

Merge pull request #2331 from freedomofpress/zizmor
Lint our GitHub Actions workflows with zizmor
rocodes authored Dec 19, 2024
2 parents 53f872a + fb51305 commit b59ef3d
Showing 10 changed files with 75 additions and 5 deletions.
11 changes: 11 additions & 0 deletions .github/workflows/build.yml
Expand Up @@ -25,8 +25,11 @@ jobs:
- run: |
apt-get update && apt-get install --yes git git-lfs sudo make
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/checkout@v4
with:
persist-credentials: false
repository: "freedomofpress/securedrop-builder"
path: "securedrop-builder"
lfs: true
Expand Down Expand Up @@ -54,8 +57,11 @@ jobs:
artifact_id: ${{ steps.upload.outputs.artifact-id }}
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/checkout@v4
with:
persist-credentials: false
repository: "freedomofpress/securedrop-builder"
path: "securedrop-builder"
lfs: true
Expand All @@ -81,8 +87,11 @@ jobs:
artifact_id: ${{ steps.upload.outputs.artifact-id }}
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/checkout@v4
with:
persist-credentials: false
repository: "freedomofpress/securedrop-builder"
path: "securedrop-builder"
lfs: true
Expand Down Expand Up @@ -145,6 +154,8 @@ jobs:
- build-debs
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/download-artifact@v4
with:
pattern: "build-${{ matrix.debian_version }}"
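Review bot: Every `uses:` line in these hunks still references the action by a mutable tag, e.g. `- uses: actions/checkout@v4` at each checkout step, and the same holds for the workflow hunks in cargo-vet.yml, ci.yml, nightlies.yml, sdk.yml, security.yml and test.yml in this commit. A tag can be moved to different code after it was reviewed, so the stronger supply-chain control is pinning to the full commit SHA and keeping the tag as a trailing comment, `- uses: actions/checkout@<full-commit-sha-of-the-v4-tag> # v4`. Whether zizmor reports tag-pinned actions under the default settings depends on the version and persona in use, so it is worth confirming rather than assuming the new lint covers it. The enclosing jobs in each hunk start above the hunk.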
4 changes: 3 additions & 1 deletion .github/workflows/cargo-vet.yml
Expand Up @@ -21,13 +21,15 @@ jobs:
CARGO_VET_VERSION: 0.10.0
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/cache@v4
id: cache-vet
with:
path: /usr/local/cargo/bin/cargo-vet
key: cargo-vet-${{ env.CARGO_VET_VERSION }}
- name: Install the cargo-vet binary, if needed
if: ${{ steps.cache-vet.outputs.cache-hit != 'true' }}
run: cargo install --version ${{ env.CARGO_VET_VERSION }} cargo-vet
run: cargo install --version $CARGO_VET_VERSION cargo-vet
- name: Invoke cargo-vet
run: cargo vet --locked
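Review bot: The rewritten install line `run: cargo install --version $CARGO_VET_VERSION cargo-vet` resolves cargo-vet's own dependency tree fresh at install time, while the next step runs `cargo vet --locked`; pinning the tool's version but not its lockfile leaves the checking tool less reproducible than the check it performs. Adding `--locked`, and quoting the variable as shellcheck would ask, gives `run: cargo install --locked --version "$CARGO_VET_VERSION" cargo-vet`. Since the binary is restored from `actions/cache` keyed on the version only, a previously built binary is reused as-is on cache hit, which is fine as long as the key changes whenever the version does. The job definition starts above this hunk.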
12 changes: 12 additions & 0 deletions .github/workflows/ci.yml
Expand Up @@ -25,6 +25,8 @@ jobs:
- run: |
apt-get update && apt-get install --yes git make apparmor
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Lint AppArmor profiles
run: |
make lint-apparmor
Expand All @@ -40,6 +42,8 @@ jobs:
- run: |
apt-get update && apt-get install --yes git make desktop-file-utils
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Lint .desktop files
run: |
make lint-desktop
Expand All @@ -55,6 +59,8 @@ jobs:
- run: |
apt-get update && apt-get install --yes git make file python3-poetry
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Install dependencies
run: |
poetry install
Expand All @@ -80,6 +86,8 @@ jobs:
- run: |
apt-get update && apt-get install --yes git make gnupg python3-poetry
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Install dependencies
run: |
poetry -C ${{ matrix.component }} install
Expand All @@ -96,6 +104,8 @@ jobs:
- run: |
apt-get update && apt-get install --yes git make python3-poetry
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Run safety
run: |
poetry install
Expand All @@ -108,6 +118,8 @@ jobs:
container: rust:1.81.0
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Configure Qubes repository
run: |
cp scripts/qubes_42.sources /etc/apt/sources.list.d/
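Review bot: The `container: rust:1.81.0` line in the last hunk references the image by a mutable tag, so the job's toolchain can change underneath it with no diff in this repository; the same line appears in security.yml in this commit. Pinning the image by digest, `container: rust:1.81.0@sha256:<digest-of-the-rust-1.81.0-image>`, makes the build environment reproducible in the same way a commit SHA does for actions, and the tag stays readable in the reference. As far as I can tell this is outside zizmor's scope, so the new lint will not surface it. The job definitions start above each hunk.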
7 changes: 7 additions & 0 deletions .github/workflows/nightlies.yml
Expand Up @@ -27,8 +27,11 @@ jobs:
artifact_id: ${{ steps.upload.outputs.artifact-id }}
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/checkout@v4
with:
persist-credentials: false
repository: "freedomofpress/securedrop-builder"
path: "securedrop-builder"
lfs: true
Expand Down Expand Up @@ -58,12 +61,16 @@ jobs:
pattern: "*${{ matrix.debian_version }}"
- uses: actions/checkout@v4
with:
# We need to store credentials here
persist-credentials: true
repository: "freedomofpress/securedrop-apt-test"
path: "securedrop-apt-test"
lfs: true
token: ${{ secrets.PUSH_TOKEN }}
- uses: actions/checkout@v4
with:
# We need to store credentials here
persist-credentials: true
repository: "freedomofpress/build-logs"
path: "build-logs"
token: ${{ secrets.PUSH_TOKEN }}
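Review bot: The comment `# We need to store credentials here` added above each `persist-credentials: true` in the second hunk says that credentials are kept but not why, which is exactly what a reader auditing a checkout with `token: ${{ secrets.PUSH_TOKEN }}` needs. Presumably a later step pushes to `securedrop-apt-test` and `build-logs`; if so, a comment such as `# Persisted so a later step can push with PUSH_TOKEN; the token ends up in this checkout's .git/config, so keep it scoped to these two repositories` would make the exception from the `persist-credentials: false` default self-explaining. Naming the consuming step also makes it obvious when the persistence becomes unnecessary if that step is ever removed. The job's remaining steps are outside the hunk.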
3 changes: 3 additions & 0 deletions .github/workflows/sdk.yml
Expand Up @@ -20,8 +20,11 @@ jobs:
DOCKERIZE_VERSION: "v0.7.0"
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/checkout@v4
with:
persist-credentials: false
repository: "freedomofpress/securedrop"
path: "securedrop-server"
- uses: actions/setup-python@v5
2 changes: 2 additions & 0 deletions .github/workflows/security.yml
Expand Up @@ -10,6 +10,8 @@ jobs:
container: rust:1.81.0
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Check Rust dependencies
run: |
cargo install cargo-audit
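Review bot: `cargo install cargo-audit` in this hunk installs whichever version is current on crates.io at run time, with freshly resolved dependencies, which is inconsistent with cargo-vet.yml in the same commit where the tool version is pinned through `CARGO_VET_VERSION`. Pinning here too, `cargo install --locked --version <pinned-cargo-audit-version> cargo-audit`, keeps the security check itself reproducible and makes tool upgrades show up as reviewable diffs. The `run:` block continues below the hunk.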
7 changes: 6 additions & 1 deletion .github/workflows/test.yml
Expand Up @@ -33,7 +33,6 @@ jobs:
steps:
- run: |
apt-get update && apt-get install --yes git make gnupg sudo python3-poetry
- uses: actions/checkout@v4
- name: Setup user
run: |
# We want to run tests as a regular user, similar to Qubes VMs
Expand All @@ -42,6 +41,8 @@ jobs:
run: apt-get install --yes build-essential curl libssl-dev pkg-config
if: ${{ matrix.component == 'proxy' }}
- uses: actions/checkout@v4
with:
persist-credentials: false
# Install Rust, keep in sync with rust-toolchain.toml
- uses: dtolnay/rust-toolchain@1.81.0
if: ${{ matrix.component == 'proxy' }}
Expand Down Expand Up @@ -74,6 +75,8 @@ jobs:
- run: |
apt-get update && apt-get install --yes git make gnupg sudo python3-poetry
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Setup user
run: |
# We want to run tests as a regular user, similar to Qubes VMs
Expand All @@ -100,6 +103,8 @@ jobs:
- run: |
apt-get update && apt-get install --yes git make python3-poetry
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Install dependencies
run: |
poetry -C client install
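Review bot: The first hunk drops the `- uses: actions/checkout@v4` that preceded the `Setup user` step, so in the new order the repository is checked out only after that step runs (the checkout kept in the second hunk). If `Setup user` adjusts ownership or permissions of the workspace for the regular test user — the comment `# We want to run tests as a regular user, similar to Qubes VMs` hints at that, but the step body lies outside the hunk — the files fetched by the later checkout will not receive that treatment, so it is worth confirming the tests still run as the intended user. If the two checkouts were simply duplicates, a one-line comment on the remaining one saying so would keep the question from coming up again.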
6 changes: 5 additions & 1 deletion Makefile
Expand Up @@ -27,7 +27,7 @@ lint-desktop: ## Lint .desktop files
find . -name *.desktop -type f -not -path '*/\.git/*' | xargs desktop-file-validate

.PHONY: lint
lint: check-ruff shellcheck ## Run linters and formatters
lint: check-ruff shellcheck zizmor ## Run linters and formatters

.PHONY: fix
fix: ## Fix lint and formatting issues
Expand All @@ -54,6 +54,10 @@ safety: ## Run safety dependency checks on build dependencies
shellcheck: ## Lint shell scripts
@poetry run ./scripts/shellcheck.sh

.PHONY: zizmor
zizmor: ## Lint GitHub Actions workflows
@poetry run zizmor .

.PHONY: rust-lint
rust-lint: ## Lint Rust code
cargo fmt --check
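Review bot: The new `zizmor` target runs `@poetry run zizmor .` with no persona or severity option, so it reports only what zizmor's default persona enables; as far as I recall, the lower-confidence audits such as the one for actions referenced by tag rather than commit SHA are emitted only under the stricter persona, selected with `--pedantic` or `--persona pedantic` depending on the installed version. If those findings are wanted, `@poetry run zizmor --persona pedantic .` would surface them, possibly with a config file to suppress accepted ones. A short comment on the target stating the chosen strictness would make it clear the default was deliberate.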
27 changes: 25 additions & 2 deletions poetry.lock


1 change: 1 addition & 0 deletions pyproject.toml
Expand Up @@ -15,6 +15,7 @@ python = "^3.11"
ruff = "^0.6.4"
safety = "*"
shellcheck-py = "*"
zizmor = "*"

[tool.ruff]
line-length = 100

