From c3e5275b7b92093cce22e1332d6943bcf530ba42 Mon Sep 17 00:00:00 2001 From: Robbie Blaine <4052340+rblaine95@users.noreply.github.com> Date: Sat, 14 Dec 2024 19:50:22 +0200 Subject: [PATCH] :lock: Resolve all failed zizmor checks (#1234) * Run [zizmor](https://woodruffw.github.io/zizmor) against all our Github actions * Resolve all failed checks
--- .github/workflows/codacy.yml | 2 ++ .github/workflows/continuous-deploy.yml | 43 ++++++++++++++++++++----- .github/workflows/sonarcloud.yml | 1 + .github/workflows/style-check.yml | 2 ++ .github/workflows/validate-pr.yml | 36 ++++++++++++--------- 5 files changed, 61 insertions(+), 23 deletions(-)
diff --git a/.github/workflows/codacy.yml b/.github/workflows/codacy.yml
index 76ef092f0..708a946f9 100644
--- a/.github/workflows/codacy.yml
+++ b/.github/workflows/codacy.yml
@@ -37,6 +37,8 @@ jobs: # Checkout the repository to the GitHub Actions runner - name: Checkout code uses: actions/checkout@v4 + with: + persist-credentials: false # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis - name: Run Codacy Analysis CLI
diff --git a/.github/workflows/continuous-deploy.yml b/.github/workflows/continuous-deploy.yml
index 59cb710d4..18b3c5b50 100644
--- a/.github/workflows/continuous-deploy.yml
+++ b/.github/workflows/continuous-deploy.yml
@@ -131,6 +131,8 @@ jobs: steps: - name: Check out code uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3
@@ -176,6 +178,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Set up Mise uses: jdx/mise-action@v2 with:
@@ -220,6 +223,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Set up Mise uses: jdx/mise-action@v2 with:
@@ -245,11 +249,14 @@ jobs: - name: Set branch name id: set_branch_name run: | - if [[ "${{ github.event_name }}" == "pull_request" ]]; then - echo "BRANCH_NAME=${{ github.head_ref }}" >> $GITHUB_ENV + if [[ "${EVENT_NAME}" == "pull_request" ]]; then + echo "BRANCH_NAME=${HEAD_REF}" >> $GITHUB_ENV else echo "BRANCH_NAME=$(echo ${GITHUB_REF#refs/heads/} | cut -d/ -f2-)" >> $GITHUB_ENV fi + env: + EVENT_NAME: ${{ github.event_name }} + HEAD_REF: ${{ github.head_ref }} - name: Check if branch exists id: check_branch run: |
@@ -269,6 +276,7 @@ jobs: token: ${{ secrets.CHARTS_PAT }} path: tilt/.charts ref: ${{ env.branch_name }} + persist-credentials: false - name: Start Test Harness run: mise run tilt:ci shell: bash
@@ -425,6 +433,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Install dependencies run: pip install coverage - name: Download all .coverage artifacts
@@ -471,6 +480,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Mise uses: jdx/mise-action@v2
@@ -493,10 +504,12 @@ jobs: id: set_branch_name run: | if [[ "${{ github.event_name }}" == "pull_request" ]]; then - echo "BRANCH_NAME=${{ github.head_ref }}" >> $GITHUB_ENV + echo "BRANCH_NAME=${HEAD_REF}" >> $GITHUB_ENV else echo "BRANCH_NAME=$(echo ${GITHUB_REF#refs/heads/} | cut -d/ -f2-)" >> $GITHUB_ENV fi + env: + HEAD_REF: ${{ github.head_ref }} - name: Check if branch exists id: check_branch
@@ -518,6 +531,7 @@ jobs: token: ${{ secrets.CHARTS_PAT }} path: charts ref: ${{ env.branch_name }} + persist-credentials: false - name: Install dependencies run: sudo apt-get install -y postgresql-client
@@ -685,6 +699,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Mise uses: jdx/mise-action@v2
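Review bot: The `Set branch name` step in the hunk at -493 still interpolates `${{ github.event_name }}` straight into the run script, whereas the copy at -245 reads it from an `EVENT_NAME` entry under `env:`; the third copy at -695 on the next line has the same split. `github.event_name` is not attacker-controlled, so this is a consistency point rather than an injection, but three near-identical steps should use one form; the two lines to change in each are `if [[ "${EVENT_NAME}" == "pull_request" ]]; then` in the script and `EVENT_NAME: ${{ github.event_name }}` under the step's `env:`. While these scripts are being touched, quoting `"$GITHUB_ENV"` in the redirects would also keep shellcheck quiet.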
@@ -695,16 +711,20 @@ jobs: install: true - name: Authenticate GitHub CLI - run: echo "${{ secrets.CHARTS_PAT }}" | gh auth login --with-token + run: echo "${PAT}" | gh auth login --with-token + env: + PAT: ${{ secrets.CHARTS_PAT }} - name: Set branch name id: set_branch_name run: | if [[ "${{ github.event_name }}" == "pull_request" ]]; then - echo "BRANCH_NAME=${{ github.head_ref }}" >> $GITHUB_ENV + echo "BRANCH_NAME=${HEAD_REF}" >> $GITHUB_ENV else echo "BRANCH_NAME=$(echo ${GITHUB_REF#refs/heads/} | cut -d/ -f2-)" >> $GITHUB_ENV fi + env: + HEAD_REF: ${{ github.head_ref }} - name: Check if branch exists id: check_branch
@@ -726,6 +746,7 @@ jobs: token: ${{ secrets.CHARTS_PAT }} path: charts ref: ${{ env.branch_name }} + persist-credentials: false - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v4
@@ -818,7 +839,7 @@ jobs: COMPLETION_STATUS=$(kubectl get job $JOB_NAME -n $NAMESPACE -o jsonpath='{.status.succeeded}') FAILURE_STATUS=$(kubectl get job $JOB_NAME -n $NAMESPACE -o jsonpath='{.status.failed}') - if [ "$COMPLETION_STATUS" == "${{ env.PYTEST_COMPLETIONS }}" ] || [ "$FAILURE_STATUS" == "1" ]; then + if [ "$COMPLETION_STATUS" == "${PYTEST_COMPLETIONS}" ] || [ "$FAILURE_STATUS" == "1" ]; then echo "Job $JOB_NAME has completed." break else
@@ -840,6 +861,7 @@ jobs: env: JOB_NAME: cloudapi-pytest NAMESPACE: dev-cloudapi + PYTEST_COMPLETIONS: ${{ env.PYTEST_COMPLETIONS }} - name: Wait for pytest regression and print logs if: steps.pytest-init-regression.outcome == 'success' || steps.pytest-run-regression.outcome == 'success'
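Review bot: The `Authenticate GitHub CLI` step at -695 still writes `CHARTS_PAT` into the runner's persistent `gh` configuration via `gh auth login --with-token`, so the PAT stays on disk for the rest of the job and passes through `echo` and a pipe on the way there. `gh` reads its token from the `GH_TOKEN` environment variable, so the login step can usually be dropped in favour of `GH_TOKEN: ${{ secrets.CHARTS_PAT }}` under `env:` on the steps (or the job) that call `gh`; which steps those are is outside this hunk, so confirm before removing it. If the login must stay, `printf '%s' "${PAT}" | gh auth login --with-token` avoids `echo`'s option and escape handling on a secret value.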
@@ -849,7 +871,7 @@ jobs: COMPLETION_STATUS=$(kubectl get job $JOB_NAME -n $NAMESPACE -o jsonpath='{.status.succeeded}') FAILURE_STATUS=$(kubectl get job $JOB_NAME -n $NAMESPACE -o jsonpath='{.status.failed}') - if [ "$COMPLETION_STATUS" == "${{ env.PYTEST_COMPLETIONS }}" ] || [ "$FAILURE_STATUS" == "1" ]; then + if [ "$COMPLETION_STATUS" == "${PYTEST_COMPLETIONS}" ] || [ "$FAILURE_STATUS" == "1" ]; then echo "Job $JOB_NAME has completed." break else
@@ -871,6 +893,7 @@ jobs: env: JOB_NAME: cloudapi-pytest-regression NAMESPACE: dev-cloudapi + PYTEST_COMPLETIONS: ${{ env.PYTEST_COMPLETIONS }} - name: Copy k8s pytest results if: steps.pytest.outcome == 'success' || steps.pytest-init-regression.outcome == 'success' || steps.pytest-run-regression.outcome == 'success'
@@ -1028,6 +1051,8 @@ jobs: steps: - name: Check out code uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3
@@ -1082,6 +1107,8 @@ jobs: -e GOVERNANCE_OAUTH_ENDPOINT=${{ secrets.GOVERNANCE_OAUTH_ENDPOINT }} \ --workdir /scripts \ --entrypoint /bin/sh \ - ghcr.io/${{ github.repository_owner }}/xk6:${{ steps.meta.outputs.version }} \ + ghcr.io/${{ github.repository_owner }}/xk6:${VERSION} \ /scripts/run_tests.sh shell: bash + env: + VERSION: ${{ steps.meta.outputs.version }}
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
index 64cdc4a72..67ff6f5fc 100644
--- a/.github/workflows/sonarcloud.yml
+++ b/.github/workflows/sonarcloud.yml
@@ -48,6 +48,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 # Required for proper blame data in SonarCloud + persist-credentials: false - name: Overwrite .mise.toml # Simplify mise in this workflow run: |
diff --git a/.github/workflows/style-check.yml b/.github/workflows/style-check.yml
index a255eac98..b3ce2a206 100644
--- a/.github/workflows/style-check.yml
+++ b/.github/workflows/style-check.yml
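Review bot: In the hunk at -1082 the `docker run` command still templates `${{ secrets.GOVERNANCE_OAUTH_ENDPOINT }}` unquoted into the shell script (`-e GOVERNANCE_OAUTH_ENDPOINT=${{ … }} \`) while `VERSION` was moved to the step's `env:`; a value containing whitespace or shell metacharacters would break the command, and the secret is expanded into the script text rather than read from the environment. `docker run -e NAME` with no `=value` forwards the variable from the step environment, so the same pattern applies here: change the line to `-e GOVERNANCE_OAUTH_ENDPOINT \` and add `GOVERNANCE_OAUTH_ENDPOINT: ${{ secrets.GOVERNANCE_OAUTH_ENDPOINT }}` next to `VERSION` under `env:`. The `run:` block begins before this hunk, so other `-e` arguments in it may need the same treatment.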
@@ -11,6 +11,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Overwrite .mise.toml # It's not needed in this workflow run: |
diff --git a/.github/workflows/validate-pr.yml b/.github/workflows/validate-pr.yml
index bb3d4caf2..78d609af8 100644
--- a/.github/workflows/validate-pr.yml
+++ b/.github/workflows/validate-pr.yml
@@ -6,7 +6,6 @@ on: permissions: contents: read - pull-requests: write env: # https://cbea.ms/git-commit/#limit-50
@@ -17,6 +16,8 @@ env: jobs: check-title: runs-on: ubuntu-latest + permissions: + pull-requests: write steps: - name: Get PR info id: pr
@@ -27,7 +28,7 @@ jobs: const title = context.payload.pull_request.title; core.setOutput('title', title); - // Get PR Comments, filtering for only this bot's comments + // Get PR Comments const allComments = await github.rest.issues.listComments({ owner: context.repo.owner, repo: context.repo.repo,
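Review bot: The comment rewritten at -27 drops the only description of the filter that follows it: `// Get PR Comments` now sits above a `listComments` call whose result is then narrowed by `comment.body.includes(process.env.BOT_COMMENT_IDENTIFIER)` (visible at the top of the next hunk), and the old wording was what told a reader that. A one-liner such as `// Get PR comments, then keep only those carrying BOT_COMMENT_IDENTIFIER` keeps the intent without restating the code.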
@@ -42,25 +43,29 @@ jobs: comment.body.includes(process.env.BOT_COMMENT_IDENTIFIER) ); - core.setOutput('comments', botComments); + core.setOutput('comments_json', JSON.stringify(botComments)); - // Get JSON of valid Gitmojis + // Get Gitmojis const gitmojiResponse = await github.request('GET /repos/{owner}/{repo}/contents/{path}', { owner: 'carloscuesta', repo: 'gitmoji', path: 'packages/gitmojis/src/gitmojis.json' }); const gitmojis = JSON.parse(Buffer.from(gitmojiResponse.data.content, 'base64').toString()).gitmojis; - core.setOutput('gitmojis', gitmojis); + core.setOutput('gitmojis_json', JSON.stringify(gitmojis)); - name: PR title should start with emoji + env: + PR_TITLE: ${{ steps.pr.outputs.title }} + PR_COMMENTS: ${{ steps.pr.outputs.comments_json }} + GITMOJIS: ${{ steps.pr.outputs.gitmojis_json }} uses: actions/github-script@v7 if: always() with: script: | - const prTitle = "${{ steps.pr.outputs.title }}"; - const comments = ${{ steps.pr.outputs.comments }}; - const gitmojis = ${{ steps.pr.outputs.gitmojis }}; + const prTitle = process.env.PR_TITLE; + const comments = JSON.parse(process.env.PR_COMMENTS); + const gitmojis = JSON.parse(process.env.GITMOJIS); const validEmojis = gitmojis.map(g => [g.emoji, g.code]); const titleStartsWithValidEmoji = validEmojis.some(([emoji, code]) => 
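Review bot: `JSON.parse(process.env.PR_COMMENTS)` and `JSON.parse(process.env.GITMOJIS)` in the `PR title should start with emoji` step run under `if: always()`, so when the `Get PR info` step fails (for example the gitmoji request in this hunk erroring) both outputs are empty strings and the step dies with a `SyntaxError` from `JSON.parse('')` instead of reporting the real cause; the `Check PR title length` step at -96 on the next line has the same pattern for `PR_COMMENTS`. Either gate the checks on the producing step, `if: always() && steps.pr.outcome == 'success'`, or default the inputs, `const comments = JSON.parse(process.env.PR_COMMENTS || '[]');` and `const gitmojis = JSON.parse(process.env.GITMOJIS || '[]');`. Moving the title and comment bodies from `${{ }}` interpolation into `process.env` is the right fix for the script-injection path; `process.env.PR_TITLE` should still be treated as untrusted text if it is echoed back into a PR comment later in the script.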
@@ -96,18 +101,19 @@ jobs: }); } - - name: PR title should not exceed ${{ env.MAX_PR_TITLE_LENGTH }} characters + - name: Check PR title length + env: + PR_TITLE: ${{ steps.pr.outputs.title }} + PR_COMMENTS: ${{ steps.pr.outputs.comments_json }} + MAX_LENGTH: ${{ env.MAX_PR_TITLE_LENGTH }} uses: actions/github-script@v7 if: always() with: script: | - const prTitle = "${{ steps.pr.outputs.title }}"; - const comments = ${{ steps.pr.outputs.comments }}; - const MAX_LENGTH = ${{ env.MAX_PR_TITLE_LENGTH }}; + const prTitle = process.env.PR_TITLE; + const comments = JSON.parse(process.env.PR_COMMENTS); + const MAX_LENGTH = parseInt(process.env.MAX_LENGTH, 10); - // Match either: - // 1. Unicode emoji at start (using Unicode properties) - // 2. GitHub emoji shortcode format (e.g. :fire:) const emojiRegex = /^(?:[\p{Emoji_Presentation}\p{Extended_Pictographic}]|:[a-z0-9_+-]+:)/u; // Remove emoji prefix and its trailing space for length check