ci: Check CI workflows with zizmor

[larseggert]

And fix the security issues it found.

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[github-actions]

Failed Interop Tests

QUIC Interop Runner, client vs. server, differences relative to 108fb8d.

neqo-latest as client

• neqo-latest vs. aioquic: run cancelled after min
• neqo-latest vs. go-x-net: run cancelled after min
• neqo-latest vs. haproxy: run cancelled after min
• neqo-latest vs. kwik: run cancelled after min
• neqo-latest vs. lsquic: run cancelled after min
• neqo-latest vs. msquic: run cancelled after min
• neqo-latest vs. mvfst: run cancelled after min
• neqo-latest vs. neqo: run cancelled after min
• neqo-latest vs. neqo-latest: run cancelled after min
• neqo-latest vs. nginx: run cancelled after min
• neqo-latest vs. ngtcp2: run cancelled after min
• neqo-latest vs. picoquic: run cancelled after min
• neqo-latest vs. quic-go: run cancelled after min
• neqo-latest vs. quiche: run cancelled after min
• neqo-latest vs. quinn: run cancelled after min
• neqo-latest vs. s2n-quic: run cancelled after min
• neqo-latest vs. xquic: run cancelled after min

neqo-latest as server

• aioquic vs. neqo-latest: run cancelled after min
• chrome vs. neqo-latest: run cancelled after min
• go-x-net vs. neqo-latest: run cancelled after min
• kwik vs. neqo-latest: run cancelled after min
• lsquic vs. neqo-latest: run cancelled after min
• msquic vs. neqo-latest: run cancelled after min
• mvfst vs. neqo-latest: run cancelled after min
• neqo vs. neqo-latest: run cancelled after min
• ngtcp2 vs. neqo-latest: run cancelled after min
• picoquic vs. neqo-latest: run cancelled after min
• quic-go vs. neqo-latest: run cancelled after min
• quiche vs. neqo-latest: run cancelled after min
• quinn vs. neqo-latest: run cancelled after min
• s2n-quic vs. neqo-latest: run cancelled after min
• xquic vs. neqo-latest: run cancelled after min

All results

Succeeded Interop Tests

None ❓

Unsupported Interop Tests

None ❓

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 95.28%. Comparing base (e682ede) to head (f956c76).
Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #2413   +/-   ##
=======================================
  Coverage   95.28%   95.28%           
=======================================
  Files         114      114           
  Lines       37111    37111           
  Branches    37111    37111           
=======================================
  Hits        35363    35363           
  Misses       1742     1742           
  Partials        6        6           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[github-actions]

Benchmark results

Performance differences relative to ed0a053.

decode 4096 bytes, mask ff: No change in performance detected.

       time:   [11.827 µs 11.873 µs 11.924 µs]
       change: [-0.6864% +0.2395% +1.2742%] (p = 0.65 > 0.05)
Found 20 outliers among 100 measurements (20.00%)

2 (2.00%) low severe

2 (2.00%) low mild

16 (16.00%) high severe

decode 1048576 bytes, mask ff: No change in performance detected.

       time:   [2.9064 ms 2.9207 ms 2.9391 ms]
       change: [-0.2659% +0.3333% +1.0238%] (p = 0.34 > 0.05)
Found 12 outliers among 100 measurements (12.00%)

12 (12.00%) high severe

decode 4096 bytes, mask 7f: No change in performance detected.

       time:   [19.686 µs 19.743 µs 19.809 µs]
       change: [-1.0730% -0.2516% +0.3173%] (p = 0.58 > 0.05)
Found 19 outliers among 100 measurements (19.00%)

2 (2.00%) low severe

3 (3.00%) low mild

2 (2.00%) high mild

12 (12.00%) high severe

decode 1048576 bytes, mask 7f: No change in performance detected.

       time:   [4.7169 ms 4.7299 ms 4.7445 ms]
       change: [-0.2621% +0.1375% +0.5251%] (p = 0.49 > 0.05)
Found 14 outliers among 100 measurements (14.00%)

14 (14.00%) high severe

decode 4096 bytes, mask 3f: No change in performance detected.

       time:   [6.2104 µs 6.2371 µs 6.2700 µs]
       change: [-0.8264% -0.2108% +0.5341%] (p = 0.55 > 0.05)
Found 10 outliers among 100 measurements (10.00%)

5 (5.00%) low mild

5 (5.00%) high severe

decode 1048576 bytes, mask 3f: No change in performance detected.

       time:   [2.1153 ms 2.1323 ms 2.1596 ms]
       change: [-0.4389% +0.4915% +1.9220%] (p = 0.48 > 0.05)
Found 14 outliers among 100 measurements (14.00%)

5 (5.00%) high mild

9 (9.00%) high severe

coalesce_acked_from_zero 1+1 entries: No change in performance detected.

       time:   [93.182 ns 93.508 ns 93.833 ns]
       change: [-0.4429% +0.0705% +0.6136%] (p = 0.82 > 0.05)
Found 11 outliers among 100 measurements (11.00%)

9 (9.00%) high mild

2 (2.00%) high severe

coalesce_acked_from_zero 3+1 entries: No change in performance detected.

       time:   [110.65 ns 110.98 ns 111.33 ns]
       change: [-0.3059% +0.0313% +0.3756%] (p = 0.87 > 0.05)
Found 15 outliers among 100 measurements (15.00%)

1 (1.00%) low mild

2 (2.00%) high mild

12 (12.00%) high severe

coalesce_acked_from_zero 10+1 entries: No change in performance detected.

       time:   [110.43 ns 111.37 ns 112.71 ns]
       change: [-1.3447% -0.3916% +0.4941%] (p = 0.42 > 0.05)
Found 15 outliers among 100 measurements (15.00%)

3 (3.00%) low severe

3 (3.00%) low mild

2 (2.00%) high mild

7 (7.00%) high severe

coalesce_acked_from_zero 1000+1 entries: No change in performance detected.

       time:   [92.390 ns 92.504 ns 92.642 ns]
       change: [-1.4598% -0.5633% +0.2991%] (p = 0.23 > 0.05)
Found 11 outliers among 100 measurements (11.00%)

3 (3.00%) high mild

8 (8.00%) high severe

RxStreamOrderer::inbound_frame(): 💔 Performance has regressed.

       time:   [115.61 ms 115.76 ms 116.00 ms]
       change: [+2.0289% +2.1781% +2.3990%] (p = 0.00 < 0.05)
Found 6 outliers among 100 measurements (6.00%)

5 (5.00%) low mild

1 (1.00%) high severe

SentPackets::take_ranges: No change in performance detected.

       time:   [5.2594 µs 5.4213 µs 5.5820 µs]
       change: [-4.4075% +4.4640% +20.072%] (p = 0.66 > 0.05)
Found 5 outliers among 100 measurements (5.00%)

4 (4.00%) high mild

1 (1.00%) high severe

transfer/pacing-false/varying-seeds: 💚 Performance has improved.

       time:   [38.554 ms 38.639 ms 38.731 ms]
       change: [-4.3819% -4.0800% -3.7992%] (p = 0.00 < 0.05)
Found 2 outliers among 100 measurements (2.00%)

1 (1.00%) high mild

1 (1.00%) high severe

transfer/pacing-true/varying-seeds: 💚 Performance has improved.

       time:   [38.803 ms 38.877 ms 38.956 ms]
       change: [-4.3862% -4.1173% -3.8398%] (p = 0.00 < 0.05)
Found 2 outliers among 100 measurements (2.00%)

1 (1.00%) low mild

1 (1.00%) high severe

transfer/pacing-false/same-seed: 💚 Performance has improved.

       time:   [38.525 ms 38.596 ms 38.675 ms]
       change: [-4.6651% -4.3964% -4.1315%] (p = 0.00 < 0.05)
Found 1 outliers among 100 measurements (1.00%)

1 (1.00%) high severe

transfer/pacing-true/same-seed: 💚 Performance has improved.

       time:   [38.782 ms 38.859 ms 38.948 ms]
       change: [-3.7565% -3.4805% -3.2003%] (p = 0.00 < 0.05)
Found 3 outliers among 100 measurements (3.00%)

2 (2.00%) low mild

1 (1.00%) high severe

1-conn/1-100mb-resp/mtu-1504 (aka. Download)/client: No change in performance detected.

       time:   [859.18 ms 868.86 ms 878.69 ms]
       thrpt:  [113.81 MiB/s 115.09 MiB/s 116.39 MiB/s]
change:
       time:   [-1.0002% +0.6645% +2.3102%] (p = 0.42 > 0.05)
       thrpt:  [-2.2580% -0.6601% +1.0103%]

1-conn/10_000-parallel-1b-resp/mtu-1504 (aka. RPS)/client: No change in performance detected.

       time:   [317.98 ms 321.59 ms 325.19 ms]
       thrpt:  [30.752 Kelem/s 31.095 Kelem/s 31.448 Kelem/s]
change:
       time:   [-0.8415% +0.7822% +2.4338%] (p = 0.35 > 0.05)
       thrpt:  [-2.3760% -0.7761% +0.8487%]

1-conn/1-1b-resp/mtu-1504 (aka. HPS)/client: No change in performance detected.

       time:   [25.500 ms 25.662 ms 25.831 ms]
       thrpt:  [38.713  elem/s 38.968  elem/s 39.216  elem/s]
change:
       time:   [-1.1386% -0.2228% +0.6856%] (p = 0.64 > 0.05)
       thrpt:  [-0.6810% +0.2233% +1.1517%]
Found 1 outliers among 100 measurements (1.00%)

1 (1.00%) high mild

1-conn/1-100mb-resp/mtu-1504 (aka. Upload)/client: Change within noise threshold.

       time:   [1.8469 s 1.8641 s 1.8809 s]
       thrpt:  [53.167 MiB/s 53.646 MiB/s 54.146 MiB/s]
change:
       time:   [-3.4917% -2.2276% -0.9128%] (p = 0.00 < 0.05)
       thrpt:  [+0.9212% +2.2783% +3.6180%]

Client/server transfer results

Transfer of 33554432 bytes over loopback.

Client	Server	CC	Pacing	MTU	Mean [ms]	Min [ms]	Max [ms]
gquiche	gquiche			1504	554.9 ± 63.1	515.1	716.6
neqo	gquiche	reno	on	1504	759.3 ± 67.1	721.1	929.6
neqo	gquiche	reno		1504	788.0 ± 14.1	767.4	818.8
neqo	gquiche	cubic	on	1504	749.5 ± 37.6	713.9	851.0
neqo	gquiche	cubic		1504	744.0 ± 32.6	724.9	833.1
msquic	msquic			1504	160.2 ± 91.7	91.1	371.6
neqo	msquic	reno	on	1504	207.7 ± 8.4	197.0	224.4
neqo	msquic	reno		1504	205.7 ± 13.6	192.3	241.4
neqo	msquic	cubic	on	1504	265.5 ± 83.4	206.8	425.3
neqo	msquic	cubic		1504	208.4 ± 11.0	193.5	225.1
gquiche	neqo	reno	on	1504	665.4 ± 89.9	538.6	791.2
gquiche	neqo	reno		1504	649.0 ± 87.8	519.4	816.8
gquiche	neqo	cubic	on	1504	662.2 ± 70.7	553.2	766.5
gquiche	neqo	cubic		1504	647.1 ± 73.7	534.9	753.4
msquic	neqo	reno	on	1504	500.6 ± 103.6	437.4	740.7
msquic	neqo	reno		1504	435.2 ± 12.1	422.2	457.8
msquic	neqo	cubic	on	1504	435.0 ± 8.9	427.1	452.5
msquic	neqo	cubic		1504	436.2 ± 9.2	419.6	445.5
neqo	neqo	reno	on	1504	417.4 ± 11.3	399.1	436.3
neqo	neqo	reno		1504	413.9 ± 10.4	401.0	431.8
neqo	neqo	cubic	on	1504	435.6 ± 38.0	406.8	538.8
neqo	neqo	cubic		1504	479.1 ± 97.3	418.9	687.7

⬇️ Download logs

[larseggert]

Need to commit this to main to verify that the actions are correctly running. PR is otherwise running actions from main without the needed changes :-(