cargo \
PATH=/usr/local/cargo/bin:$PATH

RUN curl https://sh.rustup.rs -sSf | \
sh -s -- -y -q --no-modify-path --profile minimal --default-toolchain $RUST_VERSION
ADD --checksum=sha256:a3d541a5484c8fa2f1c21478a6f6c505a778d473c21d60a18a4df5185d320ef8 \
https://static.rust-lang.org/rustup/dist/x86_64-unknown-linux-gnu/rustup-init x86_64_rustup

ADD --checksum=sha256:76cd420cb8a82e540025c5f97bda3c65ceb0b0661d5843e6ef177479813b0367 \
https://static.rust-lang.org/rustup/dist/aarch64-unknown-linux-gnu/rustup-init aarch64_rustup

RUN mv $(uname -m)_rustup rustup-init && \
chmod +x rustup-init && \
./rustup-init -y -q --no-modify-path --profile minimal --default-toolchain $RUST_VERSION

ENV NSS_DIR=/nss \
NSPR_DIR=/nspr \
Expand All @@ -35,7 +42,7 @@ RUN set -eux; \

# Copy only binaries to the final image to keep it small.

FROM martenseemann/quic-network-simulator-endpoint:latest
FROM martenseemann/quic-network-simulator-endpoint@sha256:12596544531465e77bdede50dd1e85b2c46c00f1634b3445eed277ca177666db

ENV LD_LIBRARY_PATH=/neqo/lib
COPY --from=buildimage /neqo/target/release/neqo-client /neqo/target/release/neqo-server /neqo/bin/
Expand Down

0 comments on commit 0a84268

Please sign in to comment.