clean-up

mayeut · mayeut · commit b372e8bacdc6 · 2026-01-02T14:18:51.000+01:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -14,6 +14,12 @@ on:
     tags:
       - "v*.*.*.*"
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
+
+permissions: {}
+
 jobs:
   build_bootstrap_image:
     name: Build x86_64 bootstrap image
@@ -28,31 +34,33 @@ jobs:
         id: llvm-version
         run: echo "version=$(cat llvm-version)" >> $GITHUB_OUTPUT
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
         id: setup-buildx
       - name: Cache Docker layers
         uses: actions/cache@v5
         with:
           path: .cache/buildx-x86_64-bootstrap
-          key: buildx-x86_64-bootstrap-${{ github.sha }}
+          key: buildx-x86_64-bootstrap-${{ github.sha }}-${{ github.ref_type }}
           restore-keys: |
+            buildx-x86_64-bootstrap-${{ github.sha }}
             buildx-x86_64-bootstrap
+          lookup-only: ${{ github.ref_type == 'tag' }}  # zizmor: ignore[cache-poisoning]
       - name: Cache Docker cache mounts
         if: ${{ github.ref_type != 'tag' }}
-        uses: actions/cache@v5
+        uses: actions/cache@v5  # zizmor: ignore[cache-poisoning]
         with:
           path: .cache/buildx-x86_64-bootstrap-cache-mounts
           key: buildx-x86_64-bootstrap-cache-mounts-${{ github.sha }}
           restore-keys: |
             buildx-x86_64-bootstrap-cache-mount
       - name: Restore Docker cache mounts
         if: ${{ github.ref_type != 'tag' }}
-        uses: reproducible-containers/buildkit-cache-dance@v3
+        uses: reproducible-containers/buildkit-cache-dance@5b81f4d29dc8397a7d341dba3aeecc7ec54d6361 # v3.3.0
         with:
           builder: ${{ steps.setup-buildx.outputs.name }}
           cache-dir: .cache/buildx-x86_64-bootstrap-cache-mounts
       - name: Build image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: .
           platforms: linux/amd64
@@ -69,13 +77,14 @@ jobs:
         # https://github.com/moby/buildkit/issues/1896
         run: |
           rm -rf .cache/buildx-x86_64-bootstrap || true
-          mv ${{ runner.temp }}/.buildx-cache-new .cache/buildx-x86_64-bootstrap
+          mv "${RUNNER_TEMP}/.buildx-cache-new" .cache/buildx-x86_64-bootstrap
+
   build_image:
     name: Build ${{ matrix.platform }} image
     needs: [build_bootstrap_image]
     runs-on: ubuntu-latest
     permissions:
-      packages: write
+      packages: write # push to ghcr.io
       contents: read
     strategy:
       fail-fast: false
@@ -101,21 +110,22 @@ jobs:
 
       - name: Set up QEMU
         if: matrix.platform != 'amd64'
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        id: setup-buildx
 
       - name: Restore bootstrap cache
         uses: actions/cache/restore@v5
         with:
           path: .cache/buildx-x86_64-bootstrap
-          key: buildx-x86_64-bootstrap-${{ github.sha }}
+          key: buildx-x86_64-bootstrap-${{ github.sha }}-${{ github.ref_type }}
           fail-on-cache-miss: true
 
       - name: Cache Docker cache mounts
         if: ${{ github.ref_type != 'tag' }}
-        uses: actions/cache@v5
+        uses: actions/cache@v5  # zizmor: ignore[cache-poisoning]
         with:
           path: .cache/buildx-${{ matrix.platform }}-cache-mounts
           key: buildx-${{ matrix.platform }}-cache-mounts-${{ github.sha }}
@@ -124,13 +134,13 @@ jobs:
 
       - name: Restore Docker cache mounts
         if: ${{ github.ref_type != 'tag' }}
-        uses: reproducible-containers/buildkit-cache-dance@v3
+        uses: reproducible-containers/buildkit-cache-dance@5b81f4d29dc8397a7d341dba3aeecc7ec54d6361 # v3.3.0
         with:
           builder: ${{ steps.setup-buildx.outputs.name }}
           cache-dir: .cache/buildx-${{ matrix.platform }}-cache-mounts
 
       - name: Build image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: .
           platforms: linux/${{ matrix.platform }}
@@ -143,7 +153,9 @@ jobs:
           cache-from: type=local,src=${{ github.workspace }}/.cache/buildx-x86_64-bootstrap
 
       - name: Prepare Archive
-        run: tar cf - -C binaries/opt --owner 0 --group 0 clang | xz -9e -T0 > binaries/static-clang-linux-${{ matrix.platform }}.tar.xz
+        run: tar cf - -C binaries/opt --owner 0 --group 0 clang | xz -9e -T0 > "binaries/static-clang-linux-${MATRIX_PLATFORM}.tar.xz"
+        env:
+          MATRIX_PLATFORM: ${{ matrix.platform }}
 
       # TODO add some basic tests here
 
@@ -156,7 +168,7 @@ jobs:
 
       - name: Login to GitHub Container Registry
         if: github.event_name == 'push'
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -165,7 +177,7 @@ jobs:
       - name: Push image by digest
         if: github.event_name == 'push'
         id: build
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: .
           platforms: linux/${{ matrix.platform }}
@@ -195,7 +207,7 @@ jobs:
     if: github.event_name == 'push'
     runs-on: ubuntu-latest
     permissions:
-      packages: write
+      packages: write # push to ghcr.io
       contents: read
     needs:
       - build_image
@@ -212,11 +224,11 @@ jobs:
           merge-multiple: true
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
         with:
           images: ghcr.io/${{ github.repository_owner }}/static-clang
           tags: |
@@ -227,7 +239,7 @@ jobs:
             type=pep440,pattern={{major}}
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -237,14 +249,14 @@ jobs:
         working-directory: /tmp/digests
         run: |
           docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
-            $(printf 'ghcr.io/${{ github.repository_owner }}/static-clang@sha256:%s ' *)
+            $(printf "ghcr.io/${GITHUB_REPOSITORY_OWNER}/static-clang@sha256:%s " *)
 
   release:
     name: Release
     if: github.ref_type == 'tag'
     runs-on: ubuntu-latest
     permissions:
-      contents: write
+      contents: write  # create release
     needs:
       - build_image
     steps:
@@ -267,6 +279,6 @@ jobs:
         run: cat binaries/sha256sums.txt
 
       - name: Release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
         with:
           files: 'binaries/*'
