

add zizmor static analyzer
ben-manes committed Jan 25, 2025
1 parent 88226ef commit 79efe53
Showing 48 changed files with 269 additions and 118 deletions.
57 changes: 38 additions & 19 deletions .github/actions/run-gradle/action.yml
Expand Up @@ -30,24 +30,29 @@ runs:
using: composite
steps:
- name: Read Gradle JDK toolchain version
id: gradle_toolchain
shell: bash
run: |
toolchainVersion=$(grep -oP '(?<=^toolchainVersion=).*' gradle/gradle-daemon-jvm.properties)
echo "toolchainVersion=${toolchainVersion}" >> $GITHUB_ENV
- name: Set up JDK ${{ env.toolchainVersion }}
echo "version=${toolchainVersion}" >> $GITHUB_OUTPUT
- name: Set up JDK ${{ steps.gradle_toolchain.outputs.version }}
uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
with:
java-version: ${{ env.toolchainVersion }}
java-version: ${{ steps.gradle_toolchain.version }}
distribution: temurin
- name: Prepare JDK toolchain
id: java_toolchain
env:
INPUTS_JAVA: ${{ inputs.java }}
INPUTS_GRAAL: ${{ inputs.graal }}
shell: bash
run: |
if [[ "${{ inputs.java }}" == "GraalVM" ]]; then
echo "JAVA_VENDOR=GraalVM Community" >> $GITHUB_ENV
echo "JAVA_VERSION=${{ inputs.graal }}" >> $GITHUB_ENV
if [[ "$INPUTS_JAVA" == "GraalVM" ]]; then
echo "vendor=GraalVM Community" >> $GITHUB_OUTPUT
echo "version=$INPUTS_GRAAL" >> $GITHUB_OUTPUT
else
echo "JAVA_VENDOR=Adoptium" >> $GITHUB_ENV
echo "JAVA_VERSION=${{ inputs.java }}" >> $GITHUB_ENV
echo "vendor=Adoptium" >> $GITHUB_OUTPUT
echo "version=$INPUTS_JAVA" >> $GITHUB_OUTPUT
fi
- name: Set up JDK
uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
Expand All @@ -57,15 +62,18 @@ runs:
(inputs.early-access == inputs.java && format('{0}-ea', inputs.java) || inputs.java) }}
distribution: ${{ inputs.java == 'GraalVM' && 'graalvm' || 'temurin' }}
- name: Prepare JDK ${{ inputs.java }}
id: prepare_java
env:
INPUTS_JAVA: ${{ inputs.java }}
JDK_EA: ${{ inputs.early-access == inputs.java }}
shell: bash
run: |
if [[ "${{ inputs.java }}" == "GraalVM" ]]; then
echo "GRAALVM_HOME=$JAVA_HOME" >> $GITHUB_ENV
if [[ "$INPUTS_JAVA" == "GraalVM" ]]; then
echo "graalvm_home=$JAVA_HOME" >> $GITHUB_OUTPUT
fi
echo "JDK_CI=$JAVA_HOME" >> $GITHUB_ENV
echo "JDK_EA=${{ inputs.early-access == inputs.java }}" >> $GITHUB_ENV
echo "JAVA_TOOL_OPTIONS=-Dorg.gradle.workers.max=$((2 * $(nproc)))" >> $GITHUB_ENV
echo "ORG_GRADLE_PROJECT_org.gradle.java.installations.auto-download=false" >> $GITHUB_ENV
echo "early_access=$JDK_EA" >> $GITHUB_OUTPUT
echo "java_home=$JAVA_HOME" >> $GITHUB_OUTPUT
echo "tool_options=-Dorg.gradle.workers.max=$((2 * $(nproc)))" >> $GITHUB_OUTPUT
- name: Setup Gradle
uses: gradle/actions/setup-gradle@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
with:
Expand All @@ -79,14 +87,25 @@ runs:
cache-encryption-key: ${{ inputs.cache-encryption-key }}
- name: Run ${{ inputs.arguments }}
if: ${{ inputs.arguments != '' }}
env:
INPUTS_ARGUMENTS: ${{ inputs.arguments }}
JDK_CI: ${{ inputs.prepare_java.java_home }}
JDK_EA: ${{ inputs.prepare_java.early_access }}
JAVA_VENDOR: ${{ steps.java_toolchain.vendor }}
INPUTS_ATTEMPT_DELAY: ${{ inputs.attempt-delay }}
INPUTS_ATTEMPT_LIMIT: ${{ inputs.attempt-limit }}
JAVA_VERSION: ${{ steps.java_toolchain.version }}
GRAALVM_HOME: ${{ inputs.prepare_java.graalvm_home }}
JAVA_TOOL_OPTIONS: ${{ inputs.prepare_java.tool_options }}
ORG_GRADLE_PROJECT_org.gradle.java.installations.auto-download: false
shell: bash
run: |
echo "::add-matcher::.github/problem-matcher.json"
for ((i=1; i<=${{ inputs.attempt-limit }}; i++)); do
./gradlew --no-problems-report $(echo "${{ inputs.arguments }}" | tr -d '\n') && break
if [ $i -lt ${{ inputs.attempt-limit }} ]; then
echo "Attempt $i failed. Retrying in ${{ inputs.attempt-delay }} seconds..."
sleep ${{ inputs.attempt-delay }}
for ((i=1; i<=$INPUTS_ATTEMPT_LIMIT; i++)); do
./gradlew --no-problems-report $(echo "$INPUTS_ARGUMENTS" | tr -d '\n') && break
if [ $i -lt $INPUTS_ATTEMPT_LIMIT ]; then
echo "Attempt $i failed. Retrying in $INPUTS_ATTEMPT_DELAY seconds..."
sleep $INPUTS_ATTEMPT_DELAY
else
echo "All attempts failed."
exit 1
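Review bot: The step-output references introduced in this hunk do not resolve, assuming the lower of each printed pair is the new side: `java-version: ${{ steps.gradle_toolchain.version }}` omits `.outputs`, and the `Run` step's env block reads `inputs.prepare_java.java_home`, `inputs.prepare_java.early_access`, `inputs.prepare_java.graalvm_home`, `inputs.prepare_java.tool_options`, `steps.java_toolchain.vendor` and `steps.java_toolchain.version`, none of which is a valid context path (the action's inputs have no `prepare_java` member, and step results live under `steps.<id>.outputs.<name>`). GitHub expressions evaluate missing properties to an empty value rather than failing, so JDK_CI, JDK_EA, JAVA_VENDOR, JAVA_VERSION, GRAALVM_HOME and JAVA_TOOL_OPTIONS would most likely be empty for the Gradle run even though every step succeeds — worth confirming on a run. Moving the interpolations out of `run:` into `env:` is the right template-injection fix; it just needs the paths corrected, and `ORG_GRADLE_PROJECT_org.gradle.java.installations.auto-download` should be the string `"false"` since env values are strings and a bare `false` is a YAML boolean. The `steps:` sequence continues past the end of the hunk.
```yaml
      java-version: ${{ steps.gradle_toolchain.outputs.version }}
# … unchanged: Prepare JDK toolchain, Set up JDK, Prepare JDK and Setup Gradle steps …
    env:
      INPUTS_ARGUMENTS: ${{ inputs.arguments }}
      JDK_CI: ${{ steps.prepare_java.outputs.java_home }}
      JDK_EA: ${{ steps.prepare_java.outputs.early_access }}
      JAVA_VENDOR: ${{ steps.java_toolchain.outputs.vendor }}
      # … unchanged: INPUTS_ATTEMPT_DELAY / INPUTS_ATTEMPT_LIMIT …
      JAVA_VERSION: ${{ steps.java_toolchain.outputs.version }}
      GRAALVM_HOME: ${{ steps.prepare_java.outputs.graalvm_home }}
      JAVA_TOOL_OPTIONS: ${{ steps.prepare_java.outputs.tool_options }}
      ORG_GRADLE_PROJECT_org.gradle.java.installations.auto-download: "false"
```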
46 changes: 42 additions & 4 deletions .github/workflows/actionlint.yml
@@ -1,10 +1,12 @@
name: actionlint
permissions: read-all
permissions: {}
on: [ push, pull_request ]

jobs:
actionlint:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
Expand All @@ -14,11 +16,47 @@ jobs:
allowed-endpoints: >
api.github.com:443
github.com:443
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: actionlint
uses: reviewdog/action-actionlint@abd537417cf4991e1ba8e21a67b1119f4f53b8e0 # v1.64.1
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Run actionlint
uses: reviewdog/action-actionlint@abd537417cf4991e1ba8e21a67b1119f4f53b8e0 # v1.64.4
env:
SHELLCHECK_OPTS: -e SC2001 -e SC2035 -e SC2046 -e SC2061 -e SC2086 -e SC2156
with:
reporter: github-check
github_token: ${{ secrets.GITHUB_TOKEN }}

zizmor:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
files.pythonhosted.org:443
github.com:443
objects.githubusercontent.com:443
pypi.org:443
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Install uv
uses: astral-sh/setup-uv@b5f58b2abc5763ade55e4e9d0fe52cd1ff7979ca # v5.2.1
- name: Run zizmor
run: uvx zizmor --pedantic --format sarif . > results.sarif
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Upload SARIF file for GitHub Advanced Security Dashboard
uses: github/codeql-action/upload-sarif@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5
with:
sarif_file: results.sarif
category: zizmor
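Review bot: `run: uvx zizmor --pedantic --format sarif . > results.sarif` resolves zizmor from PyPI at run time with no version constraint, while every action in this file is pinned to a commit SHA; a scanner that runs with `GH_TOKEN` in its environment deserves the same pinning, e.g. `run: uvx zizmor==<pinned-version> --pedantic --format sarif . > results.sarif` (placeholder for the version the project chooses), bumped via the same process as the action pins. Separately, if zizmor exits non-zero when it reports findings — check its documented exit codes — the `Upload SARIF file` step is skipped exactly when there is something to upload; adding `if: always()` to that step keeps results reaching the security dashboard. `persist-credentials: false` on the checkout and the job-level `contents: read` / `security-events: write` are the right scoping for this job.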
23 changes: 19 additions & 4 deletions .github/workflows/analysis.yml
@@ -1,5 +1,5 @@
name: analysis
permissions: read-all
permissions: {}
on: [ push, pull_request ]

env:
Expand All @@ -22,6 +22,8 @@ env:
jobs:
forbiddenApis:
runs-on: ubuntu-latest
permissions:
contents: read
env:
JAVA_VERSION: 23
steps:
Expand All @@ -31,7 +33,10 @@ jobs:
disable-sudo: true
egress-policy: block
allowed-endpoints: ${{ env.ALLOWED_ENDPOINTS }}
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Forbidden Apis
uses: ./.github/actions/run-gradle
with:
Expand All @@ -41,6 +46,8 @@ jobs:

pmd:
runs-on: ubuntu-latest
permissions:
contents: read
env:
JAVA_VERSION: 23
steps:
Expand All @@ -50,7 +57,10 @@ jobs:
disable-sudo: true
egress-policy: block
allowed-endpoints: ${{ env.ALLOWED_ENDPOINTS }}
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Pmd
uses: ./.github/actions/run-gradle
with:
Expand All @@ -60,6 +70,8 @@ jobs:

spotbugs:
runs-on: ubuntu-latest
permissions:
contents: read
env:
JAVA_VERSION: 23
steps:
Expand All @@ -69,7 +81,10 @@ jobs:
disable-sudo: true
egress-policy: block
allowed-endpoints: ${{ env.ALLOWED_ENDPOINTS }}
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Spotbugs
uses: ./.github/actions/run-gradle
with:
9 changes: 7 additions & 2 deletions .github/workflows/benchmarks.yml
@@ -1,5 +1,5 @@
name: benchmarks
permissions: read-all
permissions: {}
on: [ push, pull_request ]

env:
Expand All @@ -9,6 +9,8 @@ env:
jobs:
benchmarks:
runs-on: ubuntu-latest
permissions:
contents: read
strategy:
matrix:
java: [ 11, 21, 25, GraalVM ]
Expand Down Expand Up @@ -39,7 +41,10 @@ jobs:
raw.githubusercontent.com:443
services.gradle.org:443
www.graalvm.org:443
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Compute JMH Benchmark
uses: ./.github/actions/run-gradle
with:
37 changes: 28 additions & 9 deletions .github/workflows/build.yml
@@ -1,9 +1,9 @@
name: build
permissions: {}
on:
pull_request: {}
push:
branches: [master, v2.dev, v3.dev]
permissions: read-all

env:
DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
Expand Down Expand Up @@ -45,6 +45,8 @@ jobs:
name: Compile
timeout-minutes: 15
runs-on: ubuntu-latest
permissions:
contents: read
strategy:
matrix:
java: [ 11, 23, 25, GraalVM ]
Expand All @@ -59,6 +61,8 @@ jobs:
allowed-endpoints: ${{ env.ALLOWED_ENDPOINTS }}
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Compile
uses: ./.github/actions/run-gradle
with:
Expand All @@ -75,6 +79,8 @@ jobs:
timeout-minutes: 60
runs-on: ubuntu-latest
needs: compile
permissions:
contents: read
strategy:
matrix:
suite:
Expand Down Expand Up @@ -173,6 +179,8 @@ jobs:
allowed-endpoints: ${{ env.ALLOWED_ENDPOINTS }}
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Run tests (${{ env.JAVA_VERSION }})
uses: ./.github/actions/run-gradle
with:
Expand All @@ -181,22 +189,25 @@ jobs:
cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
- name: Format Test Artifact Name
if: always() && (env.JAVA_VERSION == env.PUBLISH_JDK)
id: format_artifact
run: |
RAW_NAME=${{ matrix.suite }}-${{ env.JAVA_VERSION }}
RAW_NAME=${{ matrix.suite }}-$JAVA_VERSION
ARTIFACT_NAME=$(echo $RAW_NAME | sed 's/:/-/g')
echo "ARTIFACT_NAME=$ARTIFACT_NAME" >> $GITHUB_ENV
echo "name=$ARTIFACT_NAME" >> $GITHUB_OUTPUT
- name: Compress test results
if: always() && (env.JAVA_VERSION == env.PUBLISH_JDK)
env:
ARTIFACT_NAME: ${{ steps.format_artifact.outputs.name }}
run: >
find . -path */jacoco/*.exec -o -path */results/*.xml
| tar czf ${{ env.ARTIFACT_NAME }}.tar.gz --files-from -
| tar czf $ARTIFACT_NAME.tar.gz --files-from -
- name: Upload test results
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
if: always() && (env.JAVA_VERSION == env.PUBLISH_JDK)
with:
retention-days: 1
name: ${{ env.ARTIFACT_NAME }}-results
path: ${{ env.ARTIFACT_NAME }}.tar.gz
name: ${{ steps.format_artifact.outputs.name }}-results
path: ${{ steps.format_artifact.outputs.name }}.tar.gz
- name: Cancel if failed
uses: andymckay/cancel-action@a955d435292c0d409d104b57d8e78435a93a6ef1 # 0.5
continue-on-error: true
Expand All @@ -207,6 +218,8 @@ jobs:
runs-on: ubuntu-latest
needs: tests
if: (github.event_name == 'push') && (github.event.repository.fork == false)
permissions:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
Expand All @@ -232,6 +245,7 @@ jobs:
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
persist-credentials: false
- name: Download Tests Results
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
- name: Decompress
Expand All @@ -252,7 +266,7 @@ jobs:
cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
continue-on-error: true
- name: Publish to Codecov
uses: codecov/codecov-action@1e68e06f1dbfde0e4cefc87efeba9e4643565303 # v5.1.2
uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
with:
token: ${{ secrets.CODECOV_TOKEN }}
- name: Publish to Codacy
Expand Down Expand Up @@ -284,6 +298,7 @@ jobs:
needs: tests
if: github.event_name == 'push'
permissions:
contents: read
checks: write
steps:
- name: Harden Runner
Expand Down Expand Up @@ -315,7 +330,7 @@ jobs:
COLOR: 31c653
STATUS: ${{ fromJSON(steps.test-results.outputs.json).formatted.stats.runs }}
continue-on-error: true
run: curl -s -f https://badgen.net/badge/${{env.LABEL}}/${{env.STATUS}}/${{env.COLOR}} > badge.svg
run: curl -s -f https://badgen.net/badge/$LABEL/$STATUS/$COLOR > badge.svg
- name: Upload badge to Gist
uses: popsiclestick/gist-sync-action@88f8633178625914f2a01abf1a765f7272a580fa # v1.2.0
if: >
Expand All @@ -338,6 +353,7 @@ jobs:
&& github.event.repository.fork == false
&& endsWith(github.ref, github.event.repository.default_branch)
permissions:
contents: read
id-token: write
steps:
- name: Harden Runner
Expand All @@ -353,7 +369,10 @@ jobs:
jspecify.dev:443
lightbend.github.io:443
oauth2.sigstore.dev:443
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Publish Snapshot
uses: ./.github/actions/run-gradle
env:
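Review bot: `RAW_NAME=${{ matrix.suite }}-$JAVA_VERSION` in the `Format Test Artifact Name` step still expands an expression straight into the shell script, the pattern this commit otherwise removes; `matrix.suite` is repository-controlled so the exposure is low, but for consistency give the step `env:` with `SUITE: ${{ matrix.suite }}` and write `RAW_NAME="$SUITE-$JAVA_VERSION"`. The next line, `ARTIFACT_NAME=$(echo $RAW_NAME | sed 's/:/-/g')`, can drop the subshell as `ARTIFACT_NAME=${RAW_NAME//:/-}`, and the `Compress test results` step should quote `"$ARTIFACT_NAME.tar.gz"` so a name containing whitespace cannot split the tar argument. Both steps belong to the `tests` job, whose definition starts and ends outside the visible hunks.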

