
Commit 6ba4626

committed
fix zizmor findings
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
1 parent 463b09b commit 6ba4626


11 files changed

+119
-117
lines changed


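--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,11 +5,12 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
-    ignore:
-      # ignore this dependency
-      # it seems a bug with dependabot as pining to commit sha should not
-      # trigger a new version: https://github.com/docker/buildx/pull/2222#issuecomment-1919092153
-      - dependency-name: "docker/docs"
+    groups:
+      crazy-max-dot-github:
+        patterns:
+          - "crazy-max/.github/*"
+    cooldown:
+      default-days: 2
     labels:
       - "area/dependencies"
       - "bot"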
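Review bot: The new `cooldown:` block and the dropped `ignore:` entry for `docker/docs` carry no comment explaining either choice, and the deleted comment was the only record that SHA-pinned dependencies once produced spurious update PRs; with every action now SHA-pinned, a maintainer seeing a burst of pin bumps has nothing to point them at. A short note above `groups:` would preserve that context, e.g. `# actions are SHA-pinned; grouped so crazy-max/.github bumps land as one PR, cooldown delays version updates by 2 days`. Whether the docker/docs workaround is still needed cannot be told from this hunk, so say so in the note if it is being dropped on the assumption that the upstream bug was fixed.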

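--- a/.github/workflows/.test.yml
+++ b/.github/workflows/.test.yml
@@ -1,7 +1,6 @@
 # reusable workflow
 name: .test
 
-# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
 permissions:
   contents: read
 
@@ -26,9 +25,9 @@ on:
       includes:
         required: false
         type: string
-      env:
+    secrets:
+      codecov_token:
         required: false
-        type: string
 
 env:
   GO_VERSION: "1.26"
@@ -46,10 +45,10 @@ jobs:
     steps:
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
         with:
           version: ${{ env.SETUP_BUILDX_VERSION }}
           driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
@@ -61,38 +60,46 @@ jobs:
       -
         name: Set outputs
         id: set
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        env:
+          INPUT_PKGS: ${{ inputs.pkgs }}
+          INPUT_KINDS: ${{ inputs.kinds }}
+          INPUT_TAGS: ${{ inputs.tags }}
+          INPUT_INCLUDES: ${{ inputs.includes }}
         with:
           script: |
             const yaml = require('js-yaml');
             await core.group(`Set pkgs matrix`, async () => {
-              const pkgs = `${{ inputs.pkgs }}`.trim().split(/\r?\n/);
-              core.info(JSON.stringify(pkgs, null, 2));
-              core.setOutput('pkgs', JSON.stringify(pkgs));
+              const pkgs = core.getMultilineInput('pkgs');
+              const matrix = pkgs.length ? pkgs : [''];
+              core.info(JSON.stringify(matrix, null, 2));
+              core.setOutput('pkgs', JSON.stringify(matrix));
             });
             await core.group(`Set kinds matrix`, async () => {
-              const kinds = `${{ inputs.kinds }}`.trim().split(/\r?\n/);
-              core.info(JSON.stringify(kinds, null, 2));
-              core.setOutput('kinds', JSON.stringify(kinds));
+              const kinds = core.getMultilineInput('kinds');
+              const matrix = kinds.length ? kinds : [''];
+              core.info(JSON.stringify(matrix, null, 2));
+              core.setOutput('kinds', JSON.stringify(matrix));
             });
             await core.group(`Set tags matrix`, async () => {
-              const tags = `${{ inputs.tags }}`.trim().split(/\r?\n/);
-              core.info(JSON.stringify(tags, null, 2));
-              core.setOutput('tags', JSON.stringify(tags));
+              const tags = core.getMultilineInput('tags');
+              const matrix = tags.length ? tags : [''];
+              core.info(JSON.stringify(matrix, null, 2));
+              core.setOutput('tags', JSON.stringify(matrix));
             });
             await core.group(`Set includes`, async () => {
-              const includes = yaml.load(`${{ inputs.includes }}`.trim());
+              const includes = yaml.load(core.getInput('includes'));
               core.info(JSON.stringify(includes, null, 2));
               core.setOutput('includes', JSON.stringify(includes ?? []));
             });
       -
         name: Build
-        uses: docker/bake-action@v7
+        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
         with:
           targets: integration-tests-base
           set: |
             *.cache-from=type=gha,scope=${{ inputs.cache_scope }}
-            *.cache-to=type=gha,scope=${{ inputs.cache_scope }},repository=${{ github.repository }},ghtoken=${{ secrets.GITHUB_TOKEN }}
+            *.cache-to=type=gha,scope=${{ inputs.cache_scope }},repository=${{ github.repository }},ghtoken=${{ github.token }}
 
   run:
     runs-on: ubuntu-24.04
@@ -122,38 +129,41 @@ jobs:
     steps:
       -
         name: Prepare
+        env:
+          PKG: ${{ matrix.pkg }}
+          KIND: ${{ matrix.kind }}
+          WORKER: ${{ matrix.worker }}
+          TAGS: ${{ matrix.tags }}
+          SKIP_INTEGRATION_TESTS: ${{ matrix.skip-integration-tests }}
         run: |
-          for l in "${{ inputs.env }}"; do
-            echo "${l?}" >> $GITHUB_ENV
-          done
-          echo "TEST_REPORT_NAME=${{ github.job }}-$(echo "${{ matrix.pkg }}-${{ matrix.skip-integration-tests }}-${{ matrix.kind }}-${{ matrix.worker }}-${{ matrix.tags }}" | tr -dc '[:alnum:]-\n\r' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
-          testFlags="${{ env.TESTFLAGS }}"
-          if [ -n "${{ matrix.tags }}" ]; then
-            testFlags="${testFlags} --tags=${{ matrix.tags }}"
+          echo "TEST_REPORT_NAME=${GITHUB_JOB}-$(echo "${PKG}-${SKIP_INTEGRATION_TESTS}-${KIND}-${WORKER}-${TAGS}" | tr -dc '[:alnum:]-\n\r' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
+          testFlags="${TESTFLAGS}"
+          if [ -n "$TAGS" ]; then
+            testFlags="${testFlags} --tags=${TAGS}"
           fi
-          if [ -n "${{ matrix.worker }}" ]; then
-            testFlags="${testFlags} --run=//worker=${{ matrix.worker }}$"
+          if [ -n "${WORKER}" ]; then
+            testFlags="${testFlags} --run=//worker=${WORKER}$"
           fi
           echo "TESTFLAGS=${testFlags}" >> $GITHUB_ENV
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Expose GitHub Runtime
-        uses: crazy-max/ghaction-github-runtime@v4
+        uses: crazy-max/ghaction-github-runtime@04d248b84655b509d8c44dc1d6f990c879747487 # v4.0.0
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
         with:
           version: ${{ env.SETUP_BUILDX_VERSION }}
           driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
           buildkitd-flags: --debug
       -
         name: Build test image
-        uses: docker/bake-action@v7
+        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
         with:
           targets: integration-tests
           set: |
@@ -164,8 +174,9 @@ jobs:
       -
         name: Test
         run: |
-          ./hack/test ${{ matrix.kind }}
+          ./hack/test ${KIND}
         env:
+          KIND: ${{ matrix.kind }}
           TEST_REPORT_SUFFIX: -${{ env.TEST_REPORT_NAME }}
           TEST_COVERAGE: 1
           TESTPKGS: ${{ matrix.pkg }}
@@ -174,12 +185,12 @@ jobs:
       -
         name: Send to Codecov
         if: always()
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5.5.4
         with:
           directory: ./bin/testreports
           flags: ${{ matrix.codecov_flags }}
           disable_file_fixes: true
-          token: ${{ secrets.CODECOV_TOKEN }} # used to upload coverage reports: https://github.com/moby/buildkit/pull/4660#issue-2142122533
+          token: ${{ secrets.codecov_token }} # used to upload coverage reports: https://github.com/moby/buildkit/pull/4660#issue-2142122533
       -
         name: Generate annotations
         if: always()
@@ -189,12 +200,8 @@ jobs:
       -
         name: Upload test reports
         if: always()
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: test-reports-${{ env.TEST_REPORT_NAME }}
           path: ./bin/testreports
           retention-days: 1
-      -
-        name: Dump context
-        if: failure()
-        uses: crazy-max/ghaction-dump-context@v2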
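Review bot: The Prepare step still writes matrix-derived strings into `$GITHUB_ENV`, and the `tr -dc '[:alnum:]-\n\r'` allowlist on the `TEST_REPORT_NAME=` line deliberately keeps newline and carriage return, so a `PKG`/`KIND`/`WORKER`/`TAGS` value containing a line break would append extra `NAME=value` lines to the runner environment; `TAGS` and `WORKER` also reach the later `TESTFLAGS=` write with no filtering at all. Moving the `${{ matrix.* }}` expressions into `env:` closes the shell-parse injection zizmor flagged, but `GITHUB_ENV` is a second sink that the sanitizer should close as well: `tr -dc '[:alnum:]-'` is sufficient, since `$(...)` already strips the trailing newline `echo` emits, and the same filter could be applied to `TAGS`/`WORKER` before they are concatenated into `testFlags`. These values originate from `workflow_call` inputs, so exposure is limited to callers of this reusable workflow, but the tightening is one line. The Prepare step's `run:` block is fully inside the hunk; the enclosing `run` job continues outside it.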

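--- a/.github/workflows/buildkit.yml
+++ b/.github/workflows/buildkit.yml
@@ -4,7 +4,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
 permissions:
   contents: read
 
@@ -40,17 +39,17 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Platforms matrix
         id: platforms
-        uses: docker/bake-action/subaction/matrix@v7
+        uses: docker/bake-action/subaction/matrix@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
         with:
           target: release
           fields: platforms
 
   binaries:
-    uses: docker/github-builder/.github/workflows/bake.yml@v1
+    uses: docker/github-builder/.github/workflows/bake.yml@70313223e2665c3211b454b3fea6534624e78d64 # v1.4.0
     permissions:
       contents: read # same as global permission
       id-token: write # for signing attestation(s) with GitHub OIDC Token
@@ -73,7 +72,7 @@ jobs:
       -
         name: Download artifacts
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           path: /tmp/buildx-output
           name: ${{ needs.binaries.outputs.artifact-name }}
@@ -102,15 +101,14 @@ jobs:
           tree -nh .
       -
         name: Upload release binaries
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: buildkit-release
           path: ${{ env.DESTDIR }}/*
           if-no-files-found: error
 
   test:
     uses: ./.github/workflows/.test.yml
-    secrets: inherit
     needs:
       - binaries
     with:
@@ -137,33 +135,33 @@ jobs:
         - pkg: ./cache/remotecache/gha
           worker: oci
           typ: integration
+    secrets:
+      codecov_token: ${{ secrets.CODECOV_TOKEN }}
 
   govulncheck:
     runs-on: ubuntu-24.04
     permissions:
-      # same as global permission
-      contents: read
-      # required to write sarif report
-      security-events: write
+      contents: read # same as global permission
+      security-events: write # required to write sarif report
     steps:
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
         with:
           version: ${{ env.SETUP_BUILDX_VERSION }}
           driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
           buildkitd-flags: --debug
       -
         name: Run
-        uses: docker/bake-action@v7
+        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
         with:
           targets: govulncheck
         env:
           GOVULNCHECK_FORMAT: sarif
       -
         name: Upload SARIF report
         if: ${{ github.ref == 'refs/heads/master' && github.repository == 'moby/buildkit' }}
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
         with:
           sarif_file: ${{ env.DESTDIR }}/govulncheck.out
 
@@ -175,7 +173,7 @@ jobs:
       -
         name: Set outputs
         id: set
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           INPUT_DEFAULT-BASE: alpine
           INPUT_REF: ${{ github.ref }}
@@ -224,7 +222,7 @@ jobs:
             core.setOutput('includes', JSON.stringify(matrix));
 
   image:
-    uses: docker/github-builder/.github/workflows/bake.yml@v1
+    uses: docker/github-builder/.github/workflows/bake.yml@70313223e2665c3211b454b3fea6534624e78d64 # v1.4.0
     needs:
       - image-prepare
       - test
@@ -308,10 +306,10 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Login to DockerHub
-        uses: docker/login-action@v4
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -329,7 +327,7 @@ jobs:
           jq . ${{ steps.scout.outputs.result-file }}
       -
         name: Upload SARIF report
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
         with:
           sarif_file: ${{ steps.scout.outputs.result-file }}
 
@@ -345,7 +343,7 @@ jobs:
     steps:
       -
         name: Download release binaries
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           path: ${{ env.DESTDIR }}
           name: buildkit-release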
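Review bot: The explicit `secrets:` mapping that replaces `secrets: inherit` on the `test` job is the right least-privilege move, but nothing in the file records that this is now an allow-list, and because `.test.yml` declares `codecov_token` with `required: false`, any secret added to the reusable workflow later would arrive empty here instead of failing loudly. A one-line comment on the new block prevents that regression: `secrets: # explicit allow-list, not "inherit": .test.yml receives only what is listed here`. If this workflow also runs on `pull_request` from forks, `secrets.CODECOV_TOKEN` evaluates to an empty string there, which the optional declaration tolerates — presumably intended, but worth confirming the Codecov upload step in `.test.yml` copes with an empty token rather than failing the job. The `test` job's `with:` block starts outside this hunk.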

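--- a/.github/workflows/buildx-image.yml
+++ b/.github/workflows/buildx-image.yml
@@ -13,7 +13,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
 permissions:
   contents: read
 
@@ -50,20 +49,20 @@ jobs:
     steps:
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
         with:
           version: ${{ env.SETUP_BUILDX_VERSION }}
           buildkitd-flags: --debug
       -
         name: Login to DockerHub
         if: github.event.inputs.dry-run != 'true'
-        uses: docker/login-action@v4
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       -
         name: Create
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           INPUT_SOURCE-TAG: ${{ inputs.source-tag }}
           INPUT_DRY-RUN: ${{ inputs.dry-run }}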
