From d0f5963d36184319717612b1f612a65e66d04cf0 Mon Sep 17 00:00:00 2001 From: Hynek Schlawack Date: Thu, 31 Oct 2024 10:43:28 +0100 Subject: [PATCH] Thank you Doctor Zizmor! --- .github/workflows/ci.yml | 33 ++++++++++++++---------- .github/workflows/codeql-analysis.yml | 6 ++--- .github/workflows/pypi-package.yml | 20 ++++++++++----- .github/workflows/zizmor.yml | 37 +++++++++++++++++++++++++++ 4 files changed, 72 insertions(+), 24 deletions(-) create mode 100644 .github/workflows/zizmor.yml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 43b7d38..144967a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,12 +4,11 @@ name: CI on: push: branches: [main] - tags: ["*"] pull_request: workflow_dispatch: env: - FORCE_COLOR: "1" # Make tools pretty. + FORCE_COLOR: "1" # Make tools pretty. PIP_DISABLE_PIP_VERSION_CHECK: "1" PIP_NO_PYTHON_VERSION_WARNING: "1"
@@ -39,6 +38,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - uses: hynek/build-and-inspect-python-package@v2 id: baipp
@@ -53,11 +53,16 @@ jobs: name: Tests & Mypy API on ${{ matrix.python-version }} runs-on: ubuntu-latest needs: build-package + strategy: + fail-fast: false matrix: # Created by the build-and-inspect-python-package action above. python-version: ${{ fromJson(needs.build-package.outputs.python-versions) }} + env: PYTHON: ${{ matrix.python-version }} + steps: - name: Download pre-built packages uses: actions/download-artifact@v4
@@ -75,10 +80,9 @@ jobs: - name: Run tests run: > - uvx --with tox-uv - tox run + uvx --with tox-uv tox run --installpkg dist/*.whl - -f py$(echo ${{ matrix.python-version }} | tr -d .) + -f py${PYTHON//./} - name: Upload coverage data uses: actions/upload-artifact@v4
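Review bot: `actions/checkout@v4` and `hynek/build-and-inspect-python-package@v2` in the build-package hunk are pinned to mutable major-version tags, so the action code that runs can change with no change to this file; pinning to a full commit SHA with the tag kept in a trailing comment, `uses: actions/checkout@<commit-sha> # v4`, removes that window and is what hash-pinning audits (zizmor's unpinned-uses check may report it depending on its configured strictness) look for. The same applies to every other `uses:` touched by this patch, in ci.yml, codeql-analysis.yml, pypi-package.yml and the new zizmor.yml. If mutable tags are an accepted trade-off for this repository, a one-line comment next to the first `uses:` saying so would record the decision.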
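Review bot: `-f py${PYTHON//./}` in the Run tests step relies on bash pattern substitution, and the step has no `shell:` key, so it works only because the runner's default shell for `run:` is bash; under `sh` the expansion is a bad-substitution error. Adding `shell: bash` to the step makes that requirement explicit. Reading the version through the `PYTHON` env var rather than interpolating `${{ matrix.python-version }}` into the script is the right shape for the template-injection fix, so this is only about making the shell dependency visible.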
@@ -90,32 +94,35 @@ jobs: - name: Check public API with Mypy run: > - uvx --with tox-uv - tox run + uvx --with tox-uv tox run --installpkg dist/*.whl -e mypy-api coverage: name: Ensure 100% test coverage - needs: tests runs-on: ubuntu-latest + needs: tests + if: always() steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-python@v5 with: python-version-file: .python-version-default - uses: hynek/setup-cached-uv@v2 - - uses: actions/download-artifact@v4 + - name: Download coverage data + uses: actions/download-artifact@v4 with: pattern: coverage-data-* merge-multiple: true - - name: Combine coverage & fail if it's <100% + - name: Combine coverage and fail if it's <100%. run: | - uv tool install coverage[toml] + uv tool install coverage coverage combine coverage html --skip-covered --skip-empty
@@ -208,10 +215,10 @@ jobs: needs: - coverage - - docs - - install-dev - lint - mypy-pkg + - docs + - install-dev runs-on: ubuntu-latest
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 181da6e..7907ccb 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -2,10 +2,6 @@ name: CodeQL on: - push: - branches: [main] - pull_request: - branches: [main] schedule: - cron: "41 3 * * 6"
@@ -29,6 +25,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Initialize CodeQL uses: github/codeql-action/init@v3
diff --git a/.github/workflows/pypi-package.yml b/.github/workflows/pypi-package.yml
index d533852..997092c 100644
--- a/.github/workflows/pypi-package.yml
+++ b/.github/workflows/pypi-package.yml
@@ -1,5 +1,5 @@ --- -name: Build & maybe upload PyPI package +name: Build & upload PyPI package on: push:
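Review bot: `if: always()` on the coverage job also fires when the workflow is cancelled, so a cancelled run still starts a runner, downloads artifacts and then fails on incomplete coverage data; `if: ${{ !cancelled() }}` keeps the intended behaviour (run even when some matrix legs fail, which `fail-fast: false` now allows) without that. Dropping the `[toml]` extra from `uv tool install coverage` only works if the interpreter chosen via `.python-version-default` is 3.11 or newer, where `tomllib` is in the standard library and coverage can still read its pyproject.toml configuration; that file is not visible here, so please confirm. The enclosing coverage job continues past the end of this hunk.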
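Review bot: With the `push` and `pull_request` triggers removed from codeql-analysis.yml, CodeQL runs only on the weekly `schedule`, so pull requests are merged without a CodeQL pass and a finding introduced on main can sit there until the next Saturday 03:41 run. If that is deliberate (for example because PR-time analysis is covered elsewhere or was too slow), a comment above `schedule:` such as `# Scheduled only: PR-time CodeQL analysis is intentionally disabled.` would record the decision; otherwise consider keeping `pull_request:` with `branches: [main]`. The `on:` block's trailing lines are outside the hunk.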
@@ -10,21 +10,21 @@ on: - published workflow_dispatch: -permissions: - attestations: write - contents: read - id-token: write jobs: # Always build & lint package. build-package: name: Build & verify package runs-on: ubuntu-latest + permissions: + attestations: write + id-token: write steps: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - uses: hynek/build-and-inspect-python-package@v2 with:
@@ -34,10 +34,13 @@ jobs: release-test-pypi: name: Publish in-dev package to test.pypi.org environment: release-test-pypi - if: github.event_name == 'push' && github.ref == 'refs/heads/main' + if: github.repository_owner == 'pyca' && github.event_name == 'push' && github.ref == 'refs/heads/main' runs-on: ubuntu-latest needs: build-package + permissions: + id-token: write + steps: - name: Download packages built by build-and-inspect-python-package uses: actions/download-artifact@v4
@@ -54,10 +57,13 @@ jobs: release-pypi: name: Publish released package to pypi.org environment: release-pypi - if: github.event.action == 'published' + if: github.repository_owner == 'pyca' && github.event.action == 'published' runs-on: ubuntu-latest needs: build-package + permissions: + id-token: write + steps: - name: Download packages built by build-and-inspect-python-package uses: actions/download-artifact@v4
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..08294a4
--- /dev/null
+++ b/.github/workflows/zizmor.yml
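Review bot: The new job-level `permissions:` block on build-package grants `attestations: write` and `id-token: write` but not `contents: read`, and because an explicit permissions block sets every unlisted scope to none, the checkout step in the same hunk appears to rely on the repository being public. The removed workflow-level block also provided `contents: read` as the default for any job without its own block, which no future job in this file now inherits. Adding `contents: read` to this job's block, or keeping a workflow-level `permissions: contents: read` alongside the job-level grants, closes both gaps and matches what the new zizmor.yml in this same patch does at the top level.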
@@ -0,0 +1,37 @@
+# https://github.com/woodruffw/zizmor
+name: GitHub Actions Security Analysis with Zizmor
+ on:
+ push:
+ branches: ["main"]
+ pull_request:
+ branches: ["*"]
+
+permissions:
+ contents: read
+
+jobs:
+ zizmor:
+ name: Zizmor latest via Cargo
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+ - name: Setup Rust
+ uses: actions-rust-lang/setup-rust-toolchain@v1
+ - name: Get zizmor
+ run: cargo install zizmor
+ - name: Run zizmor
+ run: zizmor --format sarif . > results.sarif
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ # Path to SARIF file relative to the root of the repository
+ sarif_file: results.sarif
+ # Optional category for the results
+ # Used to differentiate multiple results for one commit
+ category: zizmor
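Review bot: The `Upload SARIF file` step only runs if `Run zizmor` succeeds, and zizmor (depending on the installed version) exits non-zero when it has findings, so the SARIF upload would be skipped exactly when there is something to report; give the upload step `if: always()`, or pass `--no-exit-codes` to zizmor if the installed version supports it and let the SARIF alerts carry the signal. `cargo install zizmor` also compiles whatever the latest crates.io release is on every run, so findings and job duration can change with no change to this repository; `cargo install zizmor --version <pinned-version> --locked` would make runs reproducible and is easy to bump deliberately. Finally, on `pull_request` events from forks the token is read-only regardless of the `security-events: write` grant, so the upload step is likely to fail for fork PRs unless it is conditioned on the PR not coming from a fork.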