
Commit ca0a56b

authored
Add zizmor pre-commit hook and update workflow to comply with zizmor rules (#3)
1 parent 401d87b commit ca0a56b


3 files changed

+55
-15
lines changed


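--- a/.github/workflows/build-all.yml
+++ b/.github/workflows/build-all.yml
@@ -6,6 +6,8 @@ on:
 env:
 IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
 
+permissions: {}
+
 jobs:
 versions:
 runs-on: ubuntu-latest
@@ -14,6 +16,7 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 with:
+persist-credentials: false
 fetch-depth: 0
 fetch-tags: true
 - name: Collect available versions
@@ -37,11 +40,14 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 with:
+persist-credentials: false
 ref: ${{ matrix.revision }}
 
 - name: Compute implementation name
 id: impl
-run: echo "name=$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')" >> $GITHUB_OUTPUT
+env:
+GH_REPOSITORY: ${{ github.repository }}
+run: echo "name=$(echo ${GH_REPOSITORY} | awk -F '/' '{print $2}')" >> $GITHUB_OUTPUT
 
 - name: Install bowtie
 uses: bowtie-json-schema/bowtie@main
@@ -65,20 +71,26 @@ jobs:
 echo "DOCKER_HOST=unix://$(podman info --format '{{.Host.RemoteSocket.Path}}')" >> $GITHUB_ENV
 
 - name: Smoke Test
+env:
+IMAGE_WITH_TAG: ${{ steps.build_image.outputs.image-with-tag }}
 run: |
-bowtie smoke -i "localhost/${{ steps.build_image.outputs.image-with-tag }}" --format json
-bowtie smoke -i "localhost/${{ steps.build_image.outputs.image-with-tag }}" --format markdown >> $GITHUB_STEP_SUMMARY
+bowtie smoke -i "localhost/${IMAGE_WITH_TAG}" --format json
+bowtie smoke -i "localhost/${IMAGE_WITH_TAG}" --format markdown >> $GITHUB_STEP_SUMMARY
 
 - name: Collect current version
 id: current-version
+env:
+IMAGE_WITH_TAG: ${{ steps.build_image.outputs.image-with-tag }}
 run: |
 version=$(bowtie info \
---implementation "localhost/${{ steps.build_image.outputs.image-with-tag }}" \
+--implementation "localhost/${IMAGE_WITH_TAG}" \
 --format json | jq -r '.version // empty')
 echo "value=${version}" >> $GITHUB_OUTPUT
 
 - name: Print collected version
-run: echo "current_version=${{ steps.current-version.outputs.value }}"
+env:
+CURRENT_VERSION: ${{ steps.current-version.outputs.value }}
+run: echo "current_version=${CURRENT_VERSION}"
 
 - name: Log in to ghcr.io
 uses: redhat-actions/podman-login@v1
@@ -88,7 +100,10 @@ jobs:
 registry: ${{ env.IMAGE_REGISTRY }}
 
 - name: Add tag with version to the image
-run: podman tag ${{ steps.build_image.outputs.image-with-tag }} ${{ steps.build_image.outputs.image }}:${{ steps.current-version.outputs.value }}
+env:
+IMAGE_WITH_TAG: ${{ steps.build_image.outputs.image-with-tag }}
+IMAGE_WITH_VERSION: "${{ steps.build_image.outputs.image }}:${{ steps.current-version.outputs.value }}"
+run: podman tag ${IMAGE_WITH_TAG} ${IMAGE_WITH_VERSION}
 
 - name: Publish
 id: push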
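Review bot: The new top-level `permissions: {}` (new line 9) drops every default token grant, yet no hunk in this file adds a job-level `permissions:` block, and the `Log in to ghcr.io` and `Publish` steps at the end of the last hunk push to `ghcr.io`; unless the publishing job already declares something like `permissions: { packages: write }` outside these hunks, the push is likely to fail once this lands. The same gap applies to `.github/workflows/build.yml`, where the tag-and-release job that calls `gh api --method POST .../git/refs` and `.../releases` would need `contents: write`. A second point is the context line `uses: bowtie-json-schema/bowtie@main` (new line 53), which stays pinned to a mutable branch; zizmor's `unpinned-uses` audit is likely to still report it, so the commit title's claim of compliance is probably incomplete. Pinning it to a release tag or a full commit SHA, e.g. `uses: bowtie-json-schema/bowtie@<commit-sha>  # <release-tag>`, would close that finding and make the build reproducible. The jobs these steps belong to start outside the hunks.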

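--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -14,6 +14,8 @@ concurrency:
 group: images-${{ github.ref }}
 cancel-in-progress: true
 
+permissions: {}
+
 jobs:
 meta:
 runs-on: ubuntu-latest
@@ -22,19 +24,25 @@ jobs:
 implementation-name: ${{ steps.impl.outputs.name }}
 steps:
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 
 - name: Install bowtie
 uses: bowtie-json-schema/bowtie@main
 
 - name: Compute implementation name
 id: impl
-run: echo "name=$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')" >> $GITHUB_OUTPUT
+env:
+GH_REPOSITORY: ${{ github.repository }}
+run: echo "name=$(echo ${GH_REPOSITORY} | awk -F '/' '{print $2}')" >> $GITHUB_OUTPUT
 
 - name: Compute latest implementation version
 id: version
+env:
+IMPL_NAME: ${{ steps.impl.outputs.name }}
 run: |
 version=$(bowtie info \
---implementation ${{ steps.impl.outputs.name }} \
+--implementation ${IMPL_NAME} \
 --format json | jq -r '.version // empty')
 echo "value=${version}" >> $GITHUB_OUTPUT
 
@@ -54,6 +62,8 @@ jobs:
 
 steps:
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 
 - name: Install bowtie
 uses: bowtie-json-schema/bowtie@main
@@ -82,20 +92,27 @@ jobs:
 enable-cache: true
 
 - name: Smoke Test
+env:
+IMAGE_WITH_TAG: ${{ steps.build_image.outputs.image-with-tag }}
 run: |
-bowtie smoke -i "localhost/${{ steps.build_image.outputs.image-with-tag }}" --format json
-bowtie smoke -i "localhost/${{ steps.build_image.outputs.image-with-tag }}" --format markdown >> $GITHUB_STEP_SUMMARY
+bowtie smoke -i "localhost/${IMAGE_WITH_TAG}" --format json
+bowtie smoke -i "localhost/${IMAGE_WITH_TAG}" --format markdown >> $GITHUB_STEP_SUMMARY
 
 - name: Collect current version
 id: current-version
+env:
+IMAGE_WITH_TAG: ${{ steps.build_image.outputs.image-with-tag }}
 run: |
 version=$(bowtie info \
---implementation "localhost/${{ steps.build_image.outputs.image-with-tag }}" \
+--implementation "localhost/${IMAGE_WITH_TAG}" \
 --format json | jq -r '.version // empty')
 echo "value=${version}" >> $GITHUB_OUTPUT
 
 - name: Print collected versions
-run: echo "latest_version=${{ needs.meta.outputs.latest-version }}; current_version=${{ steps.current-version.outputs.value }}"
+env:
+LATEST_VERSION: ${{ needs.meta.outputs.latest-version }}
+CURRENT_VERSION: ${{ steps.current-version.outputs.value }}
+run: echo "latest_version=${LATEST_VERSION}; current_version=${CURRENT_VERSION}"
 
 - name: Log in to ghcr.io
 uses: redhat-actions/podman-login@v1
@@ -106,7 +123,10 @@ jobs:
 if: github.event_name == 'push' && github.ref == 'refs/heads/main'
 
 - name: Add tag with version to the image
-run: podman tag ${{ steps.build_image.outputs.image-with-tag }} ${{ steps.build_image.outputs.image }}:${{ steps.current-version.outputs.value }}
+env:
+IMAGE_WITH_TAG: ${{ steps.build_image.outputs.image-with-tag }}
+IMAGE_WITH_VERSION: "${{ steps.build_image.outputs.image }}:${{ steps.current-version.outputs.value }}"
+run: podman tag ${IMAGE_WITH_TAG} ${IMAGE_WITH_VERSION}
 if: github.event_name == 'push' && github.ref == 'refs/heads/main'
 
 - name: Publish
@@ -138,6 +158,7 @@ jobs:
 env:
 TAG: v${{ needs.meta.outputs.latest-version }}
 COMMIT: ${{ github.event.before }}
+GH_REPOSITORY: ${{ github.repository }}
 
 steps:
 
@@ -150,7 +171,7 @@ jobs:
 --method POST
 -H "Accept: application/vnd.github+json"
 -H "X-GitHub-Api-Version: 2022-11-28"
-/repos/${{ github.repository }}/git/refs
+/repos/${GH_REPOSITORY}/git/refs
 -f "ref=refs/tags/$TAG"
 -f "sha=$COMMIT"
@@ -162,7 +183,7 @@ jobs:
 --method POST
 -H "Accept: application/vnd.github+json"
 -H "X-GitHub-Api-Version: 2022-11-28"
-/repos/${{ github.repository }}/releases
+/repos/${GH_REPOSITORY}/releases
 -f "tag_name=$TAG"
 -f "name=$TAG"
 -f "body=Automatic release for $TAG"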
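Review bot: In the `Compute latest implementation version` step (hunk `@@ -22,19 +24,25 @@`), the new `--implementation ${IMPL_NAME} \` leaves the expansion unquoted, while every other variable this commit introduces in this file (`"localhost/${IMAGE_WITH_TAG}"`) is quoted; if the `impl` step ever yields an empty name, the word disappears entirely and `--implementation` would likely consume the following `--format` token as its value, producing a confusing error instead of a clear one. Quoting it, `--implementation "${IMPL_NAME}" \`, keeps the argument position stable and matches the rest of the file. The `echo ${GH_REPOSITORY}` in the `impl` step of the same hunk is safe as written because `github.repository` is an `owner/name` slug without whitespace, though `"${GH_REPOSITORY}"` would be consistent as well. The enclosing `meta` job starts before this hunk.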

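--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -14,6 +14,10 @@ repos:
 - id: mixed-line-ending
 args: [--fix, lf]
 - id: trailing-whitespace
+- repo: https://github.com/woodruffw/zizmor-pre-commit
+rev: v1.4.1
+hooks:
+- id: zizmor
 
 # test harness specific hooks
 - repo: https://github.com/dustinsand/pre-commit-jvm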
