
Commit 98ed871

authored
chore(ci): apply security fixes, add zizmor workflow (#716)
1 parent a376f32 commit 98ed871


8 files changed

+194
-68
lines changed


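--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,18 +1,32 @@
 version: 2
 updates:
-  - package-ecosystem: "pip"
-    directory: "/"
-    schedule:
-      interval: "monthly"
-    groups:
-      python:
-        patterns:
-          - "*"
-  - package-ecosystem: "cargo"
-    directory: "/"
-    schedule:
-      interval: "monthly"
-    groups:
-      rust:
-        patterns:
-          - "*"
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    cooldown:
+      default-days: 14
+    groups:
+      python:
+        patterns:
+          - "*"
+  - package-ecosystem: "cargo"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    cooldown:
+      default-days: 14
+    groups:
+      rust:
+        patterns:
+          - "*"
+  - package-ecosystem: "github-actions"
+    directory: ".github/workflows"
+    schedule:
+      interval: "monthly"
+    cooldown:
+      default-days: 14
+    groups:
+      actions:
+        patterns:
+          - "*"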
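Review bot: The new `github-actions` entry sets `directory: ".github/workflows"` while the two entries above it use `"/"`; Dependabot's documented form for this ecosystem is `directory: "/"`, which it resolves to `.github/workflows` on its own, and whether the relative spelling used here is honored is not something this page shows. If it is not, the SHA-pinned action introduced elsewhere in this commit (`docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83`) would never receive update PRs, which undercuts the point of pinning. I'd change it to `directory: "/"` for consistency with the other entries, or confirm from the first Dependabot run that workflow files are actually being scanned.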

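--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -12,12 +12,16 @@ concurrency:
 env:
   FORCE_COLOR: 1
 
+permissions: {}
+
 jobs:
   check:
     runs-on: "ubuntu-latest"
     name: "check"
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: "3.12"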
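Review bot: `actions/checkout@v4` and `actions/setup-python@v5` in this job are still referenced by mutable tag, while the same commit pins `docker/build-push-action` to a full commit SHA in linux.yml; zizmor's `unpinned-uses` audit, which the new workflow named in the commit title will run, reports exactly this. The same tag-only references remain on every checkout, setup-python, setup-uv, upload/download-artifact and attest-build-provenance step in linux.yml and macos.yml, so this is one consistent gap rather than a one-off. Pinning each to its full SHA with a version comment, e.g. `- uses: actions/checkout@<commit-sha> # v4`, closes it, and the `github-actions` Dependabot entry added in this commit is what keeps those SHAs from going stale. The job's step list continues past the hunk, so any further `uses:` lines there need the same treatment.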

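--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -2,7 +2,7 @@ name: linux
 
 on:
   push:
-    branches: [ main ]
+    branches: [main]
   pull_request:
 
 concurrency:
@@ -12,6 +12,8 @@ concurrency:
 env:
   FORCE_COLOR: 1
 
+permissions: {}
+
 jobs:
   crate-build:
     needs:
@@ -28,6 +30,8 @@ jobs:
           sudo apt install -y --no-install-recommends libssl-dev pkg-config
 
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Emit rustc version
         run: |
@@ -64,11 +68,13 @@ jobs:
       packages: write
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.11'
+          python-version: "3.11"
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3
@@ -90,7 +96,7 @@ jobs:
 
       - name: Build Image
         id: build-image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: .
           file: build/${{ matrix.name }}.Dockerfile
@@ -110,8 +116,12 @@ jobs:
 
       - name: Compress Image
         run: |
-          echo ${{ steps.build-image.outputs.imageid }} > build/image-${{ matrix.name }}.linux_${{ matrix.arch }}
+          echo ${STEPS_BUILD_IMAGE_OUTPUTS_IMAGEID} > build/image-${MATRIX_NAME}.linux_${MATRIX_ARCH}
           zstd -v -T0 -6 --rm build/image-*.tar
+        env:
+          STEPS_BUILD_IMAGE_OUTPUTS_IMAGEID: ${{ steps.build-image.outputs.imageid }}
+          MATRIX_NAME: ${{ matrix.name }}
+          MATRIX_ARCH: ${{ matrix.arch }}
 
       - name: Upload Docker Image
         uses: actions/upload-artifact@v4
@@ -120,6 +130,7 @@ jobs:
           path: build/image-*
 
   generate-matrix:
+    name: Generate build matrix
     runs-on: ubuntu-latest
     outputs:
       python-build-matrix-0: ${{ steps.set-matrix.outputs.python-build-matrix-0 }}
@@ -130,16 +141,19 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
-          fetch-depth: 0 # fetch history for subsequent `git diff`
+          fetch-depth: 0
+          persist-credentials: false
 
       - name: Set up Python
         uses: astral-sh/setup-uv@v4
 
       - name: Get pull request labels
         id: get-labels
+        env:
+          PULL_REQUEST_LABELS: ${{ toJson(github.event.pull_request.labels.*.name) }}
         run: |
           # Convert GitHub labels array to comma-separated string
-          LABELS=$(echo '${{ toJson(github.event.pull_request.labels.*.name) }}' | jq -r 'join(",")')
+          LABELS=$(echo "${PULL_REQUEST_LABELS}" | jq -r 'join(",")')
           echo "labels=$LABELS" >> $GITHUB_OUTPUT
 
       - name: Check if the `pythonbuild` crate changed
@@ -159,7 +173,7 @@ jobs:
         run: |
           uv run ci-matrix.py \
             --platform linux \
-            --labels '${{ steps.get-labels.outputs.labels }}' \
+            --labels '${STEPS_GET_LABELS_OUTPUTS_LABELS}' \
             --max-shards 2 \
             ${{ (steps.check-pythonbuild.outputs.changed == 'true' || github.ref == 'refs/heads/main') && '--force-crate-build' || '' }} \
             > matrix.json
@@ -179,6 +193,8 @@ jobs:
             # Build matrix is empty
             echo "any_builds=false" >> $GITHUB_OUTPUT
           fi
+        env:
+          STEPS_GET_LABELS_OUTPUTS_LABELS: ${{ steps.get-labels.outputs.labels }}
 
   build-0:
     needs:
@@ -198,11 +214,12 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Install Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.11'
+          python-version: "3.11"
 
       - name: Download pythonbuild
         uses: actions/download-artifact@v4
@@ -247,7 +264,11 @@ jobs:
           # Touch mtimes of all images so they are newer than autogenerated files above.
           touch build/image-*
 
-          ./build-linux.py --target-triple ${{ matrix.target_triple }} --python cpython-${{ matrix.python }} --options ${{ matrix.build_options }}
+          ./build-linux.py --target-triple ${MATRIX_TARGET_TRIPLE} --python cpython-${MATRIX_PYTHON} --options ${MATRIX_BUILD_OPTIONS}
+        env:
+          MATRIX_TARGET_TRIPLE: ${{ matrix.target_triple }}
+          MATRIX_PYTHON: ${{ matrix.python }}
+          MATRIX_BUILD_OPTIONS: ${{ matrix.build_options }}
 
       - name: Generate attestations
         uses: actions/attest-build-provenance@v2
@@ -267,8 +288,8 @@ jobs:
         run: |
           chmod +x build/pythonbuild
 
-          if [ "${{ matrix.run }}" == "true" ]; then
-            if [ "${{ matrix.libc }}" == "musl" ]; then
+          if [ "${MATRIX_RUN}" == "true" ]; then
+            if [ "${MATRIX_LIBC}" == "musl" ]; then
               sudo apt install musl-dev
 
               # GitHub's setup-python action sets `LD_LIBRARY_PATH` which overrides `RPATH`
@@ -279,6 +300,9 @@ jobs:
           fi
 
           build/pythonbuild validate-distribution ${EXTRA_ARGS} dist/*.tar.zst
+        env:
+          MATRIX_RUN: ${{ matrix.run }}
+          MATRIX_LIBC: ${{ matrix.libc }}
 
   build-1:
     needs:
@@ -298,11 +322,12 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Install Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.11'
+          python-version: "3.11"
 
       - name: Download pythonbuild
         uses: actions/download-artifact@v4
@@ -347,7 +372,11 @@ jobs:
           # Touch mtimes of all images so they are newer than autogenerated files above.
           touch build/image-*
 
-          ./build-linux.py --target-triple ${{ matrix.target_triple }} --python cpython-${{ matrix.python }} --options ${{ matrix.build_options }}
+          ./build-linux.py --target-triple ${MATRIX_TARGET_TRIPLE} --python cpython-${MATRIX_PYTHON} --options ${MATRIX_BUILD_OPTIONS}
+        env:
+          MATRIX_TARGET_TRIPLE: ${{ matrix.target_triple }}
+          MATRIX_PYTHON: ${{ matrix.python }}
+          MATRIX_BUILD_OPTIONS: ${{ matrix.build_options }}
 
       - name: Generate attestations
         uses: actions/attest-build-provenance@v2
@@ -367,8 +396,8 @@ jobs:
         run: |
           chmod +x build/pythonbuild
 
-          if [ "${{ matrix.run }}" == "true" ]; then
-            if [ "${{ matrix.libc }}" == "musl" ]; then
+          if [ "${MATRIX_RUN}" == "true" ]; then
+            if [ "${MATRIX_LIBC}" == "musl" ]; then
               sudo apt install musl-dev
 
               # GitHub's setup-python action sets `LD_LIBRARY_PATH` which overrides `RPATH`
@@ -379,3 +408,6 @@ jobs:
           fi
 
           build/pythonbuild validate-distribution ${EXTRA_ARGS} dist/*.tar.zst
+        env:
+          MATRIX_RUN: ${{ matrix.run }}
+          MATRIX_LIBC: ${{ matrix.libc }}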
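Review bot: The rewritten `--labels '${STEPS_GET_LABELS_OUTPUTS_LABELS}' \` in the matrix-generation step (hunk `@@ -159,7 +173,7 @@`) keeps the variable inside single quotes, so bash passes the literal text `${STEPS_GET_LABELS_OUTPUTS_LABELS}` to ci-matrix.py instead of the comma-separated label list; the old form only worked because `${{ }}` was substituted before the shell ever saw the quotes. The same slip is in macos.yml's `uv run ci-matrix.py --platform darwin --labels '${STEPS_GET_LABELS_OUTPUTS_LABELS}' …` line. Both should read `--labels "${STEPS_GET_LABELS_OUTPUTS_LABELS}" \`, which keeps the env-var indirection the commit introduces while actually expanding it. That `run:` block starts and ends outside the hunk; the `${{ (steps.check-pythonbuild.outputs.changed == 'true' || …) }}` expression still interpolated two lines below only ever yields `--force-crate-build` or an empty string, so it is not an injection point, but it will keep tripping zizmor's template-injection audit until it is moved to `env:` as well.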

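--- a/.github/workflows/macos.yml
+++ b/.github/workflows/macos.yml
@@ -12,6 +12,8 @@ concurrency:
 env:
   FORCE_COLOR: 1
 
+permissions: {}
+
 jobs:
   crate-build:
     needs:
@@ -23,6 +25,8 @@ jobs:
     name: crate / ${{ matrix.arch }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Emit rustc version
         run: |
@@ -47,6 +51,7 @@ jobs:
           path: target/release/pythonbuild
 
   generate-matrix:
+    name: Generate build matrix
     runs-on: ubuntu-latest
     outputs:
       matrix: ${{ steps.set-matrix.outputs.matrix }}
@@ -55,16 +60,19 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
-          fetch-depth: 0 # fetch history for subsequent `git diff`
+          fetch-depth: 0
+          persist-credentials: false
 
       - name: Set up Python
         uses: astral-sh/setup-uv@v4
 
       - name: Get pull request labels
         id: get-labels
+        env:
+          PULL_REQUEST_LABELS: ${{ toJson(github.event.pull_request.labels.*.name) }}
         run: |
           # Convert GitHub labels array to comma-separated string
-          LABELS=$(echo '${{ toJson(github.event.pull_request.labels.*.name) }}' | jq -r 'join(",")')
+          LABELS=$(echo "${PULL_REQUEST_LABELS}" | jq -r 'join(",")')
           echo "labels=$LABELS" >> $GITHUB_OUTPUT
 
       - name: Check if the `pythonbuild` crate changed
@@ -82,12 +90,12 @@ jobs:
       - name: Generate build matrix
         id: set-matrix
         run: |
-          uv run ci-matrix.py --platform darwin --labels '${{ steps.get-labels.outputs.labels }}' ${{ (steps.check-pythonbuild.outputs.changed == 'true' || github.ref == 'refs/heads/main') && '--force-crate-build' || '' }} > matrix.json
-
+          uv run ci-matrix.py --platform darwin --labels '${STEPS_GET_LABELS_OUTPUTS_LABELS}' ${{ (steps.check-pythonbuild.outputs.changed == 'true' || github.ref == 'refs/heads/main') && '--force-crate-build' || '' }} > matrix.json
+
           # Extract python-build matrix
           echo "matrix=$(jq -c '."python-build"' matrix.json)" >> $GITHUB_OUTPUT
           echo "crate-build-matrix=$(jq -c '."crate-build"' matrix.json)" >> $GITHUB_OUTPUT
-
+
           # Display the matrix for debugging too
           cat matrix.json | jq
 
@@ -98,6 +106,8 @@ jobs:
             # Build matrix is empty
             echo "any_builds=false" >> $GITHUB_OUTPUT
           fi
+        env:
+          STEPS_GET_LABELS_OUTPUTS_LABELS: ${{ steps.get-labels.outputs.labels }}
 
   build:
     needs:
@@ -116,11 +126,12 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Install Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.11'
+          python-version: "3.11"
 
       - name: Download pythonbuild
         uses: actions/download-artifact@v4
@@ -131,16 +142,20 @@ jobs:
       - name: Build
         if: ${{ ! matrix.dry-run }}
         run: |
-          if [ "${{ matrix.target_triple }}" = "aarch64-apple-darwin" ]; then
+          if [ "${MATRIX_TARGET_TRIPLE}" = "aarch64-apple-darwin" ]; then
             export APPLE_SDK_PATH=/Applications/Xcode_15.2.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX14.2.sdk
-          elif [ "${{ matrix.target_triple }}" = "x86_64-apple-darwin" ]; then
+          elif [ "${MATRIX_TARGET_TRIPLE}" = "x86_64-apple-darwin" ]; then
             export APPLE_SDK_PATH=/Applications/Xcode_15.2.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX14.2.sdk
           else
-            echo "unhandled target triple: ${{ matrix.target_triple }}"
+            echo "unhandled target triple: ${MATRIX_TARGET_TRIPLE}"
             exit 1
           fi
 
-          ./build-macos.py --target-triple ${{ matrix.target_triple }} --python cpython-${{ matrix.python }} --options ${{ matrix.build_options }}
+          ./build-macos.py --target-triple ${MATRIX_TARGET_TRIPLE} --python cpython-${MATRIX_PYTHON} --options ${MATRIX_BUILD_OPTIONS}
+        env:
+          MATRIX_TARGET_TRIPLE: ${{ matrix.target_triple }}
+          MATRIX_PYTHON: ${{ matrix.python }}
+          MATRIX_BUILD_OPTIONS: ${{ matrix.build_options }}
 
       - name: Generate attestations
         uses: actions/attest-build-provenance@v2
@@ -159,9 +174,10 @@ jobs:
         if: ${{ ! matrix.dry-run }}
         uses: actions/checkout@v4
         with:
-          repository: 'phracker/MacOSX-SDKs'
+          repository: phracker/MacOSX-SDKs
           ref: master
           path: macosx-sdks
+          persist-credentials: false
 
       - name: Validate Distribution
         if: ${{ ! matrix.dry-run }}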
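Review bot: The third-party SDK checkout in the last hunk still tracks a mutable branch — `repository: phracker/MacOSX-SDKs` with `ref: master` — and the commit only re-quoted the repository line and added `persist-credentials: false` around it. Whatever lands on that branch is pulled into the validation of release artifacts on every run, so this is the same class of supply-chain exposure the commit fixes for `docker/build-push-action` in linux.yml, and it deserves the same treatment: `ref: <commit-sha> # master as of <date>`. Dependabot's `github-actions` ecosystem updates `uses:` references, not a checkout step's `ref:` input, so this pin will most likely need manual bumps; a comment to that effect next to the line would save the next maintainer the question. The step's name line sits just above the hunk.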
