11 changes: 6 additions & 5 deletions .github/dependabot.yml
Expand Up @@ -5,11 +5,12 @@ updates:
directory: "/"
schedule:
interval: "daily"
ignore:
# ignore this dependency
# it seems a bug with dependabot as pining to commit sha should not
Member


Why did this change?

Member Author


We are not using commit sha when validating docs in

uses: docker/docs/.github/workflows/validate-upstream.yml@main

That was an oversight from #5702

# trigger a new version: https://github.com/docker/buildx/pull/2222#issuecomment-1919092153
- dependency-name: "docker/docs"
groups:
crazy-max-dot-github:
patterns:
- "crazy-max/.github/*"
cooldown:
default-days: 2
labels:
- "area/dependencies"
- "bot"
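Review bot: The `cooldown` block with `default-days: 2` carries no comment explaining its purpose; from the hunk counts it appears to be added by this change. I would put `# wait 2 days before proposing a new release so a bad or compromised publish can be caught upstream first` above it. Cooldown delays version updates only, and Dependabot security updates are not held back by it, which is worth saying in the same comment so nobody raises the value expecting otherwise.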
87 changes: 47 additions & 40 deletions .github/workflows/.test.yml
@@ -1,7 +1,6 @@
# reusable workflow
name: .test

# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
contents: read

Expand All @@ -26,9 +25,9 @@ on:
includes:
required: false
type: string
env:
secrets:
codecov_token:
required: false
type: string

env:
GO_VERSION: "1.26"
Expand All @@ -46,10 +45,10 @@ jobs:
steps:
-
name: Set up QEMU
uses: docker/setup-qemu-action@v4
uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v4
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
with:
version: ${{ env.SETUP_BUILDX_VERSION }}
driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
Expand All @@ -61,38 +60,46 @@ jobs:
-
name: Set outputs
id: set
uses: actions/github-script@v8
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
INPUT_PKGS: ${{ inputs.pkgs }}
INPUT_KINDS: ${{ inputs.kinds }}
INPUT_TAGS: ${{ inputs.tags }}
INPUT_INCLUDES: ${{ inputs.includes }}
with:
script: |
const yaml = require('js-yaml');
await core.group(`Set pkgs matrix`, async () => {
const pkgs = `${{ inputs.pkgs }}`.trim().split(/\r?\n/);
core.info(JSON.stringify(pkgs, null, 2));
core.setOutput('pkgs', JSON.stringify(pkgs));
const pkgs = core.getMultilineInput('pkgs');
const matrix = pkgs.length ? pkgs : [''];
core.info(JSON.stringify(matrix, null, 2));
core.setOutput('pkgs', JSON.stringify(matrix));
});
await core.group(`Set kinds matrix`, async () => {
const kinds = `${{ inputs.kinds }}`.trim().split(/\r?\n/);
core.info(JSON.stringify(kinds, null, 2));
core.setOutput('kinds', JSON.stringify(kinds));
const kinds = core.getMultilineInput('kinds');
const matrix = kinds.length ? kinds : [''];
core.info(JSON.stringify(matrix, null, 2));
core.setOutput('kinds', JSON.stringify(matrix));
});
await core.group(`Set tags matrix`, async () => {
const tags = `${{ inputs.tags }}`.trim().split(/\r?\n/);
core.info(JSON.stringify(tags, null, 2));
core.setOutput('tags', JSON.stringify(tags));
const tags = core.getMultilineInput('tags');
const matrix = tags.length ? tags : [''];
core.info(JSON.stringify(matrix, null, 2));
core.setOutput('tags', JSON.stringify(matrix));
});
await core.group(`Set includes`, async () => {
const includes = yaml.load(`${{ inputs.includes }}`.trim());
const includes = yaml.load(core.getInput('includes'));
core.info(JSON.stringify(includes, null, 2));
core.setOutput('includes', JSON.stringify(includes ?? []));
});
-
name: Build
uses: docker/bake-action@v7
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
with:
targets: integration-tests-base
set: |
*.cache-from=type=gha,scope=${{ inputs.cache_scope }}
*.cache-to=type=gha,scope=${{ inputs.cache_scope }},repository=${{ github.repository }},ghtoken=${{ secrets.GITHUB_TOKEN }}
*.cache-to=type=gha,scope=${{ inputs.cache_scope }},repository=${{ github.repository }},ghtoken=${{ github.token }}

run:
runs-on: ubuntu-24.04
Expand Down Expand Up @@ -122,38 +129,41 @@ jobs:
steps:
-
name: Prepare
env:
PKG: ${{ matrix.pkg }}
KIND: ${{ matrix.kind }}
WORKER: ${{ matrix.worker }}
TAGS: ${{ matrix.tags }}
SKIP_INTEGRATION_TESTS: ${{ matrix.skip-integration-tests }}
run: |
for l in "${{ inputs.env }}"; do
echo "${l?}" >> $GITHUB_ENV
done
echo "TEST_REPORT_NAME=${{ github.job }}-$(echo "${{ matrix.pkg }}-${{ matrix.skip-integration-tests }}-${{ matrix.kind }}-${{ matrix.worker }}-${{ matrix.tags }}" | tr -dc '[:alnum:]-\n\r' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
testFlags="${{ env.TESTFLAGS }}"
if [ -n "${{ matrix.tags }}" ]; then
testFlags="${testFlags} --tags=${{ matrix.tags }}"
echo "TEST_REPORT_NAME=${GITHUB_JOB}-$(echo "${PKG}-${SKIP_INTEGRATION_TESTS}-${KIND}-${WORKER}-${TAGS}" | tr -dc '[:alnum:]-\n\r' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
testFlags="${TESTFLAGS}"
if [ -n "$TAGS" ]; then
testFlags="${testFlags} --tags=${TAGS}"
fi
if [ -n "${{ matrix.worker }}" ]; then
testFlags="${testFlags} --run=//worker=${{ matrix.worker }}$"
if [ -n "${WORKER}" ]; then
testFlags="${testFlags} --run=//worker=${WORKER}$"
fi
echo "TESTFLAGS=${testFlags}" >> $GITHUB_ENV
-
name: Checkout
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
name: Expose GitHub Runtime
uses: crazy-max/ghaction-github-runtime@v4
uses: crazy-max/ghaction-github-runtime@04d248b84655b509d8c44dc1d6f990c879747487 # v4.0.0
-
name: Set up QEMU
uses: docker/setup-qemu-action@v4
uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v4
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
with:
version: ${{ env.SETUP_BUILDX_VERSION }}
driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
buildkitd-flags: --debug
-
name: Build test image
uses: docker/bake-action@v7
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
with:
targets: integration-tests
set: |
Expand All @@ -164,8 +174,9 @@ jobs:
-
name: Test
run: |
./hack/test ${{ matrix.kind }}
./hack/test ${KIND}
env:
KIND: ${{ matrix.kind }}
TEST_REPORT_SUFFIX: -${{ env.TEST_REPORT_NAME }}
TEST_COVERAGE: 1
TESTPKGS: ${{ matrix.pkg }}
Expand All @@ -174,12 +185,12 @@ jobs:
-
name: Send to Codecov
if: always()
uses: codecov/codecov-action@v5
uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5.5.4
with:
directory: ./bin/testreports
flags: ${{ matrix.codecov_flags }}
disable_file_fixes: true
token: ${{ secrets.CODECOV_TOKEN }} # used to upload coverage reports: https://github.com/moby/buildkit/pull/4660#issue-2142122533
token: ${{ secrets.codecov_token }} # used to upload coverage reports: https://github.com/moby/buildkit/pull/4660#issue-2142122533
-
name: Generate annotations
if: always()
Expand All @@ -189,12 +200,8 @@ jobs:
-
name: Upload test reports
if: always()
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: test-reports-${{ env.TEST_REPORT_NAME }}
path: ./bin/testreports
retention-days: 1
-
name: Dump context
if: failure()
uses: crazy-max/ghaction-dump-context@v2
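Review bot: In the Prepare step, the `tr -dc '[:alnum:]-\n\r'` filter on the `TEST_REPORT_NAME` line still lets CR/LF through, and `echo "TESTFLAGS=${testFlags}" >> $GITHUB_ENV` writes `TAGS` and `WORKER` unfiltered, so a matrix value containing a line break would append extra `NAME=value` lines to `$GITHUB_ENV`. Moving the expressions into `env:` removes the shell-interpolation problem but not this one. The matrix values appear to derive from the `workflow_call` inputs (the matrix definition is outside the visible hunks), so I would reject line breaks before writing: use `tr -dc '[:alnum:]-'` for the report name and add `case "$TAGS$WORKER" in *$'\n'*) exit 1;; esac` ahead of the `TESTFLAGS` line. Quoting `"$GITHUB_ENV"` in the redirections would also be tidier.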
38 changes: 18 additions & 20 deletions .github/workflows/buildkit.yml
Expand Up @@ -4,7 +4,6 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
contents: read

Expand Down Expand Up @@ -40,17 +39,17 @@ jobs:
steps:
-
name: Checkout
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
name: Platforms matrix
id: platforms
uses: docker/bake-action/subaction/matrix@v7
uses: docker/bake-action/subaction/matrix@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
with:
target: release
fields: platforms

binaries:
uses: docker/github-builder/.github/workflows/bake.yml@v1
uses: docker/github-builder/.github/workflows/bake.yml@70313223e2665c3211b454b3fea6534624e78d64 # v1.4.0
permissions:
contents: read # same as global permission
id-token: write # for signing attestation(s) with GitHub OIDC Token
Expand All @@ -73,7 +72,7 @@ jobs:
steps:
-
name: Download artifacts
uses: actions/download-artifact@v8
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
path: /tmp/buildx-output
name: ${{ needs.binaries.outputs.artifact-name }}
Expand Down Expand Up @@ -102,15 +101,14 @@ jobs:
tree -nh .
-
name: Upload release binaries
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: buildkit-release
path: ${{ env.DESTDIR }}/*
if-no-files-found: error

test:
uses: ./.github/workflows/.test.yml
secrets: inherit
needs:
- binaries
with:
Expand All @@ -137,33 +135,33 @@ jobs:
- pkg: ./cache/remotecache/gha
worker: oci
typ: integration
secrets:
codecov_token: ${{ secrets.CODECOV_TOKEN }}

govulncheck:
runs-on: ubuntu-24.04
permissions:
# same as global permission
contents: read
# required to write sarif report
security-events: write
contents: read # same as global permission
security-events: write # required to write sarif report
steps:
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v4
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
with:
version: ${{ env.SETUP_BUILDX_VERSION }}
driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
buildkitd-flags: --debug
-
name: Run
uses: docker/bake-action@v7
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
with:
targets: govulncheck
env:
GOVULNCHECK_FORMAT: sarif
-
name: Upload SARIF report
if: ${{ github.ref == 'refs/heads/master' && github.repository == 'moby/buildkit' }}
uses: github/codeql-action/upload-sarif@v4
uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
with:
sarif_file: ${{ env.DESTDIR }}/govulncheck.out

Expand All @@ -175,7 +173,7 @@ jobs:
-
name: Set outputs
id: set
uses: actions/github-script@v8
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
INPUT_DEFAULT-BASE: alpine
INPUT_REF: ${{ github.ref }}
Expand Down Expand Up @@ -224,7 +222,7 @@ jobs:
core.setOutput('includes', JSON.stringify(matrix));

image:
uses: docker/github-builder/.github/workflows/bake.yml@v1
uses: docker/github-builder/.github/workflows/bake.yml@70313223e2665c3211b454b3fea6534624e78d64 # v1.4.0
needs:
- image-prepare
- test
Expand Down Expand Up @@ -308,10 +306,10 @@ jobs:
steps:
-
name: Checkout
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
name: Login to DockerHub
uses: docker/login-action@v4
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
Expand All @@ -329,7 +327,7 @@ jobs:
jq . ${{ steps.scout.outputs.result-file }}
-
name: Upload SARIF report
uses: github/codeql-action/upload-sarif@v4
uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
with:
sarif_file: ${{ steps.scout.outputs.result-file }}

Expand All @@ -345,7 +343,7 @@ jobs:
steps:
-
name: Download release binaries
uses: actions/download-artifact@v8
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
path: ${{ env.DESTDIR }}
name: buildkit-release
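Review bot: The `jq . ${{ steps.scout.outputs.result-file }}` line still expands an expression directly inside a `run:` script, unlike the Prepare and Test steps in `.test.yml`, which this PR moves to `env:` variables. The value is a file path produced by the scout step (defined outside the visible hunk), so the exposure looks low, but the pattern is the one the rest of the change removes. I would pass it as `env:` with `RESULT_FILE: ${{ steps.scout.outputs.result-file }}` and run `jq . "$RESULT_FILE"`, which also copes with paths containing spaces.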
7 changes: 3 additions & 4 deletions .github/workflows/buildx-image.yml
Expand Up @@ -13,7 +13,6 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
contents: read

Expand Down Expand Up @@ -50,20 +49,20 @@ jobs:
steps:
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v4
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
with:
version: ${{ env.SETUP_BUILDX_VERSION }}
buildkitd-flags: --debug
-
name: Login to DockerHub
if: github.event.inputs.dry-run != 'true'
uses: docker/login-action@v4
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
-
name: Create
uses: actions/github-script@v8
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
INPUT_SOURCE-TAG: ${{ inputs.source-tag }}
INPUT_DRY-RUN: ${{ inputs.dry-run }}
Expand Down