mirrors/ruff
1
0
Fork 0
mirror of https://github.com/astral-sh/ruff.git synced 2025-09-27 12:29:48 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Upgrade zizmor to the latest version in CI (#15300)

Browse source 
## Summary

This PR upgrades zizmor to the latest release in our CI. zizmor is a
static analyzer checking for security issues in GitHub workflows. The
new release finds some new issues in our workflows; this PR fixes some
of the issues, and adds ignores for some other issues.

The issues fixed in this PR are new cases of zizmor's
[`template-injection`](https://woodruffw.github.io/zizmor/audits/#template-injection)
rule being emitted. The issues I'm ignoring for now are all to do with
the
[`cache-poisoning`](https://woodruffw.github.io/zizmor/audits/#cache-poisoning)
rule. The main reason I'm fixing some but ignoring others is that I'm
confident fixing the template-injection diagnostics won't have any
impact on how our workflows operate in CI, but I'm worried that fixing
the cache-poisoning diagnostics could slow down our CI a fair bit. I
don't mind if somebody else is motivated to try to fix these
diagnostics, but for now I think I'd prefer to just ignore them; it
doesn't seem high-priority enough to try to fix them right now :-)

## Test Plan

- `uvx pre-commit run -a --hook-stage=manual` passes locally
- Let's see if CI passes on this PR...
This commit is contained in:
Alex Waygood 2025-01-06 15:07:46 +00:00 committed by GitHub
parent 636288038f
commit d45c1ee44f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 17 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

12
.github/workflows/build-docker.yml vendored
View file

@ -48,11 +48,13 @@ jobs:
- name: Check tag consistency - name: Check tag consistency
if: ${{ inputs.plan != '' && !fromJson(inputs.plan).announcement_tag_is_implicit }} if: ${{ inputs.plan != '' && !fromJson(inputs.plan).announcement_tag_is_implicit }}
env:
TAG: ${{ inputs.plan != '' && fromJson(inputs.plan).announcement_tag || 'dry-run' }}
run: | run: |
version=$(grep "version = " pyproject.toml | sed -e 's/version = "\(.*\)"/\1/g') version=$(grep "version = " pyproject.toml | sed -e 's/version = "\(.*\)"/\1/g')
if [ "${{ fromJson(inputs.plan).announcement_tag }}" != "${version}" ]; then if [ "${TAG}" != "${version}" ]; then
echo "The input tag does not match the version from pyproject.toml:" >&2 echo "The input tag does not match the version from pyproject.toml:" >&2
echo "${{ fromJson(inputs.plan).announcement_tag }}" >&2 echo "${TAG}" >&2
echo "${version}" >&2 echo "${version}" >&2
exit 1 exit 1
else else
@ -175,6 +177,8 @@ jobs:
- name: Generate Dynamic Dockerfile Tags - name: Generate Dynamic Dockerfile Tags
shell: bash shell: bash
env:
TAG_VALUE: ${{ fromJson(inputs.plan).announcement_tag }}
run: | run: |
set -euo pipefail set -euo pipefail
@ -195,8 +199,8 @@ jobs:
# Loop through all base tags and append its docker metadata pattern to the list # Loop through all base tags and append its docker metadata pattern to the list
# Order is on purpose such that the label org.opencontainers.image.version has the first pattern with the full version # Order is on purpose such that the label org.opencontainers.image.version has the first pattern with the full version
IFS=','; for TAG in ${BASE_TAGS}; do IFS=','; for TAG in ${BASE_TAGS}; do
TAG_PATTERNS="${TAG_PATTERNS}type=pep440,pattern={{ version }},suffix=-${TAG},value=${{ fromJson(inputs.plan).announcement_tag }}\n" TAG_PATTERNS="${TAG_PATTERNS}type=pep440,pattern={{ version }},suffix=-${TAG},value=${TAG_VALUE}\n"
TAG_PATTERNS="${TAG_PATTERNS}type=pep440,pattern={{ major }}.{{ minor }},suffix=-${TAG},value=${{ fromJson(inputs.plan).announcement_tag }}\n" TAG_PATTERNS="${TAG_PATTERNS}type=pep440,pattern={{ major }}.{{ minor }},suffix=-${TAG},value=${TAG_VALUE}}\n"
TAG_PATTERNS="${TAG_PATTERNS}type=raw,value=${TAG}\n" TAG_PATTERNS="${TAG_PATTERNS}type=raw,value=${TAG}\n"
done done

3
.github/workflows/publish-docs.yml vendored
View file

@ -33,8 +33,9 @@ jobs:
python-version: 3.12 python-version: 3.12
- name: "Set docs version" - name: "Set docs version"
env:
version: ${{ (inputs.plan != '' && fromJson(inputs.plan).announcement_tag) || inputs.ref }}
run: | run: |
version="${{ (inputs.plan != '' && fromJson(inputs.plan).announcement_tag) || inputs.ref }}"
# if version is missing, use 'latest' # if version is missing, use 'latest'
if [ -z "$version" ]; then if [ -z "$version" ]; then
echo "Using 'latest' as version" echo "Using 'latest' as version"

6
.github/zizmor.yml vendored
View file

@ -1,6 +1,12 @@
# Configuration for the zizmor static analysis tool, run via pre-commit in CI # Configuration for the zizmor static analysis tool, run via pre-commit in CI
# https://woodruffw.github.io/zizmor/configuration/ # https://woodruffw.github.io/zizmor/configuration/
#
# TODO: can we remove the ignores here so that our workflows are more secure?
rules: rules:
dangerous-triggers: dangerous-triggers:
ignore: ignore:
- pr-comment.yaml - pr-comment.yaml
cache-poisoning:
ignore:
- build-docker.yml
- publish-playground.yml

2
.pre-commit-config.yaml
View file

@ -91,7 +91,7 @@ repos:
# zizmor detects security vulnerabilities in GitHub Actions workflows. # zizmor detects security vulnerabilities in GitHub Actions workflows.
# Additional configuration for the tool is found in `.github/zizmor.yml` # Additional configuration for the tool is found in `.github/zizmor.yml`
- repo: https://github.com/woodruffw/zizmor-pre-commit - repo: https://github.com/woodruffw/zizmor-pre-commit
rev: v0.10.0 rev: v1.0.0
hooks: hooks:
- id: zizmor - id: zizmor