Merge pull request #1679 from zcash/ci-zizmor
CI: Check workflows and actions with zizmor
nuttycom authored Feb 7, 2025
2 parents 4ded512 + 81be266 commit c4f241f
Showing 5 changed files with 91 additions and 8 deletions.
9 changes: 7 additions & 2 deletions .github/actions/prepare/action.yml
Expand Up @@ -20,7 +20,10 @@ runs:
shell: bash
run: echo "feature=test-dependencies" >> $GITHUB_OUTPUT
if: inputs.test-dependencies == 'true'
- name: Prepare feature flags

# `steps.test.outputs.feature` cannot expand into attacker-controllable code
# because the previous step only enables it to have one of two fixed values.
- name: Prepare feature flags # zizmor: ignore[template-injection]
id: prepare
shell: bash
run: >
Expand All @@ -34,6 +37,8 @@ runs:
unstable
unstable-serialization
unstable-spanning-tree
${{ inputs.extra-features }}
${EXTRA_FEATURES}
${{ steps.test.outputs.feature }}
'" >> $GITHUB_OUTPUT
env:
EXTRA_FEATURES: ${{ inputs.extra-features }}
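Review bot: The `# zizmor: ignore[template-injection]` on the `Prepare feature flags` step suppresses a finding that could be removed outright by the same env-variable pattern the hunk already applies to `inputs.extra-features`: add `TEST_FEATURE: ${{ steps.test.outputs.feature }}` under the step's `env:` and replace `${{ steps.test.outputs.feature }}` in the script with `${TEST_FEATURE}`. The justification in the comment is correct today (the `test` step only ever writes `feature=test-dependencies` or nothing), but a suppression silently goes stale if someone later makes that output depend on an input, whereas the env route stays safe regardless. Note that the `run: >` body spans the gap between the two hunks, so part of the script is outside this view.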
12 changes: 10 additions & 2 deletions .github/workflows/audits.yml
Expand Up @@ -14,9 +14,13 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: dtolnay/rust-toolchain@stable
id: toolchain
- run: rustup override set ${{steps.toolchain.outputs.name}}
- run: rustup override set "${TOOLCHAIN}"
env:
TOOLCHAIN: ${{steps.toolchain.outputs.name}}
- run: cargo install cargo-vet --version ~0.10
- run: cargo vet --locked

Expand All @@ -25,6 +29,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: EmbarkStudios/cargo-deny-action@v2
with:
command: check licenses
Expand All @@ -39,4 +45,6 @@ jobs:
steps:
- name: Determine whether all required-pass steps succeeded
run: |
echo '${{ toJSON(needs) }}' | jq -e '[ .[] | .result == "success" ] | all'
echo "${NEEDS}" | jq -e '[ .[] | .result == "success" ] | all'
env:
NEEDS: ${{ toJSON(needs) }}
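Review bot: `cargo install cargo-vet --version ~0.10` in the first hunk resolves to the newest 0.10.x at run time and builds it against freshly resolved transitive dependencies, so the tool that gates the supply-chain audit is itself an unpinned supply-chain input; pinning an exact release and adding `--locked` to the install (`cargo install cargo-vet --version <exact 0.10.x> --locked`) makes the check reproducible. Relatedly, this file keeps `actions/checkout@v4` and `dtolnay/rust-toolchain@stable` as mutable tag refs while the new zizmor.yml pins by commit SHA; whether zizmor's `unpinned-uses` audit reports tag pins at the default persona depends on the version installed, so this may surface as a finding on the first run.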
6 changes: 5 additions & 1 deletion .github/workflows/book.yml
Expand Up @@ -10,11 +10,15 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- id: prepare
uses: ./.github/actions/prepare
- uses: dtolnay/rust-toolchain@nightly
id: toolchain
- run: rustup override set ${{steps.toolchain.outputs.name}}
- run: rustup override set "${TOOLCHAIN}"
env:
TOOLCHAIN: ${{steps.toolchain.outputs.name}}

- name: Build latest rustdocs
run: >
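Review bot: `persist-credentials: false` on the checkout is the right default, but the rest of this job is outside the hunk, so it should be confirmed that any later publishing step (a gh-pages push, if this workflow has one) authenticates with its own token input rather than the credentials the checkout used to leave in `.git/config`. `dtolnay/rust-toolchain@nightly` is a floating ref by design; if the docs build genuinely needs nightly, an inline comment such as `# nightly is intentional; do not SHA-pin` would stop a future pinning pass from freezing it by accident.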
41 changes: 38 additions & 3 deletions .github/workflows/ci.yml
Expand Up @@ -35,6 +35,8 @@ jobs:

steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- id: prepare
uses: ./.github/actions/prepare
with:
Expand Down Expand Up @@ -92,6 +94,8 @@ jobs:

steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- id: prepare
uses: ./.github/actions/prepare
with:
Expand Down Expand Up @@ -141,6 +145,8 @@ jobs:

steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- id: prepare
uses: ./.github/actions/prepare
with:
Expand Down Expand Up @@ -194,6 +200,8 @@ jobs:

steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- id: prepare
uses: ./.github/actions/prepare
with:
Expand Down Expand Up @@ -225,6 +233,8 @@ jobs:
os: [ubuntu-latest, windows-latest, macOS-latest]
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- id: prepare
uses: ./.github/actions/prepare
- uses: actions/cache@v4
Expand All @@ -238,7 +248,10 @@ jobs:
key: ${{ runner.os }}-cargo-latest
- uses: dtolnay/rust-toolchain@stable
id: toolchain
- run: rustup override set ${{steps.toolchain.outputs.name}}
- run: rustup override set "${TOOLCHAIN}"
shell: sh
env:
TOOLCHAIN: ${{steps.toolchain.outputs.name}}
- name: Remove lockfile to build with latest dependencies
run: rm Cargo.lock
- name: Build crates
Expand All @@ -261,6 +274,7 @@ jobs:
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
path: crates
# We use a synthetic crate to ensure no dev-dependencies are enabled, which can
# be incompatible with some of these targets.
Expand Down Expand Up @@ -297,6 +311,7 @@ jobs:
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
path: crates
# We use a synthetic crate to ensure no dev-dependencies are enabled, which can
# be incompatible with some of these targets.
Expand Down Expand Up @@ -335,6 +350,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
# Build benchmarks to prevent bitrot
- name: Build benchmarks
run: cargo build --all --benches
Expand All @@ -344,6 +361,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- id: prepare
uses: ./.github/actions/prepare
- name: Run clippy
Expand All @@ -363,11 +382,15 @@ jobs:
continue-on-error: true
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- id: prepare
uses: ./.github/actions/prepare
- uses: dtolnay/rust-toolchain@beta
id: toolchain
- run: rustup override set ${{steps.toolchain.outputs.name}}
- run: rustup override set "${TOOLCHAIN}"
env:
TOOLCHAIN: ${{steps.toolchain.outputs.name}}
- name: Run Clippy (beta)
uses: actions-rs/clippy-check@v1
continue-on-error: true
Expand All @@ -389,6 +412,8 @@ jobs:

steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- id: prepare
uses: ./.github/actions/prepare
- uses: actions/cache@v4
Expand Down Expand Up @@ -418,6 +443,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- id: prepare
uses: ./.github/actions/prepare
- run: cargo fetch
Expand All @@ -434,6 +461,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Check formatting
run: cargo fmt --all -- --check

Expand All @@ -442,6 +471,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- id: prepare
uses: ./.github/actions/prepare
- name: Install protoc
Expand All @@ -464,6 +495,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Extract UUIDs
id: extract
run: |
Expand Down Expand Up @@ -509,4 +542,6 @@ jobs:
steps:
- name: Determine whether all required-pass steps succeeded
run: |
echo '${{ toJSON(needs) }}' | jq -e '[ .[] | .result == "success" ] | all'
echo "${NEEDS}" | jq -e '[ .[] | .result == "success" ] | all'
env:
NEEDS: ${{ toJSON(needs) }}
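Review bot: The `shell: sh` added to the `rustup override set "${TOOLCHAIN}"` step in the `latest` job is the only such line in the file and its reason is not stated; since that job's matrix includes `windows-latest`, where the default step shell is not POSIX, a comment like `# force a POSIX shell so "${TOOLCHAIN}" expands on the Windows runner too` would keep the next editor from removing it as noise. In the beta Clippy job the checkout hunk now drops persisted credentials, but the step right after it still uses `actions-rs/clippy-check@v1`, a tag-pinned action from an archived organisation; it is outside the changed lines, yet it is the kind of mutable third-party dependency this PR is otherwise tightening, and if it is passed a token below the hunk that is worth a look.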
31 changes: 31 additions & 0 deletions .github/workflows/zizmor.yml
@@ -0,0 +1,31 @@
name: GitHub Actions Security Analysis with zizmor 🌈

on:
push:
branches: ["main"]
pull_request:
branches: ["*"]

jobs:
zizmor:
name: zizmor latest via Cargo
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
- name: Install the latest version of uv
uses: astral-sh/setup-uv@887a942a15af3a7626099df99e897a18d9e5ab3a # v4
- name: Run zizmor 🌈
run: uvx zizmor --format sarif . > results.sarif
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
with:
sarif_file: results.sarif
category: zizmor
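Review bot: `uvx zizmor --format sarif . > results.sarif` installs whatever zizmor release is newest on PyPI at run time, so the scanner that vets the repository's other actions is itself the one unpinned code path in this workflow, while every `uses:` around it is SHA-pinned; pin it in the invocation (`uvx zizmor==<vetted version> --format sarif . > results.sarif`) and bump it deliberately. Separately, if zizmor's default behaviour of returning a non-zero exit status when it has findings applies to this version, the scan step fails and the `Upload SARIF file` step never runs, which means findings reach the job log but not code scanning; adding `--no-exit-codes` to the scan, or `if: always()` on the upload step, would let the SARIF land and the upload act as the gate.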
