From 6d0a455e023da407d5d215d13e9cae87a22d581f Mon Sep 17 00:00:00 2001 From: Jeff Epler Date: Sun, 3 Nov 2024 09:48:35 -0600 Subject: [PATCH 1/3] Fix various issues detected by zizmor --- .github/workflows/build-board-custom.yml | 23 ++++++++++++++++++----- .github/workflows/build-boards.yml | 1 + .github/workflows/build-mpy-cross.yml | 8 ++++++-- .github/workflows/build.yml | 20 ++++++++++++++------ .github/workflows/create-website-pr.yml | 1 + .github/workflows/pre-commit.yml | 1 + 6 files changed, 41 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/build-board-custom.yml b/.github/workflows/build-board-custom.yml
index b91ccbd2d28f3..39976cd7c1ecc 100644
--- a/.github/workflows/build-board-custom.yml
+++ b/.github/workflows/build-board-custom.yml
@@ -42,21 +42,29 @@ jobs:
 run: |
 git clone --filter=tree:0 https://github.com/adafruit/circuitpython.git $GITHUB_WORKSPACE
 - name: Checkout head / tag
+ env:
+ TAG: ${{ inputs.version == 'latest' && 'HEAD' || inputs.version }}
 run: |
- git checkout ${{ inputs.version == 'latest' && 'HEAD' || inputs.version }}
+ git checkout "$TAG"
 - name: fork compatibility
 if: github.repository_owner != 'adafruit'
+ env:
+ REPO: ${{ github.repository }}
 run: |
- git remote add fork https://github.com/${{github.repository}}.git
+ git remote add fork "https://github.com/$REPO.git"
 git fetch fork --filter=tree:0
 - name: branch compatibility
 if: inputs.branch != 'main' && inputs.version == 'latest' && github.repository_owner == 'adafruit'
+ env:
+ BRANCH: ${{ inputs.branch }}
 run: |
- git checkout ${{inputs.branch}}
+ git checkout "$BRANCH"
 - name: branch compatibility (fork)
 if: inputs.branch != '' && inputs.version == 'latest' && github.repository_owner != 'adafruit'
+ env:
+ BRANCH: ${{ inputs.branch }}
 run: |
- git checkout -b fork-branch fork/${{inputs.branch}}
+ git checkout -b fork-branch "fork/$BRANCH"
 - name: Set up identifier
 if: inputs.debug || inputs.flags != ''
 run: |
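Review bot: `git checkout "$TAG"` and `git checkout "$BRANCH"` still place a caller-supplied value in option position, so a `version` or `branch` input beginning with `-` is read by git as a flag rather than a ref; routing the value through `env:` closes the shell-injection hole but not argument injection. These are `inputs.*` values, presumably from a `workflow_dispatch` trigger that sits outside this hunk, so whoever can dispatch already has write access and this is defence in depth rather than a privilege boundary. It is still cheap to close with a guard before the checkout: `case "$TAG" in -*) echo "refusing option-like version: $TAG" >&2; exit 1;; esac` (and the same for `$BRANCH`). The `fork/$BRANCH` form in the fork step is already safe because of its fixed prefix.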
@@ -101,7 +109,12 @@ jobs:
 riscv64-unknown-elf-gcc --version || true
 mkfs.fat --version || true
 - name: Build board
- run: make -j4 ${{ inputs.flags }} BOARD=${{ inputs.board }} DEBUG=${{ inputs.debug && '1' || '0' }} TRANSLATION=${{ inputs.language }}
+ env:
+ TRANSLATION: ${{ inputs.language }}
+ BOARD: ${{ inputs.board }}
+ FLAGS: ${{ inputs.flags }}
+ DEBUG: ${{ inputs.debug && '1' || '0' }}
+ run: make -j4 $FLAGS BOARD="$BOARD" DEBUG=$DEBUG TRANSLATION="$TRANSLATION"
 working-directory: ports/${{ steps.set-up-port.outputs.port }}
 - name: Upload artifact
 uses: actions/upload-artifact@v4
diff --git a/.github/workflows/build-boards.yml b/.github/workflows/build-boards.yml
index be076e0789f86..7daa7ae7e322e 100644
--- a/.github/workflows/build-boards.yml
+++ b/.github/workflows/build-boards.yml
@@ -31,6 +31,7 @@ jobs:
 submodules: false
 show-progress: false
 fetch-depth: 1
+ persist-credentials: false
 - name: Set up python
 uses: actions/setup-python@v5
diff --git a/.github/workflows/build-mpy-cross.yml b/.github/workflows/build-mpy-cross.yml
index 9d94fb638ef5a..731cb8661f6d0 100644
--- a/.github/workflows/build-mpy-cross.yml
+++ b/.github/workflows/build-mpy-cross.yml
@@ -33,6 +33,7 @@ jobs:
 submodules: false
 show-progress: false
 fetch-depth: 1
+ persist-credentials: false
 - name: Set up python
 uses: actions/setup-python@v5
 with:
@@ -57,9 +58,12 @@ jobs:
 run: make -C mpy-cross -j4 -f Makefile.${{ matrix.mpy-cross }}
 - name: Set output
+ env:
+ EX=${{ env[format('EX_{0}', matrix.mpy-cross)] || matrix.mpy-cross }}
+ OS=${{ env[format('OS_{0}', matrix.mpy-cross)] }}"
 run: |
- echo >> $GITHUB_ENV "EX=${{ env[format('EX_{0}', matrix.mpy-cross)] || matrix.mpy-cross }}"
- echo >> $GITHUB_ENV "OS=${{ env[format('OS_{0}', matrix.mpy-cross)] }}"
+ echo >> $GITHUB_ENV "EX=$EX"
+ echo >> $GITHUB_ENV "OS=$OS"
 - name: Upload artifact
 uses: actions/upload-artifact@v4
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0f8b1b7638170..7cc8d49a4efbb 100644
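Review bot: `$FLAGS` is deliberately left unquoted in `make -j4 $FLAGS BOARD="$BOARD" ...` so that a `flags` input holding several make arguments word-splits, but nothing says so, and a later tidy-up to `"$FLAGS"` would silently turn multi-flag dispatches into a single bogus target. The env indirection removes template injection only: whoever can run this workflow can still pass arbitrary make variables (`CC=...`, `SHELL=...`) through `flags`, so the step's trust boundary remains "anyone with dispatch rights", which is acceptable for a manual build job but should be written down. Suggested comment above the `run:` line: `# $FLAGS is intentionally unquoted (may carry several make args); everything here is trusted to the workflow dispatcher`. `working-directory: ports/${{ ... }}` keeping an expression is fine, since that key is not shell-evaluated.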
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -33,6 +33,7 @@ jobs:
 submodules: false
 show-progress: false
 fetch-depth: 1
+ persist-credentials: false
 - name: Set up python
 uses: actions/setup-python@v5
 with:
@@ -66,7 +67,9 @@ jobs:
 EXCLUDE_COMMIT: ${{ github.event.pull_request.head.sha }}
 - name: Set head sha (pull)
 if: github.event_name == 'pull_request'
- run: echo "HEAD_SHA=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV
+ env:
+ HEAD_SHA:${{ github.event.pull_request.head.sha }}
+ run: echo "HEAD_SHA=$HEAD_SHA" >> $GITHUB_ENV
 - name: Set base sha (pull)
 if: github.event_name == 'pull_request'
 run: git cat-file -e $SHA && echo "BASE_SHA=$SHA" >> $GITHUB_ENV || true
@@ -74,7 +77,9 @@ jobs:
 SHA: ${{ steps.get-last-commit-with-checks.outputs.commit_sha || github.event.pull_request.base.sha }}
 - name: Set head sha (push)
 if: github.event_name == 'push'
- run: echo "HEAD_SHA=${{ github.event.after }}" >> $GITHUB_ENV
+ env:
+ SHA: ${{ github.event.after }}
+ run: echo "HEAD_SHA=$SHA" >> $GITHUB_ENV
 - name: Set base sha (push)
 if: github.event_name == 'push'
 run: git cat-file -e $SHA && echo "BASE_SHA=$SHA" >> $GITHUB_ENV || true
@@ -114,6 +119,7 @@ jobs:
 submodules: false
 show-progress: false
 fetch-depth: 1
+ persist-credentials: false
 - name: Set up python
 uses: actions/setup-python@v5
 with:
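Review bot: In the "Set head sha (push)" step the new step-level variable is called `SHA` while the pull variant two steps above names the same value `HEAD_SHA`, and the adjacent "Set base sha" steps also use a step-level `SHA` for a different commit, so `echo "HEAD_SHA=$SHA"` sits right next to `echo "BASE_SHA=$SHA"` and reads as if they share a value. Step `env:` blocks do not leak between steps, so this is naming rather than correctness, but the parity is free: `SHA: ${{ github.event.after }}` becomes `HEAD_SHA: ${{ github.event.after }}` and the run line becomes `run: echo "HEAD_SHA=$HEAD_SHA" >> $GITHUB_ENV`. The pull variant in the hunk above still has the `HEAD_SHA:${{` missing-space error here; the follow-up commit on this page already fixes it.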
@@ -149,9 +155,9 @@ jobs:
 (github.event_name == 'push' && github.ref == 'refs/heads/main' && github.repository_owner == 'adafruit') ||
 (github.event_name == 'release' && (github.event.action == 'published' || github.event.action == 'rerequested'))
 run: |
- [ -z "$AWS_ACCESS_KEY_ID" ] || aws s3 cp mpy-cross-macos-universal s3://adafruit-circuit-python/bin/mpy-cross/macos/mpy-cross-macos-${{ env.CP_VERSION }}-universal --no-progress --region us-east-1
- [ -z "$AWS_ACCESS_KEY_ID" ] || aws s3 cp mpy-cross/build-arm64/mpy-cross-arm64 s3://adafruit-circuit-python/bin/mpy-cross/macos/mpy-cross-macos-${{ env.CP_VERSION }}-arm64 --no-progress --region us-east-1
- [ -z "$AWS_ACCESS_KEY_ID" ] || aws s3 cp mpy-cross/build/mpy-cross s3://adafruit-circuit-python/bin/mpy-cross/macos/mpy-cross-macos-${{ env.CP_VERSION }}-x64 --no-progress --region us-east-1
+ [ -z "$AWS_ACCESS_KEY_ID" ] || aws s3 cp mpy-cross-macos-universal s3://adafruit-circuit-python/bin/mpy-cross/macos/mpy-cross-macos-"${CP_VERSION}"-universal --no-progress --region us-east-1
+ [ -z "$AWS_ACCESS_KEY_ID" ] || aws s3 cp mpy-cross/build-arm64/mpy-cross-arm64 s3://adafruit-circuit-python/bin/mpy-cross/macos/mpy-cross-macos-"${CP_VERSION}"-arm64 --no-progress --region us-east-1
+ [ -z "$AWS_ACCESS_KEY_ID" ] || aws s3 cp mpy-cross/build/mpy-cross s3://adafruit-circuit-python/bin/mpy-cross/macos/mpy-cross-macos-"${CP_VERSION}"-x64 --no-progress --region us-east-1
 env:
 AWS_PAGER: ''
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
@@ -170,6 +176,7 @@ jobs:
 submodules: false
 show-progress: false
 fetch-depth: 1
+ persist-credentials: false
 - name: Set up python
 uses: actions/setup-python@v5
 with:
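Review bot: The three upload lines now expand `"${CP_VERSION}"` from the job environment, and if that variable is unset or empty (it is populated somewhere outside this hunk) the script no longer fails but quietly writes objects named `mpy-cross-macos--universal`, `-arm64` and `-x64` into the public bucket, since the only gate is on `AWS_ACCESS_KEY_ID`. A one-line guard at the top of the `run:` script turns that into a hard error: `: "${CP_VERSION:?CP_VERSION must be set before uploading to S3}"`. Quoting the expansion is otherwise the right change, as the S3 key can no longer be word-split or globbed by the shell.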
@@ -188,7 +195,7 @@ jobs:
 name: stubs
 path: circuitpython-stubs/dist/*
 - name: Test Documentation Build (HTML)
- run: sphinx-build -E -W -b html -D version=${{ env.CP_VERSION }} -D release=${{ env.CP_VERSION }} . _build/html
+ run: sphinx-build -E -W -b html -D version="$CP_VERSION" -D release="$CP_VERSION" . _build/html
 - uses: actions/upload-artifact@v4
 with:
 name: docs-html
@@ -271,6 +278,7 @@ jobs:
 submodules: false
 show-progress: false
 fetch-depth: 1
+ persist-credentials: false
 - name: Set up submodules
 uses: ./.github/actions/deps/submodules
 - name: build mpy-cross
diff --git a/.github/workflows/create-website-pr.yml b/.github/workflows/create-website-pr.yml
index 8f4cce7691c1b..32c1792fa6c74 100644
--- a/.github/workflows/create-website-pr.yml
+++ b/.github/workflows/create-website-pr.yml
@@ -22,6 +22,7 @@ jobs:
 submodules: false
 show-progress: false
 fetch-depth: 1
+ persist-credentials: false
 - name: Set up python
 uses: actions/setup-python@v5
 with:
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index b3517d748f5e7..778270dc08c8f 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -22,6 +22,7 @@ jobs:
 submodules: false
 show-progress: false
 fetch-depth: 1
+ persist-credentials: false
 - name: Set up python
 uses: actions/setup-python@v5
 with:
From e443f176f1e9c26b8b784fdd690fba234c4cad1b Mon Sep 17 00:00:00 2001 From: Jeff Epler Date: Mon, 4 Nov 2024 09:54:57 -0600 Subject: [PATCH 2/3] fix yaml syntax error --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7cc8d49a4efbb..7d37baebdc15d 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
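Review bot: In create-website-pr.yml, `persist-credentials: false` means the checked-out repository no longer carries the job token in its git config, so any later step in this job that pushes over HTTPS with plain git — plausible for a workflow whose purpose is creating a PR, though its remaining steps are outside this hunk — will now fail on authentication. Confirm that the PR-creating step is handed its own token explicitly (an action `token:` input or `GH_TOKEN`) rather than relying on the persisted credential; if it is, this is the correct hardening, since the persisted token would otherwise remain readable by every subsequent step and any script they run. A comment on the checkout step records the contract: `# token is not persisted: later steps that push must authenticate explicitly`.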
@@ -68,7 +68,7 @@ jobs:
 - name: Set head sha (pull)
 if: github.event_name == 'pull_request'
 env:
- HEAD_SHA:${{ github.event.pull_request.head.sha }}
+ HEAD_SHA: ${{ github.event.pull_request.head.sha }}
 run: echo "HEAD_SHA=$HEAD_SHA" >> $GITHUB_ENV
 - name: Set base sha (pull)
 if: github.event_name == 'pull_request'
From 20dc44dc3ac7cd69ab88404111c2694e62950a74 Mon Sep 17 00:00:00 2001 From: Jeff Epler Date: Mon, 4 Nov 2024 12:18:09 -0600 Subject: [PATCH 3/3] more yaml syntax fixes --- .github/workflows/build-mpy-cross.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build-mpy-cross.yml b/.github/workflows/build-mpy-cross.yml
index 731cb8661f6d0..831ad3082275b 100644
--- a/.github/workflows/build-mpy-cross.yml
+++ b/.github/workflows/build-mpy-cross.yml
@@ -59,8 +59,8 @@ jobs:
 - name: Set output
 env:
- EX=${{ env[format('EX_{0}', matrix.mpy-cross)] || matrix.mpy-cross }}
- OS=${{ env[format('OS_{0}', matrix.mpy-cross)] }}"
+ EX: ${{ env[format('EX_{0}', matrix.mpy-cross)] || matrix.mpy-cross }}
+ OS: ${{ env[format('OS_{0}', matrix.mpy-cross)] }}"
 run: |
 echo >> $GITHUB_ENV "EX=$EX"
 echo >> $GITHUB_ENV "OS=$OS"
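Review bot: The corrected `OS:` line still carries a stray trailing double quote — `OS: ${{ env[format('OS_{0}', matrix.mpy-cross)] }}"` — left over from the closing quote of the old `echo >> $GITHUB_ENV "OS=..."` string, so after expression substitution the step variable holds e.g. `<os>"` and `echo >> $GITHUB_ENV "OS=$OS"` writes that literal quote into the job environment; the `EX:` line directly above was cleaned up correctly. YAML accepts it because the plain scalar starts with `$`, which is why neither syntax-fix commit caught it. Change the line to `OS: ${{ env[format('OS_{0}', matrix.mpy-cross)] }}`. Any artifact name or path later built from `$OS` (outside this hunk) would otherwise pick up the quote.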