diff --git a/.github/workflows/build-all.yml b/.github/workflows/build-all.yml
index 3167aed..d754018 100644
--- a/.github/workflows/build-all.yml
+++ b/.github/workflows/build-all.yml
@@ -6,6 +6,8 @@ on: env: IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} +permissions: {} + jobs: versions: runs-on: ubuntu-latest
@@ -14,6 +16,7 @@ jobs: steps: - uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 0 fetch-tags: true - name: Collect available versions
@@ -37,11 +40,14 @@ jobs: steps: - uses: actions/checkout@v4 with: + persist-credentials: false ref: ${{ matrix.revision }} - name: Compute implementation name id: impl - run: echo "name=$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')" >> $GITHUB_OUTPUT + env: + GH_REPOSITORY: ${{ github.repository }} + run: echo "name=$(echo ${GH_REPOSITORY} | awk -F '/' '{print $2}')" >> $GITHUB_OUTPUT - name: Install bowtie uses: bowtie-json-schema/bowtie@main 
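Review bot: With `permissions: {}` declared at the workflow level (first hunk, `@@ -6,6 +6,8 @@`), every job runs with no token scopes unless it carries its own `permissions:` block, and none of the visible hunks adds one; the `Log in to ghcr.io` / `Publish` steps further down this file need `packages: write`, and build.yml's release job, which POSTs to `/repos/…/git/refs` and `/releases` with `gh api`, needs `contents: write`, so unless those jobs already declare scopes outside the shown hunks the first push to main will fail with a permissions error. The same top-level `permissions: {}` is added to build.yml in its `@@ -14,6 +14,8 @@` hunk and has the same gap. A short comment on the new key would make the intent clear to the next editor, e.g. `# deny-by-default: each job declares the scopes it needs (packages: write, contents: write)`.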
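Review bot: In the rewritten `Compute implementation name` step (hunk `@@ -37,11 +40,14 @@`) the new `run:` line expands the variable unquoted inside the command substitution, `echo ${GH_REPOSITORY}`, and `>> $GITHUB_OUTPUT` is unquoted as well; a repository slug cannot contain whitespace, so this is not a practical problem today, but since the whole point of the change is to stop trusting the `${{ }}` expression, the shell side should be equally strict. The `echo | awk` pipeline can go entirely in favour of a parameter expansion: `run: echo "name=${GH_REPOSITORY#*/}" >> "$GITHUB_OUTPUT"`. The identical step in build.yml's `meta` job (hunk `@@ -22,19 +24,25 @@`) should get the same treatment; the surrounding `steps:` list begins and ends outside this hunk.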
@@ -65,20 +71,26 @@ jobs: echo "DOCKER_HOST=unix://$(podman info --format '{{.Host.RemoteSocket.Path}}')" >> $GITHUB_ENV - name: Smoke Test + env: + IMAGE_WITH_TAG: ${{ steps.build_image.outputs.image-with-tag }} run: | - bowtie smoke -i "localhost/${{ steps.build_image.outputs.image-with-tag }}" --format json - bowtie smoke -i "localhost/${{ steps.build_image.outputs.image-with-tag }}" --format markdown >> $GITHUB_STEP_SUMMARY + bowtie smoke -i "localhost/${IMAGE_WITH_TAG}" --format json + bowtie smoke -i "localhost/${IMAGE_WITH_TAG}" --format markdown >> $GITHUB_STEP_SUMMARY - name: Collect current version id: current-version + env: + IMAGE_WITH_TAG: ${{ steps.build_image.outputs.image-with-tag }} run: | version=$(bowtie info \ - --implementation "localhost/${{ steps.build_image.outputs.image-with-tag }}" \ + --implementation "localhost/${IMAGE_WITH_TAG}" \ --format json | jq -r '.version // empty') echo "value=${version}" >> $GITHUB_OUTPUT - name: Print collected version - run: echo "current_version=${{ steps.current-version.outputs.value }}" + env: + CURRENT_VERSION: ${{ steps.current-version.outputs.value }} + run: echo "current_version=${CURRENT_VERSION}" - name: Log in to ghcr.io uses: redhat-actions/podman-login@v1
@@ -88,7 +100,10 @@ jobs: registry: ${{ env.IMAGE_REGISTRY }} - name: Add tag with version to the image - run: podman tag ${{ steps.build_image.outputs.image-with-tag }} ${{ steps.build_image.outputs.image }}:${{ steps.current-version.outputs.value }} + env: + IMAGE_WITH_TAG: ${{ steps.build_image.outputs.image-with-tag }} + IMAGE_WITH_VERSION: "${{ steps.build_image.outputs.image }}:${{ steps.current-version.outputs.value }}" + run: podman tag ${IMAGE_WITH_TAG} ${IMAGE_WITH_VERSION} - name: Publish id: push
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index eed4251..f6d8117 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml 
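Review bot: The new `podman tag ${IMAGE_WITH_TAG} ${IMAGE_WITH_VERSION}` line (hunk `@@ -88,7 +100,10 @@`) expands both variables unquoted, and `IMAGE_WITH_VERSION` is assembled from `steps.current-version.outputs.value`, which the `Collect current version` step above fills from `jq -r '.version // empty'` and can therefore be an empty string; in that case the command runs as `podman tag <image-with-tag> <image>:` with a dangling colon, which most likely fails on an invalid reference at this late point in the job rather than where the version went missing. Moving the env-variable approach into a `run: |` block that quotes both operands and refuses to tag when the version is empty makes the failure explicit; build.yml's `Add tag with version to the image` step (hunk `@@ -106,7 +123,10 @@`) has the same shape and would take the same change. The `steps:` list continues outside this hunk.
```yaml
      - name: Add tag with version to the image
        env:
          IMAGE_WITH_TAG: ${{ steps.build_image.outputs.image-with-tag }}
          CURRENT_VERSION: ${{ steps.current-version.outputs.value }}
          IMAGE_WITH_VERSION: "${{ steps.build_image.outputs.image }}:${{ steps.current-version.outputs.value }}"
        run: |
          # bowtie info may report no version ('.version // empty'); never push a tag with an empty suffix
          [ -n "${CURRENT_VERSION}" ] || { echo "no version collected; refusing to tag" >&2; exit 1; }
          podman tag "${IMAGE_WITH_TAG}" "${IMAGE_WITH_VERSION}"
```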
@@ -14,6 +14,8 @@ concurrency: group: images-${{ github.ref }} cancel-in-progress: true +permissions: {} + jobs: meta: runs-on: ubuntu-latest
@@ -22,19 +24,25 @@ jobs: implementation-name: ${{ steps.impl.outputs.name }} steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install bowtie uses: bowtie-json-schema/bowtie@main - name: Compute implementation name id: impl - run: echo "name=$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')" >> $GITHUB_OUTPUT + env: + GH_REPOSITORY: ${{ github.repository }} + run: echo "name=$(echo ${GH_REPOSITORY} | awk -F '/' '{print $2}')" >> $GITHUB_OUTPUT - name: Compute latest implementation version id: version + env: + IMPL_NAME: ${{ steps.impl.outputs.name }} run: | version=$(bowtie info \ - --implementation ${{ steps.impl.outputs.name }} \ + --implementation ${IMPL_NAME} \ --format json | jq -r '.version // empty') echo "value=${version}" >> $GITHUB_OUTPUT
@@ -54,6 +62,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install bowtie uses: bowtie-json-schema/bowtie@main 
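Review bot: `persist-credentials: false` is now set on the checkout in the `meta` job (hunk `@@ -22,19 +24,25 @@`), but the step right after it still resolves `bowtie-json-schema/bowtie@main`, a mutable branch reference, so whatever lands on that branch runs inside this job with its token and environment; the same reference appears in the `@@ -54,6 +62,8 @@` hunk below and in build-all.yml. Pinning to a full commit SHA with the tag noted in a trailing comment (`uses: bowtie-json-schema/bowtie@<commit-sha>  # vX.Y.Z`, placeholder values) closes that, and the zizmor hook this commit adds will presumably report these references under its unpinned-uses audit anyway. If tracking `main` is deliberate because the action belongs to the same project, a one-line comment saying so above the `uses:` line would stop reviewers from re-raising it.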
@@ -82,20 +92,27 @@ jobs: enable-cache: true - name: Smoke Test + env: + IMAGE_WITH_TAG: ${{ steps.build_image.outputs.image-with-tag }} run: | - bowtie smoke -i "localhost/${{ steps.build_image.outputs.image-with-tag }}" --format json - bowtie smoke -i "localhost/${{ steps.build_image.outputs.image-with-tag }}" --format markdown >> $GITHUB_STEP_SUMMARY + bowtie smoke -i "localhost/${IMAGE_WITH_TAG}" --format json + bowtie smoke -i "localhost/${IMAGE_WITH_TAG}" --format markdown >> $GITHUB_STEP_SUMMARY - name: Collect current version id: current-version + env: + IMAGE_WITH_TAG: ${{ steps.build_image.outputs.image-with-tag }} run: | version=$(bowtie info \ - --implementation "localhost/${{ steps.build_image.outputs.image-with-tag }}" \ + --implementation "localhost/${IMAGE_WITH_TAG}" \ --format json | jq -r '.version // empty') echo "value=${version}" >> $GITHUB_OUTPUT - name: Print collected versions - run: echo "latest_version=${{ needs.meta.outputs.latest-version }}; current_version=${{ steps.current-version.outputs.value }}" + env: + LATEST_VERSION: ${{ needs.meta.outputs.latest-version }} + CURRENT_VERSION: ${{ steps.current-version.outputs.value }} + run: echo "latest_version=${LATEST_VERSION}; current_version=${CURRENT_VERSION}" - name: Log in to ghcr.io uses: redhat-actions/podman-login@v1
@@ -106,7 +123,10 @@ jobs: if: github.event_name == 'push' && github.ref == 'refs/heads/main' - name: Add tag with version to the image - run: podman tag ${{ steps.build_image.outputs.image-with-tag }} ${{ steps.build_image.outputs.image }}:${{ steps.current-version.outputs.value }} + env: + IMAGE_WITH_TAG: ${{ steps.build_image.outputs.image-with-tag }} + IMAGE_WITH_VERSION: "${{ steps.build_image.outputs.image }}:${{ steps.current-version.outputs.value }}" + run: podman tag ${IMAGE_WITH_TAG} ${IMAGE_WITH_VERSION} if: github.event_name == 'push' && github.ref == 'refs/heads/main' - name: Publish 
@@ -138,6 +158,7 @@ jobs: env: TAG: v${{ needs.meta.outputs.latest-version }} COMMIT: ${{ github.event.before }} + GH_REPOSITORY: ${{ github.repository }} steps:
@@ -150,7 +171,7 @@ jobs: --method POST -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" - /repos/${{ github.repository }}/git/refs + /repos/${GH_REPOSITORY}/git/refs -f "ref=refs/tags/$TAG" -f "sha=$COMMIT"
@@ -162,7 +183,7 @@ jobs: --method POST -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" - /repos/${{ github.repository }}/releases + /repos/${GH_REPOSITORY}/releases -f "tag_name=$TAG" -f "name=$TAG" -f "body=Automatic release for $TAG"
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 0999049..9ca8d1a 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -14,6 +14,10 @@ repos: - id: mixed-line-ending args: [--fix, lf] - id: trailing-whitespace + - repo: https://github.com/woodruffw/zizmor-pre-commit + rev: v1.4.1 + hooks: + - id: zizmor # test harness specific hooks - repo: https://github.com/dustinsand/pre-commit-jvm