diff --git a/.github/workflows/build-ci-container.yml b/.github/workflows/build-ci-container.yml
index 28fc7de2ee065..39b674158e81b 100644
--- a/.github/workflows/build-ci-container.yml
+++ b/.github/workflows/build-ci-container.yml
@@ -28,6 +28,7 @@ jobs: - name: Checkout LLVM uses: actions/checkout@v4 with: + persist-credentials: false sparse-checkout: .github/workflows/containers/github-action-ci/ - name: Change podman Root Direcotry run: |
@@ -67,6 +68,7 @@ jobs: - name: Checkout LLVM uses: actions/checkout@v4 with: + persist-credentials: false sparse-checkout: .github/workflows/containers/github-action-ci/ - name: Change podman Root Direcotry
diff --git a/.github/workflows/ci-post-commit-analyzer.yml b/.github/workflows/ci-post-commit-analyzer.yml
index d614dd07b3a49..abf8f3a033acc 100644
--- a/.github/workflows/ci-post-commit-analyzer.yml
+++ b/.github/workflows/ci-post-commit-analyzer.yml
@@ -42,6 +42,8 @@ jobs: steps: - name: Checkout Source uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false - name: Setup ccache uses: hendrikmuhs/ccache-action@v1
diff --git a/.github/workflows/commit-access-review.yml b/.github/workflows/commit-access-review.yml
index f9195a1863dee..79d7624a7633d 100644
--- a/.github/workflows/commit-access-review.yml
+++ b/.github/workflows/commit-access-review.yml
@@ -16,6 +16,8 @@ jobs: steps: - name: Fetch LLVM sources uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install dependencies run: |
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 800e929157353..3e4b4d9b3965e 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -62,6 +62,7 @@ jobs: if: ${{ github.event_name == 'push' }} uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 1 - name: Get subprojects that have doc changes id: docs-changed-subprojects
@@ -98,6 +99,7 @@ jobs: if: ${{ github.event_name == 'pull_request' }} uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 1 - name: Setup Python env uses: actions/setup-python@v5
diff --git a/.github/workflows/email-check.yaml b/.github/workflows/email-check.yaml
index 8f32d020975f5..7459024cc071e 100644
--- a/.github/workflows/email-check.yaml
+++ b/.github/workflows/email-check.yaml
@@ -16,6 +16,7 @@ jobs: - name: Fetch LLVM sources uses: actions/checkout@v4 with: + persist-credentials: false ref: ${{ github.event.pull_request.head.sha }} - name: Extract author email
diff --git a/.github/workflows/issue-subscriber.yml b/.github/workflows/issue-subscriber.yml
index ef4fdf4418193..9eda3f7d00e60 100644
--- a/.github/workflows/issue-subscriber.yml
+++ b/.github/workflows/issue-subscriber.yml
@@ -16,6 +16,7 @@ jobs: - name: Checkout Automation Script uses: actions/checkout@v4 with: + persist-credentials: false sparse-checkout: llvm/utils/git/ ref: main
diff --git a/.github/workflows/issue-write.yml b/.github/workflows/issue-write.yml
index 5334157a7fd20..8fc47e6a4dd53 100644
--- a/.github/workflows/issue-write.yml
+++ b/.github/workflows/issue-write.yml
@@ -27,6 +27,7 @@ jobs: - name: Fetch Sources uses: actions/checkout@v4 with: + persist-credentials: false sparse-checkout: | .github/workflows/unprivileged-download-artifact/action.yml sparse-checkout-cone-mode: false
diff --git a/.github/workflows/libclang-abi-tests.yml b/.github/workflows/libclang-abi-tests.yml
index 9e839ff49e283..26049e4958c86 100644
--- a/.github/workflows/libclang-abi-tests.yml
+++ b/.github/workflows/libclang-abi-tests.yml
@@ -40,6 +40,7 @@ jobs: - name: Checkout source uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 250 - name: Get LLVM version
diff --git a/.github/workflows/libcxx-build-and-test.yaml b/.github/workflows/libcxx-build-and-test.yaml
index cba8afbb54f0f..a726273bf658f 100644
--- a/.github/workflows/libcxx-build-and-test.yaml
+++ b/.github/workflows/libcxx-build-and-test.yaml
@@ -55,6 +55,8 @@ jobs: cxx: 'g++-14' steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: ${{ matrix.config }}.${{ matrix.cxx }} run: libcxx/utils/ci/run-buildbot ${{ matrix.config }} env:
@@ -101,6 +103,8 @@ jobs: cxx: 'clang++-18' steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: ${{ matrix.config }} run: libcxx/utils/ci/run-buildbot ${{ matrix.config }} env:
@@ -165,6 +169,8 @@ jobs: container: ghcr.io/llvm/libcxx-linux-builder:0fd6f684b9c84c32d6cbfd9742402e788b2879f1 steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: ${{ matrix.config }} run: libcxx/utils/ci/run-buildbot ${{ matrix.config }} env:
@@ -203,6 +209,8 @@ jobs: runs-on: ${{ matrix.os }} steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: maxim-lobanov/setup-xcode@v1 with: xcode-version: 'latest'
@@ -243,6 +251,8 @@ jobs: - { config: mingw-incomplete-sysroot, mingw: true } steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install dependencies run: | choco install -y ninja
diff --git a/.github/workflows/libcxx-build-containers.yml b/.github/workflows/libcxx-build-containers.yml
index 2d040f712ce59..f36c3ce013b29 100644
--- a/.github/workflows/libcxx-build-containers.yml
+++ b/.github/workflows/libcxx-build-containers.yml
@@ -34,6 +34,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Build the Linux builder image working-directory: libcxx/utils/ci
diff --git a/.github/workflows/libcxx-check-generated-files.yml b/.github/workflows/libcxx-check-generated-files.yml
index 570055624b2a8..d99a96c012209 100644
--- a/.github/workflows/libcxx-check-generated-files.yml
+++ b/.github/workflows/libcxx-check-generated-files.yml
@@ -13,6 +13,8 @@ jobs: steps: - name: Fetch LLVM sources uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install dependencies uses: aminya/setup-cpp@v1
diff --git a/.github/workflows/llvm-project-tests.yml b/.github/workflows/llvm-project-tests.yml
index 95a3890c0d2dc..0b87ef58d04a6 100644
--- a/.github/workflows/llvm-project-tests.yml
+++ b/.github/workflows/llvm-project-tests.yml
@@ -88,6 +88,7 @@ jobs: # clean: false. - uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 250 - name: Setup ccache uses: hendrikmuhs/ccache-action@v1
diff --git a/.github/workflows/llvm-tests.yml b/.github/workflows/llvm-tests.yml
index 26e644229aaa2..5f3eed04f1c1b 100644
--- a/.github/workflows/llvm-tests.yml
+++ b/.github/workflows/llvm-tests.yml
@@ -50,6 +50,7 @@ jobs: - name: Checkout source uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 250 - name: Get LLVM version
diff --git a/.github/workflows/merged-prs.yml b/.github/workflows/merged-prs.yml
index e29afd4097f9f..957b423f44ff5 100644
--- a/.github/workflows/merged-prs.yml
+++ b/.github/workflows/merged-prs.yml
@@ -23,6 +23,7 @@ jobs: - name: Checkout Automation Script uses: actions/checkout@v4 with: + persist-credentials: false sparse-checkout: llvm/utils/git/ ref: main
diff --git a/.github/workflows/new-prs.yml b/.github/workflows/new-prs.yml
index 88175d6f8d64d..c23d51d481448 100644
--- a/.github/workflows/new-prs.yml
+++ b/.github/workflows/new-prs.yml
@@ -37,6 +37,7 @@ jobs: - name: Checkout Automation Script uses: actions/checkout@v4 with: + persist-credentials: false sparse-checkout: llvm/utils/git/ ref: main
diff --git a/.github/workflows/pr-code-format.yml b/.github/workflows/pr-code-format.yml
index f2bb37316d3a8..3b1b542dbcb92 100644
--- a/.github/workflows/pr-code-format.yml
+++ b/.github/workflows/pr-code-format.yml
@@ -21,6 +21,7 @@ jobs: - name: Fetch LLVM sources uses: actions/checkout@v4 with: + persist-credentials: false ref: ${{ github.event.pull_request.head.sha }} - name: Checkout through merge base
@@ -42,6 +43,7 @@ jobs: - name: Fetch code formatting utils uses: actions/checkout@v4 with: + persist-credentials: false repository: ${{ github.repository }} ref: ${{ github.base_ref }} sparse-checkout: |
diff --git a/.github/workflows/pr-request-release-note.yml b/.github/workflows/pr-request-release-note.yml
index 2fa501dda16bb..0330ca0929737 100644
--- a/.github/workflows/pr-request-release-note.yml
+++ b/.github/workflows/pr-request-release-note.yml
@@ -21,6 +21,7 @@ jobs: - name: Checkout Scripts uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: + persist-credentials: false sparse-checkout: | llvm/utils/git/requirements.txt llvm/utils/git/github-automation.py
diff --git a/.github/workflows/pr-subscriber.yml b/.github/workflows/pr-subscriber.yml
index 272d3e2f9ef8a..5708563bffd50 100644
--- a/.github/workflows/pr-subscriber.yml
+++ b/.github/workflows/pr-subscriber.yml
@@ -16,6 +16,7 @@ jobs: - name: Checkout Automation Script uses: actions/checkout@v4 with: + persist-credentials: false sparse-checkout: llvm/utils/git/ ref: main
diff --git a/.github/workflows/release-asset-audit.yml b/.github/workflows/release-asset-audit.yml
index 018c5d542f32e..285704d617b89 100644
--- a/.github/workflows/release-asset-audit.yml
+++ b/.github/workflows/release-asset-audit.yml
@@ -23,6 +23,8 @@ jobs: if: github.repository == 'llvm/llvm-project' steps: - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6 + with: + persist-credentials: false - name: "Run Audit Script" env: GITHUB_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/release-binaries.yml b/.github/workflows/release-binaries.yml
index 1cde628d3f66c..8f5765e17b884 100644
--- a/.github/workflows/release-binaries.yml
+++ b/.github/workflows/release-binaries.yml
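Review bot: The `Checkout through merge base` step that follows the first checkout in this hunk lies outside it; if that step runs `git fetch` against the remote, it now does so without a token, because with `persist-credentials: false` the checkout action no longer leaves its `http.extraheader` authorization entry in `.git/config`. For the public `llvm/llvm-project` repository an anonymous fetch still succeeds, but any later step in this job — and in the other jobs touched by this commit, such as `docs.yml`'s `Get subprojects that have doc changes` if it shells out to git — that pushes or fetches with the checkout's stored credentials will start failing, so those step bodies should be checked before merging. Where a step genuinely needs authenticated git access, pass the token to that step explicitly (e.g. via its `env:`) rather than re-enabling credential persistence for the whole workspace.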
@@ -70,6 +70,8 @@ jobs: - name: Checkout LLVM uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false - name: Install Dependencies shell: bash
@@ -155,6 +157,7 @@ jobs: - name: Checkout Actions uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: + persist-credentials: false ref: ${{ (github.event_name == 'pull_request' && github.sha) || 'main' }} sparse-checkout: | .github/workflows/
@@ -176,6 +179,7 @@ jobs: - name: Checkout LLVM uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: + persist-credentials: false ref: ${{ needs.prepare.outputs.ref }} - name: Copy main workflows
@@ -229,6 +233,7 @@ jobs: - name: Checkout Actions uses: actions/checkout@v4 with: + persist-credentials: false ref: ${{ (github.event_name == 'pull_request' && github.sha) || 'main' }} sparse-checkout: | .github/workflows/
@@ -263,6 +268,7 @@ jobs: - name: Checkout Actions uses: actions/checkout@v4 with: + persist-credentials: false ref: ${{ (github.event_name == 'pull_request' && github.sha) || 'main' }} sparse-checkout: | .github/workflows/
@@ -312,6 +318,7 @@ jobs: - name: Checkout Actions uses: actions/checkout@v4 with: + persist-credentials: false ref: ${{ (github.event_name == 'pull_request' && github.sha) || 'main' }} sparse-checkout: | .github/workflows/
@@ -362,6 +369,7 @@ jobs: - name: Checkout Actions uses: actions/checkout@v4 with: + persist-credentials: false ref: ${{ (github.event_name == 'pull_request' && github.sha) || 'main' }} sparse-checkout: | .github/workflows/
@@ -423,6 +431,7 @@ jobs: - name: Checkout Release Scripts uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: + persist-credentials: false sparse-checkout: | llvm/utils/release/github-upload-release.py llvm/utils/git/requirements.txt
@@ -475,6 +484,7 @@ jobs: - name: Checkout Actions uses: actions/checkout@v4 with: + persist-credentials: false ref: ${{ (github.event_name == 'pull_request' && github.sha) || 'main' }} sparse-checkout: | .github/workflows/
diff --git a/.github/workflows/release-documentation.yml b/.github/workflows/release-documentation.yml
index 922c5093f1357..2968f03d6d29b 100644
--- a/.github/workflows/release-documentation.yml
+++ b/.github/workflows/release-documentation.yml
@@ -35,6 +35,8 @@ jobs: steps: - name: Checkout LLVM uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false - name: Setup Python env uses: actions/setup-python@v5
diff --git a/.github/workflows/release-doxygen.yml b/.github/workflows/release-doxygen.yml
index ea95e5bb12b2b..3288d215c8398 100644
--- a/.github/workflows/release-doxygen.yml
+++ b/.github/workflows/release-doxygen.yml
@@ -41,6 +41,8 @@ jobs: steps: - name: Checkout LLVM uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false - name: Setup Python env uses: actions/setup-python@v5
diff --git a/.github/workflows/release-lit.yml b/.github/workflows/release-lit.yml
index 9d6f3140e6883..7e3b30fcf17a2 100644
--- a/.github/workflows/release-lit.yml
+++ b/.github/workflows/release-lit.yml
@@ -30,6 +30,7 @@ jobs: - name: Checkout LLVM uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: + persist-credentials: false ref: "llvmorg-${{ inputs.release-version }}" - name: Install dependencies
diff --git a/.github/workflows/release-sources.yml b/.github/workflows/release-sources.yml
index a6c86823f99df..9e42b2291a4e2 100644
--- a/.github/workflows/release-sources.yml
+++ b/.github/workflows/release-sources.yml
@@ -73,6 +73,7 @@ jobs: - name: Checkout LLVM uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: + persist-credentials: false ref: ${{ needs.inputs.outputs.ref }} fetch-tags: true - name: Install Dependencies
diff --git a/.github/workflows/release-tasks.yml b/.github/workflows/release-tasks.yml
index 780dd0ff6325c..d73c44c9b2fc2 100644
--- a/.github/workflows/release-tasks.yml
+++ b/.github/workflows/release-tasks.yml
@@ -39,6 +39,8 @@ jobs: - name: Checkout LLVM uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false - name: Create Release env:
diff --git a/.github/workflows/version-check.yml b/.github/workflows/version-check.yml
index 894e07d323ca9..adcb755b705a1 100644
--- a/.github/workflows/version-check.yml
+++ b/.github/workflows/version-check.yml
@@ -19,6 +19,7 @@ jobs: - name: Fetch LLVM sources uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 0 - name: Install dependencies
diff --git a/.github/workflows/workflow-checks.yml b/.github/workflows/workflow-checks.yml
new file mode 100644
index 0000000000000..04bee0dacfffe
--- /dev/null
+++ b/.github/workflows/workflow-checks.yml
@@ -0,0 +1,37 @@
+name: GitHub Actions Workflow Checks
+
+on:
+ push:
+ paths: [".github/workflows/*.ya?ml"]
+ pull_request:
+ paths: [".github/workflows/*.ya?ml"]
+
+jobs:
+ zizmor:
+ name: Workflow Security Checks
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
+
+ - name: Add Homebrew to PATH
+ run: echo "/home/linuxbrew/.linuxbrew/bin" >>"${GITHUB_PATH}"
+
+ - name: Get zizmor
+ run: brew install zizmor
+
+ - name: Run zizmor
+ run: zizmor --format sarif . > results.sarif
+ env:
+ GH_TOKEN: ${{ github.token }}
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
+ with:
+ sarif_file: results.sarif
+ category: zizmor
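Review bot: The `Upload SARIF file` step only runs when the `Run zizmor` step exits 0, so if zizmor signals findings through a non-zero exit status (confirm against its CLI documentation) the report written to `results.sarif` never reaches code scanning — the one case where the upload matters most; give the upload step `if: always()` so the SARIF is published regardless of the scan's exit code. `brew install zizmor` floats to whatever version Homebrew serves at run time, while every action in this file is SHA-pinned; pinning the scanner version keeps the check reproducible and its supply chain auditable. On `pull_request` runs from forks the job token is read-only, so the `security-events: write` grant has no effect and the upload is likely to fail — consider skipping the upload step for those events. Note also that the new scan will presumably report the `actions/checkout@v4` tag references that this same commit leaves in the other workflows, so the first run should be expected to produce findings.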