

ci: Check CI workflows with zizmor (#2413)
* ci: Check CI workflows with `zizmor`

* ci: Enable `zizmor` CI workflow linting

And fix the issues.

* Fix

* Fix

* Fix

* Fix

* Fix

* Fix

* Fix

* Fix

* Fix

* Fix

* Fix

* Add tags

* Fix

* debug

* Quotes

* Undo debug
larseggert authored Feb 4, 2025
1 parent e682ede commit 12dc9e9
Showing 19 changed files with 227 additions and 115 deletions.
96 changes: 53 additions & 43 deletions .github/actions/nss/action.yml
Expand Up @@ -14,7 +14,7 @@ runs:
steps:
- name: Install system NSS (Linux)
shell: bash
if: runner.os == 'Linux' && runner.environment == 'github-hosted'
if: ${{ runner.os == 'Linux' && runner.environment == 'github-hosted' }}
env:
DEBIAN_FRONTEND: noninteractive
run: |
Expand All @@ -23,41 +23,40 @@ runs:
- name: Install system NSS (MacOS)
shell: bash
if: runner.os == 'MacOS' && runner.environment == 'github-hosted'
if: ${{ runner.os == 'MacOS' && runner.environment == 'github-hosted' }}
run: |
[ "$BREW_UPDATED" ] || brew update && echo "BREW_UPDATED=1" >> "$GITHUB_ENV"
brew install nss
- name: Check system NSS version
id: nss
env:
MIN_VERSION: ${{ inputs.minimum-version }}
shell: bash
run: |
if ! command -v pkg-config &> /dev/null; then
echo "pkg-config: not found"
echo "USE_SYSTEM_NSS=0" >> "$GITHUB_ENV"
exit 0
fi
if ! pkg-config --exists nss; then
echo "pkg-config: NSS not found"
echo "USE_SYSTEM_NSS=0" >> "$GITHUB_ENV"
exit 0
fi
NSS_VERSION="$(pkg-config --modversion nss)"
if [ "$?" -ne 0 ]; then
echo "pkg-config: failed to determine NSS version"
echo "USE_SYSTEM_NSS=0" >> "$GITHUB_ENV"
exit 0
fi
NSS_MAJOR=$(echo "$NSS_VERSION" | cut -d. -f1)
NSS_MINOR=$(echo "$NSS_VERSION" | cut -d. -f2)
REQ_NSS_MAJOR=$(echo "${{ inputs.minimum-version}}" | cut -d. -f1)
REQ_NSS_MINOR=$(echo "${{ inputs.minimum-version}}" | cut -d. -f2)
REQ_NSS_MAJOR=$(echo "$MIN_VERSION" | cut -d. -f1)
REQ_NSS_MINOR=$(echo "$MIN_VERSION" | cut -d. -f2)
if [[ "$NSS_MAJOR" -lt "$REQ_NSS_MAJOR" || "$NSS_MAJOR" -eq "$REQ_NSS_MAJOR" && "$NSS_MINOR" -lt "$REQ_NSS_MINOR" ]]; then
echo "System NSS is too old: $NSS_VERSION"
echo "USE_SYSTEM_NSS=0" >> "$GITHUB_ENV"
exit 0
fi
echo "System NSS is suitable: $NSS_VERSION"
echo "USE_SYSTEM_NSS=1" >> "$GITHUB_ENV"
echo "use_system_nss=1" >> "$GITHUB_OUTPUT"
- name: Use sccache
# Apparently the action can't be installed twice in the same workflow, so check if
Expand All @@ -66,11 +65,13 @@ runs:
#
# Also, only enable sscache on our self-hosted runner, because the GitHub cache limit
# is too small for this to be effective there.
if: env.SCCACHE_ENABLED != '1' && env.USE_SYSTEM_NSS == '0' && runner.environment != 'github-hosted'
if: ${{ env.SCCACHE_ENABLED != '1' && !steps.nss.outputs.use_system_nss && runner.environment != 'github-hosted' }}
uses: mozilla-actions/sccache-action@2e7f9ec7921547d4b46598398ca573513895d0bd # v0.0.4

- name: Enable sscache
if: env.USE_SYSTEM_NSS == '0' && runner.environment != 'github-hosted'
if: ${{ !steps.nss.outputs.use_system_nss && runner.environment != 'github-hosted' }}
env:
RUNNER_ENVIRONMENT: ${{ runner.environment }}
shell: bash
run: |
echo "SCCACHE_ENABLED=1" >> "$GITHUB_ENV"
Expand All @@ -81,72 +82,75 @@ runs:
fi
echo "CMAKE_C_COMPILER_LAUNCHER=sccache" >> "$GITHUB_ENV"
echo "CMAKE_CXX_COMPILER_LAUNCHER=sccache" >> "$GITHUB_ENV"
if [ "${{ runner.environment }}" == "github-hosted" ]; then
if [ "$RUNNER_ENVIRONMENT" == "github-hosted" ]; then
echo "SCCACHE_GHA_ENABLED=true" >> "$GITHUB_ENV"
fi
- name: Checkout NSS
if: env.USE_SYSTEM_NSS == '0'
if: ${{ !steps.nss.outputs.use_system_nss }}
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
repository: nss-dev/nss
path: nss

- name: Checkout NSPR
if: env.USE_SYSTEM_NSS == '0'
if: ${{ !steps.nss.outputs.use_system_nss }}
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
repository: nss-dev/nspr
path: nspr

- name: Get head revisions
if: env.USE_SYSTEM_NSS == '0'
id: heads
if: ${{ !steps.nss.outputs.use_system_nss }}
shell: bash
run: |
NSS_HEAD=$(git -C nss rev-parse HEAD)
NSPR_HEAD=$(git -C nspr rev-parse HEAD)
echo "NSS_HEAD=$NSS_HEAD" >> "$GITHUB_ENV"
echo "NSPR_HEAD=$NSPR_HEAD" >> "$GITHUB_ENV"
echo "nss_head=$NSS_HEAD" >> "$GITHUB_OUTPUT"
echo "nspr_head=$NSPR_HEAD" >> "$GITHUB_OUTPUT"
- name: Cache NSS
id: cache
if: env.USE_SYSTEM_NSS == '0' && runner.environment == 'github-hosted'
if: ${{ !steps.nss.outputs.use_system_nss && runner.environment == 'github-hosted' }}
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
with:
path: dist
key: nss-${{ runner.os }}-${{ runner.arch }}-${{ inputs.type }}-${{ env.NSS_HEAD }}-${{ env.NSPR_HEAD }}
key: nss-${{ runner.os }}-${{ runner.arch }}-${{ inputs.type }}-${{ steps.heads.outputs.nss_head }}-${{ steps.heads.outputs.NSPR_HEAD }}

- name: Check if build is needed
if: env.USE_SYSTEM_NSS == '0'
id: check_build
if: ${{ !steps.nss.outputs.use_system_nss }}
env:
CACHE_HIT: ${{ steps.cache.outputs.cache-hit }}
RUNNER_ENVIRONMENT: ${{ runner.environment }}
shell: bash
run: |
if [ "${{ runner.environment }}" != "github-hosted" ] || [ "${{ steps.cache.outputs.cache-hit }}" == "" ]; then
if [ "$RUNNER_ENVIRONMENT" != "github-hosted" ] || [ ! "$CACHE_HIT" ]; then
echo "Building NSS from source"
echo "BUILD_NSS=1" >> "$GITHUB_ENV"
echo "build_nss=1" >> "$GITHUB_OUTPUT"
else
echo "Using cached prebuilt NSS"
echo "BUILD_NSS=0" >> "$GITHUB_ENV"
fi
- name: Install build dependencies (Linux)
shell: bash
if: runner.os == 'Linux' && env.BUILD_NSS == '1' && runner.environment == 'github-hosted'
if: ${{ runner.os == 'Linux' && steps.check_build.outputs.build_nss && runner.environment == 'github-hosted' }}
env:
DEBIAN_FRONTEND: noninteractive
run: sudo apt-get install -y --no-install-recommends gyp ninja-build

- name: Install build dependencies (MacOS)
shell: bash
if: runner.os == 'MacOS' && env.BUILD_NSS == '1'
if: ${{ runner.os == 'MacOS' && steps.check_build.outputs.build_nss }}
run: |
brew install ninja
echo "gyp-next>=0.18.1" > req.txt
python3 -m pip install --user --break-system-packages -r req.txt
echo "$(python3 -m site --user-base)/bin" >> "$GITHUB_PATH"
python3 -m pip install --break-system-packages -r req.txt
- name: Install build dependencies (Windows)
shell: bash
if: runner.os == 'Windows' && env.BUILD_NSS == '1'
if: ${{ runner.os == 'Windows' && steps.check_build.outputs.build_nss }}
run: |
# shellcheck disable=SC2028
{
Expand All @@ -158,14 +162,14 @@ runs:
python3 -m pip install -r req.txt
- name: Set up MSVC (Windows)
if: runner.os == 'Windows' && env.BUILD_NSS == '1'
uses: ilammy/msvc-dev-cmd@v1
if: ${{ runner.os == 'Windows' && steps.check_build.outputs.build_nss }}
uses: ilammy/msvc-dev-cmd@v1 # zizmor: ignore[unpinned-uses]
# TODO: Would like to pin this, but the Mozilla org allowlist requires "ilammy/msvc-dev-cmd@v1*"
# uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0

- name: Set up build environment (Windows)
shell: bash
if: runner.os == 'Windows' && env.BUILD_NSS == '1'
if: ${{ runner.os == 'Windows' && steps.check_build.outputs.build_nss }}
run: |
{
echo "GYP_MSVS_OVERRIDE_PATH=$VSINSTALLDIR"
Expand All @@ -177,24 +181,30 @@ runs:
- name: Set up environment
shell: bash
if: env.USE_SYSTEM_NSS == '0'
run: |
NSS_TARGET="${{ inputs.type }}"
echo "NSS_TARGET=$NSS_TARGET" >> "$GITHUB_ENV"
NSS_OUT="$NSS_DIR/../dist/$NSS_TARGET"
echo "LD_LIBRARY_PATH=$NSS_OUT/lib" >> "$GITHUB_ENV"
echo "DYLD_FALLBACK_LIBRARY_PATH=$NSS_OUT/lib" >> "$GITHUB_ENV"
echo "$NSS_OUT/lib" >> "$GITHUB_PATH"
echo "NSS_DIR=$NSS_DIR" >> "$GITHUB_ENV"
echo "NSS_PREBUILT=1" >> "$GITHUB_ENV"
if: ${{ !steps.nss.outputs.use_system_nss }}
env:
NSS_TARGET: ${{ inputs.type }}
NSS_DIR: ${{ github.workspace }}/nss
run: |
NSS_OUT="${{ github.workspace }}/nss/../dist/$NSS_TARGET"
{
echo "LD_LIBRARY_PATH=$NSS_OUT/lib"
echo "DYLD_FALLBACK_LIBRARY_PATH=$NSS_OUT/lib"
echo "NSS_TARGET=$NSS_TARGET"
echo "NSS_DIR=$NSS_DIR"
echo "NSS_PREBUILT=1"
} >> "$GITHUB_ENV"
if [ "${{ runner.os }}" == "Windows" ]; then
echo "$NSS_OUT/lib" >> "$GITHUB_PATH"
fi
- name: Build
shell: bash
if: env.BUILD_NSS == '1'
if: ${{ steps.check_build.outputs.build_nss }}
env:
NSS_TARGET: ${{ inputs.type }}
run: |
if [ "${{ inputs.type }}" != "Debug" ]; then
if [ "$NSS_TARGET" != "Debug" ]; then
# We want to do an optimized build for accurate CPU profiling, but
# we also want debug symbols and frame pointers for that, which the normal optimized NSS
# build process doesn't provide.
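Review bot: The cache key on the `Cache NSS` step references `steps.heads.outputs.NSPR_HEAD`, but the `Get head revisions` step writes that output as `nspr_head`, and `nss_head` is referenced in lower case on the same line. Expression property lookup may well be case-insensitive, in which case this works, but if it is not the key silently loses the NSPR revision and a stale prebuilt NSS would be restored; the consistent form is `-${{ steps.heads.outputs.nss_head }}-${{ steps.heads.outputs.nspr_head }}`. In the `Set up environment` step, `NSS_OUT="${{ github.workspace }}/nss/../dist/$NSS_TARGET"` still inlines an expression into the script although the same path is already exported as `NSS_DIR` two lines above; `NSS_OUT="$NSS_DIR/../dist/$NSS_TARGET"` keeps that step in line with the rest of the commit, and the `"${{ runner.os }}"` test further down the same script is a second leftover of the same kind. The `Build` step continues past the end of the last hunk.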
16 changes: 10 additions & 6 deletions .github/actions/pr-comment-data-export/action.yml
Expand Up @@ -20,17 +20,21 @@ inputs:
runs:
using: composite
steps:
- if: github.event_name == 'pull_request'
- if: ${{ github.event_name == 'pull_request' }}
shell: bash
env:
CONTENTS: ${{ inputs.contents }}
NAME: ${{ inputs.name }}
LOG_URL: ${{ inputs.log-url }}
run: |
mkdir comment-data
cp "${{ inputs.contents }}" comment-data/contents
echo "${{ inputs.name }}" > comment-data/name
cp "$CONTENTS" comment-data/contents
echo "$NAME" > comment-data/name
echo "${{ github.event.number }}" > comment-data/pr-number
if [ -n "${{ inputs.log-url }}" ]; then
echo "${{ inputs.log-url }}" > comment-data/log-url
if [ -n "$LOG_URL" ]; then
echo "$LOG_URL" > comment-data/log-url
fi
- if: github.event_name == 'pull_request'
- if: ${{ github.event_name == 'pull_request' }}
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: ${{ inputs.name }}
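Review bot: `echo "$NAME" > comment-data/name` hands the caller-supplied value to echo as its first argument, so a name beginning with `-n` or `-e` is consumed as an option instead of being written out; `printf '%s\n' "$NAME" > comment-data/name` (and likewise for `$LOG_URL`) writes the value verbatim. The one remaining inline expansion, `${{ github.event.number }}`, is a numeric event field and is harmless, but moving it to an env entry such as `PR_NUMBER: ${{ github.event.number }}` next to the others would leave the script with no template expansions at all, which is the property this commit is establishing. The `with:` block of the upload step continues past the hunk.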
31 changes: 19 additions & 12 deletions .github/actions/quic-interop-runner/action.yml
Expand Up @@ -54,20 +54,25 @@ runs:
shell: bash

- name: Run tests
env:
CLIENT: ${{ inputs.client }}
SERVER: ${{ inputs.server }}
TEST: ${{ inputs.test }}
IMPLEMENTATIONS: ${{ inputs.implementations }}
run: |
cd quic-interop-runner
if [ -n "${{ inputs.implementations }}" ]; then
echo '${{ inputs.implementations }}' > implementations.json
if [ -n "$IMPLEMENTATIONS" ]; then
echo '$IMPLEMENTATIONS' > implementations.json
fi
ARGS="--log-dir ../logs --json ../result.json"
if [ -n "${{ inputs.client }}" ]; then
ARGS="$ARGS --client ${{ inputs.client }}"
if [ -n "$CLIENT" ]; then
ARGS="$ARGS --client $CLIENT"
fi
if [ -n "${{ inputs.server }}" ]; then
ARGS="$ARGS --server ${{ inputs.server }}"
if [ -n "$SERVER" ]; then
ARGS="$ARGS --server $SERVER"
fi
if [ -n "${{ inputs.test }}" ]; then
ARGS="$ARGS --test ${{ inputs.test }}"
if [ -n "$TEST" ]; then
ARGS="$ARGS --test $TEST"
fi
# Don't fail CI if the interop test fails
set -o pipefail
Expand Down Expand Up @@ -95,23 +100,25 @@ runs:
shell: bash

- uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
if: always()
if: ${{ always() }}
id: upload-logs
with:
name: '${{ inputs.client }} vs. ${{ inputs.server }} logs'
path: logs
compression-level: 9

- name: Store log URL
if: always()
if: ${{ always() }}
env:
ARTIFACT_URL: ${{ steps.upload-logs.outputs.artifact-url }}
run: |
jq '. + {log_url: "${{ steps.upload-logs.outputs.artifact-url }}"}' \
jq '. + {log_url: "$ARTIFACT_URL"}'
< result.json > result.json.tmp && \
mv result.json.tmp result.json
shell: bash

- uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
if: always()
if: ${{ always() }}
with:
name: '${{ inputs.client }} vs. ${{ inputs.server }} results'
path: |
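Review bot: `echo '$IMPLEMENTATIONS' > implementations.json` now writes the literal text `$IMPLEMENTATIONS` into the file, because single quotes suppress shell expansion; the removed line only worked because the template engine substituted `${{ inputs.implementations }}` before the shell saw the quotes. The `Store log URL` step in the second hunk has the same problem: `jq '. + {log_url: "$ARTIFACT_URL"}'` records the literal string `$ARTIFACT_URL` as `log_url`, and as rendered that line also no longer ends with the `\` continuation, so `jq` would run on its own and the following `< result.json > result.json.tmp && mv …` would replace result.json with an empty file. Use `printf '%s\n' "$IMPLEMENTATIONS" > implementations.json` for the first and `jq --arg url "$ARTIFACT_URL" '. + {log_url: $url}' \` for the second, which additionally keeps the URL out of the jq program text. The `Run tests` script continues past the end of the first hunk.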
23 changes: 13 additions & 10 deletions .github/actions/rust/action.yml
Expand Up @@ -35,12 +35,12 @@ runs:
#
# Also, only enable sscache on our self-hosted runner, because the GitHub cache limit
# is too small for this to be effective there.
if: env.SCCACHE_ENABLED != '1' && runner.environment != 'github-hosted'
if: ${{ env.SCCACHE_ENABLED != '1' && runner.environment != 'github-hosted' }}
uses: mozilla-actions/sccache-action@2e7f9ec7921547d4b46598398ca573513895d0bd # v0.0.4

- name: Install build dependencies (Linux)
shell: bash
if: runner.os == 'Linux' && runner.environment == 'github-hosted'
if: ${{ runner.os == 'Linux' && runner.environment == 'github-hosted' }}
env:
DEBIAN_FRONTEND: noninteractive
run: |
Expand All @@ -65,12 +65,14 @@ runs:
} >> "$GITHUB_ENV"
- name: Enable sscache
if: runner.environment != 'github-hosted'
if: ${{ runner.environment != 'github-hosted' }}
env:
RUNNER_ENVIRONMENT: ${{ runner.environment }}
shell: bash
run: |
echo "SCCACHE_ENABLED=1" >> "$GITHUB_ENV"
echo "RUSTC_WRAPPER=sccache" >> "$GITHUB_ENV"
if [ "${{ runner.environment }}" == "github-hosted" ]; then
if [ "$RUNNER_ENVIRONMENT" == "github-hosted" ]; then
echo "SCCACHE_GHA_ENABLED=true" >> "$GITHUB_ENV"
fi
Expand All @@ -81,29 +83,30 @@ runs:
save-if: ${{ github.ref == 'refs/heads/main' }} # Only cache runs from `main`

- name: Set up MSVC (Windows)
if: runner.os == 'Windows'
uses: ilammy/msvc-dev-cmd@v1
if: ${{ runner.os == 'Windows' }}
uses: ilammy/msvc-dev-cmd@v1 # zizmor: ignore[unpinned-uses]
# TODO: Would like to pin this, but the Mozilla org allowlist requires "ilammy/msvc-dev-cmd@v1*"
# uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0

# See https://github.com/ilammy/msvc-dev-cmd#name-conflicts-with-shell-bash
- name: Set up build environment (Windows)
shell: bash
if: runner.os == 'Windows'
if: ${{ runner.os == 'Windows' }}
run: rm /usr/bin/link.exe || true

- name: Install cargo-quickinstall
shell: bash
if: inputs.tools != ''
if: ${{ inputs.tools != '' }}
env:
GITHUB_TOKEN: ${{ inputs.token }}
# TODO: Unpin cargo-quickinstall once our MSRV is > 1.76
run: cargo install --locked cargo-quickinstall@0.3.5

- name: Install Rust tools
shell: bash
if: inputs.tools != ''
if: ${{ inputs.tools != '' }}
env:
GITHUB_TOKEN: ${{ inputs.token }}
TOOLS: ${{ inputs.tools }}
# FIXME: See https://github.com/Swatinem/rust-cache/issues/204 for why `--force`.
run: cargo quickinstall --force $(echo ${{ inputs.tools }} | tr -d ",")
run: cargo quickinstall --force $(echo $TOOLS | tr -d ",")
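Review bot: `cargo quickinstall --force $(echo $TOOLS | tr -d ",")` relies on two unquoted expansions (shellcheck SC2086/SC2046) and a subshell just to strip commas; since the step already sets `shell: bash`, the parameter expansion `run: cargo quickinstall --force ${TOOLS//,/ }` does the same splitting in one step and also copes with a list written without spaces after the commas, which `tr -d ","` would fuse into one name. Word splitting is intentional here because each tool must become its own argument, so a short comment such as `# $TOOLS is a comma-separated list; word splitting is intended` would stop the next reader from "fixing" it with quotes.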

