From 4ce913960a77a8ec857518cd894e12bf59df1bae Mon Sep 17 00:00:00 2001
From: Leonardo Lima
Date: Mon, 16 Dec 2024 16:55:15 -0300
Subject: [PATCH 1/2] fix(ci): do not persist credentials fix(cron-update-rust): don't persist credentials fix(audit): don't persist credentials fix(code-coverage): don't persist credentials fix(nightly-docs): don't persist credentials fix(cont-integration): don't persist credentials
---
.github/workflows/audit.yml | 2 ++
.github/workflows/code_coverage.yml | 2 ++
.github/workflows/cont_integration.yml | 14 ++++++++++++++
.github/workflows/cron-update-rust.yml | 2 ++
.github/workflows/nightly_docs.yml | 3 +++
5 files changed, 23 insertions(+)
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
index e0da8e855..e3d34f968 100644
--- a/.github/workflows/audit.yml
+++ b/.github/workflows/audit.yml
@@ -24,5 +24,7 @@ jobs: issues: write steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions-rust-lang/audit@v1 name: Audit Rust Dependencies
diff --git a/.github/workflows/code_coverage.yml b/.github/workflows/code_coverage.yml
index 2a2a280a3..8e1491adc 100644
--- a/.github/workflows/code_coverage.yml
+++ b/.github/workflows/code_coverage.yml
@@ -14,6 +14,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install lcov tools run: sudo apt-get install lcov -y - name: Install Rust toolchain
diff --git a/.github/workflows/cont_integration.yml b/.github/workflows/cont_integration.yml
index 5e900663a..56e1fea87 100644
--- a/.github/workflows/cont_integration.yml
+++ b/.github/workflows/cont_integration.yml
@@ -11,6 +11,8 @@ jobs: steps: - name: "Checkout repo" uses: actions/checkout@v4 + with: + persist-credentials: false - name: "Read rust version" id: read_toolchain run: echo "rust_version=$(cat rust-version)" >> $GITHUB_OUTPUT
@@ -32,6 +34,8 @@ jobs: steps: - name: checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install Rust toolchain uses: actions-rs/toolchain@v1 with:
@@ -64,6 +68,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install Rust toolchain uses: actions-rs/toolchain@v1 with:
@@ -96,6 +102,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false # Install a recent version of clang that supports wasm32 - run: wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | sudo apt-key add - || exit 1 - run: sudo apt-get update || exit 1
@@ -123,6 +131,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install Rust toolchain uses: actions-rs/toolchain@v1 with:
@@ -141,6 +151,8 @@ jobs: checks: write steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions-rs/toolchain@v1 with: toolchain: ${{ needs.prepare.outputs.rust_version }}
@@ -172,6 +184,8 @@ jobs: steps: - name: checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install Rust toolchain uses: actions-rs/toolchain@v1 with:
diff --git a/.github/workflows/cron-update-rust.yml b/.github/workflows/cron-update-rust.yml
index 207f6b7c4..2fc212ebd 100644
--- a/.github/workflows/cron-update-rust.yml
+++ b/.github/workflows/cron-update-rust.yml
@@ -9,6 +9,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: dtolnay/rust-toolchain@stable - uses: tibdex/github-app-token@v2 id: generate-token
diff --git a/.github/workflows/nightly_docs.yml b/.github/workflows/nightly_docs.yml
index 04f90d766..80e3fc787 100644
--- a/.github/workflows/nightly_docs.yml
+++ b/.github/workflows/nightly_docs.yml
@@ -9,6 +9,8 @@ jobs: steps: - name: Checkout sources uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set default toolchain run: rustup default nightly - name: Set profile
@@ -36,6 +38,7 @@ jobs: - name: Checkout `bitcoindevkit.org` uses: actions/checkout@v4 with: + persist-credentials: false ssh-key: ${{ secrets.DOCS_PUSH_SSH_KEY }} repository: bitcoindevkit/bitcoindevkit.org ref: master
From 30dce98450fb3a919babfe512d8e8d505f3dddd8 Mon Sep 17 00:00:00 2001
From: Leonardo Lima
Date: Tue, 28 Jan 2025 11:06:55 -0300
Subject: [PATCH 2/2] fix(cont-integration): template injection audit - fixes the `template_injection` audit failure due to `matrix.rust.version` usage, use an environement var instead see: https://woodruffw.github.io/zizmor/audits/#template-injection
---
.github/workflows/cont_integration.yml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/cont_integration.yml b/.github/workflows/cont_integration.yml
index 56e1fea87..f13bca2fe 100644
--- a/.github/workflows/cont_integration.yml
+++ b/.github/workflows/cont_integration.yml
@@ -52,8 +52,10 @@ jobs: if: matrix.rust.version == '1.63.0' run: ./ci/pin-msrv.sh - name: Build + Test + env: + MATRIX_RUST_VERSION: ${{ matrix.rust.version }} run: | - if [ "${{matrix.rust.version}}" = '1.63.0' ]; then + if [ $MATRIX_RUST_VERSION = '1.63.0' ]; then cargo build --workspace --exclude 'example_*' --exclude 'bdk_electrum' ${{ matrix.features }} cargo test --workspace --exclude 'example_*' --exclude 'bdk_electrum' ${{ matrix.features }} else
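Review bot: In the `Checkout bitcoindevkit.org` hunk, `persist-credentials: false` sits next to `ssh-key: ${{ secrets.DOCS_PUSH_SSH_KEY }}`, so the key is used for the clone but is no longer left in that checkout's git config for later steps. Any later step in this job that pushes to `bitcoindevkit/bitcoindevkit.org` with a plain `git push` is outside the hunk and would now run without a credential; the secret's name suggests that push exists. If so, either keep credentials persisted for this one checkout (with a comment stating why) or pass the key to the push step explicitly instead of relying on the checkout's configuration. The same check applies to the cron-update-rust hunk, though the `tibdex/github-app-token` step visible there suggests that job already pushes with an explicit token.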
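Review bot: `$MATRIX_RUST_VERSION` on the new `if` line is unquoted, so an empty or whitespace-containing matrix entry turns the test into `[ = '1.63.0' ]` and the step fails with a shell syntax error instead of taking the `else` branch; write `if [ "$MATRIX_RUST_VERSION" = '1.63.0' ]; then`. The two `cargo` lines in the same script still expand `${{ matrix.features }}` inline, which is the same pattern the commit removes for `matrix.rust.version`; adding `MATRIX_FEATURES: ${{ matrix.features }}` to the new `env:` block and using `$MATRIX_FEATURES` (unquoted on purpose, since the value carries several flags) on those lines would make the step consistent with the audit. The `run: |` script continues past the hunk after `else`, so that branch presumably needs the same treatment.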