diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index e4dc7fe94bf24..c4ddb63fd8721 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -290,7 +290,9 @@ jobs:
file: "Cargo.toml"
field: "workspace.package.rust-version"
- name: "Install Rust toolchain"
- run: rustup default ${{ steps.msrv.outputs.value }}
+ env:
+ MSRV: ${{ steps.msrv.outputs.value }}
+ run: rustup default "${MSRV}"
- name: "Install mold"
uses: rui314/setup-mold@v1
- name: "Install cargo nextest"
@@ -306,7 +308,8 @@ jobs:
shell: bash
env:
NEXTEST_PROFILE: "ci"
- run: cargo +${{ steps.msrv.outputs.value }} insta test --all-features --unreferenced reject --test-runner nextest
+ MSRV: ${{ steps.msrv.outputs.value }}
+ run: cargo "+${MSRV}" insta test --all-features --unreferenced reject --test-runner nextest
cargo-fuzz-build:
name: "cargo fuzz build"
@@ -354,16 +357,18 @@ jobs:
name: ruff
path: ruff-to-test
- name: Fuzz
+ env:
+ DOWNLOAD_PATH: ${{ steps.download-cached-binary.outputs.download-path }}
run: |
# Make executable, since artifact download doesn't preserve this
- chmod +x ${{ steps.download-cached-binary.outputs.download-path }}/ruff
+ chmod +x "${DOWNLOAD_PATH}/ruff"
( uvx \
- --python=${{ env.PYTHON_VERSION }} \
+ --python="${PYTHON_VERSION}" \
--from=./python/py-fuzzer \
fuzz \
- --test-executable=${{ steps.download-cached-binary.outputs.download-path }}/ruff \
+ --test-executable="${DOWNLOAD_PATH}/ruff" \
--bin=ruff \
0-500
)
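Review bot: The added `run: rustup default "${MSRV}"` line has no guard for an empty value: should the preceding step's lookup of `workspace.package.rust-version` in `Cargo.toml` produce nothing, rustup is invoked with an empty toolchain name and the step fails with an error that points away from the real cause. Now that the value is a plain shell variable, one line before the call makes the failure explicit, `: "${MSRV:?workspace.package.rust-version not found in Cargo.toml}"`. The same applies to the `cargo "+${MSRV}"` line in the hunk at -306, which would otherwise run a bare `cargo +` with the same misleading result. Passing step outputs through `env:` instead of interpolating `${{ }}` into the script is the right shape, and the quoting of `"${DOWNLOAD_PATH}/ruff"` in the -354 hunk is consistent with it.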
@@ -429,14 +434,16 @@ jobs:
- name: Run `ruff check` stable ecosystem check
if: ${{ needs.determine_changes.outputs.linter == 'true' }}
+ env:
+ DOWNLOAD_PATH: ${{ steps.ruff-target.outputs.download-path }}
run: |
# Make executable, since artifact download doesn't preserve this
- chmod +x ./ruff ${{ steps.ruff-target.outputs.download-path }}/ruff
+ chmod +x ./ruff "${DOWNLOAD_PATH}/ruff"
# Set pipefail to avoid hiding errors with tee
set -eo pipefail
- ruff-ecosystem check ./ruff ${{ steps.ruff-target.outputs.download-path }}/ruff --cache ./checkouts --output-format markdown | tee ecosystem-result-check-stable
+ ruff-ecosystem check ./ruff "${DOWNLOAD_PATH}/ruff" --cache ./checkouts --output-format markdown | tee ecosystem-result-check-stable
cat ecosystem-result-check-stable > "$GITHUB_STEP_SUMMARY"
echo "### Linter (stable)" > ecosystem-result
@@ -445,14 +452,16 @@ jobs:
- name: Run `ruff check` preview ecosystem check
if: ${{ needs.determine_changes.outputs.linter == 'true' }}
+ env:
+ DOWNLOAD_PATH: ${{ steps.ruff-target.outputs.download-path }}
run: |
# Make executable, since artifact download doesn't preserve this
- chmod +x ./ruff ${{ steps.ruff-target.outputs.download-path }}/ruff
+ chmod +x ./ruff "${DOWNLOAD_PATH}/ruff"
# Set pipefail to avoid hiding errors with tee
set -eo pipefail
- ruff-ecosystem check ./ruff ${{ steps.ruff-target.outputs.download-path }}/ruff --cache ./checkouts --output-format markdown --force-preview | tee ecosystem-result-check-preview
+ ruff-ecosystem check ./ruff "${DOWNLOAD_PATH}/ruff" --cache ./checkouts --output-format markdown --force-preview | tee ecosystem-result-check-preview
cat ecosystem-result-check-preview > "$GITHUB_STEP_SUMMARY"
echo "### Linter (preview)" >> ecosystem-result
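Review bot: The step-level `env:` block added here declares the same `DOWNLOAD_PATH` from `steps.ruff-target.outputs.download-path` that the hunks at -445, -461 and -477 add again, so the four ecosystem steps now each carry an identical two-line stanza next to an already-duplicated `chmod +x ./ruff "${DOWNLOAD_PATH}/ruff"`. Because the `steps` context is not available to a job-level `env:`, the usual way to declare it once is to have a single step right after the artifact download keep the `env:` mapping and export it for the rest of the job, `echo "DOWNLOAD_PATH=${DOWNLOAD_PATH}" >> "$GITHUB_ENV"`, after which the ecosystem steps read it from the job environment. This is a readability point only; the quoting is correct in all four steps. Each of these `run: |` blocks continues beyond its hunk.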
@@ -461,14 +470,16 @@ jobs:
- name: Run `ruff format` stable ecosystem check
if: ${{ needs.determine_changes.outputs.formatter == 'true' }}
+ env:
+ DOWNLOAD_PATH: ${{ steps.ruff-target.outputs.download-path }}
run: |
# Make executable, since artifact download doesn't preserve this
- chmod +x ./ruff ${{ steps.ruff-target.outputs.download-path }}/ruff
+ chmod +x ./ruff "${DOWNLOAD_PATH}/ruff"
# Set pipefail to avoid hiding errors with tee
set -eo pipefail
- ruff-ecosystem format ./ruff ${{ steps.ruff-target.outputs.download-path }}/ruff --cache ./checkouts --output-format markdown | tee ecosystem-result-format-stable
+ ruff-ecosystem format ./ruff "${DOWNLOAD_PATH}/ruff" --cache ./checkouts --output-format markdown | tee ecosystem-result-format-stable
cat ecosystem-result-format-stable > "$GITHUB_STEP_SUMMARY"
echo "### Formatter (stable)" >> ecosystem-result
@@ -477,14 +488,16 @@ jobs:
- name: Run `ruff format` preview ecosystem check
if: ${{ needs.determine_changes.outputs.formatter == 'true' }}
+ env:
+ DOWNLOAD_PATH: ${{ steps.ruff-target.outputs.download-path }}
run: |
# Make executable, since artifact download doesn't preserve this
- chmod +x ./ruff ${{ steps.ruff-target.outputs.download-path }}/ruff
+ chmod +x ./ruff "${DOWNLOAD_PATH}/ruff"
# Set pipefail to avoid hiding errors with tee
set -eo pipefail
- ruff-ecosystem format ./ruff ${{ steps.ruff-target.outputs.download-path }}/ruff --cache ./checkouts --output-format markdown --force-preview | tee ecosystem-result-format-preview
+ ruff-ecosystem format ./ruff "${DOWNLOAD_PATH}/ruff" --cache ./checkouts --output-format markdown --force-preview | tee ecosystem-result-format-preview
cat ecosystem-result-format-preview > "$GITHUB_STEP_SUMMARY"
echo "### Formatter (preview)" >> ecosystem-result
@@ -541,7 +554,7 @@ jobs:
args: --out dist
- name: "Test wheel"
run: |
- pip install --force-reinstall --find-links dist ${{ env.PACKAGE_NAME }}
+ pip install --force-reinstall --find-links dist "${PACKAGE_NAME}"
ruff --help
python -m ruff --help
- name: "Remove wheels from cache"
@@ -676,11 +689,13 @@ jobs:
just install
- name: Run ruff-lsp tests
+ env:
+ DOWNLOAD_PATH: ${{ steps.ruff-target.outputs.download-path }}
run: |
# Setup development binary
pip uninstall --yes ruff
- chmod +x ${{ steps.ruff-target.outputs.download-path }}/ruff
- export PATH=${{ steps.ruff-target.outputs.download-path }}:$PATH
+ chmod +x "${DOWNLOAD_PATH}/ruff"
+ export PATH="${DOWNLOAD_PATH}:${PATH}"
ruff version
just test
diff --git a/.github/workflows/pr-comment.yaml b/.github/workflows/pr-comment.yaml
index 45f760dbf3a66..8064c8cbd7138 100644
--- a/.github/workflows/pr-comment.yaml
+++ b/.github/workflows/pr-comment.yaml
@@ -10,12 +10,11 @@ on:
description: The ecosystem workflow that triggers the workflow run
required: true
-permissions:
- pull-requests: write
-
jobs:
comment:
runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
steps:
- uses: dawidd6/action-download-artifact@v7
name: Download pull request number
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000000000..2861f925ec265
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,6 @@
+# Configuration for the zizmor static analysis tool, run via pre-commit in CI
+# https://woodruffw.github.io/zizmor/configuration/
+rules:
+ dangerous-triggers:
+ ignore:
+ - pr-comment.yaml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 5452fd1327b14..c990e32513c4c 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
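Review bot: Moving `pull-requests: write` from the workflow level into the `comment` job is the right scoping, but the new `permissions:` block does not record the constraint that makes the grant safe: the job appears to consume an artifact produced by the triggering run (the `Download pull request number` step that follows, whose body lies outside the hunk), and that content should be treated as untrusted input before it selects which pull request receives a comment. A comment above the new block would keep that in view for future edits, e.g. `# Write access is scoped to this job only; the PR number read from the downloaded artifact comes from the triggering run and must be validated (digits only) before use`. Whether the existing steps already perform that validation cannot be seen from this hunk.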
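Review bot: The `dangerous-triggers` ignore for `pr-comment.yaml` in the new `.github/zizmor.yml` suppresses the finding without saying why the trigger is acceptable, so a later reader cannot tell a reviewed exception from a forgotten one, and the header comment only describes the tool. A YAML comment next to the entry should carry the justification, e.g. `# pr-comment.yaml needs a trigger zizmor flags as dangerous so it can comment on the PR whose run produced the artifacts; it holds only job-scoped pull-requests: write and must treat artifact contents as untrusted`. Keeping the reason beside the ignore also makes it obvious when the entry can be removed.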
@@ -87,8 +87,10 @@ repos:
- id: prettier
types: [yaml]
+ # zizmor detects security vulnerabilities in GitHub Actions workflows.
+ # Additional configuration for the tool is found in `.github/zizmor.yml`
- repo: https://github.com/woodruffw/zizmor-pre-commit
- rev: v0.8.0
+ rev: v0.9.2
hooks:
- id: zizmor
# `release.yml` is autogenerated by `dist`; security issues need to be fixed there