
ci: Enable zizmor CI workflow linting
And fix the issues.
larseggert committed Feb 3, 2025
1 parent 9a7ba21 commit 79c8c57
Showing 20 changed files with 196 additions and 111 deletions.
95 changes: 54 additions & 41 deletions .github/actions/nss/action.yml
Expand Up @@ -9,12 +9,23 @@ inputs:
description: "Minimum required version of NSS"
required: true

outputs:
nss-dir:
description: "Path to the NSS source directory"
value: ${{ steps.nss.outputs.nss-dir }}
nss-target:
description: "Type of build (Debug or Release)"
value: ${{ steps.nss.outputs.nss-target }}
nss-prebuilt:
description: "Whether NSS was prebuilt"
value: ${{ steps.nss.outputs.nss-prebuilt }}

runs:
using: composite
steps:
- name: Install system NSS (Linux)
shell: bash
if: runner.os == 'Linux' && runner.environment == 'github-hosted'
if: runner.os == 'Linux' && env.RUNNER_ENVIRONMENT == 'github-hosted'
env:
DEBIAN_FRONTEND: noninteractive
run: |
Expand All @@ -23,41 +34,40 @@ runs:
- name: Install system NSS (MacOS)
shell: bash
if: runner.os == 'MacOS' && runner.environment == 'github-hosted'
if: runner.os == 'MacOS' && env.RUNNER_ENVIRONMENT == 'github-hosted'
run: |
[ "$BREW_UPDATED" ] || brew update && echo "BREW_UPDATED=1" >> "$GITHUB_ENV"
brew install nss
- name: Check system NSS version
id: nss
env:
MIN_VERSION: ${{ inputs.minimum-version }}
shell: bash
run: |
if ! command -v pkg-config &> /dev/null; then
echo "pkg-config: not found"
echo "USE_SYSTEM_NSS=0" >> "$GITHUB_ENV"
exit 0
fi
if ! pkg-config --exists nss; then
echo "pkg-config: NSS not found"
echo "USE_SYSTEM_NSS=0" >> "$GITHUB_ENV"
exit 0
fi
NSS_VERSION="$(pkg-config --modversion nss)"
if [ "$?" -ne 0 ]; then
echo "pkg-config: failed to determine NSS version"
echo "USE_SYSTEM_NSS=0" >> "$GITHUB_ENV"
exit 0
fi
NSS_MAJOR=$(echo "$NSS_VERSION" | cut -d. -f1)
NSS_MINOR=$(echo "$NSS_VERSION" | cut -d. -f2)
REQ_NSS_MAJOR=$(echo "${{ inputs.minimum-version}}" | cut -d. -f1)
REQ_NSS_MINOR=$(echo "${{ inputs.minimum-version}}" | cut -d. -f2)
REQ_NSS_MAJOR=$(echo "$MIN_VERSION" | cut -d. -f1)
REQ_NSS_MINOR=$(echo "$MIN_VERSION" | cut -d. -f2)
if [[ "$NSS_MAJOR" -lt "$REQ_NSS_MAJOR" || "$NSS_MAJOR" -eq "$REQ_NSS_MAJOR" && "$NSS_MINOR" -lt "$REQ_NSS_MINOR" ]]; then
echo "System NSS is too old: $NSS_VERSION"
echo "USE_SYSTEM_NSS=0" >> "$GITHUB_ENV"
exit 0
fi
echo "System NSS is suitable: $NSS_VERSION"
echo "USE_SYSTEM_NSS=1" >> "$GITHUB_ENV"
echo "use_system_nss=1" >> "$GITHUB_OUTPUT"
- name: Use sccache
# Apparently the action can't be installed twice in the same workflow, so check if
Expand All @@ -66,11 +76,11 @@ runs:
#
# Also, only enable sscache on our self-hosted runner, because the GitHub cache limit
# is too small for this to be effective there.
if: env.SCCACHE_ENABLED != '1' && env.USE_SYSTEM_NSS == '0' && runner.environment != 'github-hosted'
if: env.SCCACHE_ENABLED != '1' && !steps.nss.outputs.use_system_nss && env.RUNNER_ENVIRONMENT != 'github-hosted'
uses: mozilla-actions/sccache-action@2e7f9ec7921547d4b46598398ca573513895d0bd # v0.0.4

- name: Enable sscache
if: env.USE_SYSTEM_NSS == '0' && runner.environment != 'github-hosted'
if: ${{ !steps.nss.outputs.use_system_nss && env.RUNNER_ENVIRONMENT != 'github-hosted' }}
shell: bash
run: |
echo "SCCACHE_ENABLED=1" >> "$GITHUB_ENV"
Expand All @@ -81,72 +91,74 @@ runs:
fi
echo "CMAKE_C_COMPILER_LAUNCHER=sccache" >> "$GITHUB_ENV"
echo "CMAKE_CXX_COMPILER_LAUNCHER=sccache" >> "$GITHUB_ENV"
if [ "${{ runner.environment }}" == "github-hosted" ]; then
if [ "$RUNNER_ENVIRONMENT" == "github-hosted" ]; then
echo "SCCACHE_GHA_ENABLED=true" >> "$GITHUB_ENV"
fi
- name: Checkout NSS
if: env.USE_SYSTEM_NSS == '0'
if: ${{ !steps.nss.outputs.use_system_nss }}
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
repository: nss-dev/nss
path: nss

- name: Checkout NSPR
if: env.USE_SYSTEM_NSS == '0'
if: ${{ !steps.nss.outputs.use_system_nss }}
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
repository: nss-dev/nspr
path: nspr

- name: Get head revisions
if: env.USE_SYSTEM_NSS == '0'
id: heads
if: ${{ !steps.nss.outputs.use_system_nss }}
shell: bash
run: |
NSS_HEAD=$(git -C nss rev-parse HEAD)
NSPR_HEAD=$(git -C nspr rev-parse HEAD)
echo "NSS_HEAD=$NSS_HEAD" >> "$GITHUB_ENV"
echo "NSPR_HEAD=$NSPR_HEAD" >> "$GITHUB_ENV"
echo "nss_head=$NSS_HEAD" >> "$GITHUB_OUTPUT"
echo "nspr_head=$NSPR_HEAD" >> "$GITHUB_OUTPUT"
- name: Cache NSS
id: cache
if: env.USE_SYSTEM_NSS == '0' && runner.environment == 'github-hosted'
if: ${{ !steps.nss.outputs.use_system_nss && env.RUNNER_ENVIRONMENT == 'github-hosted' }}
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
with:
path: dist
key: nss-${{ runner.os }}-${{ runner.arch }}-${{ inputs.type }}-${{ env.NSS_HEAD }}-${{ env.NSPR_HEAD }}
key: nss-${{ runner.os }}-${{ runner.arch }}-${{ inputs.type }}-${{ steps.heads.outputs.nss_head }}-${{ steps.heads.outputs.NSPR_HEAD }}

- name: Check if build is needed
if: env.USE_SYSTEM_NSS == '0'
id: check_build
if: ${{ !steps.nss.outputs.use_system_nss }}
env:
CACHE_HIT: ${{ steps.cache.outputs.cache-hit }}
shell: bash
run: |
if [ "${{ runner.environment }}" != "github-hosted" ] || [ "${{ steps.cache.outputs.cache-hit }}" == "" ]; then
if [ "$RUNNER_ENVIRONMENT" != "github-hosted" ] || [ "$CACHE_HIT" == "" ]; then
echo "Building NSS from source"
echo "BUILD_NSS=1" >> "$GITHUB_ENV"
echo "build_nss=1" >> "$GITHUB_OUTPUT"
else
echo "Using cached prebuilt NSS"
echo "BUILD_NSS=0" >> "$GITHUB_ENV"
fi
- name: Install build dependencies (Linux)
shell: bash
if: runner.os == 'Linux' && env.BUILD_NSS == '1' && runner.environment == 'github-hosted'
if: ${{ runner.os == 'Linux' && steps.check_build.build_nss && env.RUNNER_ENVIRONMENT == 'github-hosted' }}
env:
DEBIAN_FRONTEND: noninteractive
run: sudo apt-get install -y --no-install-recommends gyp ninja-build

- name: Install build dependencies (MacOS)
shell: bash
if: runner.os == 'MacOS' && env.BUILD_NSS == '1'
if: runner.os == 'MacOS' && steps.check_build.build_nss
run: |
brew install ninja
echo "gyp-next>=0.18.1" > req.txt
python3 -m pip install --user --break-system-packages -r req.txt
echo "$(python3 -m site --user-base)/bin" >> "$GITHUB_PATH"
python3 -m pip install --break-system-packages -r req.txt
- name: Install build dependencies (Windows)
shell: bash
if: runner.os == 'Windows' && env.BUILD_NSS == '1'
if: runner.os == 'Windows' && steps.check_build.build_nss
run: |
# shellcheck disable=SC2028
{
Expand All @@ -158,14 +170,14 @@ runs:
python3 -m pip install -r req.txt
- name: Set up MSVC (Windows)
if: runner.os == 'Windows' && env.BUILD_NSS == '1'
uses: ilammy/msvc-dev-cmd@v1
if: runner.os == 'Windows' && steps.check_build.build_nss
uses: ilammy/msvc-dev-cmd@v1 # zizmor: ignore[unpinned-uses]
# TODO: Would like to pin this, but the Mozilla org allowlist requires "ilammy/msvc-dev-cmd@v1*"
# uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0

- name: Set up build environment (Windows)
shell: bash
if: runner.os == 'Windows' && env.BUILD_NSS == '1'
if: runner.os == 'Windows' && steps.check_build.build_nss
run: |
{
echo "GYP_MSVS_OVERRIDE_PATH=$VSINSTALLDIR"
Expand All @@ -177,24 +189,25 @@ runs:
- name: Set up environment
shell: bash
if: env.USE_SYSTEM_NSS == '0'
if: ${{ !steps.nss.outputs.use_system_nss }}
env:
NSS_TARGET: ${{ inputs.type }}
run: |
NSS_TARGET="${{ inputs.type }}"
echo "NSS_TARGET=$NSS_TARGET" >> "$GITHUB_ENV"
NSS_OUT="$NSS_DIR/../dist/$NSS_TARGET"
NSS_OUT="${{ github.workspace}}/nss/../dist/$NSS_TARGET"
echo "LD_LIBRARY_PATH=$NSS_OUT/lib" >> "$GITHUB_ENV"
echo "DYLD_FALLBACK_LIBRARY_PATH=$NSS_OUT/lib" >> "$GITHUB_ENV"
echo "$NSS_OUT/lib" >> "$GITHUB_PATH"
echo "NSS_DIR=$NSS_DIR" >> "$GITHUB_ENV"
echo "NSS_PREBUILT=1" >> "$GITHUB_ENV"
env:
NSS_DIR: ${{ github.workspace }}/nss
echo "nss-target=$NSS_TARGET" >> "$GITHUB_OUTPUT"
echo "nss-dir=${{ github.workspace}}/nss" >> "$GITHUB_OUTPUT"
echo "nss-prebuilt=1" >> "$GITHUB_OUTPUT"
- name: Build
shell: bash
if: env.BUILD_NSS == '1'
if: steps.check_build.build_nss
env:
NSS_TARGET: ${{ inputs.type }}
run: |
if [ "${{ inputs.type }}" != "Debug" ]; then
if [ "$NSS_TARGET" != "Debug" ]; then
# We want to do an optimized build for accurate CPU profiling, but
# we also want debug symbols and frame pointers for that, which the normal optimized NSS
# build process doesn't provide.
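Review bot: The six conditions rewritten as `steps.check_build.build_nss` (the Linux, MacOS and Windows dependency steps, the MSVC and build-environment steps, and the Build step) omit the `outputs` segment, so they evaluate to empty and every build step is skipped whenever system NSS is unavailable; each should read `steps.check_build.outputs.build_nss`. The cache key in the same file references `steps.heads.outputs.NSPR_HEAD` while the step writes `nspr_head`, so it should be `${{ steps.heads.outputs.nspr_head }}` to match `nss_head` (if output lookup is case-sensitive, the key currently loses the NSPR revision). The new action outputs `nss-dir`, `nss-target` and `nss-prebuilt` are read from `steps.nss.outputs`, but `id: nss` belongs to the "Check system NSS version" step, while those values are written by "Set up environment", which has no id in the shown lines; give that step an id and point the outputs at it. The Build step's body continues outside the hunk.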
12 changes: 8 additions & 4 deletions .github/actions/pr-comment-data-export/action.yml
Expand Up @@ -22,13 +22,17 @@ runs:
steps:
- if: github.event_name == 'pull_request'
shell: bash
env:
CONTENTS: ${{ inputs.contents }}
NAME: ${{ inputs.name }}
LOG_URL: ${{ inputs.log-url }}
run: |
mkdir comment-data
cp "${{ inputs.contents }}" comment-data/contents
echo "${{ inputs.name }}" > comment-data/name
cp "$CONTENTS" comment-data/contents
echo "$NAME" > comment-data/name
echo "${{ github.event.number }}" > comment-data/pr-number
if [ -n "${{ inputs.log-url }}" ]; then
echo "${{ inputs.log-url }}" > comment-data/log-url
if [ -n "$LOG_URL" ]; then
echo "$LOG_URL" > comment-data/log-url
fi
- if: github.event_name == 'pull_request'
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
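Review bot: `echo "${{ github.event.number }}" > comment-data/pr-number` still expands a template inside `run:` while the inputs around it were moved into `env:`; for consistency, and so the script reads as plain shell, add `PR_NUMBER: ${{ github.event.number }}` to the env block and write `echo "$PR_NUMBER" > comment-data/pr-number`. The step's `if:` and the enclosing `runs:` block start before the hunk.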
25 changes: 16 additions & 9 deletions .github/actions/quic-interop-runner/action.yml
Expand Up @@ -54,20 +54,25 @@ runs:
shell: bash

- name: Run tests
env:
CLIENT: ${{ inputs.client }}
SERVER: ${{ inputs.server }}
TEST: ${{ inputs.test }}
IMPLEMENTATIONS: ${{ inputs.implementations }}
run: |
cd quic-interop-runner
if [ -n "${{ inputs.implementations }}" ]; then
echo '${{ inputs.implementations }}' > implementations.json
if [ -n "$IMPLEMENTATIONS" ]; then
echo '$IMPLEMENTATIONS' > implementations.json
fi
ARGS="--log-dir ../logs --json ../result.json"
if [ -n "${{ inputs.client }}" ]; then
ARGS="$ARGS --client ${{ inputs.client }}"
if [ -n "$CLIENT" ]; then
ARGS="$ARGS --client $CLIENT"
fi
if [ -n "${{ inputs.server }}" ]; then
ARGS="$ARGS --server ${{ inputs.server }}"
if [ -n "$SERVER" ]; then
ARGS="$ARGS --server $SERVER"
fi
if [ -n "${{ inputs.test }}" ]; then
ARGS="$ARGS --test ${{ inputs.test }}"
if [ -n "$TEST" ]; then
ARGS="$ARGS --test $TEST"
fi
# Don't fail CI if the interop test fails
set -o pipefail
Expand Down Expand Up @@ -104,8 +109,10 @@ runs:

- name: Store log URL
if: always()
env:
ARTIFACT_URL: ${{ steps.upload-logs.outputs.artifact-url }}
run: |
jq '. + {log_url: "${{ steps.upload-logs.outputs.artifact-url }}"}' \
jq '. + {log_url: "$ARTIFACT_URL"}'
< result.json > result.json.tmp && \
mv result.json.tmp result.json
shell: bash
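Review bot: `echo '$IMPLEMENTATIONS' > implementations.json` in the "Run tests" step is single-quoted, so the file now contains the literal text `$IMPLEMENTATIONS` instead of the JSON passed via `inputs.implementations` (the quotes were right when the template was expanded before the shell ran, not for an environment variable); it should be `echo "$IMPLEMENTATIONS" > implementations.json`. The "Store log URL" hunk has the same problem: `$ARTIFACT_URL` sits inside a single-quoted jq program, so `log_url` is recorded as the literal string, and as rendered here the rewritten line also dropped the trailing `\`, so `< result.json > result.json.tmp && mv …` runs as a separate command that replaces result.json with an empty file. Pass the value through jq instead: `jq --arg url "$ARTIFACT_URL" '. + {log_url: $url}' \` followed by the existing redirect and `mv` lines.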
15 changes: 8 additions & 7 deletions .github/actions/rust/action.yml
Expand Up @@ -35,12 +35,12 @@ runs:
#
# Also, only enable sscache on our self-hosted runner, because the GitHub cache limit
# is too small for this to be effective there.
if: env.SCCACHE_ENABLED != '1' && runner.environment != 'github-hosted'
if: env.SCCACHE_ENABLED != '1' && env.RUNNER_ENVIRONMENT != 'github-hosted'
uses: mozilla-actions/sccache-action@2e7f9ec7921547d4b46598398ca573513895d0bd # v0.0.4

- name: Install build dependencies (Linux)
shell: bash
if: runner.os == 'Linux' && runner.environment == 'github-hosted'
if: runner.os == 'Linux' && env.RUNNER_ENVIRONMENT == 'github-hosted'
env:
DEBIAN_FRONTEND: noninteractive
run: |
Expand All @@ -65,23 +65,23 @@ runs:
} >> "$GITHUB_ENV"
- name: Enable sscache
if: runner.environment != 'github-hosted'
if: env.RUNNER_ENVIRONMENT != 'github-hosted'
shell: bash
run: |
echo "SCCACHE_ENABLED=1" >> "$GITHUB_ENV"
echo "RUSTC_WRAPPER=sccache" >> "$GITHUB_ENV"
if [ "${{ runner.environment }}" == "github-hosted" ]; then
if [ "$RUNNER_ENVIRONMENT" == "github-hosted" ]; then
echo "SCCACHE_GHA_ENABLED=true" >> "$GITHUB_ENV"
fi
- name: Enable Rust cache
uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2.7.7
with:
cache-bin: ${{ runner.environment == 'github-hosted' }}
cache-bin: ${{ env.RUNNER_ENVIRONMENT == 'github-hosted' }}

- name: Set up MSVC (Windows)
if: runner.os == 'Windows'
uses: ilammy/msvc-dev-cmd@v1
uses: ilammy/msvc-dev-cmd@v1 # zizmor: ignore[unpinned-uses]
# TODO: Would like to pin this, but the Mozilla org allowlist requires "ilammy/msvc-dev-cmd@v1*"
# uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0

Expand All @@ -104,5 +104,6 @@ runs:
if: inputs.tools != ''
env:
GITHUB_TOKEN: ${{ inputs.token }}
TOOLS: ${{ inputs.tools }}
# FIXME: See https://github.com/Swatinem/rust-cache/issues/204 for why `--force`.
run: cargo quickinstall --force $(echo ${{ inputs.tools }} | tr -d ",")
run: cargo quickinstall --force $(echo $TOOLS | tr -d ",")
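Review bot: `$(echo $TOOLS | tr -d ",")` leaves `$TOOLS` unquoted inside the command substitution, so a tool list containing glob characters or repeated whitespace is mangled by the shell before `tr` sees it (shellcheck SC2086, which actionlint's shellcheck pass would likely report now that a variable is involved); write `run: cargo quickinstall --force $(echo "$TOOLS" | tr -d ",")`. The outer substitution is deliberately unquoted so the names split into separate arguments; a short comment saying so would stop the next reader from "fixing" it.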
27 changes: 26 additions & 1 deletion .github/workflows/actionlint.yml
Expand Up @@ -23,10 +23,35 @@ jobs:
shell: bash
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false

- name: Download actionlint
id: get_actionlint
run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)

- name: Check workflow files
env:
ACTIONLINT: ${{ steps.get_actionlint.outputs.executable }}
run: |
echo "::add-matcher::.github/actionlint-matcher.json"
${{ steps.get_actionlint.outputs.executable }} -color
$ACTIONLINT -color
zizmor:
name: zizmor 🌈
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false

- uses: astral-sh/setup-uv@4db96194c378173c656ce18a155ffc14a9fc4355 # v5.2.2

- run: uvx zizmor --format sarif . > results.sarif
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
with:
sarif_file: results.sarif
category: zizmor
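Review bot: The new `zizmor` job has no `permissions:` block in the shown lines, but `github/codeql-action/upload-sarif` needs `security-events: write` to publish to code scanning; unless the workflow grants that at the top level (not visible here), the upload will fail, so add `permissions:` with `contents: read` and `security-events: write` to the job. The upload step also runs only if the `uvx zizmor` step exits zero, and zizmor signals findings through its exit code, so on exactly the runs with findings the SARIF would never be uploaded; either add `continue-on-error: true` to the scan step or pass zizmor's `--no-exit-codes` and let code scanning gate the result. `uvx zizmor` also resolves to whatever the latest release is at run time, unlike every action in this file, which is commit-pinned; `uvx zizmor==<version>` (placeholder) would make the lint reproducible.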
