Fix Zizmor

This commit is contained in:
Filipe PINTO 2025-01-20 10:42:47 +01:00 committed by hurl-bot
parent fee90a8dfd
commit 2472aa90e9
No known key found for this signature in database
GPG Key ID: 1283A2B4A0DCAF8D
12 changed files with 154 additions and 91 deletions


@ -69,6 +69,7 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4.2.2
with:
persist-credentials: true
ref: ${{ env.BASE_REF }}
token: ${{ secrets.HURL_BOT_TOKEN }}
fetch-depth: 0
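Review bot: `persist-credentials: true` together with `token: ${{ secrets.HURL_BOT_TOKEN }}` writes the bot PAT into `.git/config` of the checkout, so every later step of the job, and any tool run from the working tree, can read it; the hunk does not show which step needs git push with that token. A one-line comment above the option would record the justification, e.g. `# persist-credentials: true — presumably a later step pushes with HURL_BOT_TOKEN; confirm, else set false`. If no later step in this job pushes over git, `false` is the least-privilege value and the PAT stays confined to the steps that read it from `env`. The same question applies to the later sections that set `persist-credentials: true` together with `ref: master`.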


@ -18,6 +18,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4.2.2
with:
persist-credentials: false
- name: Auto close inactive PR
run: .github/workflows/bin/auto-close-inactive-pr.sh --github-project-path "${REPO}" --github-token "${GITHUB_TOKEN}" --max-days-of-inactivity 15


@ -13,6 +13,8 @@ on:
env:
CARGO_TERM_COLOR: always
permissions: {}
jobs:
checks:
@ -22,6 +24,7 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4.2.2
with:
persist-credentials: false
ref: ${{ inputs.branch }}
- name: Shellcheck
@ -62,7 +65,7 @@ jobs:
- name: Zizmor
env:
GITHUB_TOKEN: ${{ secrets.HURL_BOT_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
if: always()
run: |
pip install zizmor
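Review bot: `permissions: {}` at the workflow level zeroes the default token, so every job in this file now has to declare the permissions it needs at job level, and those job blocks are outside the hunks shown; please confirm each job that checks out or calls the API (the Zizmor step now passes `secrets.GITHUB_TOKEN` through `--gh-token`) still has what it needs. A comment would make the intent durable for the next editor: `# Deny all default GITHUB_TOKEN permissions; each job grants its own.` The same applies to the other sections of this commit that add `permissions: {}`. Separately, `pip install zizmor` installs whatever PyPI serves as latest at run time, so the audit result can change without a diff in this repository; `pip install zizmor==<PINNED_VERSION>` keeps it reproducible.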


@ -18,6 +18,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4.2.2
with:
persist-credentials: false
- name: Install Prerequisites
run: bin/install_prerequisites_ubuntu.sh


@ -1,78 +1,81 @@
name: extra-package
on:
workflow_dispatch:
inputs:
set-release-version:
description: 'Desired release version (x.y.z)'
required: true
type: string
push-to-chocolatey:
description: 'Push to chocolatey'
type: boolean
default: false
push-to-winget:
description: 'Push to winget'
type: boolean
default: false
concurrency: extra-package
jobs:
check-release:
env:
GH_TOKEN: ${{ github.token }}
RELEASE_VERSION: ${{ github.event.inputs.set-release-version }}
name: Check-release
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4.2.2
with:
fetch-depth: 1
ref: ${{ github.event.inputs.set-release-version }}
- name: Check if branch is a published release
run: |
if gh release list --exclude-drafts --exclude-pre-releases | grep -E "^${RELEASE_VERSION}" ; then
echo "✅ Desired release ${RELEASE_VERSION} is a published release"
else
echo "❌ You have to run this workflow for a published release (excluding draft and pre-release), but the desired one [${RELEASE_VERSION}] is not."
exit 1
fi
push-to-chocolatey:
if: github.event.inputs.push-to-chocolatey == 'true'
needs: check-release
env:
RELEASE_VERSION: ${{ github.event.inputs.set-release-version }}
CHOCOLATEY_TOKEN: ${{ secrets.LEPAPAREIL_CHOCOLATEY_TOKEN }}
name: Push to chocolatey
runs-on: windows-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4.2.2
with:
fetch-depth: 1
ref: ${{ github.event.inputs.set-release-version }}
- name: Push to chocolatey
run: .\bin\release\push_package_to_chocolatey.ps1 $env:RELEASE_VERSION $env:CHOCOLATEY_TOKEN
push-to-winget:
if: github.event.inputs.push-to-winget == 'true'
needs: check-release
env:
RELEASE_VERSION: ${{ github.event.inputs.set-release-version }}
WINGET_TOKEN: ${{ secrets.LEPAPAREIL_WINGET_TOKEN }}
name: Push to winget
runs-on: windows-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4.2.2
with:
fetch-depth: 1
ref: ${{ github.event.inputs.set-release-version }}
- name: Push to winget
run: |
Invoke-WebRequest https://aka.ms/wingetcreate/latest -OutFile .\wingetcreate.exe
.\wingetcreate.exe version
.\bin\release\push_package_to_winget.ps1 "$env:RELEASE_VERSION" "$env:LEPAPAREIL_WINGET_TOKEN"
name: extra-package
on:
workflow_dispatch:
inputs:
set-release-version:
description: 'Desired release version (x.y.z)'
required: true
type: string
push-to-chocolatey:
description: 'Push to chocolatey'
type: boolean
default: false
push-to-winget:
description: 'Push to winget'
type: boolean
default: false
concurrency: extra-package
jobs:
check-release:
env:
GH_TOKEN: ${{ github.token }}
RELEASE_VERSION: ${{ github.event.inputs.set-release-version }}
name: Check-release
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4.2.2
with:
persist-credentials: true
fetch-depth: 1
ref: ${{ github.event.inputs.set-release-version }}
- name: Check if branch is a published release
run: |
if gh release list --exclude-drafts --exclude-pre-releases | grep -E "^${RELEASE_VERSION}" ; then
echo "✅ Desired release ${RELEASE_VERSION} is a published release"
else
echo "❌ You have to run this workflow for a published release (excluding draft and pre-release), but the desired one [${RELEASE_VERSION}] is not."
exit 1
fi
push-to-chocolatey:
if: github.event.inputs.push-to-chocolatey == 'true'
needs: check-release
env:
RELEASE_VERSION: ${{ github.event.inputs.set-release-version }}
CHOCOLATEY_TOKEN: ${{ secrets.LEPAPAREIL_CHOCOLATEY_TOKEN }}
name: Push to chocolatey
runs-on: windows-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4.2.2
with:
persist-credentials: false
fetch-depth: 1
ref: ${{ github.event.inputs.set-release-version }}
- name: Push to chocolatey
run: .\bin\release\push_package_to_chocolatey.ps1 $env:RELEASE_VERSION $env:CHOCOLATEY_TOKEN
push-to-winget:
if: github.event.inputs.push-to-winget == 'true'
needs: check-release
env:
RELEASE_VERSION: ${{ github.event.inputs.set-release-version }}
WINGET_TOKEN: ${{ secrets.LEPAPAREIL_WINGET_TOKEN }}
name: Push to winget
runs-on: windows-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4.2.2
with:
persist-credentials: true
fetch-depth: 1
ref: ${{ github.event.inputs.set-release-version }}
- name: Push to winget
run: |
Invoke-WebRequest https://aka.ms/wingetcreate/latest -OutFile .\wingetcreate.exe
.\wingetcreate.exe version
.\bin\release\push_package_to_winget.ps1 "$env:RELEASE_VERSION" "$env:LEPAPAREIL_WINGET_TOKEN"
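Review bot: The last step of the winget job reads `$env:LEPAPAREIL_WINGET_TOKEN`, but the job's `env:` block maps that secret to `WINGET_TOKEN`, and secrets are not exposed as environment variables on their own, so the script is handed an empty token; the chocolatey job uses its `CHOCOLATEY_TOKEN` name consistently. Change the call to `.\bin\release\push_package_to_winget.ps1 "$env:RELEASE_VERSION" "$env:WINGET_TOKEN"`. Also, `check-release` and `push-to-winget` now set `persist-credentials: true` while `push-to-chocolatey` sets `false`; the only visible steps of those two jobs use `gh` via `GH_TOKEN` and a PowerShell script given its token as an argument, neither of which needs git credentials left in `.git/config`, so `false` looks like the right value for all three checkouts unless a step I cannot see pushes over git.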


@ -14,6 +14,8 @@ on:
env:
CARGO_TERM_COLOR: always
permissions: {}
jobs:
package-generic-linux-x64:
runs-on: ubuntu-20.04
@ -21,6 +23,7 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4.2.2
with:
persist-credentials: false
ref: ${{ inputs.branch }}
- name: Install prerequisites
run: bin/install_prerequisites_ubuntu.sh
@ -64,6 +67,7 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4.2.2
with:
persist-credentials: false
ref: ${{ inputs.branch }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v3.3.0
@ -113,6 +117,7 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4.2.2
with:
persist-credentials: false
ref: ${{ inputs.branch }}
- name: Retrieve release-generic-linux-x64-artifacts
uses: actions/download-artifact@v4.1.8
@ -166,6 +171,7 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4.2.2
with:
persist-credentials: false
ref: ${{ inputs.branch }}
- name: Retrieve release-generic-linux-x64-artifacts
uses: actions/download-artifact@v4.1.8
@ -217,6 +223,7 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4.2.2
with:
persist-credentials: false
ref: ${{ inputs.branch }}
- name: Retrieve release-generic-linux-x64-artifacts
uses: actions/download-artifact@v4.1.8
@ -268,6 +275,7 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4.2.2
with:
persist-credentials: false
ref: ${{ inputs.branch }}
- name: Retrieve release-generic-linux-x64-artifacts
uses: actions/download-artifact@v4.1.8
@ -321,6 +329,7 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4.2.2
with:
persist-credentials: false
ref: ${{ inputs.branch }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3.8.0
@ -392,6 +401,7 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4.2.2
with:
persist-credentials: false
ref: ${{ inputs.branch }}
- name: Install Prerequisites
run: bin/install_prerequisites_ubuntu.sh
@ -443,6 +453,7 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4.2.2
with:
persist-credentials: false
ref: ${{ inputs.branch }}
- name: Install Prerequisites
run: |
@ -492,6 +503,7 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4.2.2
with:
persist-credentials: false
ref: ${{ inputs.branch }}
- name: Install Prerequisites
run: |
@ -547,6 +559,7 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4.2.2
with:
persist-credentials: false
ref: ${{ inputs.branch }}
- name: Install Rust
run: |
@ -606,6 +619,7 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4.2.2
with:
persist-credentials: false
ref: ${{ inputs.branch }}
- uses: actions/download-artifact@v4.1.8
with:


@ -56,6 +56,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4.2.2
with:
persist-credentials: true
- name: Check release pull request existence
id: check-release-pull-request-existence
@ -172,6 +174,8 @@ jobs:
- name: Checkout repository
if: github.ref_name == 'master'
uses: actions/checkout@v4.2.2
with:
persist-credentials: true
- name: Create release branch
if: github.ref_name == 'master'
@ -189,6 +193,7 @@ jobs:
- name: Checkout new release branch
uses: actions/checkout@v4.2.2
with:
persist-credentials: true
ref: ${{ needs.set-context.outputs.release_branch }}
- name: Check CHANGELOG
@ -298,6 +303,7 @@ jobs:
- name: Checkout new release branch
uses: actions/checkout@v4.2.2
with:
persist-credentials: true
ref: ${{ needs.set-context.outputs.release_branch }}
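Review bot: All four checkouts in this section choose `persist-credentials: true` without a `token:` parameter, which keeps the job's `GITHUB_TOKEN` in `.git/config` for the rest of the job; that is only needed when a later step pushes or fetches with plain git, and none of the four hunks shows that step. A comment above each `true` would document the reason, e.g. `# credentials kept: a later step in this job pushes the release branch with git` where that holds, and `false` where the job only reads. The first hunk ("Check release pull request existence") reads like a read-only job from its step name, but its step body lies outside the hunk, so I cannot confirm either way.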
- name: Init git bot context


@ -14,6 +14,8 @@ on:
env:
CARGO_TERM_COLOR: always
permissions: {}
jobs:
benchsuite:
runs-on: ubuntu-latest
@ -21,6 +23,7 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4.2.2
with:
persist-credentials: false
ref: ${{ inputs.branch }}
- name: Install Prerequisites
run: bin/install_prerequisites_ubuntu.sh
@ -54,6 +57,7 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4.2.2
with:
persist-credentials: false
ref: ${{ inputs.branch }}
- name: Install Rust
run: bin/install_rust.sh
@ -75,6 +79,7 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4.2.2
with:
persist-credentials: false
ref: ${{ inputs.branch }}
- name: Install Prerequisites
run: bin/install_prerequisites_ubuntu.sh
@ -119,6 +124,7 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4.2.2
with:
persist-credentials: false
ref: ${{ inputs.branch }}
- name: Install Prerequisites
run: bin/install_prerequisites_ubuntu.sh
@ -160,6 +166,7 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4.2.2
with:
persist-credentials: false
ref: ${{ inputs.branch }}
- name: Build, Test units and Integration tests
uses: addnab/docker-run-action@v3
@ -201,6 +208,7 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4.2.2
with:
persist-credentials: false
ref: ${{ inputs.branch }}
- name: Build, Test units and Integration tests
uses: addnab/docker-run-action@v3
@ -249,6 +257,7 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4.2.2
with:
persist-credentials: false
ref: ${{ inputs.branch }}
- name: Build, Test units and Integration tests
uses: addnab/docker-run-action@v3
@ -299,6 +308,7 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4.2.2
with:
persist-credentials: false
ref: ${{ inputs.branch }}
- name: Install Prerequisites
run: |
@ -347,6 +357,7 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4.2.2
with:
persist-credentials: false
ref: ${{ inputs.branch }}
- name: Install Prerequisites
run: |
@ -398,6 +409,7 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4.2.2
with:
persist-credentials: false
ref: ${{ inputs.branch }}
- name: Install Rust
run: |
@ -439,7 +451,8 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4.2.2
with:
ref: ${{ inputs.branch }}
persist-credentials: false
ref: ${{ inputs.branch }}
- name: Setup wsl Ubuntu
uses: Vampire/setup-wsl@v4.1.0
with:
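Review bot: `uses: addnab/docker-run-action@v3` in the three "Build, Test units and Integration tests" hunks is pinned to a moving major tag while every other action in this file carries an exact tag (`actions/checkout@v4.2.2`, `Vampire/setup-wsl@v4.1.0`); a mutable tag lets the action's code change underneath the workflow without any diff here, which is what the exact pins elsewhere guard against. Pin it the same way, `uses: addnab/docker-run-action@<EXACT_TAG_OR_COMMIT_SHA>`, so the whole file follows one policy. The last hunk only reorders `ref:` beneath the new `persist-credentials: false`, which is fine.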


@ -20,6 +20,7 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4.2.2
with:
persist-credentials: true
ref: master
token: ${{ secrets.HURL_BOT_TOKEN }}


@ -42,6 +42,7 @@ jobs:
GITHUB_CONTEXT: ${{ toJson(github) }}
GITHUB_TOKEN: ${{ secrets.HURL_BOT_TOKEN }}
REPO: ${{ github.repository }}
NEW_VERSION: ${{ inputs.new_version }}
outputs:
pr_number: ${{ steps.create-new-version-pr.outputs.pr_number }}
name: update-branch-version
@ -50,6 +51,7 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4.2.2
with:
persist-credentials: true
ref: ${{ inputs.branch }}
- name: Init bot branch name
@ -62,13 +64,13 @@ jobs:
hurl_packages="hurl_core hurl hurlfmt"
for package in ${hurl_packages} ; do
cargo_toml="packages/${package}/Cargo.toml"
sed -i "s/^version.*/version = \"${{ inputs.new_version }}\"/" "${cargo_toml}"
sed -i "s/^version.*/version = \"${NEW_VERSION}\"/" "${cargo_toml}"
echo "----------------------------"
echo " > package version for ${cargo_toml}"
echo " $(grep "^version =" "${cargo_toml}")"
for dep_package in ${hurl_packages} ; do
if [ $(grep -c "^${dep_package} =" "${cargo_toml}") -gt 0 ] ; then
sed -i "s/^${dep_package} = { version .*/${dep_package} = { version = \"${{ inputs.new_version }}\", path = \"..\/${dep_package}\" }/" "${cargo_toml}"
sed -i "s/^${dep_package} = { version .*/${dep_package} = { version = \"${NEW_VERSION}\", path = \"..\/${dep_package}\" }/" "${cargo_toml}"
echo " > ${dep_package} dep package version for ${cargo_toml}"
echo " $(grep "^${dep_package} =" "${cargo_toml}")"
fi
@ -104,7 +106,7 @@ jobs:
- name: Push commits
run: |
git checkout -b "${BOT_UPDATE_VERSION_BRANCH_NAME}"
git commit -am "Update hurl version to ${{ inputs.new_version }}"
git commit -am "Update hurl version to ${NEW_VERSION}"
git push --set-upstream origin "${BOT_UPDATE_VERSION_BRANCH_NAME}" && git_exit_code=0 || git_exit_code=$?
if [ ${git_exit_code} -eq 0 ] ; then
echo " - ✅ commits pushed to ${BOT_UPDATE_VERSION_BRANCH_NAME} branch."
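Review bot: Moving `inputs.new_version` into the `NEW_VERSION` env var takes the input out of the script text, but the value is still spliced into the `sed` expressions in the second hunk (`s/^version.*/version = \"${NEW_VERSION}\"/` and the dep-package line), where a value containing `/`, `&` or `\` would change what sed does rather than what it writes. Since the workflow expects `x.y.z`, validate once near the top of that script: `[[ "${NEW_VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "invalid version: ${NEW_VERSION}"; exit 1; }`. The `run:` block holding the sed lines starts before the second hunk, so the check belongs in its first lines, outside what is shown here.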


@ -20,6 +20,7 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4.2.2
with:
persist-credentials: true
ref: master
- name: Crates update


@ -5,6 +5,7 @@ set -Eeuo pipefail
function init_terminal_colors(){
color_red=$(echo -ne "\033[1;31m")
color_green=$(echo -ne "\033[1;32m")
color_yellow=$(echo -ne "\033[1;33m")
color_reset=$(echo -ne "\033[0m")
}
@ -72,18 +73,32 @@ function consume_args(){
}
# main
echo "disabled, waiting for debug fork token"
exit 0
init_terminal_colors
consume_args "$@"
zizmor --version
error_count=0
for file in "${files[@]}" ; do
zizmor \
--min-severity low \
--min-confidence medium \
--gh-token "${github_token}" \
"${file}" || error_count=$((error_count+1))
# disable excessive-permissions on git jobs for now because all yml permissions have to be rewrited from scratch"
conf="/tmp/conf"
cat <<- "EOF" > "${conf}"
rules:
excessive-permissions:
ignore:
- accept-pull-request.yml
- auto-close-inactive-pr.yml
- coverage.yml
- extra-package.yml
- release.yml
- update-actions.yml
- update-branch-version.yml
- update-crates.yml
EOF
for file in "${files[@]}" ; do
# disable release.yml for now because output vars have to be rewrited from scratch"
if [[ "${file}" =~ release.yml ]] ; then
echo "${color_yellow}$file is disabled for now because output vars have to be rewrited from scratch${color_reset}"
continue
fi
zizmor --config "${conf}" --gh-token "${github_token}" "${file}" || error_count=$((error_count+1))
done
if [[ $error_count -gt 0 ]] ; then
echo "${color_red}There are problems with github workflows${color_reset}"
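Review bot: The config heredoc uses `<<- "EOF"`, which strips leading tabs only; if the `rules:` / `excessive-permissions:` / `ignore:` lines are indented with spaces in the script (this rendering drops indentation, so I cannot tell), the spaces land in `/tmp/conf` and the YAML nesting zizmor reads is not the one intended — confirm the body is tab-indented or written at column 0. The file is also written to a fixed path; `conf=$(mktemp)` followed by `trap 'rm -f "${conf}"' EXIT` avoids clobbering an existing file and cleans up. The two new comments misspell "rewritten" (`rewrited`) and end with a stray `"`. The `release.yml` skip is an unanchored regex where `.` matches any character; `[[ "$(basename "${file}")" == "release.yml" ]]` states the intent exactly.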