
Commit 99bd6da

committed
fix zizmor findings
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
1 parent 463b09b commit 99bd6da

11 files changed

+111
-112
lines changed


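--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,11 +5,12 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
-    ignore:
-      # ignore this dependency
-      # it seems a bug with dependabot as pining to commit sha should not
-      # trigger a new version: https://github.com/docker/buildx/pull/2222#issuecomment-1919092153
-      - dependency-name: "docker/docs"
+    groups:
+      crazy-max-dot-github:
+        patterns:
+          - "crazy-max/.github/*"
+    cooldown:
+      default-days: 2
     labels:
       - "area/dependencies"
       - "bot"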
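Review bot: The new `cooldown: default-days: 2` has no comment saying what it is for, and since it delays every github-actions bump it is exactly the setting a maintainer will be tempted to drop the first time a wanted update looks "late". I would record the intent above it: `# hold new action releases for 2 days so a hijacked tag/release can be noticed and yanked before we pick it up`. Whether the cooldown also delays Dependabot's own security updates is worth confirming against the current docs rather than assumed, since that changes how the two-day window should be weighed. The removed `ignore` block for `docker/docs` carried a rationale about Dependabot re-proposing SHA-pinned versions; now that every `uses:` in this commit is SHA-pinned, if that behaviour resurfaces this is where the ignore came from.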

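--- a/.github/workflows/.test.yml
+++ b/.github/workflows/.test.yml
@@ -1,7 +1,6 @@
 # reusable workflow
 name: .test
 
-# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
 permissions:
   contents: read
 
@@ -26,9 +25,9 @@ on:
       includes:
         required: false
         type: string
-      env:
-        required: false
-        type: string
+    secrets:
+      codecov_token:
+        required: true
 
 env:
   GO_VERSION: "1.26"
@@ -46,10 +45,10 @@ jobs:
     steps:
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
         with:
           version: ${{ env.SETUP_BUILDX_VERSION }}
           driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
@@ -61,38 +60,43 @@ jobs:
       -
         name: Set outputs
         id: set
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        env:
+          INPUT_PKGS: ${{ inputs.pkgs }}
+          INPUT_KINDS: ${{ inputs.kinds }}
+          INPUT_TAGS: ${{ inputs.tags }}
+          INPUT_INCLUDES: ${{ inputs.includes }}
         with:
           script: |
             const yaml = require('js-yaml');
             await core.group(`Set pkgs matrix`, async () => {
-              const pkgs = `${{ inputs.pkgs }}`.trim().split(/\r?\n/);
+              const pkgs = core.getMultilineInput('pkgs');
               core.info(JSON.stringify(pkgs, null, 2));
               core.setOutput('pkgs', JSON.stringify(pkgs));
             });
             await core.group(`Set kinds matrix`, async () => {
-              const kinds = `${{ inputs.kinds }}`.trim().split(/\r?\n/);
+              const kinds = core.getMultilineInput('kinds');
               core.info(JSON.stringify(kinds, null, 2));
               core.setOutput('kinds', JSON.stringify(kinds));
             });
             await core.group(`Set tags matrix`, async () => {
-              const tags = `${{ inputs.tags }}`.trim().split(/\r?\n/);
+              const tags = core.getMultilineInput('tags');
               core.info(JSON.stringify(tags, null, 2));
               core.setOutput('tags', JSON.stringify(tags));
             });
             await core.group(`Set includes`, async () => {
-              const includes = yaml.load(`${{ inputs.includes }}`.trim());
+              const includes = yaml.load(core.getInput('includes'));
               core.info(JSON.stringify(includes, null, 2));
               core.setOutput('includes', JSON.stringify(includes ?? []));
             });
       -
         name: Build
-        uses: docker/bake-action@v7
+        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
         with:
           targets: integration-tests-base
           set: |
             *.cache-from=type=gha,scope=${{ inputs.cache_scope }}
-            *.cache-to=type=gha,scope=${{ inputs.cache_scope }},repository=${{ github.repository }},ghtoken=${{ secrets.GITHUB_TOKEN }}
+            *.cache-to=type=gha,scope=${{ inputs.cache_scope }},repository=${{ github.repository }},ghtoken=${{ github.token }}
 
   run:
     runs-on: ubuntu-24.04
@@ -122,38 +126,41 @@ jobs:
     steps:
       -
         name: Prepare
+        env:
+          PKG: ${{ matrix.pkg }}
+          KIND: ${{ matrix.kind }}
+          WORKER: ${{ matrix.worker }}
+          TAGS: ${{ matrix.tags }}
+          SKIP_INTEGRATION_TESTS: ${{ matrix.skip-integration-tests }}
         run: |
-          for l in "${{ inputs.env }}"; do
-            echo "${l?}" >> $GITHUB_ENV
-          done
-          echo "TEST_REPORT_NAME=${{ github.job }}-$(echo "${{ matrix.pkg }}-${{ matrix.skip-integration-tests }}-${{ matrix.kind }}-${{ matrix.worker }}-${{ matrix.tags }}" | tr -dc '[:alnum:]-\n\r' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
-          testFlags="${{ env.TESTFLAGS }}"
-          if [ -n "${{ matrix.tags }}" ]; then
-            testFlags="${testFlags} --tags=${{ matrix.tags }}"
+          echo "TEST_REPORT_NAME=${GITHUB_JOB}-$(echo "${PKG}-${SKIP_INTEGRATION_TESTS}-${KIND}-${WORKER}-${TAGS}" | tr -dc '[:alnum:]-\n\r' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
+          testFlags="${TESTFLAGS}"
+          if [ -n "$TAGS" ]; then
+            testFlags="${testFlags} --tags=${TAGS}"
           fi
-          if [ -n "${{ matrix.worker }}" ]; then
-            testFlags="${testFlags} --run=//worker=${{ matrix.worker }}$"
+          if [ -n "${WORKER}" ]; then
+            testFlags="${testFlags} --run=//worker=${WORKER}$"
           fi
           echo "TESTFLAGS=${testFlags}" >> $GITHUB_ENV
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Expose GitHub Runtime
-        uses: crazy-max/ghaction-github-runtime@v4
+        uses: crazy-max/ghaction-github-runtime@04d248b84655b509d8c44dc1d6f990c879747487 # v4.0.0
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
         with:
           version: ${{ env.SETUP_BUILDX_VERSION }}
           driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
           buildkitd-flags: --debug
       -
         name: Build test image
-        uses: docker/bake-action@v7
+        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
         with:
           targets: integration-tests
           set: |
@@ -164,8 +171,9 @@ jobs:
       -
         name: Test
         run: |
-          ./hack/test ${{ matrix.kind }}
+          ./hack/test ${KIND}
         env:
+          KIND: ${{ matrix.kind }}
           TEST_REPORT_SUFFIX: -${{ env.TEST_REPORT_NAME }}
           TEST_COVERAGE: 1
           TESTPKGS: ${{ matrix.pkg }}
@@ -174,12 +182,12 @@ jobs:
       -
         name: Send to Codecov
         if: always()
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5.5.4
         with:
           directory: ./bin/testreports
           flags: ${{ matrix.codecov_flags }}
           disable_file_fixes: true
-          token: ${{ secrets.CODECOV_TOKEN }} # used to upload coverage reports: https://github.com/moby/buildkit/pull/4660#issue-2142122533
+          token: ${{ secrets.codecov_token }} # used to upload coverage reports: https://github.com/moby/buildkit/pull/4660#issue-2142122533
       -
         name: Generate annotations
         if: always()
@@ -189,12 +197,8 @@ jobs:
       -
         name: Upload test reports
         if: always()
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: test-reports-${{ env.TEST_REPORT_NAME }}
           path: ./bin/testreports
           retention-days: 1
-      -
-        name: Dump context
-        if: failure()
-        uses: crazy-max/ghaction-dump-context@v2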
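Review bot: The pinned `Checkout` step in the `run` job (`uses: actions/checkout@de0fac2e… # v6.0.2`) still leaves the default `persist-credentials: true`, so the job's `GITHUB_TOKEN` is written into `.git/config` and stays on the runner for every later step — the bake build, `./hack/test`, the Codecov upload and the artifact upload — while the job only declares `contents: read` and nothing shown here pushes. Adding `with:` / `persist-credentials: false` under that step removes the token from the tree; this is the situation zizmor's `artipacked` check targets when an upload-artifact follows a checkout, though the uploaded path here is `./bin/testreports`, so whether the configured persona reports it is tooling-dependent. A smaller point in the `Test` hunk: `./hack/test ${KIND}` is unquoted and `KIND` is caller-supplied matrix data, so `./hack/test "${KIND}"` keeps it one argument. The `run` job's definition begins before the first hunk that touches it.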

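--- a/.github/workflows/buildkit.yml
+++ b/.github/workflows/buildkit.yml
@@ -4,7 +4,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
 permissions:
   contents: read
 
@@ -40,17 +39,17 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Platforms matrix
         id: platforms
-        uses: docker/bake-action/subaction/matrix@v7
+        uses: docker/bake-action/subaction/matrix@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
         with:
           target: release
           fields: platforms
 
   binaries:
-    uses: docker/github-builder/.github/workflows/bake.yml@v1
+    uses: docker/github-builder/.github/workflows/bake.yml@70313223e2665c3211b454b3fea6534624e78d64 # v1.4.0
     permissions:
       contents: read # same as global permission
       id-token: write # for signing attestation(s) with GitHub OIDC Token
@@ -73,7 +72,7 @@ jobs:
     steps:
       -
         name: Download artifacts
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           path: /tmp/buildx-output
           name: ${{ needs.binaries.outputs.artifact-name }}
@@ -102,15 +101,14 @@ jobs:
           tree -nh .
       -
         name: Upload release binaries
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: buildkit-release
           path: ${{ env.DESTDIR }}/*
           if-no-files-found: error
 
   test:
     uses: ./.github/workflows/.test.yml
-    secrets: inherit
     needs:
       - binaries
     with:
@@ -137,33 +135,33 @@ jobs:
         - pkg: ./cache/remotecache/gha
           worker: oci
           typ: integration
+    secrets:
+      codecov_token: ${{ secrets.CODECOV_TOKEN }}
 
   govulncheck:
     runs-on: ubuntu-24.04
     permissions:
-      # same as global permission
-      contents: read
-      # required to write sarif report
-      security-events: write
+      contents: read # same as global permission
+      security-events: write # required to write sarif report
     steps:
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
         with:
           version: ${{ env.SETUP_BUILDX_VERSION }}
           driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
           buildkitd-flags: --debug
       -
         name: Run
-        uses: docker/bake-action@v7
+        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
         with:
           targets: govulncheck
         env:
           GOVULNCHECK_FORMAT: sarif
       -
         name: Upload SARIF report
         if: ${{ github.ref == 'refs/heads/master' && github.repository == 'moby/buildkit' }}
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
         with:
           sarif_file: ${{ env.DESTDIR }}/govulncheck.out
 
@@ -175,7 +173,7 @@ jobs:
       -
         name: Set outputs
         id: set
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           INPUT_DEFAULT-BASE: alpine
           INPUT_REF: ${{ github.ref }}
@@ -224,7 +222,7 @@ jobs:
             core.setOutput('includes', JSON.stringify(matrix));
 
   image:
-    uses: docker/github-builder/.github/workflows/bake.yml@v1
+    uses: docker/github-builder/.github/workflows/bake.yml@70313223e2665c3211b454b3fea6534624e78d64 # v1.4.0
     needs:
       - image-prepare
       - test
@@ -308,10 +306,10 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Login to DockerHub
-        uses: docker/login-action@v4
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -329,7 +327,7 @@ jobs:
           jq . ${{ steps.scout.outputs.result-file }}
       -
         name: Upload SARIF report
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
         with:
           sarif_file: ${{ steps.scout.outputs.result-file }}
 
@@ -345,7 +343,7 @@ jobs:
     steps:
       -
         name: Download release binaries
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           path: ${{ env.DESTDIR }}
           name: buildkit-release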
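Review bot: The context line `jq . ${{ steps.scout.outputs.result-file }}` at the top of the `Upload SARIF report` hunk is the one expression in this file still interpolated straight into a `run:` script, the pattern the rest of the commit moves into `env:`. The value is a step output of the scout action rather than event data, so it is practically controlled, but zizmor's template-injection check treats `steps.*.outputs.*` as untrusted unless it can trace the producer, and the same treatment closes it: `env:` / `RESULT_FILE: ${{ steps.scout.outputs.result-file }}` on the step and `jq . "$RESULT_FILE"` in the script (the `run:` block starts before this hunk, so the `env:` key may need adding). Separately, the two pinned `Checkout` steps — in the platforms job and in the DockerHub-login job — keep the default `persist-credentials: true`, yet neither job shown here pushes, so `with:` / `persist-credentials: false` would keep the token out of `.git/config` during the scout scan and the rest of those jobs.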

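--- a/.github/workflows/buildx-image.yml
+++ b/.github/workflows/buildx-image.yml
@@ -13,7 +13,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
 permissions:
   contents: read
 
@@ -50,20 +49,20 @@ jobs:
     steps:
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
         with:
           version: ${{ env.SETUP_BUILDX_VERSION }}
           buildkitd-flags: --debug
       -
         name: Login to DockerHub
         if: github.event.inputs.dry-run != 'true'
-        uses: docker/login-action@v4
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       -
         name: Create
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           INPUT_SOURCE-TAG: ${{ inputs.source-tag }}
           INPUT_DRY-RUN: ${{ inputs.dry-run }}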
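Review bot: The same input is read two ways within a few lines: the DockerHub login is gated on `if: github.event.inputs.dry-run != 'true'` while the `Create` step passes `INPUT_DRY-RUN: ${{ inputs.dry-run }}`. The two contexts are not interchangeable — `github.event.inputs.*` is always a string, whereas if `dry-run` is declared `type: boolean` in the `on:` block (outside this hunk) `inputs.dry-run` is a real boolean and a string compare against `'true'` would not do what it looks like — so if the gate is switched to the `inputs` context it should become `if: ${{ !inputs.dry-run }}`. Worth also noting in a comment on the `if:` what happens on a non-dispatch trigger, where `github.event.inputs.dry-run` is empty and the login therefore runs; if that is intended, `# login unless an explicit dry-run was requested` says so.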
