Skip to content

Zizmor report related fixes #73

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
anujm1 merged 5 commits into from
Apr 30, 2025
Merged

Zizmor report related fixes #73

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
1c5a040
permission fixes
en-j-g Apr 29, 2025
b811182
workflow permission updates
en-j-g Apr 29, 2025
62accba
Merge branch '3.0' into feature/wf-permission-updates
anujm1 Apr 30, 2025
29b9463
Update .github/workflows/check-spec.yml
anujm1 Apr 30, 2025
c7ac8c2
Update check-spec.yml
anujm1 Apr 30, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .github/workflows/check-circular-deps.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,8 @@ on:
- .github/workflows/check-circular-deps.yml
- '**.spec'

permissions: read-all

jobs:
spec-check:
name: Circular dependency check
Expand All @@ -20,6 +22,8 @@ jobs:
# Checkout the branch of our repo that triggered this action
- name: Workflow trigger checkout
uses: actions/checkout@v4
with:
persist-credentials: false

- name: Check for circular dependencies
run: |
Expand Down
4 changes: 3 additions & 1 deletion .github/workflows/check-entangled-specs.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,9 @@ jobs:
# Checkout the branch of our repo that triggered this action
- name: Workflow trigger checkout
uses: actions/checkout@v4

with:
persist-credentials: false

# For consistency, we use the same major/minor version of Python that Azure Linux ships
- name: Setup Python 3.12
uses: actions/setup-python@v5
Expand Down
4 changes: 3 additions & 1 deletion .github/workflows/check-license-map.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,9 @@ jobs:
# Checkout the branch of our repo that triggered this action
- name: Workflow trigger checkout
uses: actions/checkout@v4

with:
persist-credentials: false

- name: Setup Python 3.12
uses: actions/setup-python@v5
with:
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/check-manifests.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,8 @@ jobs:
steps:
- name: Check out code
uses: actions/checkout@v4
with:
persist-credentials: false

# This PR runner uses an older Ubuntu with rpm version 4.17, which doesn't understand some newer macros like %bcond
- name: Define missing rpm macros
Expand Down
11 changes: 8 additions & 3 deletions .github/workflows/check-package-cgmanifest.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,8 @@ jobs:
steps:
- name: Check out code
uses: actions/checkout@v4
with:
persist-credentials: false

# This PR runner uses an older Ubuntu with rpm version 4.17, which doesn't understand some newer macros like %bcond
- name: Define missing rpm macros
Expand All @@ -33,9 +35,12 @@ jobs:
- name: Get base commit for PRs
if: ${{ github.event_name == 'pull_request' }}
run: |
git fetch origin ${{ github.base_ref }}
echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> "$GITHUB_ENV"
echo "Merging ${{ github.sha }} into ${{ github.base_ref }}"
base_ref="${BASE_REF}"
git fetch origin $base_ref
echo "base_sha=$(git rev-parse origin/$base_ref)" >> "$GITHUB_ENV"
echo "Merging ${{ github.sha }} into $base_ref"
env:
BASE_REF: ${{ github.base_ref }}

- name: Get base commit for Pushes
if: ${{ github.event_name == 'push' }}
Expand Down
10 changes: 8 additions & 2 deletions .github/workflows/check-source-signatures.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,8 @@ on:
- .github/workflows/check-source-signatures.yml
- '**.spec'

permissions: read-all

jobs:
spec-check:
name: Source Signature Check
Expand All @@ -24,6 +26,7 @@ jobs:
- name: Workflow trigger checkout
uses: actions/checkout@v4
with:
persist-credentials: false
fetch-depth: 0

# For consistency, we use the same major/minor version of Python that Azure Linux ships
Expand All @@ -38,8 +41,11 @@ jobs:
- name: Get base commit for PRs
if: ${{ github.event_name == 'pull_request' }}
run: |
echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> "$GITHUB_ENV"
echo "Merging ${{ github.sha }} into ${{ github.base_ref }}"
base_ref="${BASE_REF}"
echo "base_sha=$(git rev-parse origin/$base_ref)" >> "$GITHUB_ENV"
echo "Merging ${{ github.sha }} into $base_ref"
env:
BASE_REF: ${{ github.base_ref }}

- name: Get base commit for Pushes
if: ${{ github.event_name == 'push' }}
Expand Down
11 changes: 8 additions & 3 deletions .github/workflows/check-spec.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ jobs:
uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false

# For consistency, we use the same major/minor version of Python that Azure Linux ships
- name: Setup Python 3.12
Expand All @@ -37,15 +38,18 @@ jobs:
- name: Get base commit for PRs
if: ${{ github.event_name == 'pull_request' }}
run: |
echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> "$GITHUB_ENV"
echo "Merging ${{ github.sha }} into ${{ github.base_ref }}"
base_ref="${BASE_REF}"
echo "base_sha=$(git rev-parse origin/$base_ref)" >> "$GITHUB_ENV"
echo "Merging ${{ github.sha }} into $base_ref"
env:
BASE_REF: ${{ github.base_ref }}

- name: Get base commit for Pushes
if: ${{ github.event_name == 'push' }}
run: |
echo "base_sha=${{ github.event.before }}" >> "$GITHUB_ENV"
echo "Merging ${{ github.sha }} into ${{ github.event.before }}"

- name: Get the changed files
run: |
git config --global --add safe.directory '*'
Expand All @@ -63,6 +67,7 @@ jobs:
with:
ref: '3.0'
path: '3.0-checkout'
persist-credentials: false

- name: Verify .spec files
if: ${{ env.updated-specs != '' }}
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/check-static-glibc.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,8 @@ jobs:
# Checkout the branch of our repo that triggered this action
- name: Workflow trigger checkout
uses: actions/checkout@v4
with:
persist-credentials: false

# For consistency, we use the same major/minor version of Python that Azure Linux ships
- name: Setup Python 3.12
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/go-test-coverage.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,8 @@ jobs:

- name: Check out code into the Go module directory
uses: actions/checkout@v4
with:
persist-credentials: false

- name: Check go.mod
run: |
Expand Down
12 changes: 9 additions & 3 deletions .github/workflows/lint-specs.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,13 +24,17 @@ jobs:
uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false

- name: Get base commit for PRs
if: ${{ github.event_name == 'pull_request' }}
run: |
echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> "$GITHUB_ENV"
echo "Merging ${{ github.sha }} into ${{ github.base_ref }}"

base_ref="${BASE_REF}"
echo "base_sha=$(git rev-parse origin/$base_ref)" >> "$GITHUB_ENV"
echo "Merging ${{ github.sha }} into $base_ref"
env:
BASE_REF: ${{ github.base_ref }}

- name: Get base commit for Pushes
if: ${{ github.event_name == 'push' }}
run: |
Expand All @@ -50,6 +54,7 @@ jobs:
with:
ref: '3.0'
path: '3.0-checkout'
persist-credentials: false

# Our linter is based on the spec-cleaner tool from the folks at openSUSE
# We apply a patch to modify it for our needs
Expand All @@ -59,6 +64,7 @@ jobs:
repository: 'rpm-software-management/spec-cleaner'
ref: 'spec-cleaner-1.2.0'
path: 'spec-cleaner'
persist-credentials: false

# For consistency, we use the same major/minor version of Python that Azure Linux ships
- name: Setup Python 3.12
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/lint.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,8 @@ on:
- "**.spec"
- "**.patch"

permissions: read-all

jobs:
lint:
name: Lint Workflows and Code
Expand All @@ -32,6 +34,8 @@ jobs:
uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false

- name: Lint
uses: github/super-linter/slim@v7
env:
Expand Down
13 changes: 10 additions & 3 deletions .github/workflows/merge-conflict-check.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,8 @@ on:
pull_request:
branches: [main, 3.0*]

permissions: read-all

jobs:
spec-check:
name: Github Merge Conflict Check
Expand All @@ -16,13 +18,18 @@ jobs:
# Checkout the branch of our repo that triggered this action
- name: Workflow trigger checkout
uses: actions/checkout@v4
with:
persist-credentials: false

- name: Get base commit for PRs
if: ${{ github.event_name == 'pull_request' }}
run: |
git fetch origin ${{ github.base_ref }}
echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> $GITHUB_ENV
echo "Merging ${{ github.sha }} into ${{ github.base_ref }}"
base_ref="${BASE_REF}"
git fetch origin $base_ref
echo "base_sha=$(git rev-parse origin/$base_ref)" >> $GITHUB_ENV
echo "Merging ${{ github.sha }} into $base_ref"
env:
BASE_REF: ${{ github.base_ref }}

- name: Get base commit for Pushes
if: ${{ github.event_name == 'push' }}
Expand Down