Add CI and Zig security audit workflow #6
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,87 @@ | ||
| name: CI | ||
|
|
||
| on: | ||
| push: | ||
| branches: [main] | ||
| pull_request: | ||
| schedule: | ||
| - cron: '0 0 * * 1' | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| check: | ||
| runs-on: ubuntu-24.04 | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: Install Zig | ||
| run: | | ||
| curl -sL "https://ziglang.org/download/0.15.2/zig-x86_64-linux-0.15.2.tar.xz" | tar -xJ | ||
| echo "$PWD/zig-x86_64-linux-0.15.2" >> "$GITHUB_PATH" | ||
|
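Review bot: `curl -sL ... | tar -xJ` in the Install Zig step omits `-f`, so if ziglang.org answers with an HTTP error the error body is piped straight into tar and the step fails with an unrelated decompression error instead of the HTTP status; use `curl -fsSL` so curl itself exits non-zero on a 4xx/5xx. Since this step is where the toolchain enters the build, also consider pinning `actions/checkout@v4` to a full commit SHA next to the already fixed Zig version, so that every input to the job is immutable.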
Comment on lines +21 to +22

🧩 Analysis chain

🌐 Web query:

💡 Result: To download and verify Zig programming language releases using SHA256 checksums:
1. Visit the official download page: https://ziglang.org/download/
2. Download the appropriate tarball or zip for your platform (e.g., zig-x86_64-linux-0.15.2.tar.xz) and its corresponding .minisig file.
3. SHA256 checksums are provided in the JSON version of the download page at https://ziglang.org/download/index.json. Fetch this JSON to get the 'shasum' field (SHA256 hex digest) for your file, along with expected size.
4. Verify the SHA256 checksum of the downloaded file matches the one from index.json using shasum -a 256 filename.
5. Install minisign and verify the signature: minisign -V -m filename.tar.xz -x filename.tar.xz.minisig -P 'RWSGOq2NVecA2UPNdBUZykf1CCb147pkmdtYxgb3Ti+JO/wCYvhbAb/U'. The signature includes a trusted comment with the exact filename to prevent downgrade attacks.
Primary verification is via minisign signatures using the public key shown on the download page. SHA256 checksums from index.json provide an additional integrity check, especially useful for automation and package managers. For mirrors, perform both SHA256 (from index.json) and minisign verification. Latest stable as of 2026-04-02: 0.15.2 (2025-10-11). Master dev build available as zig-0.16.0-dev-XXXX+commit.tar.xz. Citations:

🌐 Web query:

💡 Result: The official download page for Zig 0.15.2 is https://ziglang.org/download/#release-0.15.2, which lists the following binary download files (all signed with minisign using public key RWSGOq2NVecA2UPNdBUZykf1CCb147pkmdtYxgb3Ti+JO/wCYvhbAb/U):
Source Code:
- zig-0.15.2.tar.xz (20MiB)
- zig-bootstrap-0.15.2.tar.xz (50MiB)
Windows:
- zig-x86_64-windows-0.15.2.zip (88MiB)
- zig-aarch64-windows-0.15.2.zip (84MiB)
- zig-x86-windows-0.15.2.zip (90MiB)
macOS:
- zig-x86_64-macos-0.15.2.tar.xz (53MiB)
- zig-aarch64-macos-0.15.2.tar.xz (48MiB)
Linux and other platform binaries (e.g., x86_64-linux) are also available on the page and mirrors like https://gr.ht/zig/. Direct links follow the pattern https://ziglang.org/download/0.15.2/[filename] (e.g., https://ziglang.org/download/0.15.2/zig-x86_64-windows-0.15.2.zip). Released on 2025-10-11. Citations:

Please add integrity verification when fetching the Zig binary. Lines 21-22. However, please correct the proposed fix. Zig: please address this in one of the following ways:
||
|
|
||
| - name: Install dependencies | ||
| run: | | ||
| sudo apt-get update | ||
| sudo apt-get install -y libxcb1-dev libxcb-randr0-dev | ||
|
|
||
| - name: Format check | ||
| continue-on-error: true | ||
|
🟡 MEDIUM RISK Suggestion: The format check should fail the build if code is not properly formatted. Using
||
| run: zig fmt --check src/ | ||
|
|
||
| - name: Build | ||
| run: zig build | ||
|
|
||
| - name: Test | ||
| run: zig build test | ||
|
|
||
| security-audit: | ||
| runs-on: ubuntu-24.04 | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Zig Security Audit | ||
| env: | ||
| GH_EVENT: ${{ github.event_name }} | ||
| GH_BASE_REF: ${{ github.event.pull_request.base.ref }} | ||
| run: | | ||
| echo "## Zig Security Audit" >> "$GITHUB_STEP_SUMMARY" | ||
| echo "" >> "$GITHUB_STEP_SUMMARY" | ||
| echo "| Pattern | Count | Level |" >> "$GITHUB_STEP_SUMMARY" | ||
| echo "|---------|-------|-------|" >> "$GITHUB_STEP_SUMMARY" | ||
|
|
||
| total=0 | ||
|
|
||
| audit() { | ||
| local pattern="$1" level="$2" label="$3" | ||
| local count | ||
| count=$(grep -rn --include='*.zig' -e "$pattern" src/ 2>/dev/null | wc -l) | ||
| if [ "$count" -gt 0 ]; then | ||
| echo "| \`$label\` | $count | $level |" >> "$GITHUB_STEP_SUMMARY" | ||
| total=$((total + count)) | ||
| fi | ||
| if [ "$GH_EVENT" = "pull_request" ] && [ -n "$GH_BASE_REF" ]; then | ||
| git diff --name-only "origin/$GH_BASE_REF" -- '*.zig' 2>/dev/null | while read -r file; do | ||
| [ -f "$file" ] || continue | ||
| grep -n "$pattern" "$file" 2>/dev/null | while IFS=: read -r line content; do | ||
| echo "::warning file=$file,line=$line::[$level] $label: $content" | ||
|
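Review bot: `git diff --name-only "origin/$GH_BASE_REF" -- '*.zig'` in the pull_request branch diffs the tip of the base branch against the working tree, so a PR that is behind `main` also picks up `.zig` files that changed only on `main` since the branch point and annotates lines the PR never touched; diff from the merge base instead with `git diff --name-only "origin/$GH_BASE_REF...HEAD" -- '*.zig'`, which the `fetch-depth: 0` checkout in this job already supports. The inner `grep -n "$pattern" "$file"` also drops the `-e` used by the counting grep above it; harmless for the current patterns, but worth keeping consistent so a future pattern beginning with `-` is not parsed as an option.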
🧩 Analysis chain

🏁 Script executed:
# First, let's verify the file exists and examine the context
cat -n .github/workflows/ci.yml | sed -n '60,80p'
Repository: midasdf/zephwm
Length of output: 1253

🌐 Web query:

💡 Result: In GitHub Actions workflow commands, special characters like % (percent), \n (newline), and \r (carriage return) require escaping when using the deprecated ::set-output syntax to handle multiline strings in outputs. To escape:
- Replace '%' with '%25'
- Replace '\n' with '%0A'
- Replace '\r' with '%0D'
Example in bash:
text="${text//'%'/'%25'}"
text="${text//$'\n'/'%0A'}"
text="${text//$'\r'/'%0D'}"
echo "::set-output name=myoutput::$text"
This was a common workaround for the old stdout-based workflow commands like ::set-output and ::set-env, which treated newlines and % as delimiters, truncating multiline content otherwise. Note: ::set-output and ::set-env are deprecated since 2022 due to security issues. Use environment files instead:
- For outputs: echo "name=value" >> $GITHUB_OUTPUT (single-line) or use delimiter syntax for multiline: echo "name<<DELIM" >> $GITHUB_OUTPUT; echo "multiline content" >> $GITHUB_OUTPUT; echo "DELIM" >> $GITHUB_OUTPUT
- No manual escaping needed with environment files; newlines are preserved naturally with delimiters.
Official docs confirm multiline support via delimiters in GITHUB_OUTPUT without % escaping. Citations:

Proposed fix for line 70 (GitHub Actions command string escaping):
- echo "::warning file=$file,line=$line::[$level] $label: $content"
+ esc="${content//'%'/'%25'}"
+ esc="${esc//$'\n'/'%0A'}"
+ esc="${esc//$'\r'/'%0D'}"
+ echo "::warning file=$file,line=$line::[$level] $label: $esc"
||
| done | ||
| done | ||
|
Comment on lines +67 to +72

🟡 MEDIUM RISK The security audit logic currently generates warnings for all occurrences of patterns in a modified file, rather than just the new lines introduced in the PR. This creates 'warning noise' for pre-existing code. Update the script to only emit annotations for lines added or modified in the current diff (e.g., using
||
| fi | ||
| } | ||
|
|
||
| audit '@setRuntimeSafety\(false\)' 'Critical' '@setRuntimeSafety(false)' | ||
| audit '@ptrCast' 'Tracked' '@ptrCast' | ||
| audit '@ptrFromInt' 'Tracked' '@ptrFromInt' | ||
| audit '@intFromPtr' 'Tracked' '@intFromPtr' | ||
| audit '@alignCast' 'Tracked' '@alignCast' | ||
| audit 'catch unreachable' 'Review' 'catch unreachable' | ||
| audit 'orelse unreachable' 'Review' 'orelse unreachable' | ||
| audit '@cImport' 'Info' '@cImport' | ||
|
|
||
| echo "" >> "$GITHUB_STEP_SUMMARY" | ||
| echo "**Total: $total** patterns tracked" >> "$GITHUB_STEP_SUMMARY" | ||
| echo "_Not bugs — areas requiring careful review during changes._" >> "$GITHUB_STEP_SUMMARY" | ||
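Review bot: The Critical pattern `'@setRuntimeSafety\(false\)'` passed to the first `audit` call cannot match the source it targets: both `grep` invocations inside `audit()` run in basic regular expression mode, where `\(` and `\)` are grouping operators and unescaped parentheses are literal, so the pattern matches `@setRuntimeSafetyfalse` and never `@setRuntimeSafety(false)`, and the one highest-severity row silently reports no hits. Every pattern handed to `audit` is a fixed string, so add `-F` to both `grep` calls (or write the argument as `'@setRuntimeSafety(false)'`).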
🟡 MEDIUM RISK
Suggestion: Manual installation of Zig is brittle and lacks version/checksum management. Consider using the community-standard goto-bus-stop/setup-zig action to improve workflow reliability and maintainability.