diff --git a/.github/actions/nss/action.yml b/.github/actions/nss/action.yml
index bc44d71606..141617c49a 100644
--- a/.github/actions/nss/action.yml
+++ b/.github/actions/nss/action.yml
@@ -14,7 +14,7 @@ runs:
 steps:
 - name: Install system NSS (Linux)
 shell: bash
- if: runner.os == 'Linux' && runner.environment == 'github-hosted'
+ if: ${{ runner.os == 'Linux' && runner.environment == 'github-hosted' }}
 env:
 DEBIAN_FRONTEND: noninteractive
 run: |
@@ -23,41 +23,40 @@ runs: - name: Install system NSS (MacOS) shell: bash - if: runner.os == 'MacOS' && runner.environment == 'github-hosted' + if: ${{ runner.os == 'MacOS' && runner.environment == 'github-hosted' }} run: | [ "$BREW_UPDATED" ] || brew update && echo "BREW_UPDATED=1" >> "$GITHUB_ENV" brew install nss - name: Check system NSS version + id: nss + env: + MIN_VERSION: ${{ inputs.minimum-version }} shell: bash run: | if ! command -v pkg-config &> /dev/null; then echo "pkg-config: not found" - echo "USE_SYSTEM_NSS=0" >> "$GITHUB_ENV" exit 0 fi if ! pkg-config --exists nss; then echo "pkg-config: NSS not found" - echo "USE_SYSTEM_NSS=0" >> "$GITHUB_ENV" exit 0 fi NSS_VERSION="$(pkg-config --modversion nss)" if [ "$?" -ne 0 ]; then echo "pkg-config: failed to determine NSS version" - echo "USE_SYSTEM_NSS=0" >> "$GITHUB_ENV" exit 0 fi NSS_MAJOR=$(echo "$NSS_VERSION" | cut -d. -f1) NSS_MINOR=$(echo "$NSS_VERSION" | cut -d. -f2) - REQ_NSS_MAJOR=$(echo "${{ inputs.minimum-version}}" | cut -d. -f1) - REQ_NSS_MINOR=$(echo "${{ inputs.minimum-version}}" | cut -d. -f2) + REQ_NSS_MAJOR=$(echo "$MIN_VERSION" | cut -d. -f1) + REQ_NSS_MINOR=$(echo "$MIN_VERSION" | cut -d. -f2) if [[ "$NSS_MAJOR" -lt "$REQ_NSS_MAJOR" || "$NSS_MAJOR" -eq "$REQ_NSS_MAJOR" && "$NSS_MINOR" -lt "$REQ_NSS_MINOR" ]]; then echo "System NSS is too old: $NSS_VERSION" - echo "USE_SYSTEM_NSS=0" >> "$GITHUB_ENV" exit 0 fi echo "System NSS is suitable: $NSS_VERSION" - echo "USE_SYSTEM_NSS=1" >> "$GITHUB_ENV" + echo "use_system_nss=1" >> "$GITHUB_OUTPUT" - name: Use sccache # Apparently the action can't be installed twice in the same workflow, so check if 
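Review bot: The `use_system_nss=1` written to `$GITHUB_OUTPUT` by the new `id: nss` step is only visible to later steps inside this composite action; a caller such as the `Install NSS` step that this commit tags `id: nss` in bench.yml can read it only if the action's top-level `outputs:` block maps it, and that block is not in the hunk — confirm it exists, otherwise `steps.nss.outputs.use_system_nss` is empty at workflow level. Anything outside this action that still tests `env.USE_SYSTEM_NSS` now always sees an empty string, because the `USE_SYSTEM_NSS=0` writes are gone. A one-line comment above the output write, `# unset (falsy) on every early-exit path above; only a usable system NSS sets it`, would make the new empty-means-false contract explicit for the `if:` conditions that depend on it.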
@@ -66,11 +65,13 @@ runs: # # Also, only enable sscache on our self-hosted runner, because the GitHub cache limit # is too small for this to be effective there. - if: env.SCCACHE_ENABLED != '1' && env.USE_SYSTEM_NSS == '0' && runner.environment != 'github-hosted' + if: ${{ env.SCCACHE_ENABLED != '1' && !steps.nss.outputs.use_system_nss && runner.environment != 'github-hosted' }} uses: mozilla-actions/sccache-action@2e7f9ec7921547d4b46598398ca573513895d0bd # v0.0.4 - name: Enable sscache - if: env.USE_SYSTEM_NSS == '0' && runner.environment != 'github-hosted' + if: ${{ !steps.nss.outputs.use_system_nss && runner.environment != 'github-hosted' }} + env: + RUNNER_ENVIRONMENT: ${{ runner.environment }} shell: bash run: | echo "SCCACHE_ENABLED=1" >> "$GITHUB_ENV" 
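Review bot: The `RUNNER_ENVIRONMENT` entry added to the `Enable sscache` env block duplicates a variable the runner already exports by default under the same name with the same `github-hosted`/`self-hosted` values, if I recall the default-variable list correctly, so the `env:` block can be dropped and the shell comparison left as it is; the same applies to `Check if build is needed` later in this file and to `Enable sscache` in rust/action.yml. This is a style point, not a defect. If the explicit mapping is kept deliberately, a comment such as `# mirrors the runner default; kept explicit for readability` would stop the next reader from removing it. The `run:` body of this step continues past the end of the hunk.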
@@ -81,72 +82,75 @@ runs: fi echo "CMAKE_C_COMPILER_LAUNCHER=sccache" >> "$GITHUB_ENV" echo "CMAKE_CXX_COMPILER_LAUNCHER=sccache" >> "$GITHUB_ENV" - if [ "${{ runner.environment }}" == "github-hosted" ]; then + if [ "$RUNNER_ENVIRONMENT" == "github-hosted" ]; then echo "SCCACHE_GHA_ENABLED=true" >> "$GITHUB_ENV" fi - name: Checkout NSS - if: env.USE_SYSTEM_NSS == '0' + if: ${{ !steps.nss.outputs.use_system_nss }} uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: nss-dev/nss path: nss - name: Checkout NSPR - if: env.USE_SYSTEM_NSS == '0' + if: ${{ !steps.nss.outputs.use_system_nss }} uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: nss-dev/nspr path: nspr - name: Get head revisions - if: env.USE_SYSTEM_NSS == '0' + id: heads + if: ${{ !steps.nss.outputs.use_system_nss }} shell: bash run: | NSS_HEAD=$(git -C nss rev-parse HEAD) NSPR_HEAD=$(git -C nspr rev-parse HEAD) - echo "NSS_HEAD=$NSS_HEAD" >> "$GITHUB_ENV" - echo "NSPR_HEAD=$NSPR_HEAD" >> "$GITHUB_ENV" + echo "nss_head=$NSS_HEAD" >> "$GITHUB_OUTPUT" + echo "nspr_head=$NSPR_HEAD" >> "$GITHUB_OUTPUT" - name: Cache NSS id: cache - if: env.USE_SYSTEM_NSS == '0' && runner.environment == 'github-hosted' + if: ${{ !steps.nss.outputs.use_system_nss && runner.environment == 'github-hosted' }} uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 with: path: dist - key: nss-${{ runner.os }}-${{ runner.arch }}-${{ inputs.type }}-${{ env.NSS_HEAD }}-${{ env.NSPR_HEAD }} + key: nss-${{ runner.os }}-${{ runner.arch }}-${{ inputs.type }}-${{ steps.heads.outputs.nss_head }}-${{ steps.heads.outputs.NSPR_HEAD }} - name: Check if build is needed - if: env.USE_SYSTEM_NSS == '0' + id: check_build + if: ${{ !steps.nss.outputs.use_system_nss }} + env: + CACHE_HIT: ${{ steps.cache.outputs.cache-hit }} + RUNNER_ENVIRONMENT: ${{ runner.environment }} shell: bash run: | - if [ "${{ runner.environment }}" != "github-hosted" ] || [ "${{ 
steps.cache.outputs.cache-hit }}" == "" ]; then + if [ "$RUNNER_ENVIRONMENT" != "github-hosted" ] || [ ! "$CACHE_HIT" ]; then echo "Building NSS from source" - echo "BUILD_NSS=1" >> "$GITHUB_ENV" + echo "build_nss=1" >> "$GITHUB_OUTPUT" else echo "Using cached prebuilt NSS" - echo "BUILD_NSS=0" >> "$GITHUB_ENV" fi - name: Install build dependencies (Linux) shell: bash - if: runner.os == 'Linux' && env.BUILD_NSS == '1' && runner.environment == 'github-hosted' + if: ${{ runner.os == 'Linux' && steps.check_build.outputs.build_nss && runner.environment == 'github-hosted' }} env: DEBIAN_FRONTEND: noninteractive run: sudo apt-get install -y --no-install-recommends gyp ninja-build - name: Install build dependencies (MacOS) shell: bash - if: runner.os == 'MacOS' && env.BUILD_NSS == '1' + if: ${{ runner.os == 'MacOS' && steps.check_build.outputs.build_nss }} run: | brew install ninja echo "gyp-next>=0.18.1" > req.txt - python3 -m pip install --user --break-system-packages -r req.txt - echo "$(python3 -m site --user-base)/bin" >> "$GITHUB_PATH" + python3 -m pip install --break-system-packages -r req.txt - name: Install build dependencies (Windows) shell: bash - if: runner.os == 'Windows' && env.BUILD_NSS == '1' + if: ${{ runner.os == 'Windows' && steps.check_build.outputs.build_nss }} run: | # shellcheck disable=SC2028 { 
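Review bot: The `Cache NSS` key reads `steps.heads.outputs.NSPR_HEAD` while `Get head revisions` writes `nspr_head`; expression property lookups are documented as case-insensitive so this probably resolves, but it is the one output reference in the commit that does not match its producer and should read `${{ steps.heads.outputs.nspr_head }}` so the NSPR pin in the key is unmistakable. `Check if build is needed` now only ever writes `build_nss=1`, so on a cache hit `steps.check_build.outputs.build_nss` is simply absent and every later `if:` relies on empty being falsy — a comment in the `else` branch, `# build_nss intentionally unset: empty is falsy in the if: expressions below`, would record that. The hunk ends inside the Windows `run:` block, whose body continues outside it.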
@@ -158,14 +162,14 @@ runs: python3 -m pip install -r req.txt - name: Set up MSVC (Windows) - if: runner.os == 'Windows' && env.BUILD_NSS == '1' - uses: ilammy/msvc-dev-cmd@v1 + if: ${{ runner.os == 'Windows' && steps.check_build.outputs.build_nss }} + uses: ilammy/msvc-dev-cmd@v1 # zizmor: ignore[unpinned-uses] # TODO: Would like to pin this, but the Mozilla org allowlist requires "ilammy/msvc-dev-cmd@v1*" # uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0 - name: Set up build environment (Windows) shell: bash - if: runner.os == 'Windows' && env.BUILD_NSS == '1' + if: ${{ runner.os == 'Windows' && steps.check_build.outputs.build_nss }} run: | { echo "GYP_MSVS_OVERRIDE_PATH=$VSINSTALLDIR" 
@@ -177,24 +181,30 @@ runs: - name: Set up environment shell: bash - if: env.USE_SYSTEM_NSS == '0' - run: | - NSS_TARGET="${{ inputs.type }}" - echo "NSS_TARGET=$NSS_TARGET" >> "$GITHUB_ENV" - NSS_OUT="$NSS_DIR/../dist/$NSS_TARGET" - echo "LD_LIBRARY_PATH=$NSS_OUT/lib" >> "$GITHUB_ENV" - echo "DYLD_FALLBACK_LIBRARY_PATH=$NSS_OUT/lib" >> "$GITHUB_ENV" - echo "$NSS_OUT/lib" >> "$GITHUB_PATH" - echo "NSS_DIR=$NSS_DIR" >> "$GITHUB_ENV" - echo "NSS_PREBUILT=1" >> "$GITHUB_ENV" + if: ${{ !steps.nss.outputs.use_system_nss }} env: + NSS_TARGET: ${{ inputs.type }} NSS_DIR: ${{ github.workspace }}/nss + run: | + NSS_OUT="${{ github.workspace }}/nss/../dist/$NSS_TARGET" + { + echo "LD_LIBRARY_PATH=$NSS_OUT/lib" + echo "DYLD_FALLBACK_LIBRARY_PATH=$NSS_OUT/lib" + echo "NSS_TARGET=$NSS_TARGET" + echo "NSS_DIR=$NSS_DIR" + echo "NSS_PREBUILT=1" + } >> "$GITHUB_ENV" + if [ "${{ runner.os }}" == "Windows" ]; then + echo "$NSS_OUT/lib" >> "$GITHUB_PATH" + fi - name: Build shell: bash - if: env.BUILD_NSS == '1' + if: ${{ steps.check_build.outputs.build_nss }} + env: + NSS_TARGET: ${{ inputs.type }} run: | - if [ "${{ inputs.type }}" != "Debug" ]; then + if [ "$NSS_TARGET" != "Debug" ]; then # We want to do an optimized build for accurate CPU profiling, but # we also want debug symbols and frame pointers for that, which the normal optimized NSS # build process doesn't provide. diff --git a/.github/actions/pr-comment-data-export/action.yml b/.github/actions/pr-comment-data-export/action.yml index a220814dd2..63b6c61447 100644 --- a/.github/actions/pr-comment-data-export/action.yml +++ b/.github/actions/pr-comment-data-export/action.yml 
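Review bot: `Set up environment` still interpolates `${{ github.workspace }}` and `${{ runner.os }}` straight into the script even though the commit otherwise routes contexts through `env:`, and `NSS_DIR` is already set to `${{ github.workspace }}/nss` in the same step's env; write `NSS_OUT="$NSS_DIR/../dist/$NSS_TARGET"` and `if [ "$RUNNER_OS" == "Windows" ]; then` (`RUNNER_OS` is a runner-default variable). Neither context is attacker-controlled, so this is consistency rather than an injection risk, but it is exactly the pattern the template-injection audit flags. The `Build` step's `run:` body continues past the end of the hunk.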
@@ -20,17 +20,21 @@ inputs: runs: using: composite steps: - - if: github.event_name == 'pull_request' + - if: ${{ github.event_name == 'pull_request' }} shell: bash + env: + CONTENTS: ${{ inputs.contents }} + NAME: ${{ inputs.name }} + LOG_URL: ${{ inputs.log-url }} run: | mkdir comment-data - cp "${{ inputs.contents }}" comment-data/contents - echo "${{ inputs.name }}" > comment-data/name + cp "$CONTENTS" comment-data/contents + echo "$NAME" > comment-data/name echo "${{ github.event.number }}" > comment-data/pr-number - if [ -n "${{ inputs.log-url }}" ]; then - echo "${{ inputs.log-url }}" > comment-data/log-url + if [ -n "$LOG_URL" ]; then + echo "$LOG_URL" > comment-data/log-url fi - - if: github.event_name == 'pull_request' + - if: ${{ github.event_name == 'pull_request' }} uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: name: ${{ inputs.name }} diff --git a/.github/actions/quic-interop-runner/action.yml b/.github/actions/quic-interop-runner/action.yml index e647ca3c37..6c3da83c0a 100644 --- a/.github/actions/quic-interop-runner/action.yml +++ b/.github/actions/quic-interop-runner/action.yml 
@@ -54,20 +54,25 @@ runs: shell: bash - name: Run tests + env: + CLIENT: ${{ inputs.client }} + SERVER: ${{ inputs.server }} + TEST: ${{ inputs.test }} + IMPLEMENTATIONS: ${{ inputs.implementations }} run: | cd quic-interop-runner - if [ -n "${{ inputs.implementations }}" ]; then - echo '${{ inputs.implementations }}' > implementations.json + if [ -n "$IMPLEMENTATIONS" ]; then + echo '$IMPLEMENTATIONS' > implementations.json fi ARGS="--log-dir ../logs --json ../result.json" - if [ -n "${{ inputs.client }}" ]; then - ARGS="$ARGS --client ${{ inputs.client }}" + if [ -n "$CLIENT" ]; then + ARGS="$ARGS --client $CLIENT" fi - if [ -n "${{ inputs.server }}" ]; then - ARGS="$ARGS --server ${{ inputs.server }}" + if [ -n "$SERVER" ]; then + ARGS="$ARGS --server $SERVER" fi - if [ -n "${{ inputs.test }}" ]; then - ARGS="$ARGS --test ${{ inputs.test }}" + if [ -n "$TEST" ]; then + ARGS="$ARGS --test $TEST" fi # Don't fail CI if the interop test fails set -o pipefail @@ -95,7 +100,7 @@ runs: shell: bash - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 - if: always() + if: ${{ always() }} id: upload-logs with: name: '${{ inputs.client }} vs. ${{ inputs.server }} logs' @@ -103,15 +108,17 @@ runs: compression-level: 9 - name: Store log URL - if: always() + if: ${{ always() }} + env: + ARTIFACT_URL: ${{ steps.upload-logs.outputs.artifact-url }} run: | - jq '. + {log_url: "${{ steps.upload-logs.outputs.artifact-url }}"}' \ + jq '. + {log_url: "$ARTIFACT_URL"}' < result.json > result.json.tmp && \ mv result.json.tmp result.json shell: bash - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 - if: always() + if: ${{ always() }} with: name: '${{ inputs.client }} vs. ${{ inputs.server }} results' path: | diff --git a/.github/actions/rust/action.yml b/.github/actions/rust/action.yml index ca04f217ca..b57321f5f1 100644 --- a/.github/actions/rust/action.yml +++ b/.github/actions/rust/action.yml 
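Review bot: `echo '$IMPLEMENTATIONS' > implementations.json` in `Run tests` is single-quoted, so bash never expands the variable and the file now contains the literal text `$IMPLEMENTATIONS` instead of the JSON the caller passed; the old line only worked because the template was substituted before the shell saw it. Use `printf '%s\n' "$IMPLEMENTATIONS" > implementations.json`. The `[ -n "$IMPLEMENTATIONS" ]` guard on the line above is correct and unaffected.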
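Review bot: `jq '. + {log_url: "$ARTIFACT_URL"}'` in `Store log URL` has the same defect: the filter is single-quoted, so the shell does not expand `$ARTIFACT_URL` and jq stores the literal string `$ARTIFACT_URL` as `log_url`. The robust form passes the value as a jq variable, `jq --arg url "$ARTIFACT_URL" '. + {log_url: $url}' < result.json > result.json.tmp && \`, which also means a URL containing a quote can no longer break the filter. The two upload-artifact steps in the neighbouring hunks only gained `${{ always() }}` and need nothing further.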
@@ -35,12 +35,12 @@ runs: # # Also, only enable sscache on our self-hosted runner, because the GitHub cache limit # is too small for this to be effective there. - if: env.SCCACHE_ENABLED != '1' && runner.environment != 'github-hosted' + if: ${{ env.SCCACHE_ENABLED != '1' && runner.environment != 'github-hosted' }} uses: mozilla-actions/sccache-action@2e7f9ec7921547d4b46598398ca573513895d0bd # v0.0.4 - name: Install build dependencies (Linux) shell: bash - if: runner.os == 'Linux' && runner.environment == 'github-hosted' + if: ${{ runner.os == 'Linux' && runner.environment == 'github-hosted' }} env: DEBIAN_FRONTEND: noninteractive run: | @@ -65,12 +65,14 @@ runs: } >> "$GITHUB_ENV" - name: Enable sscache - if: runner.environment != 'github-hosted' + if: ${{ runner.environment != 'github-hosted' }} + env: + RUNNER_ENVIRONMENT: ${{ runner.environment }} shell: bash run: | echo "SCCACHE_ENABLED=1" >> "$GITHUB_ENV" echo "RUSTC_WRAPPER=sccache" >> "$GITHUB_ENV" - if [ "${{ runner.environment }}" == "github-hosted" ]; then + if [ "$RUNNER_ENVIRONMENT" == "github-hosted" ]; then echo "SCCACHE_GHA_ENABLED=true" >> "$GITHUB_ENV" fi 
@@ -81,20 +83,20 @@ runs: save-if: ${{ github.ref == 'refs/heads/main' }} # Only cache runs from `main` - name: Set up MSVC (Windows) - if: runner.os == 'Windows' - uses: ilammy/msvc-dev-cmd@v1 + if: ${{ runner.os == 'Windows' }} + uses: ilammy/msvc-dev-cmd@v1 # zizmor: ignore[unpinned-uses] # TODO: Would like to pin this, but the Mozilla org allowlist requires "ilammy/msvc-dev-cmd@v1*" # uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0 # See https://github.com/ilammy/msvc-dev-cmd#name-conflicts-with-shell-bash - name: Set up build environment (Windows) shell: bash - if: runner.os == 'Windows' + if: ${{ runner.os == 'Windows' }} run: rm /usr/bin/link.exe || true - name: Install cargo-quickinstall shell: bash - if: inputs.tools != '' + if: ${{ inputs.tools != '' }} env: GITHUB_TOKEN: ${{ inputs.token }} # TODO: Unpin cargo-quickinstall once our MSRV is > 1.76 @@ -102,8 +104,9 @@ runs: - name: Install Rust tools shell: bash - if: inputs.tools != '' + if: ${{ inputs.tools != '' }} env: GITHUB_TOKEN: ${{ inputs.token }} + TOOLS: ${{ inputs.tools }} # FIXME: See https://github.com/Swatinem/rust-cache/issues/204 for why `--force`. - run: cargo quickinstall --force $(echo ${{ inputs.tools }} | tr -d ",") + run: cargo quickinstall --force $(echo $TOOLS | tr -d ",") diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml index 83d6dfe97e..77abe830b6 100644 --- a/.github/workflows/actionlint.yml +++ b/.github/workflows/actionlint.yml 
@@ -23,10 +23,35 @@ jobs: shell: bash steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + - name: Download actionlint id: get_actionlint run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) + - name: Check workflow files + env: + ACTIONLINT: ${{ steps.get_actionlint.outputs.executable }} run: | echo "::add-matcher::.github/actionlint-matcher.json" - ${{ steps.get_actionlint.outputs.executable }} -color + $ACTIONLINT -color + + zizmor: + name: zizmor 🌈 + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + + - uses: astral-sh/setup-uv@4db96194c378173c656ce18a155ffc14a9fc4355 # v5.2.2 + + - run: uvx zizmor --persona auditor --format sarif . > results.sarif + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8 + with: + sarif_file: results.sarif + category: zizmor diff --git a/.github/workflows/bench.yml b/.github/workflows/bench.yml index c9fc73ce88..1c28c33edf 100644 --- a/.github/workflows/bench.yml +++ b/.github/workflows/bench.yml @@ -20,7 +20,7 @@ permissions: jobs: bench: name: Benchmark - runs-on: self-hosted + runs-on: self-hosted # zizmor: ignore[self-hosted-runner] defaults: run: shell: bash @@ -28,6 +28,8 @@ jobs: steps: - name: Checkout neqo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Checkout msquic uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -36,6 +38,7 @@ jobs: ref: main path: msquic submodules: true + persist-credentials: false - name: Checkout gquiche uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 
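Review bot: The new `zizmor` job uploads SARIF through `github/codeql-action/upload-sarif`, which requires `security-events: write`, but the job sets no `permissions:` and the workflow-level block is outside this hunk; unless that block already grants it, the upload step will be rejected. Add `permissions:` / `  contents: read` / `  security-events: write` on the job so the grant is local and minimal. `uvx zizmor` also runs whichever release is current at run time while every action in the file is SHA-pinned; pinning the auditor itself (`uvx zizmor@<VERSION>`, placeholder) keeps the audit reproducible, and the same applies to the unpinned `download-actionlint.bash` fetched from `main` in the step above, which this hunk touches only by renaming.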
@@ -44,6 +47,7 @@ jobs: ref: main path: gquiche submodules: true + persist-credentials: false - name: Set PATH and environment run: | @@ -63,6 +67,7 @@ jobs: run: echo "minimum=$(cat neqo-crypto/min_version.txt)" >> "$GITHUB_OUTPUT" - name: Install NSS + id: nss uses: ./.github/actions/nss with: minimum-version: ${{ steps.nss-version.outputs.minimum }} @@ -214,7 +219,7 @@ jobs: sudo /root/bin/unprep.sh # In case the previous test failed: sudo ip link set dev lo mtu 65536 - if: success() || failure() || cancelled() + if: ${{ success() || failure() || cancelled() }} - name: Post-process perf data run: | @@ -258,17 +263,17 @@ jobs: cat results.md > "$GITHUB_STEP_SUMMARY" - name: Remember main-branch push URL - if: github.ref == 'refs/heads/main' + if: ${{ github.ref == 'refs/heads/main' }} run: echo "${{ github.sha }}" > target/criterion/baseline-sha.txt - name: Store history - if: github.ref == 'refs/heads/main' + if: ${{ github.ref == 'refs/heads/main' }} run: | mkdir -p target/criterion-history cp -r target/criterion "target/criterion-history/$(date +%s)-${{ github.sha }}" - name: Cache main-branch results - if: github.ref == 'refs/heads/main' + if: ${{ github.ref == 'refs/heads/main' }} uses: actions/cache/save@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 with: path: ./target/criterion diff --git a/.github/workflows/check-vm.yml b/.github/workflows/check-vm.yml index f2ecbb3414..4876e582a1 100644 --- a/.github/workflows/check-vm.yml +++ b/.github/workflows/check-vm.yml 
@@ -35,14 +35,16 @@ jobs: steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - id: nss-version run: echo "minimum=$(cat neqo-crypto/min_version.txt)" >> "$GITHUB_OUTPUT" - run: curl -o rustup.sh --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs - - if: matrix.os == 'freebsd' - uses: vmactions/freebsd-vm@848dac7e118679d08e2c2f9d42cd96608d834323 + - if: ${{ matrix.os == 'freebsd' }} + uses: vmactions/freebsd-vm@848dac7e118679d08e2c2f9d42cd96608d834323 # v1.1.8 with: usesh: true envs: "CARGO_TERM_COLOR RUST_BACKTRACE RUST_LOG GITHUB_ACTIONS" @@ -67,8 +69,8 @@ jobs: cargo test --locked --no-fail-fast --release rm -rf target # Don't sync this back to host - - if: matrix.os == 'openbsd' - uses: vmactions/openbsd-vm@7ac70b6de6f33efc74a90c1964afa3bcf0ee4401 + - if: ${{ matrix.os == 'openbsd' }} + uses: vmactions/openbsd-vm@7ac70b6de6f33efc74a90c1964afa3bcf0ee4401 # v1.1.6 with: usesh: true envs: "CARGO_TERM_COLOR RUST_BACKTRACE RUST_LOG GITHUB_ACTIONS" @@ -98,8 +100,8 @@ jobs: cargo test --locked --no-fail-fast --release rm -rf target # Don't sync this back to host - - if: matrix.os == 'netbsd' - uses: vmactions/netbsd-vm@46a58bbf03682b4cb24142b97fa315ae52bed573 + - if: ${{ matrix.os == 'netbsd' }} + uses: vmactions/netbsd-vm@46a58bbf03682b4cb24142b97fa315ae52bed573 # v1.1.8 with: usesh: true envs: "CARGO_TERM_COLOR RUST_BACKTRACE RUST_LOG GITHUB_ACTIONS" @@ -131,8 +133,8 @@ jobs: cargo test --locked --no-fail-fast --release rm -rf target # Don't sync this back to host - - if: matrix.os == 'solaris' - uses: vmactions/solaris-vm@cc8f82fa1a7cc746153ec3f71bf11f311f16e225 + - if: ${{ matrix.os == 'solaris' }} + uses: vmactions/solaris-vm@cc8f82fa1a7cc746153ec3f71bf11f311f16e225 # v1.1.1 with: release: "11.4-gcc" usesh: true diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml index 53fcaecc85..cf6f756edb 100644 --- a/.github/workflows/check.yml +++ b/.github/workflows/check.yml 
@@ -35,6 +35,8 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: sparse-checkout: Cargo.toml + persist-credentials: false + - id: toolchains run: | msrv="$(grep rust-version Cargo.toml | tr -d '"' | cut -f3 -d\ )" @@ -59,6 +61,8 @@ jobs: steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - uses: ./.github/actions/rust with: @@ -83,11 +87,12 @@ jobs: env: RUST_LOG: trace RUST_BACKTRACE: 1 + TOOLCHAIN: ${{ matrix.rust-toolchain }} run: | DUMP_SIMULATION_SEEDS="$(pwd)/simulation-seeds" export DUMP_SIMULATION_SEEDS # shellcheck disable=SC2086 - if [ "${{ matrix.rust-toolchain }}" == "nightly" ]; then + if [ "$TOOLCHAIN" == "nightly" ]; then cargo llvm-cov nextest $BUILD_TYPE --locked --mcdc --include-ffi --features ci --profile ci --codecov --output-path codecov.json else cargo nextest run $BUILD_TYPE --locked --features ci --profile ci @@ -118,10 +123,10 @@ jobs: verbose: true env: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} - if: matrix.type == 'debug' && matrix.rust-toolchain == 'nightly' + if: ${{ matrix.type == 'debug' && matrix.rust-toolchain == 'nightly' }} - uses: codecov/test-results-action@4e79e65778be1cecd5df25e14af1eafb6df80ea9 # v1.0.2 - if: always() + if: ${{ always() }} with: files: target/nextest/ci/junit.xml fail_ci_if_error: false @@ -129,7 +134,7 @@ jobs: verbose: true - name: Save simulation seeds artifact - if: always() + if: ${{ always() }} uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: name: simulation-seeds-${{ matrix.os }}-${{ matrix.rust-toolchain }}-${{ matrix.type }} 
@@ -141,9 +146,11 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - run: cargo update -w --locked bench: needs: [check] - if: github.event_name != 'workflow_dispatch' || github.event.inputs.run_benchmarks + if: ${{ github.event_name != 'workflow_dispatch' || github.event.inputs.run_benchmarks }} uses: ./.github/workflows/bench.yml diff --git a/.github/workflows/clippy.yml b/.github/workflows/clippy.yml index ba1795ba22..b3a5f6f943 100644 --- a/.github/workflows/clippy.yml +++ b/.github/workflows/clippy.yml @@ -29,6 +29,9 @@ jobs: steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + - uses: ./.github/actions/rust with: components: clippy diff --git a/.github/workflows/deny.yml b/.github/workflows/deny.yml index 8925c48cf5..bad28d333a 100644 --- a/.github/workflows/deny.yml +++ b/.github/workflows/deny.yml @@ -27,6 +27,9 @@ jobs: steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + - uses: EmbarkStudios/cargo-deny-action@e2f4ede4a4e60ea15ff31bc0647485d80c66cfba # v2.0.4 with: command: check ${{ matrix.checks }} diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 6e3bb26652..111ef1ce7b 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -25,6 +25,9 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + - uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0 with: base-ref: ${{ github.event.pull_request.base.sha || 'main' }} diff --git a/.github/workflows/firefox.yml b/.github/workflows/firefox.yml index 1051f5109f..37d6a7bffb 100644 --- a/.github/workflows/firefox.yml +++ b/.github/workflows/firefox.yml 
@@ -20,7 +20,7 @@ env: jobs: firefox: name: Build Firefox - # if: github.event.pull_request.draft == false + # if: ${{ github.event.pull_request.draft == false }} strategy: fail-fast: false matrix: @@ -37,9 +37,11 @@ jobs: steps: - name: Check out Neqo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Maximize build space - if: runner.os == 'Linux' + if: ${{ runner.os == 'Linux' }} run: | sudo rm -rf /usr/local/lib/android || true sudo rm -rf /usr/share/dotnet || true @@ -59,9 +61,10 @@ jobs: with: repository: mozilla/gecko-dev path: mozilla-unified + persist-credentials: false - name: Install deps (Windows) - if: runner.os == 'Windows' + if: ${{ runner.os == 'Windows' }} run: choco install -y mozillabuild --version 4.0.2 - name: Install Rust @@ -147,7 +150,9 @@ jobs: path: ${{ env.FIREFOX }}.tar compression-level: 9 - - run: echo "${{ steps.upload.outputs.artifact-url }}" >> artifact + - env: + ARTIFACT_URL: ${{ steps.upload.outputs.artifact-url }} + run: echo "$ARTIFACT_URL" >> artifact - name: Export artifact URL uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 @@ -158,11 +163,13 @@ jobs: comment: name: Comment on PR - # if: github.event.pull_request.draft == false + # if: ${{ github.event.pull_request.draft == false }} needs: firefox runs-on: ubuntu-latest steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: diff --git a/.github/workflows/fuzz-bench.yml b/.github/workflows/fuzz-bench.yml index 32c5036365..69d949b619 100644 --- a/.github/workflows/fuzz-bench.yml +++ b/.github/workflows/fuzz-bench.yml 
@@ -18,6 +18,9 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + - uses: ./.github/actions/rust with: version: nightly diff --git a/.github/workflows/machete.yml b/.github/workflows/machete.yml index facd9b42d3..88ddb8dae1 100644 --- a/.github/workflows/machete.yml +++ b/.github/workflows/machete.yml @@ -18,6 +18,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Install Rust uses: ./.github/actions/rust diff --git a/.github/workflows/mutants.yml b/.github/workflows/mutants.yml index b547a65537..2a7b7cca68 100644 --- a/.github/workflows/mutants.yml +++ b/.github/workflows/mutants.yml @@ -17,12 +17,13 @@ permissions: jobs: mutants: - if: github.event_name == 'pull_request' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' + if: ${{ github.event_name == 'pull_request' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }} runs-on: ubuntu-latest steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 + persist-credentials: false - id: nss-version run: echo "minimum=$(cat neqo-crypto/min_version.txt)" >> "$GITHUB_OUTPUT" 
@@ -37,21 +38,26 @@ jobs: token: ${{ secrets.GITHUB_TOKEN }} - name: Find incremental mutants - if: github.event_name == 'pull_request' + id: mutants + env: + BASE_REF: ${{ github.base_ref }} + if: ${{ github.event_name == 'pull_request' }} run: | - git diff origin/${{ github.base_ref }}.. > pr.diff + git diff "origin/$BASE_REF".. > pr.diff set -o pipefail cargo mutants --test-tool=nextest --no-shuffle -j 2 -vV --in-diff pr.diff | tee results.txt || true - echo 'TITLE=Incremental Mutants' >> "$GITHUB_ENV" + echo 'title=Incremental Mutants' >> "$GITHUB_OUTPUT" - name: Find mutants - if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' + if: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }} run: | set -o pipefail cargo mutants --test-tool=nextest -vV --in-place | tee results.txt || true - echo 'TITLE=All Mutants' >> "$GITHUB_ENV" + echo 'title=All Mutants' >> "$GITHUB_OUTPUT" - name: Post step summary + env: + TITLE: ${{ steps.mutants.outputs.title }} run: | { echo "### $TITLE" diff --git a/.github/workflows/pr-comment.yml b/.github/workflows/pr-comment.yml index e0ae87e9a8..0fcd0f537c 100644 --- a/.github/workflows/pr-comment.yml +++ b/.github/workflows/pr-comment.yml @@ -10,7 +10,7 @@ on: workflow_run: workflows: ["QNS", "CI", "Firefox"] types: - - completed + - completed # zizmor: ignore[dangerous-triggers] permissions: contents: read @@ -25,6 +25,9 @@ jobs: (github.event.workflow_run.conclusion == 'success' || github.event.workflow_run.conclusion == 'failure') steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + - uses: ./.github/actions/pr-comment with: name: ${{ github.event.workflow_run.name }} diff --git a/.github/workflows/qns.yml b/.github/workflows/qns.yml index 7aa5ada822..b5847ba177 100644 --- a/.github/workflows/qns.yml +++ b/.github/workflows/qns.yml 
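Review bot: Only `Find incremental mutants` received `id: mutants`, but `Find mutants` also writes `title=All Mutants` to `$GITHUB_OUTPUT`; with no `id:` that output is unreachable, so on `schedule` and `workflow_dispatch` runs `steps.mutants.outputs.title` is empty and the step summary heading degrades to a bare `###`. Give the second step its own id, e.g. `id: all-mutants`, and read `TITLE: ${{ steps.mutants.outputs.title || steps.all-mutants.outputs.title }}` in `Post step summary`. The old code masked this because both paths wrote the same `TITLE` env var. The `Post step summary` body continues past the end of the hunk.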
@@ -35,6 +35,9 @@ jobs: steps: - uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0 - uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0 + with: + cache-binary: ${{ github.event_name == 'pull_request' }} # zizmor: ignore[cache-poisoning] + - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io @@ -55,7 +58,7 @@ jobs: type=raw,value=latest,enable={{is_default_branch}} - uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0 - if: github.event_name != 'pull_request' + if: ${{ github.event_name != 'pull_request' }} with: push: true tags: ${{ steps.meta.outputs.tags }} @@ -91,17 +94,18 @@ jobs: env: URL: https://github.com/mozilla/neqo ROLE: both + IMAGE: ${{ needs.docker-image.outputs.imageID }} steps: - id: config run: | # Add neqo-latest to implementations.json curl https://raw.githubusercontent.com/quic-interop/quic-interop-runner/master/implementations.json | \ - jq --arg key "$LATEST" --argjson newEntry ' + jq --arg key "$LATEST" --argjson newEntry " { - "image": "${{ needs.docker-image.outputs.imageID }}", - "url": "${{ env.URL }}", - "role": "${{ env.ROLE }}" - }' '.[$key] = $newEntry' > implementations.json + \"image\": \"$IMAGE\", + \"url\": \"$URL\", + \"role\": \"$ROLE\" + }" '.[$key] = $newEntry' > implementations.json { echo "implementations<> "$GITHUB_OUTPUT" echo "server=$(echo "$PAIR" | cut -d% -f2)" >> "$GITHUB_OUTPUT" - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false # TODO: Replace once https://github.com/quic-interop/quic-interop-runner/pull/356 is merged. - uses: ./.github/actions/quic-interop-runner 
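Review bot: In the `config` step the `--argjson newEntry` document is now assembled by shell interpolation inside a double-quoted string, so an `$IMAGE`, `$URL` or `$ROLE` value containing a quote or backslash yields invalid JSON and the `jq` call fails, or silently alters the entry; that is the same class of problem this commit is removing, one layer down. Pass each value with `--arg` and build the object in jq instead: `jq --arg key "$LATEST" --arg image "$IMAGE" --arg url "$URL" --arg role "$ROLE" '.[$key] = {image: $image, url: $url, role: $role}' > implementations.json`. The hunk text is garbled around the `implementations<<` heredoc, so the rest of the step is not reviewable from here.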
@@ -158,9 +166,11 @@ jobs: name: Report results needs: [run-qns, implementations] runs-on: ubuntu-latest - if: always() + if: ${{ always() }} steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: pattern: '*results' @@ -173,8 +183,11 @@ jobs: restore-keys: qns- - run: sudo apt-get install -y --no-install-recommends wdiff - - run: | - mapfile -t LIST < <(echo '${{ needs.implementations.outputs.pairs }}' | jq '.[]' | sort) + - env: + PAIRS: ${{ needs.implementations.outputs.pairs }} + run: | + # shellcheck disable=SC2153 + mapfile -t LIST < <(echo "$PAIRS" | jq '.[]' | sort) for PREFIX in "${LIST[@]}"; do PREFIX=$(echo "$PREFIX" | tr -d '"') CLIENT=$(echo "$PREFIX" | cut -f1 -d " ") @@ -256,13 +269,13 @@ jobs: echo "" } >> comment.md - - if: github.ref == 'refs/heads/main' + - if: ${{ github.ref == 'refs/heads/main' }} run: | rm -rf results-main || true mv results results-main echo "${{ github.sha }}" > results-main/baseline-sha.txt - - if: github.ref == 'refs/heads/main' + - if: ${{ github.ref == 'refs/heads/main' }} uses: actions/cache/save@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 with: path: results-main diff --git a/.github/workflows/rustfmt.yml b/.github/workflows/rustfmt.yml index 0a6fa7363d..68fe0f0097 100644 --- a/.github/workflows/rustfmt.yml +++ b/.github/workflows/rustfmt.yml @@ -21,6 +21,9 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + - uses: ./.github/actions/rust with: version: nightly diff --git a/.github/workflows/sanitize.yml b/.github/workflows/sanitize.yml index 0bcc2398d2..2efc7fcd84 100644 --- a/.github/workflows/sanitize.yml +++ b/.github/workflows/sanitize.yml 
@@ -39,6 +39,9 @@ jobs: steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + - uses: ./.github/actions/rust with: version: nightly @@ -80,7 +83,7 @@ jobs: cargo nextest run --locked -Z build-std --features ci --profile ci --target "$TARGET" - name: Save simulation seeds artifact - if: env.DUMP_SIMULATION_SEEDS + if: ${{ env.DUMP_SIMULATION_SEEDS }} uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: name: simulation-seeds-${{ matrix.os }}-sanitizer-${{ matrix.sanitizer }}