
Commit a6c04c3

authored
Merge pull request #121 from artichoke/dev/lopopolo-zizmor-green
Address zizmor security issues in GitHub Actions setup
2 parents 740c081 + 900d5e7 commit a6c04c3


10 files changed

+315
-111
lines changed


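--- a/.github/workflows/audit.yaml
+++ b/.github/workflows/audit.yaml
@@ -9,6 +9,7 @@ name: Audit
 - trunk
 schedule:
 - cron: "0 0 * * TUE"
+permissions: {}
 jobs:
 ruby:
 name: Audit Ruby Dependencies
@@ -17,6 +18,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/[email protected]
+with:
+persist-credentials: false
 
 - name: Install Ruby toolchain
 uses: ruby/setup-ruby@2654679fe7f7c29875c669398a8ec0791b8a64a1 # v1.215.0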
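Review bot: The new top-level `permissions: {}` leaves the `ruby` job's checkout running with a token that has no `contents` scope, and no job-level `permissions:` block is visible in this hunk (file lines 16–17 fall outside it). Cloning a public repository still works with such a token, but a private one would fail at checkout; repo-labels.yaml in this same commit grants `contents: read` at job level, and doing the same here and in the ci.yaml jobs would make the read grant explicit instead of depending on repository visibility. A one-line comment above the new key, `# default-deny; each job grants only the scopes it needs`, would record the intent for the next editor.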

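--- a/.github/workflows/block-merge.yaml
+++ b/.github/workflows/block-merge.yaml
@@ -3,10 +3,14 @@ name: Merge
 "on":
 pull_request:
 types: [opened, labeled, unlabeled, synchronize]
+permissions: {}
 jobs:
 labels:
 name: Labels
 runs-on: ubuntu-latest
+permissions:
+issues: write
+pull-requests: write
 
 steps:
 - uses: mheap/github-action-required-labels@388fd6af37b34cdfe5a23b37060e763217e58b03 # v5.5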
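Review bot: The job-level `issues: write` and `pull-requests: write` grants (new lines 11–13) are the only write scopes left in this workflow after the top-level `permissions: {}`, yet nothing says which step needs them. A comment above the block, `# required-labels posts a PR comment when labels are missing; needs write on issues/pull-requests` (presumably the reason — confirm against the action's documentation), would keep the grant from being widened or dropped blindly later. Note that on `pull_request` runs from forks the token is read-only regardless of this block, so the write path only takes effect for same-repository branches.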

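--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -9,6 +9,7 @@ name: CI
 - trunk
 schedule:
 - cron: "0 0 * * TUE"
+permissions: {}
 jobs:
 test-setup-audit-toolchain:
 name: Test setup audit toolchain action
@@ -18,6 +19,7 @@ jobs:
 uses: actions/[email protected]
 with:
 path: setup-rust-action
+persist-credentials: false
 
 - name: Setup stable audit toolchain
 uses: ./setup-rust-action/audit
@@ -34,6 +36,7 @@ jobs:
 uses: actions/[email protected]
 with:
 path: setup-rust-action
+persist-credentials: false
 
 - name: Setup nightly build and test toolchain
 uses: ./setup-rust-action/build-and-test
@@ -89,6 +92,7 @@ jobs:
 uses: actions/[email protected]
 with:
 path: setup-rust-action
+persist-credentials: false
 
 - name: Setup stable build and test toolchain
 uses: ./setup-rust-action/check-minimal-versions
@@ -134,6 +138,7 @@ jobs:
 uses: actions/[email protected]
 with:
 path: setup-rust-action
+persist-credentials: false
 
 - name: Setup stable audit toolchain
 uses: ./setup-rust-action/code-coverage
@@ -150,6 +155,7 @@ jobs:
 uses: actions/[email protected]
 with:
 path: setup-rust-action
+persist-credentials: false
 
 - name: Setup stable build and test toolchain
 uses: ./setup-rust-action/lint-and-format
@@ -231,6 +237,7 @@ jobs:
 uses: actions/[email protected]
 with:
 path: setup-rust-action
+persist-credentials: false
 
 - name: Setup stable audit toolchain
 uses: ./setup-rust-action/miri
@@ -247,6 +254,7 @@ jobs:
 uses: actions/[email protected]
 with:
 path: setup-rust-action
+persist-credentials: false
 
 - name: Setup nightly rustdoc toolchain
 uses: ./setup-rust-action/rustdoc
@@ -261,6 +269,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/[email protected]
+with:
+persist-credentials: false
 
 - name: Install Ruby toolchain
 uses: ruby/setup-ruby@2654679fe7f7c29875c669398a8ec0791b8a64a1 # v1.215.0
@@ -277,6 +287,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/[email protected]
+with:
+persist-credentials: false
 
 - name: Lint and check formatting with prettier
 run: npx prettier --check '**/*'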

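--- a/.github/workflows/repo-labels.yaml
+++ b/.github/workflows/repo-labels.yaml
@@ -15,12 +15,18 @@
 schedule:
 - cron: "0 0 * * TUE"
 name: Create Repository Labels
+permissions: {}
 jobs:
 labels:
 name: Synchronize repository labels
 runs-on: ubuntu-latest
+permissions:
+contents: read
+issues: write
 steps:
 - uses: actions/[email protected]
+with:
+persist-credentials: false
 
 - name: Sync GitHub Issue Labels
 uses: crazy-max/ghaction-github-labeler@b54af0c25861143e7c8813d7cbbf46d2c341680c # v5.1.0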

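--- a/audit/action.yaml
+++ b/audit/action.yaml
@@ -7,31 +7,57 @@ inputs:
 description: "Rustup toolchain"
 required: true
 default: "stable"
+override-dir:
+description: "Directory to set the rustup override for"
+required: false
+default: "."
 
 runs:
 using: "composite"
 steps:
-- name: Install ${{ inputs.toolchain }} toolchain
+- name: Install toolchain
 shell: bash
-run: rustup toolchain install "${{ inputs.toolchain }}" --profile minimal
+working-directory: ${{ inputs.override-dir }}
+env:
+TOOLCHAIN: ${{ inputs.toolchain }}
+run: |
+rustup toolchain install "$TOOLCHAIN" --profile minimal
 
-- name: Update ${{ inputs.toolchain }} toolchain
+- name: Update toolchain
 shell: bash
-run: rustup update "${{ inputs.toolchain }}"
+working-directory: ${{ inputs.override-dir }}
+env:
+TOOLCHAIN: ${{ inputs.toolchain }}
+run: |
+rustup update "$TOOLCHAIN"
 
-- name: Set default toolchain to ${{ inputs.toolchain }}
+- name: Set default toolchain override
 shell: bash
-# https://rust-lang.github.io/rustup/overrides.html
-run: echo 'RUSTUP_TOOLCHAIN=${{ inputs.toolchain }}' >> "$GITHUB_ENV"
+working-directory: ${{ inputs.override-dir }}
+env:
+TOOLCHAIN: ${{ inputs.toolchain }}
+run: |
+# https://rust-lang.github.io/rustup/overrides.html
+rustup override set "$TOOLCHAIN"
 
 - name: Show rustup version
 shell: bash
-run: rustup -Vv
+working-directory: ${{ inputs.override-dir }}
+run: |
+rustup -Vv
 
-- name: Show ${{ inputs.toolchain }} rustc version
+- name: Show rustc version
 shell: bash
-run: rustc +${{ inputs.toolchain }} -Vv
+working-directory: ${{ inputs.override-dir }}
+env:
+TOOLCHAIN: ${{ inputs.toolchain }}
+run: |
+rustc +"$TOOLCHAIN" -Vv
 
-- name: Show ${{ inputs.toolchain }} cargo version
+- name: Show cargo version
 shell: bash
-run: cargo +${{ inputs.toolchain }} version --verbose
+working-directory: ${{ inputs.override-dir }}
+env:
+TOOLCHAIN: ${{ inputs.toolchain }}
+run: |
+cargo +"$TOOLCHAIN" version --verbose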
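Review bot: Replacing the `RUSTUP_TOOLCHAIN` export to `$GITHUB_ENV` with `rustup override set "$TOOLCHAIN"` changes the scope of the toolchain selection, not just how the input reaches the shell: the removed line applied to every later step of the calling job wherever it ran, whereas a rustup directory override applies only to `override-dir` and its subdirectories, so a caller whose later steps run cargo from another directory will silently get the default toolchain. The `override-dir` description should state this, e.g. `description: "Directory to set the rustup override for; the override covers this directory and its subdirectories, so later steps must run from within it"`. On a self-hosted runner that keeps its rustup home between jobs the override is also recorded persistently, unlike the per-job `$GITHUB_ENV` variable, which deserves a comment beside the `rustup override set` line. The same change and the same missing documentation appear in build-and-test/action.yaml.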

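--- a/build-and-test/action.yaml
+++ b/build-and-test/action.yaml
@@ -11,48 +11,80 @@ inputs:
 description: "Target triple"
 required: false
 default: ""
+override-dir:
+description: "Directory to set the rustup override for"
+required: false
+default: "."
 
 runs:
 using: "composite"
 steps:
-- name: Install ${{ inputs.toolchain }} toolchain
+- name: Install toolchain
 shell: bash
-run: rustup toolchain install "${{ inputs.toolchain }}" --profile minimal
+working-directory: ${{ inputs.override-dir }}
+env:
+TOOLCHAIN: ${{ inputs.toolchain }}
+run: |
+rustup toolchain install "$TOOLCHAIN" --profile minimal
 
-- name: Update ${{ inputs.toolchain }} toolchain
+- name: Update toolchain
 shell: bash
-run: rustup update "${{ inputs.toolchain }}"
+working-directory: ${{ inputs.override-dir }}
+env:
+TOOLCHAIN: ${{ inputs.toolchain }}
+run: |
+rustup update "$TOOLCHAIN"
 
 - name: Install additional target
 shell: bash
+working-directory: ${{ inputs.override-dir }}
 if: inputs.target != ''
-run: rustup target add --toolchain "${{ inputs.toolchain }}" "${{ inputs.target }}"
+env:
+TOOLCHAIN: ${{ inputs.toolchain }}
+TARGET: ${{ inputs.target }}
+run: |
+rustup target add --toolchain "$TOOLCHAIN" "$TARGET"
 
-- name: Set default toolchain to ${{ inputs.toolchain }}
+- name: Set default toolchain
 shell: bash
-# https://rust-lang.github.io/rustup/overrides.html
-run: echo 'RUSTUP_TOOLCHAIN=${{ inputs.toolchain }}' >> "$GITHUB_ENV"
+working-directory: ${{ inputs.override-dir }}
+env:
+TOOLCHAIN: ${{ inputs.toolchain }}
+run: |
+# https://rust-lang.github.io/rustup/overrides.html
+rustup override set "$TOOLCHAIN"
 
 - name: Show rustup version
 shell: bash
-run: rustup -Vv
+working-directory: ${{ inputs.override-dir }}
+run: |
+rustup -Vv
 
-- name: Show ${{ inputs.toolchain }} rustc version
+- name: Show rustc version
 shell: bash
-run: rustc +${{ inputs.toolchain }} -Vv
+working-directory: ${{ inputs.override-dir }}
+env:
+TOOLCHAIN: ${{ inputs.toolchain }}
+run: |
+rustc +"$TOOLCHAIN" -Vv
 
-- name: Show ${{ inputs.toolchain }} cargo version
+- name: Show cargo version
 shell: bash
-run: cargo +${{ inputs.toolchain }} version --verbose
+working-directory: ${{ inputs.override-dir }}
+env:
+TOOLCHAIN: ${{ inputs.toolchain }}
+run: |
+cargo +"$TOOLCHAIN" version --verbose
 
 - name: Check if Cargo.lock is present
 shell: bash
+working-directory: ${{ inputs.override-dir }}
 id: lockfile
 run: |
 if [[ -f Cargo.lock ]]; then
-echo "present=true" >> $GITHUB_OUTPUT
+echo "present=true" >> "$GITHUB_OUTPUT"
 else
-echo "present=false" >> $GITHUB_OUTPUT
+echo "present=false" >> "$GITHUB_OUTPUT"
 fi
 
 - name: Setup Rust caching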
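Review bot: The renamed override step is `Set default toolchain` here but `Set default toolchain override` in audit/action.yaml, and both names lost the toolchain that the old `Set default toolchain to ${{ inputs.toolchain }}` showed in the job log. An expression in a step `name:` is evaluated by the runner and never handed to a shell, so it is not the injection pattern this commit is fixing; `- name: Set rustup override to ${{ inputs.toolchain }}` in both actions would keep the log self-explanatory and the two actions consistent. As a smaller ordering point, in the `Install additional target` step the new `working-directory:` now sits between `shell:` and `if:`; placing `if:` directly under `name:` keeps the condition visible before the step's configuration.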

