github-actions: fix all zizmor pedantic findings and add zizmor CI workflow#2428
Open
Dorcas-BD wants to merge 1 commit into rust-lang:master from
Conversation
Member:
Hi, could you please split this into multiple PRs?
Thank you.
Fixes most findings reported by `zizmor --pedantic` across all workflow files.

Changes:
- `unpinned-uses`
- `persist-credentials: false` to all `actions/checkout` steps to fix `artipacked`
- `${{ toJson(needs) }}` to an env variable in the `conclusion` job to fix `template-injection`
- `template-injection` in `nightly.yml` by using `${RUSTC_PERF_VERSION}` instead of `${{ env.RUSTC_PERF_VERSION }}` in shell
- `cache-from`/`cache-to` and add `no-cache: true` to Docker build steps to fix `cache-poisoning`
- `name:` to anonymous `docker` and `conclusion` jobs to fix `anonymous-definition`
- `contents: write` permission to fix `undocumented-permissions`
- `.github/zizmor.yml` to suppress findings that will be addressed in follow-up PRs
- `.github/workflows/zizmor.yml` to run zizmor on every PR and prevent regressions. Passes `GITHUB_TOKEN` for full audit coverage.

Pending findings (to be fixed in follow-up PRs):
- `unpinned-images`: postgres images need SHA256 digest pins, which require looking up the exact digest for each image version
- `concurrency-limits`: adding concurrency settings needs careful consideration per workflow to avoid cancelling jobs unintentionally
- `archived-uses`: `actions-rs/cargo` is archived and needs replacing with a direct `cargo build`, but this needs testing to ensure it doesn't break the nightly release
- `misfeature`: replacing `shell: cmd` on Windows needs testing to ensure the toolchain install commands still work
- `stale-action-refs`: simpleinfra and `actions-rs/cargo` refs need updating, but are tied to the above changes
- `superfluous-actions`: replacing `ncipollo/release-action` with `gh release` is a non-trivial change that needs careful testing
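The workflow fragment below is an added illustration of the fixes the PR description lists; it is not taken from this PR or from the rust-lang repository's workflow files. It shows a job written the way zizmor flags it (`artipacked`, `template-injection`, `unpinned-uses`, `undocumented-permissions`) beside the hardened form, plus a minimal zizmor job of the kind the PR adds. The job name `conclusion` and the variable `RUSTC_PERF_VERSION` come from the PR description; the step contents, the placeholder commit SHA and the install command are assumptions for the example.

```yaml
# Added example, not the PR's own workflow. Names other than `conclusion` and
# RUSTC_PERF_VERSION are placeholders chosen for illustration.
name: ci
on:
  pull_request:

# undocumented-permissions: declare the token scope explicitly at the top level
permissions:
  contents: read

jobs:
  # ---- BEFORE: patterns zizmor --pedantic reports ----
  build-before:
    runs-on: ubuntu-latest
    steps:
      # unpinned-uses: a tag is mutable; artipacked: the checkout leaves
      # GITHUB_TOKEN in .git/config, where later steps or artifacts can read it
      - uses: actions/checkout@v4
      - run: |
          # template-injection: the expression is pasted into the script text
          # before bash sees it, so its value is interpreted as shell syntax
          echo "perf version ${{ env.RUSTC_PERF_VERSION }}"
        env:
          RUSTC_PERF_VERSION: example-value   # constructed sample value

  # ---- AFTER: the same steps hardened ----
  build-after:
    runs-on: ubuntu-latest
    steps:
      # pin to a full commit SHA (placeholder below) and keep the comment with
      # the human-readable tag so the pin can be reviewed
      - uses: actions/checkout@<full-40-char-commit-sha>   # v4
        with:
          persist-credentials: false       # artipacked: nothing left on disk
      - run: |
          # the value reaches bash as an environment variable, never as code
          echo "perf version ${RUSTC_PERF_VERSION}"
        env:
          RUSTC_PERF_VERSION: example-value   # constructed sample value

  conclusion:
    needs: [build-after]
    runs-on: ubuntu-latest
    env:
      # evaluate the expression once into an env var; the shell body contains
      # no ${{ }} at all, so job results cannot alter the script
      NEEDS_JSON: ${{ toJson(needs) }}
    steps:
      - run: |
          echo "$NEEDS_JSON"

  # ---- a zizmor check of the kind the PR adds as a separate workflow ----
  zizmor:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@<full-40-char-commit-sha>   # v4
        with:
          persist-credentials: false
      - run: pip install zizmor            # assumption: install from PyPI
      - run: zizmor --pedantic .github/workflows
        env:
          # zizmor reads GH_TOKEN to resolve action refs for a fuller audit
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The two `build-*` jobs differ only in the points zizmor reports, so diffing them against each other is a quick way to see why each finding is about untrusted input reaching either the shell parser or the checked-out tree. Running `zizmor --pedantic` locally on this file with `build-before` left in place reproduces the findings; removing that job makes the run clean apart from the placeholder SHA, which a real pin replaces.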