From bb59fa1e367226beee989ecb202f096061c38d2a Mon Sep 17 00:00:00 2001 From: Sysix Date: Thu, 12 Dec 2024 20:32:57 +0100 Subject: [PATCH 1/3] feat(ci): add zizmor for github actions security --- .github/workflows/ci.yml | 2 +- .github/workflows/ci_security.yml | 40 +++++++++++++++++++ .github/workflows/pr.yml | 2 +- .github/workflows/prepare_release_oxlint.yml | 10 ++--- .github/workflows/release_crates.yml | 13 +++--- .github/workflows/release_napi_parser.yml | 7 +++- .github/workflows/release_napi_transform.yml | 7 +++- .github/workflows/release_oxlint.yml | 9 ++++- .github/workflows/release_types.yml | 5 ++- .github/workflows/release_vscode.yml | 7 +++- .github/workflows/release_wasm.yml | 5 ++- .../workflows/reusable_prepare_release.yml | 5 ++- 12 files changed, 89 insertions(+), 23 deletions(-) create mode 100644 .github/workflows/ci_security.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 891015959e0d6..956f077580363 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -113,7 +113,7 @@ jobs: save-cache: ${{ github.ref_name == 'main' }} - run: rustup target add wasm32-wasip1-threads - uses: bytecodealliance/actions/wasmtime/setup@v1 - - run: cargo test --target wasm32-wasip1-threads ${{ env.TEST_FLAGS }} + - run: cargo test --target wasm32-wasip1-threads ${TEST_FLAGS} - run: git diff --exit-code # Must commit everything test-wasm32-unknown-unknown: diff --git a/.github/workflows/ci_security.yml b/.github/workflows/ci_security.yml new file mode 100644 index 0000000000000..04f9f29fa6db9 --- /dev/null +++ b/.github/workflows/ci_security.yml 
@@ -0,0 +1,40 @@ +name: GitHub Actions Security Analysis + +on: + workflow_dispatch: + pull_request: + types: [opened, synchronize] + paths: + - ".github/worfkflows/**" + push: + branches: + - main + - "renovate/**" + paths: + - ".github/worfkflows/**" + +jobs: + zizmor: + name: zizmor latest via PyPI + runs-on: ubuntu-latest + permissions: + security-events: write + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + persist-credentials: false + + - name: Install the latest version of uv + uses: astral-sh/setup-uv@v4 + + - name: Run zizmor 🌈 + run: uvx zizmor --format sarif . > results.sarif + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif + category: zizmor \ No newline at end of file diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 6b909aef0bf55..58a74b18816f1 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -1,7 +1,7 @@ name: Check PR on: - pull_request_target: + pull_request: types: - opened - edited diff --git a/.github/workflows/prepare_release_oxlint.yml b/.github/workflows/prepare_release_oxlint.yml index d3fe770be1fd9..abbf409e3e541 100644 --- a/.github/workflows/prepare_release_oxlint.yml +++ b/.github/workflows/prepare_release_oxlint.yml @@ -10,11 +10,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -permissions: - pull-requests: write - contents: write - actions: write - jobs: prepare: name: Prepare Release Oxlint @@ -28,6 +23,9 @@ jobs: needs: prepare name: Trigger Ecosystem CI runs-on: ubuntu-latest + permissions: + pull-requests: write + contents: write steps: - uses: taiki-e/checkout-action@v1 @@ -50,6 +48,8 @@ jobs: needs: prepare name: Update oxc.rs runs-on: ubuntu-latest + permissions: + actions: write steps: - uses: taiki-e/checkout-action@v1 - uses: benc-uk/workflow-dispatch@v1 
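Review bot: In `ci_security.yml` the `Upload SARIF file` step only runs when `Run zizmor 🌈` succeeds, but zizmor (per its own documentation; confirm for the version `uvx` resolves) exits non-zero whenever it reports findings, so the SARIF would only be uploaded on a clean scan, which is exactly when there is nothing to show. Either add `if: always()` to the upload step or run `uvx zizmor --no-exit-codes --format sarif . > results.sarif` so that findings surface through code scanning rather than a red step. Separately, on `pull_request` events from forks the `GITHUB_TOKEN` is read-only regardless of the `security-events: write` declaration, so the upload will fail for fork PRs; gating that step on `github.event.pull_request.head.repo.full_name == github.repository`, or consciously accepting that failure, is worth deciding now. Because the job declares its own `permissions:` block every unlisted scope is `none`; that is fine for a public repository, but `contents: read` and `actions: read` would be needed for `upload-sarif` if the repository were private.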
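Review bot: In `prepare_release_oxlint.yml`, deleting the workflow-level `permissions` block at `@@ -10,11 +10,6 @@` leaves the `prepare` job (its body is outside the hunk) with only the repository's default `GITHUB_TOKEN` permissions, while the two downstream jobs get explicit blocks at `@@ -28` and `@@ -50`. If `prepare` is the job that calls `reusable_prepare_release.yml` and pushes a branch or opens the release PR, it previously relied on the workflow-wide `contents: write` / `pull-requests: write` and now depends on the repo default being write-capable, which is a hidden behavioural change. Give it an explicit block too, either the scopes it actually needs or `permissions: {}` if it needs none, so each job's token is declared in one place.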
diff --git a/.github/workflows/release_crates.yml b/.github/workflows/release_crates.yml index 19174aff5b9a1..37b828440e380 100644 --- a/.github/workflows/release_crates.yml +++ b/.github/workflows/release_crates.yml @@ -8,9 +8,6 @@ on: paths: - crates/oxc/Cargo.toml -permissions: - contents: write - actions: write concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -20,10 +17,14 @@ jobs: release: name: Release crates runs-on: ubuntu-latest + permissions: + contents: write + actions: write steps: - uses: actions/checkout@v4 with: token: ${{ secrets.PAT }} # required for git tag push + persist-credentials: false - uses: Boshen/setup-rust@main with: @@ -41,6 +42,8 @@ jobs: echo "TAG=$(cat ./target/OXC_VERSION)" >> $GITHUB_OUTPUT - name: Tag and Push + env: + TAG_NAME: ${{ steps.run.outputs.TAG }} run: | - git tag ${{ steps.run.outputs.TAG }} - git push origin tag ${{ steps.run.outputs.TAG }} + git tag ${TAG_NAME} + git push origin tag ${TAG_NAME} diff --git a/.github/workflows/release_napi_parser.yml b/.github/workflows/release_napi_parser.yml index 531791bc1d7d1..59162c751e959 100644 --- a/.github/workflows/release_napi_parser.yml +++ b/.github/workflows/release_napi_parser.yml @@ -35,9 +35,12 @@ jobs: - name: Set version name if: steps.version.outputs.changed == 'true' + env: + VERSION_NUMBER: ${{ steps.version.outputs.version }} + VERSION_TYPE: ${{ steps.version.outputs.version_type }} run: | - echo "Version change found! New version: ${{ steps.version.outputs.version }} (${{ steps.version.outputs.version_type }})" - echo "version=${{ steps.version.outputs.version }}" >> $GITHUB_ENV + echo "Version change found! New version: ${VERSION_NUMBER} (${VERSION_TYPE})" + echo "version=${VERSION_TYPE}" >> $GITHUB_ENV build: needs: check diff --git a/.github/workflows/release_napi_transform.yml b/.github/workflows/release_napi_transform.yml index bc7b61ec7b669..356403fcaf7ca 100644 --- a/.github/workflows/release_napi_transform.yml 
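Review bot: In `release_crates.yml` at `@@ -20,10 +17,14 @@`, `persist-credentials: false` is added to the very checkout whose comment says the PAT is `required for git tag push`, so the `git push origin tag ${TAG_NAME}` step in the next hunk will run without any stored credential and most likely fail. The new job-level `contents: write` does not help here, since the push uses `secrets.PAT` rather than `GITHUB_TOKEN` (presumably so the tag push triggers downstream workflows). Either drop the new `persist-credentials: false` line for this one checkout and accept the corresponding zizmor finding with an ignore comment that states this reason, or pass the PAT to the `Tag and Push` step via `env:` and push to an explicitly authenticated remote. The same question applies to the checkouts given `persist-credentials: false` in `release_oxlint.yml` at `@@ -150` and `reusable_prepare_release.yml` at `@@ -27`, whose later steps are outside the hunks; confirm none of them rely on the stored token for a push.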
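Review bot: In `release_napi_parser.yml` at `@@ -35,9 +35,12 @@`, `echo "version=${VERSION_TYPE}" >> $GITHUB_ENV` changes behaviour: the removed line exported `steps.version.outputs.version` (the version number), the new one exports `version_type`, so `$version` will hold something like `patch` instead of a semver for every later step of the job (the `build` job follows immediately and is outside the hunk). It should be `echo "version=${VERSION_NUMBER}" >> $GITHUB_ENV`, matching the parallel hunk in `release_vscode.yml`.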
+++ b/.github/workflows/release_napi_transform.yml @@ -35,9 +35,12 @@ jobs: - name: Set version name if: steps.version.outputs.changed == 'true' + env: + VERSION_NUMBER: ${{ steps.version.outputs.version }} + VERSION_TYPE: ${{ steps.version.outputs.version_type }} run: | - echo "Version change found! New version: ${{ steps.version.outputs.version }} (${{ steps.version.outputs.version_type }})" - echo "version=${{ steps.version.outputs.version }}" >> $GITHUB_ENV + echo "Version change found! New version: ${VERSION_NUMBER} (${VERSION_NUMBER})" + echo "version=${VERSION_NUMBER}" >> $GITHUB_ENV build: needs: check diff --git a/.github/workflows/release_oxlint.yml b/.github/workflows/release_oxlint.yml index f4eade0fdff29..63b01f244212c 100644 --- a/.github/workflows/release_oxlint.yml +++ b/.github/workflows/release_oxlint.yml @@ -32,8 +32,10 @@ jobs: - name: Print version if: steps.version.outputs.changed == 'true' + env: + NEW_VERSION: ${{ steps.version.outputs.version }} run: | - echo "Version change found! New version: ${{ steps.version.outputs.version }}" + echo "Version change found! New version: ${NEW_VERSION}" build: needs: check @@ -150,6 +152,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 # for changelog + persist-credentials: false - uses: Boshen/setup-rust@main with: @@ -227,10 +230,12 @@ jobs: container: ${{ matrix.container }} steps: - name: Test + env: + OXLINT_VERSION: ${{ needs.check.outputs.version}} run: | touch test.js ldd --version || true - npx oxlint@${{ needs.check.outputs.version }} ./test.js + npx oxlint@${OXLINT_VERSION} ./test.js eslint-plugin-oxlint: needs: [check, publish] diff --git a/.github/workflows/release_types.yml b/.github/workflows/release_types.yml index ff045e238930b..70df5423acb76 100644 --- a/.github/workflows/release_types.yml +++ b/.github/workflows/release_types.yml 
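Review bot: In `release_napi_transform.yml` at `@@ -35,9 +35,12 @@`, the log line now prints the version number twice, `(${VERSION_NUMBER})` where the removed line printed `version_type`, and the `VERSION_TYPE` variable declared in the new `env:` block is never used. This is cosmetic, since the `version=${VERSION_NUMBER}` export is correct, but the line should read `echo "Version change found! New version: ${VERSION_NUMBER} (${VERSION_TYPE})"` as it does in the sibling workflows.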
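Review bot: In `release_oxlint.yml` at `@@ -227,10 +230,12 @@`, `OXLINT_VERSION: ${{ needs.check.outputs.version}}` is missing the space before `}}`; GitHub's expression parser accepts it, but every other expression in these files is written `${{ ... }}`, so `OXLINT_VERSION: ${{ needs.check.outputs.version }}` keeps the style uniform and avoids a reader wondering whether the form is intentional.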
@@ -32,8 +32,11 @@ jobs: - name: Set version name if: steps.version.outputs.changed == 'true' + env: + VERSION_NUMBER: ${{ steps.version.outputs.version }} + VERSION_TYPE: ${{ steps.version.outputs.version_type }} run: | - echo "Version change found! New version: ${{ steps.version.outputs.version }} (${{ steps.version.outputs.version_type }})" + echo "Version change found! New version: ${VERSION_NUMBER} (${VERSION_TYPE})" build: needs: check diff --git a/.github/workflows/release_vscode.yml b/.github/workflows/release_vscode.yml index 2b99896b5e12d..30d3d26ea42fd 100644 --- a/.github/workflows/release_vscode.yml +++ b/.github/workflows/release_vscode.yml @@ -36,9 +36,12 @@ jobs: - name: Set version name if: steps.version.outputs.changed == 'true' + env: + VERSION_NUMBER: ${{ steps.version.outputs.version }} + VERSION_TYPE: ${{ steps.version.outputs.version_type }} run: | - echo "Version change found! New version: ${{ steps.version.outputs.version }} (${{ steps.version.outputs.version_type }})" - echo "version=${{ steps.version.outputs.version }}" >> $GITHUB_ENV + echo "Version change found! New version: ${VERSION_NUMBER} (${VERSION_TYPE})" + echo "version=${VERSION_NUMBER}" >> $GITHUB_ENV build: needs: check diff --git a/.github/workflows/release_wasm.yml b/.github/workflows/release_wasm.yml index e49b885355b3e..16b4a4fe35753 100644 --- a/.github/workflows/release_wasm.yml +++ b/.github/workflows/release_wasm.yml @@ -32,8 +32,11 @@ jobs: - name: Set version name if: steps.version.outputs.changed == 'true' + env: + VERSION_NUMBER: ${{ steps.version.outputs.version }} + VERSION_TYPE: ${{ steps.version.outputs.version_type }} run: | - echo "Version change found! New version: ${{ steps.version.outputs.version }} (${{ steps.version.outputs.version_type }})" + echo "Version change found! New version: ${VERSION_NUMBER} (${VERSION_TYPE})" build: needs: check 
diff --git a/.github/workflows/reusable_prepare_release.yml b/.github/workflows/reusable_prepare_release.yml index cb0888854ba18..3aa01e6ea5677 100644 --- a/.github/workflows/reusable_prepare_release.yml +++ b/.github/workflows/reusable_prepare_release.yml @@ -27,6 +27,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - uses: Boshen/setup-rust@main with: @@ -35,9 +36,11 @@ jobs: - name: Run id: run + env: + RELEASE_NAME: ${{ inputs.name }} run: | cargo ck - cargo release-oxc update --release ${{ inputs.name }} + cargo release-oxc update --release ${RELEASE_NAME} echo "VERSION=$(cat ./target/OXC_VERSION)" >> $GITHUB_OUTPUT { echo 'CHANGELOG< Date: Thu, 12 Dec 2024 20:44:03 +0100 Subject: [PATCH 2/3] ci: add zizmor for github actions security --- .github/workflows/ci_security.yml | 28 ++++++++++++++-------------- .github/workflows/release_crates.yml | 1 - 2 files changed, 14 insertions(+), 15 deletions(-) diff --git a/.github/workflows/ci_security.yml b/.github/workflows/ci_security.yml index 04f9f29fa6db9..bb81dde1151ec 100644 --- a/.github/workflows/ci_security.yml +++ b/.github/workflows/ci_security.yml @@ -1,17 +1,17 @@ name: GitHub Actions Security Analysis on: - workflow_dispatch: - pull_request: - types: [opened, synchronize] - paths: - - ".github/worfkflows/**" - push: - branches: - - main - - "renovate/**" - paths: - - ".github/worfkflows/**" + workflow_dispatch: + pull_request: + types: [opened, synchronize] + paths: + - ".github/workflows/**" + push: + branches: + - main + - "renovate/**" + paths: + - ".github/workflows/**" jobs: zizmor: 
@@ -29,12 +29,12 @@ jobs: uses: astral-sh/setup-uv@v4 - name: Run zizmor 🌈 - run: uvx zizmor --format sarif . > results.sarif + run: uvx zizmor --format sarif . > results.sarif env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif - category: zizmor \ No newline at end of file + category: zizmor diff --git a/.github/workflows/release_crates.yml b/.github/workflows/release_crates.yml index 37b828440e380..c8e5df106f36e 100644 --- a/.github/workflows/release_crates.yml +++ b/.github/workflows/release_crates.yml @@ -8,7 +8,6 @@ on: paths: - crates/oxc/Cargo.toml - concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true From e1d1244e2ac8e2532e82a133f0cf456329f772c6 Mon Sep 17 00:00:00 2001 From: Boshen Date: Fri, 13 Dec 2024 13:33:04 +0800 Subject: [PATCH 3/3] u --- .github/workflows/pr.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 58a74b18816f1..f6173afd5fb9d 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -1,7 +1,7 @@ name: Check PR on: - pull_request: + pull_request_target: # zizmor: ignore[dangerous-triggers] types: - opened - edited
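Review bot: In `pr.yml` at `@@ -1,7 +1,7 @@`, the `# zizmor: ignore[dangerous-triggers]` suppression records that the finding is accepted but not why `pull_request_target` is required here, so the next reader has to re-derive it; a reason on the same line, e.g. `pull_request_target: # zizmor: ignore[dangerous-triggers] -- needs a write token on fork PRs; never checks out PR head`, turns the suppression into a documented decision. The `opened`/`edited` trigger types suggest a PR-metadata check that must comment on PRs from forks, which is the usual justification, but that is a guess since the job body is outside the hunk. What makes the trigger safe is an invariant the suppression should state and the steps should honour: nothing in the job checks out or executes code from `github.event.pull_request.head.sha` / `.head.ref`, and the job's `permissions:` are limited to what the comment or label write needs.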