ci: update cid github actions workflow from 0.0.24 to 0.0.25

cidverse · Oct 9, 2024 · 213e1b1 · 213e1b1
1 parent 321a733
commit 213e1b1
Show file tree

Hide file tree

Showing 3 changed files with 113 additions and 43 deletions.
diff --git a/.github/workflows/cid-ossf.yml b/.github/workflows/cid-ossf.yml
@@ -1,4 +1,4 @@
-# cid-workflow-version: 0.0.24
+# cid-workflow-version: 0.0.25
 
 # This file is generated by the CID Workflow GitHub App.
 # DO NOT EDIT!
@@ -36,7 +36,7 @@ jobs:
       contents: read # required in private repos
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           disable-telemetry: true
           disable-sudo: true
@@ -65,7 +65,7 @@ jobs:
             fulcio.sigstore.dev:443
             tuf-repo-cdn.sigstore.dev:443
       - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           persist-credentials: false
       - name: OSSF Analysis
@@ -75,7 +75,7 @@ jobs:
           results_format: sarif
           publish_results: true # publish results to OpenSSF REST API
       - name: Upload Analysis Result
-        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: SARIF file
           path: results.sarif

diff --git a/.github/workflows/cid-pullrequest.yml b/.github/workflows/cid-pullrequest.yml
@@ -1,4 +1,4 @@
-# cid-workflow-version: 0.0.24
+# cid-workflow-version: 0.0.25
 
 # This file is generated by the CID Workflow GitHub App.
 # DO NOT EDIT!
@@ -73,6 +73,7 @@ env:
     uploads.github.com:443
   EGRESS_POLICY_ALLOWED_ENDPOINTS_BUILD: ""
   EGRESS_POLICY_ALLOWED_ENDPOINTS_TEST: ""
+  EGRESS_POLICY_ALLOWED_ENDPOINTS_LINT: ""
   EGRESS_POLICY_ALLOWED_ENDPOINTS_SCAN: >-
     api.sonarcloud.io:443
     scanner.sonarcloud.io:443
@@ -86,12 +87,12 @@ jobs:
   # info
   info:
     name: Info
-    runs-on: ubuntu-22.04 # https://github.com/actions/runner-images
+    runs-on: ubuntu-24.04 # https://github.com/actions/runner-images
     timeout-minutes: 30
     if: ${{ github.event.inputs.loglevel == 'debug' }}
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           disable-telemetry: true
           disable-sudo: true
@@ -102,7 +103,7 @@ jobs:
         with:
           version: ${{ env.CID_VERSION }}
       - name: checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           fetch-depth: 0
       - name: info
@@ -118,13 +119,13 @@ jobs:
   # build
   build:
     name: Build
-    runs-on: ubuntu-22.04 # https://github.com/actions/runner-images
+    runs-on: ubuntu-24.04 # https://github.com/actions/runner-images
     permissions:
       id-token: write # provenance signing
     timeout-minutes: 30
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           disable-telemetry: true
           disable-sudo: true
@@ -135,7 +136,7 @@ jobs:
         with:
           version: ${{ env.CID_VERSION }}
       - name: checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           fetch-depth: 0
       - name: build
@@ -145,7 +146,7 @@ jobs:
         run: |
           cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage build
       - name: upload artifacts
-        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: build-${{ github.run_id }}
           path: .dist
@@ -155,11 +156,11 @@ jobs:
   # test
   test:
     name: Test
-    runs-on: ubuntu-22.04 # https://github.com/actions/runner-images
+    runs-on: ubuntu-24.04 # https://github.com/actions/runner-images
     timeout-minutes: 30
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           disable-telemetry: true
           disable-sudo: true
@@ -170,7 +171,7 @@ jobs:
         with:
           version: ${{ env.CID_VERSION }}
       - name: checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           fetch-depth: 0
       - name: test
@@ -180,7 +181,41 @@ jobs:
         run: |
           cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage test
       - name: upload artifacts
-        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        with:
+          name: test-${{ github.run_id }}
+          path: .dist
+          retention-days: 1
+          if-no-files-found: ignore
+  # lint
+  lint:
+    name: Lint
+    runs-on: ubuntu-24.04 # https://github.com/actions/runner-images
+    timeout-minutes: 30
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          disable-telemetry: true
+          disable-sudo: true
+          egress-policy: ${{ env.EGRESS_POLICY }}
+          allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_LINT }}
+      - name: prepare environment
+        uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0
+        with:
+          version: ${{ env.CID_VERSION }}
+      - name: checkout
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        with:
+          fetch-depth: 0
+      - name: lint
+        env:
+          CID_WORKFLOW: ${{ env.CID_WORKFLOW }}
+          CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }}
+        run: |
+          cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage lint
+      - name: upload artifacts
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: test-${{ github.run_id }}
           path: .dist
@@ -189,14 +224,14 @@ jobs:
   # scan
   scan:
     name: Scan
-    runs-on: ubuntu-22.04 # https://github.com/actions/runner-images
-    needs: [build, test]
+    runs-on: ubuntu-24.04 # https://github.com/actions/runner-images
+    needs: [build, test, lint]
     permissions:
       security-events: write
     timeout-minutes: 30
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           disable-telemetry: true
           disable-sudo: true
@@ -207,7 +242,7 @@ jobs:
         with:
           version: ${{ env.CID_VERSION }}
       - name: checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           fetch-depth: 0
       - name: download artifacts > build