
Commit e7c1bd6

committed
Remove dangerous template expansion: https://docs.zizmor.sh/audits/#template-injection
Delete coverage-report action as it's not being used.
1 parent a778c74 commit e7c1bd6


3 files changed

+16
-51
lines changed


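--- a/.github/workflows/ci-manual-build-test-sign.yml
+++ b/.github/workflows/ci-manual-build-test-sign.yml
@@ -23,7 +23,7 @@ env:
 DOTNET_GENERATE_ASPNET_CERTIFICATE: false
 DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
 DOTNET_CLI_TELEMETRY_OPTOUT: true
-nupkgDirectory: ${{ github.workspace}}/nupkgs
+NUPKGDIRECTORY: ${{ github.workspace}}/nupkgs
 
 jobs:
 build:
@@ -58,32 +58,32 @@ jobs:
 run: dotnet test --configuration Release --no-restore --no-build --property:PublicRelease=${{ inputs.public_release }}
 
 - name: 'Pack release'
-run: dotnet pack --configuration Release --no-restore --no-build --output ${{ env.nupkgDirectory }} --property:PublicRelease=${{ inputs.public_release }}
+run: dotnet pack --configuration Release --no-restore --no-build --output ${NUPKGDIRECTORY} --property:PublicRelease=${{ inputs.public_release }}
 
 - name: 'List artifact directory'
 shell: pwsh
 run: >
-Get-ChildItem -Path ${{ env.nupkgDirectory }} -Recurse -Force
+Get-ChildItem -Path ${env:NUPKGDIRECTORY} -Recurse -Force
 
 - name: 'Extract SBOMs'
 shell: pwsh
 run: >
-Get-ChildItem -Path ${{ env.nupkgDirectory }} -Filter *.nupkg -Force | ForEach-Object {
+Get-ChildItem -Path ${env:NUPKGDIRECTORY} -Filter *.nupkg -Force | ForEach-Object {
 Expand-Archive $_.FullName "$($_.DirectoryName)/$($_.Basename)" -Force
-Copy-Item "$($_.DirectoryName)/$($_.Basename)/_manifest/spdx_2.2/manifest.spdx.json" -Destination "${{ env.nupkgDirectory }}/$($_.Basename).spdx.json"
-Copy-Item "$($_.DirectoryName)/$($_.Basename)/_manifest/spdx_2.2/manifest.spdx.json.sha256" -Destination "${{ env.nupkgDirectory }}/$($_.Basename).spdx.json.sha256"
+Copy-Item "$($_.DirectoryName)/$($_.Basename)/_manifest/spdx_2.2/manifest.spdx.json" -Destination "${env:NUPKGDIRECTORY}/$($_.Basename).spdx.json"
+Copy-Item "$($_.DirectoryName)/$($_.Basename)/_manifest/spdx_2.2/manifest.spdx.json.sha256" -Destination "${env:NUPKGDIRECTORY}/$($_.Basename).spdx.json.sha256"
 Remove-Item "$($_.DirectoryName)/$($_.Basename)" -Force -Recurse }
 
 - name: 'List artifact directory'
 shell: pwsh
 run: >
-Get-ChildItem -Path ${{ env.nupkgDirectory }} -Recurse -Force
+Get-ChildItem -Path ${env:NUPKGDIRECTORY} -Recurse -Force
 
 - name: Upload unsigned nupkgs
 uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: build-artifacts
-path: ${{ env.nupkgDirectory }}/*
+path: ${NUPKGDIRECTORY}/*
 retention-days: 7
 
 sign:
@@ -106,12 +106,12 @@ jobs:
 uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
 with:
 name: build-artifacts
-path : ${{ env.nupkgDirectory }}
+path : ${NUPKGDIRECTORY}
 
 - name: List assets to be signed
 shell: pwsh
 run: >
-Get-ChildItem -Path ${{ env.nupkgDirectory }} -Include *.nupkg -Recurse -Force
+Get-ChildItem -Path ${env:NUPKGDIRECTORY} -Include *.nupkg -Recurse -Force
 
 - name: Authenticate to Azure
 uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # 2.3.0
@@ -124,13 +124,13 @@ jobs:
 - name: Sign
 shell: pwsh
 run: >
-./sign/sign code azure-key-vault *.nupkg --base-directory ${{ env.nupkgDirectory }} --azure-key-vault-url "${{ secrets.AZURE_KEY_VAULT_URL }}" --azure-key-vault-certificate "${{ secrets.AZURE_KEY_VAULT_CERTIFICATE }}"
+./sign/sign code azure-key-vault *.nupkg --base-directory ${env:NUPKGDIRECTORY} --azure-key-vault-url "${{ secrets.AZURE_KEY_VAULT_URL }}" --azure-key-vault-certificate "${{ secrets.AZURE_KEY_VAULT_CERTIFICATE }}"
 
 - name: Upload signed nupkgs
 uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: signed-artifacts
-path: ${{ env.nupkgDirectory }}/*
+path: ${NUPKGDIRECTORY}/*
 retention-days: 7
 
 publish:
@@ -154,18 +154,18 @@ jobs:
 uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
 with:
 name: signed-artifacts
-path : ${{ env.nupkgDirectory }}
+path : ${NUPKGDIRECTORY}
 
 - name: List assets to be published
 shell: pwsh
 run: >
-Get-ChildItem -Path ${{ env.nupkgDirectory }} -Filter *.nupkg -Recurse -Force
+Get-ChildItem -Path ${env:NUPKGDIRECTORY} -Filter *.nupkg -Recurse -Force
 
 # Use --skip-duplicate to prevent errors if a package with the same version already exists.
 # This allows a retory of a failed workflow, already published packages will be skipped without error.
 - name: Publish NuGet package
 shell: pwsh
 run: >
-foreach($file in (Get-ChildItem "${{ env.nupkgDirectory }}" -Recurse -Filter *.nupkg)) {
+foreach($file in (Get-ChildItem "${env:NUPKGDIRECTORY}" -Recurse -Filter *.nupkg)) {
 dotnet nuget push $file --api-key "${{ secrets.NUGET_APIKEY }}" --source https://api.nuget.org/v3/index.json --skip-duplicate
 }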
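Review bot: The `path:` inputs of the four upload-artifact/download-artifact steps (new lines 86, 109, 133 and 157) are `with:` values rather than shell scripts, so `${NUPKGDIRECTORY}` reaches the action as literal text. As far as I know neither action expands environment variables in `path`, so artifacts would be looked up in, or downloaded to, a location that differs from the `${env:NUPKGDIRECTORY}` directory the later pwsh steps read, leaving the sign and publish jobs with nothing to process. The template-injection audit concerns expressions expanded into `run:` scripts, so these four inputs can keep the expression form: `path: ${{ env.NUPKGDIRECTORY }}/*` and `path: ${{ env.NUPKGDIRECTORY }}`. The 'Pack release' step (new line 61) shows no `shell:` in the hunk, and `${NUPKGDIRECTORY}` resolves to the environment variable only under bash; if the job's default shell is pwsh (not visible here) it needs `${env:NUPKGDIRECTORY}`. That line and the test step above it still expand `${{ inputs.public_release }}` inside `run:`, and the Sign and Publish steps still expand secrets inline; passing those through a step-level `env:` block would complete the hardening this commit starts.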

.github/workflows/upload-coverage-report.yml

Lines changed: 0 additions & 35 deletions
This file was deleted.

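--- a/idunno.Bluesky.sln
+++ b/idunno.Bluesky.sln
@@ -25,6 +25,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution
 THIRD-PARTY-NOTICES.txt = THIRD-PARTY-NOTICES.txt
 trimTest.ps1 = trimTest.ps1
 version.json = version.json
+zizmor.yml = zizmor.yml
 EndProjectSection
 EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "src", "src", "{C94F8041-6886-4D0F-82DC-8AF2B41FF649}"
@@ -73,7 +74,6 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "workflows", "workflows", "{
 .github\workflows\codeql-analysis.yml = .github\workflows\codeql-analysis.yml
 .github\workflows\dependency-review.yml = .github\workflows\dependency-review.yml
 .github\workflows\generate-publish-docs.yml = .github\workflows\generate-publish-docs.yml
-.github\workflows\upload-coverage-report.yml = .github\workflows\upload-coverage-report.yml
 EndProjectSection
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Samples.Timeline", "samples\Samples.Timeline\Samples.Timeline.csproj", "{AB11676F-150A-4AD3-A34B-01AE0C9A1065}"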
