diff --git a/.github/actions/capiext/action.yml b/.github/actions/capiext/action.yml
index 49562725f46782..ed69c8ac5ea709 100644
--- a/.github/actions/capiext/action.yml
+++ b/.github/actions/capiext/action.yml
@@ -46,7 +46,7 @@ runs:
     - name: Run test-spec with previous CAPI extension binaries
       id: check
       shell: bash
-      run: |
+      run: | # zizmor: ignore[template-injection]
         touch spec/ruby/optional/capi/ext/*.$DLEXT
         [ ! -f spec/ruby/optional/capi/ext/\*.$DLEXT ]
         ${{ inputs.make }} SPECOPTS=optional/capi test-spec
diff --git a/.github/actions/compilers/action.yml b/.github/actions/compilers/action.yml
index ab5b56a889672a..d20d2a16090b6a 100644
--- a/.github/actions/compilers/action.yml
+++ b/.github/actions/compilers/action.yml
@@ -81,7 +81,9 @@ runs:
   using: composite
   steps:
     - shell: bash
-      run: docker pull --quiet 'ghcr.io/ruby/ruby-ci-image:${{ inputs.tag }}'
+      run: docker pull --quiet "ghcr.io/ruby/ruby-ci-image:${INPUT_TAG}"
+      env:
+        INPUT_TAG: ${{ inputs.tag }}
     - name: Enable Launchable conditionally
       id: enable-launchable
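Review bot: The `# zizmor: ignore[template-injection]` on `run: |` in the capiext hunk suppresses the finding rather than fixing it; `${{ inputs.make }}` is still expanded into the script text on the hunk's last line, while every other step in this change moves such expressions into `env:`. The same shape works here: add `INPUT_MAKE: ${{ inputs.make }}` under a step-level `env:` and run `${INPUT_MAKE} SPECOPTS=optional/capi test-spec`, left unquoted so a value such as `make -C build` still word-splits as it does today. The input is set by the calling workflow, so practical exposure is low, but a bare suppression leaves the next reader unable to tell that from the file; at minimum the comment should say why the ignore is safe.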
@@ -99,28 +101,28 @@ runs: docker run --rm --user=root - --volume '${{ github.workspace }}:/github/workspace:ro' + --volume "${GITHUB_WORKSPACE}:/github/workspace:ro" --workdir=/github/workspace --entrypoint=/github/workspace/.github/actions/compilers/entrypoint.sh --env CI --env GITHUB_ACTION - --env INPUT_WITH_GCC='${{ inputs.with_gcc || inputs.tag }}' - --env INPUT_CFLAGS='${{ inputs.CFLAGS }}' - --env INPUT_CXXFLAGS='${{ inputs.CXXFLAGS }}' - --env INPUT_OPTFLAGS='${{ inputs.OPTFLAGS }}' - --env INPUT_CPPFLAGS='${{ inputs.cppflags }}' - --env INPUT_APPEND_CONFIGURE='${{ inputs.append_configure }}' - --env INPUT_CHECK='${{ inputs.check }}' - --env INPUT_TEST_ALL='${{ inputs.test_all }}' - --env INPUT_TEST_SPEC='${{ inputs.test_spec }}' - --env INPUT_ENABLE_SHARED='${{ inputs.enable_shared }}' - --env INPUT_STATIC_EXTS='${{ inputs.static_exts }}' - --env LAUNCHABLE_ORGANIZATION='${{ github.repository_owner }}' - --env LAUNCHABLE_WORKSPACE='${{ github.event.repository.name }}' - --env LAUNCHABLE_ENABLED='${{ steps.enable-launchable.outputs.enable-launchable || false }}' - --env GITHUB_PR_HEAD_SHA='${{ github.event.pull_request.head.sha || github.sha }}' - --env GITHUB_PULL_REQUEST_URL='${{ github.event.pull_request.html_url }}' - --env GITHUB_REF='${{ github.ref }}' + --env INPUT_WITH_GCC + --env INPUT_CFLAGS + --env INPUT_CXXFLAGS + --env INPUT_OPTFLAGS + --env INPUT_CPPFLAGS + --env INPUT_APPEND_CONFIGURE + --env INPUT_CHECK + --env INPUT_TEST_ALL + --env INPUT_TEST_SPEC + --env INPUT_ENABLE_SHARED + --env INPUT_STATIC_EXTS + --env LAUNCHABLE_ORGANIZATION + --env LAUNCHABLE_WORKSPACE + --env LAUNCHABLE_ENABLED + --env GITHUB_PR_HEAD_SHA + --env GITHUB_PULL_REQUEST_URL + --env GITHUB_REF --env GITHUB_ACTIONS --env GITHUB_RUN_ID --env GITHUB_REPOSITORY 
@@ -130,4 +132,23 @@ runs: --env GITHUB_SHA --env GITHUB_HEAD_REF --env GITHUB_SERVER_URL - 'ghcr.io/ruby/ruby-ci-image:${{ inputs.tag }}' + "ghcr.io/ruby/ruby-ci-image:${INPUT_TAG}" + env: + INPUT_TAG: ${{ inputs.tag }} + INPUT_WITH_GCC: ${{ inputs.with_gcc || inputs.tag }} + INPUT_CFLAGS: ${{ inputs.CFLAGS }} + INPUT_CXXFLAGS: ${{ inputs.CXXFLAGS }} + INPUT_OPTFLAGS: ${{ inputs.OPTFLAGS }} + INPUT_CPPFLAGS: ${{ inputs.cppflags }} + INPUT_APPEND_CONFIGURE: ${{ inputs.append_configure }} + INPUT_CHECK: ${{ inputs.check }} + INPUT_TEST_ALL: ${{ inputs.test_all }} + INPUT_TEST_SPEC: ${{ inputs.test_spec }} + INPUT_ENABLE_SHARED: ${{ inputs.enable_shared }} + INPUT_STATIC_EXTS: ${{ inputs.static_exts }} + LAUNCHABLE_ORGANIZATION: ${{ github.repository_owner }} + LAUNCHABLE_WORKSPACE: ${{ github.event.repository.name }} + LAUNCHABLE_ENABLED: ${{ steps.enable-launchable.outputs.enable-launchable || false }} + GITHUB_PR_HEAD_SHA: ${{ github.event.pull_request.head.sha || github.sha }} + GITHUB_PULL_REQUEST_URL: ${{ github.event.pull_request.html_url }} + GITHUB_REF: ${{ github.ref }} diff --git a/.github/actions/launchable/setup/action.yml b/.github/actions/launchable/setup/action.yml index 16af8fc3fd74d6..e0547633022da7 100644 --- a/.github/actions/launchable/setup/action.yml +++ b/.github/actions/launchable/setup/action.yml 
@@ -144,20 +144,26 @@ runs:
     - name: Set environment variables for Launchable
       shell: bash
-      run: |
+      run: | # zizmor: ignore[github-env]
         : # GITHUB_PULL_REQUEST_URL are used for commenting test reports in Launchable Github App.
         : # https://github.com/launchableinc/cli/blob/v1.80.1/launchable/utils/link.py#L42
-        echo "GITHUB_PULL_REQUEST_URL=${{ github.event.pull_request.html_url }}" >> $GITHUB_ENV
+        echo "GITHUB_PULL_REQUEST_URL=${INPUT_PR_HTML_URL}" >> $GITHUB_ENV
         : # The following envs are necessary in Launchable tokenless authentication.
         : # https://github.com/launchableinc/cli/blob/v1.80.1/launchable/utils/authentication.py#L20
-        echo "LAUNCHABLE_ORGANIZATION=${{ github.repository_owner }}" >> $GITHUB_ENV
-        echo "LAUNCHABLE_WORKSPACE=${{ github.event.repository.name }}" >> $GITHUB_ENV
+        echo "LAUNCHABLE_ORGANIZATION=${INPUT_REPOSITORY_OWNER}" >> $GITHUB_ENV
+        echo "LAUNCHABLE_WORKSPACE=${INPUT_REPOSITORY_NAME}" >> $GITHUB_ENV
         : # https://github.com/launchableinc/cli/blob/v1.80.1/launchable/utils/authentication.py#L71
-        echo "GITHUB_PR_HEAD_SHA=${{ github.event.pull_request.head.sha || github.sha }}" >> $GITHUB_ENV
-        echo "LAUNCHABLE_TOKEN=${{ inputs.launchable-token }}" >> $GITHUB_ENV
+        echo "GITHUB_PR_HEAD_SHA=${INPUT_PR_HEAD_SHA}" >> $GITHUB_ENV
+        echo "LAUNCHABLE_TOKEN=${INPUT_LAUNCHABLE_TOKEN}" >> $GITHUB_ENV
         : # To prevent a slowdown in CI, disable request retries when the Launchable server is unstable.
         echo "LAUNCHABLE_SKIP_TIMEOUT_RETRY=1" >> $GITHUB_ENV
         echo "LAUNCHABLE_COMMIT_TIMEOUT=1" >> $GITHUB_ENV
+      env:
+        INPUT_PR_HTML_URL: ${{ github.event.pull_request.html_url }}
+        INPUT_REPOSITORY_OWNER: ${{ github.repository_owner }}
+        INPUT_REPOSITORY_NAME: ${{ github.event.repository.name }}
+        INPUT_PR_HEAD_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
+        INPUT_LAUNCHABLE_TOKEN: ${{ inputs.launchable-token }}
       if: steps.enable-launchable.outputs.enable-launchable
     - name: Set up path
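Review bot: `echo "LAUNCHABLE_TOKEN=${INPUT_LAUNCHABLE_TOKEN}" >> $GITHUB_ENV` exports the Launchable credential (presumably a secret passed by the caller as `launchable-token`) into the job-wide environment, so every later step in the job, including third-party actions, inherits it; the `# zizmor: ignore[github-env]` on `run: |` silences exactly that warning. Routing the values through `env:` removes the shell injection but does not change where the token ends up. Keep the non-secret variables in `$GITHUB_ENV` and set `LAUNCHABLE_TOKEN` only on the steps that invoke `launchable`, via a step-level `env:` that reads the action input directly. Unrelated nit: `$GITHUB_ENV` should be double-quoted as it is elsewhere in this change, e.g. `>> "$GITHUB_ENV"`.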
@@ -165,7 +171,7 @@ runs: working-directory: ${{ inputs.srcdir }} # Since updated PATH variable will be available in only subsequent actions, we need to add the path beforehand. # https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#adding-a-system-path - run: echo "$(python -msite --user-base)/bin" >> $GITHUB_PATH + run: echo "$(python -msite --user-base)/bin" >> $GITHUB_PATH # zizmor: ignore[github-env] if: >- ${{ steps.enable-launchable.outputs.enable-launchable @@ -178,22 +184,22 @@ runs: id: setup-launchable shell: bash working-directory: ${{ inputs.srcdir }} - run: | + run: | # zizmor: ignore[github-env] set -x pip install --user launchable : # The build name cannot include a slash, so we replace the string here. - github_ref="${{ github.ref }}" + github_ref="${INPUT_GITHUB_REF}" github_ref="${github_ref//\//_}" : # With the --name option, we need to configure a unique identifier for this build. : # To avoid setting the same build name as the CI which runs on other branches, we use the branch name here. build_name="${github_ref}_${GITHUB_PR_HEAD_SHA}" - test_opts="${{ inputs.test-opts }}" + test_opts="${INPUT_TEST_OPTS}" test_opts="${test_opts// /}" test_opts="${test_opts//=/:}" test_all_test_suite='test-all' btest_test_suite='btest' test_spec_test_suite='test-spec' - if [ "${{ inputs.is-yjit }}" = "true" ]; then + if [ "${INPUT_IS_YJIT}" = "true" ]; then test_all_test_suite="yjit-${test_all_test_suite}" btest_test_suite="yjit-${btest_test_suite}" test_spec_test_suite="yjit-${test_spec_test_suite}" 
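Review bot: `pip install --user launchable` in the rewritten `setup-launchable` step installs whatever version PyPI serves at run time, with no version pin or hash, into a job that (per the preceding hunk) has already exported `LAUNCHABLE_TOKEN` to `$GITHUB_ENV`. The comments earlier in this file already reference `cli/blob/v1.80.1`, so pin to a known release, e.g. `pip install --user 'launchable==1.80.1'`, and consider a small requirements file with `--require-hashes` so a compromised or typosquatted upload cannot run with that token. `set -x` on the line above is fine today because the token is read from the environment rather than passed on a command line, but that is worth a one-line comment so a future `--token` style flag does not end up in the trace output.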
@@ -206,10 +212,10 @@ runs: session=$(launchable record session \ --build "${build_name}" \ --observation \ - --flavor os="${{ inputs.os }}" \ - --flavor test_task="${{ inputs.test-task }}" \ + --flavor os="${INPUT_OS}" \ + --flavor test_task="${INPUT_TEST_TASK}" \ --flavor test_opts="${test_opts}" \ - --flavor workflow="${{ github.workflow }}" \ + --flavor workflow="${INPUT_WORKFLOW}" \ --test-suite ${suite} \ ) echo "${target}_session=${session}" >> $GITHUB_OUTPUT @@ -230,6 +236,12 @@ runs: echo launchable_setup_dir=$(pwd) >> $GITHUB_OUTPUT if: steps.enable-launchable.outputs.enable-launchable env: + INPUT_GITHUB_REF: ${{ github.ref }} + INPUT_TEST_OPTS: ${{ inputs.test-opts }} + INPUT_IS_YJIT: ${{ inputs.is-yjit }} + INPUT_OS: ${{ inputs.os }} + INPUT_TEST_TASK: ${{ inputs.test-task }} + INPUT_WORKFLOW: ${{ github.workflow }} test_all_enabled: ${{ steps.global.outputs.test_all_enabled }} btest_enabled: ${{ steps.global.outputs.btest_enabled }} test_spec_enabled: ${{ steps.global.outputs.test_spec_enabled }} diff --git a/.github/actions/setup/directories/action.yml b/.github/actions/setup/directories/action.yml index 4f71ee592a6607..aeaa8d9783ba68 100644 --- a/.github/actions/setup/directories/action.yml +++ b/.github/actions/setup/directories/action.yml @@ -74,8 +74,11 @@ runs: # their bash manually installed. - shell: bash run: | - mkdir -p ${{ inputs.srcdir }} - mkdir -p ${{ inputs.builddir }} + mkdir -p "${INPUT_SRCDIR}" + mkdir -p "${INPUT_BUILDDIR}" + env: + INPUT_SRCDIR: ${{ inputs.srcdir }} + INPUT_BUILDDIR: ${{ inputs.builddir }} # Did you know that actions/checkout works without git(1)? We are # checking that here. @@ -99,6 +102,7 @@ runs: with: path: ${{ inputs.srcdir }} fetch-depth: ${{ inputs.fetch-depth }} + persist-credentials: false - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: 
@@ -113,16 +117,16 @@ runs: # This is for MinGW. - if: runner.os == 'Windows' shell: bash - run: echo "GNUMAKEFLAGS=-j$((2 * NUMBER_OF_PROCESSORS))" >> $GITHUB_ENV + run: echo "GNUMAKEFLAGS=-j$((2 * NUMBER_OF_PROCESSORS))" >> $GITHUB_ENV # zizmor: ignore[github-env] - if: runner.os == 'Linux' shell: bash - run: echo "GNUMAKEFLAGS=-sj$((1 + $(nproc)))" >> "$GITHUB_ENV" + run: echo "GNUMAKEFLAGS=-sj$((1 + $(nproc)))" >> "$GITHUB_ENV" # zizmor: ignore[github-env] # macOS' GNU make is so old that they doesn't understand `GNUMAKEFLAGS`. - if: runner.os == 'macOS' shell: bash - run: echo "MAKEFLAGS=-j$((1 + $(sysctl -n hw.activecpu)))" >> "$GITHUB_ENV" + run: echo "MAKEFLAGS=-j$((1 + $(sysctl -n hw.activecpu)))" >> "$GITHUB_ENV" # zizmor: ignore[github-env] - if: inputs.makeup shell: bash @@ -170,16 +174,22 @@ runs: done # drop {a..z}.rb if case-insensitive filesystem grep -F A.rb a.rb > /dev/null && set "${@:27}" - echo clean="cd ${{ inputs.builddir }} && rm $*" >> $GITHUB_OUTPUT + echo clean="cd ${INPUT_BUILDDIR} && rm $*" >> $GITHUB_OUTPUT + env: + INPUT_BUILDDIR: ${{ inputs.builddir }} - if: inputs.clean == 'true' shell: bash id: clean run: | - echo distclean='cd ${{ inputs.builddir }} && ${{ inputs.make-command }} distclean' >> $GITHUB_OUTPUT - echo remained-files='find ${{ inputs.builddir }} -ls' >> $GITHUB_OUTPUT - [ "${{ inputs.builddir }}" = "${{ inputs.srcdir }}" ] || - echo final='rmdir ${{ inputs.builddir }}' >> $GITHUB_OUTPUT + echo distclean="cd ${INPUT_BUILDDIR} && ${INPUT_MAKE_COMMAND} distclean" >> $GITHUB_OUTPUT + echo remained-files="find ${INPUT_BUILDDIR} -ls" >> $GITHUB_OUTPUT + [ "${INPUT_BUILDDIR}" = "${INPUT_SRCDIR}" ] || + echo final="rmdir ${INPUT_BUILDDIR}" >> $GITHUB_OUTPUT + env: + INPUT_BUILDDIR: ${{ inputs.builddir }} + INPUT_SRCDIR: ${{ inputs.srcdir }} + INPUT_MAKE_COMMAND: ${{ inputs.make-command }} - name: clean uses: gacts/run-and-post-run@81b6ce503cde93862cec047c54652e45c5dca991 # v1.4.3 
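Review bot: The `clean`, `distclean`, `remained-files` and `final` outputs in the second hunk are command strings, and the new code still interpolates `${INPUT_BUILDDIR}`, `${INPUT_SRCDIR}` and `${INPUT_MAKE_COMMAND}` into them unquoted, so a directory containing a space or shell metacharacter would be split or interpreted when the `clean` step below (presumably `gacts/run-and-post-run`, whose `with:` lies outside the hunk) executes them; moving the values into `env:` fixes the YAML-level template injection but not this. Escape the paths at generation time, e.g. `echo "clean=cd $(printf %q "${INPUT_BUILDDIR}") && rm $*" >> "$GITHUB_OUTPUT"`, and likewise for the `distclean`, `find` and `rmdir` strings. The inputs come from calling workflows (`srcdir: 'src'`, `builddir: 'build'` elsewhere in this patch), so this is robustness rather than a reachable injection.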
diff --git a/.github/actions/setup/macos/action.yml b/.github/actions/setup/macos/action.yml index d0072ff82890c4..9cd37a9b126992 100644 --- a/.github/actions/setup/macos/action.yml +++ b/.github/actions/setup/macos/action.yml @@ -17,7 +17,7 @@ runs: - name: Set ENV shell: bash - run: | + run: | # zizmor: ignore[github-env] dir_config() { local args=() lib var="$1"; shift for lib in "$@"; do diff --git a/.github/actions/setup/ubuntu/action.yml b/.github/actions/setup/ubuntu/action.yml index a9e5b419519818..b4454d49c72c96 100644 --- a/.github/actions/setup/ubuntu/action.yml +++ b/.github/actions/setup/ubuntu/action.yml @@ -26,7 +26,7 @@ runs: steps: - name: set SETARCH shell: bash - run: echo "SETARCH=${setarch}" >> "$GITHUB_ENV" + run: echo "SETARCH=${setarch}" >> "$GITHUB_ENV" # zizmor: ignore[github-env] env: setarch: ${{ inputs.arch && format('setarch {0} --', inputs.arch) }} diff --git a/.github/workflows/annocheck.yml b/.github/workflows/annocheck.yml index da37341e62d3cd..e7351adc0c9d59 100644 --- a/.github/workflows/annocheck.yml +++ b/.github/workflows/annocheck.yml @@ -65,6 +65,7 @@ jobs: with: sparse-checkout-cone-mode: false sparse-checkout: /.github + persist-credentials: false - uses: ./.github/actions/setup/directories with: diff --git a/.github/workflows/auto_review_pr.yml b/.github/workflows/auto_review_pr.yml index a399a712c9d146..9c826666483724 100644 --- a/.github/workflows/auto_review_pr.yml +++ b/.github/workflows/auto_review_pr.yml @@ -20,6 +20,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd # v1.288.0 with: diff --git a/.github/workflows/baseruby.yml b/.github/workflows/baseruby.yml index 324721130d0db1..4563a455fc05b0 100644 --- a/.github/workflows/baseruby.yml +++ b/.github/workflows/baseruby.yml 
@@ -54,6 +54,8 @@ jobs: bundler: none - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: ./.github/actions/setup/ubuntu diff --git a/.github/workflows/bundled_gems.yml b/.github/workflows/bundled_gems.yml index eaaf688b96ba01..5fffa0d6954d13 100644 --- a/.github/workflows/bundled_gems.yml +++ b/.github/workflows/bundled_gems.yml @@ -34,7 +34,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # zizmor: ignore[artipacked] with: token: ${{ (github.repository == 'ruby/ruby' && !startsWith(github.event_name, 'pull')) && secrets.MATZBOT_AUTO_UPDATE_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/check_dependencies.yml b/.github/workflows/check_dependencies.yml index 492b8727bfc3f6..1919e4f7bf2365 100644 --- a/.github/workflows/check_dependencies.yml +++ b/.github/workflows/check_dependencies.yml @@ -31,6 +31,8 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: ./.github/actions/setup/ubuntu if: ${{ contains(matrix.os, 'ubuntu') }} diff --git a/.github/workflows/check_misc.yml b/.github/workflows/check_misc.yml index 8a783e4268b1ae..6569c4f726fcfa 100644 --- a/.github/workflows/check_misc.yml +++ b/.github/workflows/check_misc.yml @@ -21,6 +21,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: token: ${{ (github.repository == 'ruby/ruby' && !startsWith(github.event_name, 'pull')) && secrets.MATZBOT_AUTO_UPDATE_TOKEN || secrets.GITHUB_TOKEN }} + persist-credentials: false - uses: ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd # v1.288.0 with: 
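Review bot: The `# zizmor: ignore[artipacked]` on the bundled_gems checkout keeps `MATZBOT_AUTO_UPDATE_TOKEN` (presumably a push-capable PAT, given its name and use when not on a pull event) persisted in `.git/config` for the rest of the job, where any later step or third-party action can read it. If pushing is the only reason for the token, the narrower shape is `persist-credentials: false` here and supplying the token only to the step that pushes, via a step-level `env:` consumed by the push command's remote URL or by a dedicated push action's `token:`; `check_misc.yml` in this same change already pairs `token:` with `persist-credentials: false`. If the suppression is kept, the reason (no untrusted steps after checkout, or the push step needs the persisted credential) belongs in a comment next to the ignore.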
@@ -94,6 +95,7 @@ jobs: repository: ruby/rdoc ref: ${{ steps.rdoc.outputs.ref }} path: .bundle/gems/rdoc-${{ steps.rdoc.outputs.version }} + persist-credentials: false if: ${{ steps.rdoc.outputs.ref != '' }} - name: Generate rdoc scripts diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/check_sast.yml similarity index 89% rename from .github/workflows/codeql-analysis.yml rename to .github/workflows/check_sast.yml index bad68d55a92116..dee4ca0ee9a767 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/check_sast.yml @@ -1,4 +1,4 @@ -name: 'CodeQL' +name: 'Check SAST tool' on: push: @@ -30,6 +30,24 @@ permissions: # added using https://github.com/step-security/secure-workflows contents: read jobs: + zizmor: + name: zizmor + + runs-on: ubuntu-latest + + permissions: + contents: read + security-events: write + + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor + uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0 + continue-on-error: true + analyze: name: Analyze runs-on: ubuntu-latest @@ -59,6 +77,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Install libraries if: ${{ contains(matrix.os, 'macos') }} diff --git a/.github/workflows/compilers.yml b/.github/workflows/compilers.yml index fb80471e8b983f..d02adc30e2da89 100644 --- a/.github/workflows/compilers.yml +++ b/.github/workflows/compilers.yml 
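Review bot: `continue-on-error: true` on the `Run zizmor` step means the new `zizmor` job can never fail, so the findings this patch suppresses with `# zizmor: ignore[...]` would have passed equally well with no suppressions; the audit only gates anything once the step is allowed to fail. If a soft rollout is intended, add a comment saying so and when it ends, or keep the step fatal and narrow the audit instead (the action exposes inputs such as `min-severity` and `persona` for that, if I recall its README correctly). Also note that `security-events: write` is not granted to `pull_request` runs from forks, so the SARIF upload is rejected there; if that is what `continue-on-error` is papering over, it is clearer to guard the upload with `if: ${{ !github.event.pull_request.head.repo.fork }}` or to fall back to plain output on fork PRs.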
@@ -52,7 +52,7 @@ jobs: services: { docuum: { image: 'stephanmisc/docuum', options: '--init', volumes: [ '/root', '/var/run/docker.sock:/var/run/docker.sock' ] } } steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github } + with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github, persist-credentials: false } # Set fetch-depth: 10 so that Launchable can receive commits information. - { uses: './.github/actions/setup/directories', with: { srcdir: 'src', builddir: 'build', makeup: true, fetch-depth: 10 } } - name: 'clang 22 LTO' @@ -75,7 +75,7 @@ jobs: services: { docuum: { image: 'stephanmisc/docuum', options: '--init', volumes: [ '/root', '/var/run/docker.sock:/var/run/docker.sock' ] } } steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github } + with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github, persist-credentials: false } - { uses: './.github/actions/setup/directories', with: { srcdir: 'src', builddir: 'build', makeup: true, fetch-depth: 10 } } - name: 'GCC 15 LTO' uses: './.github/actions/compilers' @@ -105,7 +105,7 @@ jobs: services: { docuum: { image: 'stephanmisc/docuum', options: '--init', volumes: [ '/root', '/var/run/docker.sock:/var/run/docker.sock' ] } } steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github } + with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github, persist-credentials: false } - { uses: './.github/actions/setup/directories', with: { srcdir: 'src', builddir: 'build', makeup: true, fetch-depth: 10 } } - { uses: './.github/actions/compilers', name: 'clang 23', with: { tag: 'clang-23' }, timeout-minutes: 5 } - { uses: './.github/actions/compilers', name: 'clang 22', with: { tag: 'clang-22' }, timeout-minutes: 5 } 
@@ -127,7 +127,7 @@ jobs: services: { docuum: { image: 'stephanmisc/docuum', options: '--init', volumes: [ '/root', '/var/run/docker.sock:/var/run/docker.sock' ] } } steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github } + with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github, persist-credentials: false } - { uses: './.github/actions/setup/directories', with: { srcdir: 'src', builddir: 'build', makeup: true, fetch-depth: 10 } } - { uses: './.github/actions/compilers', name: 'clang 13', with: { tag: 'clang-13' }, timeout-minutes: 5 } - { uses: './.github/actions/compilers', name: 'clang 12', with: { tag: 'clang-12' }, timeout-minutes: 5 } @@ -148,7 +148,7 @@ jobs: services: { docuum: { image: 'stephanmisc/docuum', options: '--init', volumes: [ '/root', '/var/run/docker.sock:/var/run/docker.sock' ] } } steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github } + with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github, persist-credentials: false } - { uses: './.github/actions/setup/directories', with: { srcdir: 'src', builddir: 'build', makeup: true, fetch-depth: 10 } } # -Wno-strict-prototypes is necessary with current clang-15 since # older autoconf generate functions without prototype and -pedantic 
@@ -174,7 +174,7 @@ jobs: services: { docuum: { image: 'stephanmisc/docuum', options: '--init', volumes: [ '/root', '/var/run/docker.sock:/var/run/docker.sock' ] } } steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github } + with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github, persist-credentials: false } - { uses: './.github/actions/setup/directories', with: { srcdir: 'src', builddir: 'build', makeup: true, fetch-depth: 10 } } - { uses: './.github/actions/compilers', name: 'C++20', with: { CXXFLAGS: '-std=c++20 -Werror=pedantic -pedantic-errors -Wno-c++11-long-long' }, timeout-minutes: 5 } - { uses: './.github/actions/compilers', name: 'C++23', with: { CXXFLAGS: '-std=c++23 -Werror=pedantic -pedantic-errors -Wno-c++11-long-long' }, timeout-minutes: 5 } @@ -194,7 +194,7 @@ jobs: services: { docuum: { image: 'stephanmisc/docuum', options: '--init', volumes: [ '/root', '/var/run/docker.sock:/var/run/docker.sock' ] } } steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github } + with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github, persist-credentials: false } - { uses: './.github/actions/setup/directories', with: { srcdir: 'src', builddir: 'build', makeup: true, fetch-depth: 10 } } - { uses: './.github/actions/compilers', name: 'disable-jit', with: { append_configure: '--disable-yjit --disable-zjit' }, timeout-minutes: 5 } - { uses: './.github/actions/compilers', name: 'disable-yjit', with: { append_configure: '--disable-yjit' }, timeout-minutes: 5 } 
@@ -216,7 +216,7 @@ jobs: services: { docuum: { image: 'stephanmisc/docuum', options: '--init', volumes: [ '/root', '/var/run/docker.sock:/var/run/docker.sock' ] } } steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github } + with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github, persist-credentials: false } - { uses: './.github/actions/setup/directories', with: { srcdir: 'src', builddir: 'build', makeup: true, fetch-depth: 10 } } - { uses: './.github/actions/compilers', name: 'NDEBUG', with: { cppflags: '-DNDEBUG' }, timeout-minutes: 5 } - { uses: './.github/actions/compilers', name: 'RUBY_DEBUG', with: { cppflags: '-DRUBY_DEBUG' }, timeout-minutes: 5 } @@ -236,7 +236,7 @@ jobs: services: { docuum: { image: 'stephanmisc/docuum', options: '--init', volumes: [ '/root', '/var/run/docker.sock:/var/run/docker.sock' ] } } steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github } + with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github, persist-credentials: false } - { uses: './.github/actions/setup/directories', with: { srcdir: 'src', builddir: 'build', makeup: true, fetch-depth: 10 } } - { uses: './.github/actions/compilers', name: 'HASH_DEBUG', with: { cppflags: '-DHASH_DEBUG' }, timeout-minutes: 5 } - { uses: './.github/actions/compilers', name: 'ID_TABLE_DEBUG', with: { cppflags: '-DID_TABLE_DEBUG' }, timeout-minutes: 5 } 
@@ -256,7 +256,7 @@ jobs: services: { docuum: { image: 'stephanmisc/docuum', options: '--init', volumes: [ '/root', '/var/run/docker.sock:/var/run/docker.sock' ] } } steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github } + with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github, persist-credentials: false } - { uses: './.github/actions/setup/directories', with: { srcdir: 'src', builddir: 'build', makeup: true, fetch-depth: 10 } } - { uses: './.github/actions/compilers', name: 'USE_LAZY_LOAD', with: { cppflags: '-DUSE_LAZY_LOAD' }, timeout-minutes: 5 } - { uses: './.github/actions/compilers', name: 'USE_SYMBOL_GC=0', with: { cppflags: '-DUSE_SYMBOL_GC=0' }, timeout-minutes: 5 } @@ -276,7 +276,7 @@ jobs: services: { docuum: { image: 'stephanmisc/docuum', options: '--init', volumes: [ '/root', '/var/run/docker.sock:/var/run/docker.sock' ] } } steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github } + with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github, persist-credentials: false } - { uses: './.github/actions/setup/directories', with: { srcdir: 'src', builddir: 'build', makeup: true, fetch-depth: 10 } } - { uses: './.github/actions/compilers', name: 'GC_DEBUG_STRESS_TO_CLASS', with: { cppflags: '-DGC_DEBUG_STRESS_TO_CLASS' }, timeout-minutes: 5 } - { uses: './.github/actions/compilers', name: 'GC_ENABLE_LAZY_SWEEP=0', with: { cppflags: '-DGC_ENABLE_LAZY_SWEEP=0' }, timeout-minutes: 5 } 
@@ -295,7 +295,7 @@ jobs: services: { docuum: { image: 'stephanmisc/docuum', options: '--init', volumes: [ '/root', '/var/run/docker.sock:/var/run/docker.sock' ] } } steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github } + with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github, persist-credentials: false } - { uses: './.github/actions/setup/directories', with: { srcdir: 'src', builddir: 'build', makeup: true, fetch-depth: 10 } } - { uses: './.github/actions/compilers', name: 'VM_DEBUG_BP_CHECK', with: { cppflags: '-DVM_DEBUG_BP_CHECK' }, timeout-minutes: 5 } - { uses: './.github/actions/compilers', name: 'VM_DEBUG_VERIFY_METHOD_CACHE', with: { cppflags: '-DVM_DEBUG_VERIFY_METHOD_CACHE' }, timeout-minutes: 5 } @@ -321,7 +321,7 @@ jobs: - 'compileC' steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github } + with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github, persist-credentials: false } - uses: ./.github/actions/slack with: label: 'omnibus' diff --git a/.github/workflows/cygwin.yml b/.github/workflows/cygwin.yml index 0e3b2e17c29927..eb90647b7e830d 100644 --- a/.github/workflows/cygwin.yml +++ b/.github/workflows/cygwin.yml @@ -41,6 +41,8 @@ jobs: - run: git config --global core.autocrlf input - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup Cygwin uses: cygwin/cygwin-install-action@master diff --git a/.github/workflows/default_gems_list.yml b/.github/workflows/default_gems_list.yml index f6f8d820e541b3..0634933499c0fa 100644 --- a/.github/workflows/default_gems_list.yml +++ b/.github/workflows/default_gems_list.yml 
@@ -23,7 +23,7 @@ jobs: if: ${{ github.repository == 'ruby/ruby' }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # zizmor: ignore[artipacked] with: token: ${{ (github.repository == 'ruby/ruby' && !startsWith(github.event_name, 'pull')) && secrets.MATZBOT_AUTO_UPDATE_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml index b1041b951a4ff1..6727fbc004120e 100644 --- a/.github/workflows/macos.yml +++ b/.github/workflows/macos.yml @@ -65,6 +65,7 @@ jobs: with: sparse-checkout-cone-mode: false sparse-checkout: /.github + persist-credentials: false - name: Install libraries uses: ./.github/actions/setup/macos diff --git a/.github/workflows/mingw.yml b/.github/workflows/mingw.yml index 27e21e36389f77..f7e46b7e4c59c3 100644 --- a/.github/workflows/mingw.yml +++ b/.github/workflows/mingw.yml @@ -172,6 +172,7 @@ jobs: with: sparse-checkout-cone-mode: false sparse-checkout: /.github + persist-credentials: false - uses: ./.github/actions/setup/directories with: diff --git a/.github/workflows/modgc.yml b/.github/workflows/modgc.yml index f8016d813d5eeb..6ad4e84ccbf467 100644 --- a/.github/workflows/modgc.yml +++ b/.github/workflows/modgc.yml @@ -52,6 +52,7 @@ jobs: with: sparse-checkout-cone-mode: false sparse-checkout: /.github + persist-credentials: false - name: Install libraries (macOS) uses: ./.github/actions/setup/macos @@ -100,8 +101,8 @@ jobs: - name: Run configure env: arch: ${{ matrix.arch }} - run: >- - $SETARCH ../src/configure -C --disable-install-doc --with-modular-gc=${{ env.MODULAR_GC_DIR }} + run: | + ${SETARCH} ../src/configure -C --disable-install-doc --with-modular-gc="${MODULAR_GC_DIR}" \ ${arch:+--target=$arch-$OSTYPE --host=$arch-$OSTYPE} - uses: actions-rust-lang/setup-rust-toolchain@1780873c7b576612439a134613cc4cc74ce5538c # v1.15.2 
@@ -111,7 +112,7 @@ jobs: echo 'MSPECOPT=-B../src/spec/mmtk.mspec' >> $GITHUB_ENV if: ${{ matrix.gc.name == 'mmtk' }} - - run: $SETARCH make + - run: ${SETARCH} make - name: Build Modular GC run: | @@ -119,7 +120,7 @@ jobs: make install-modular-gc MODULAR_GC=${{ matrix.gc.name }} MMTK_BUILD=${{ matrix.gc.mmtk_build }} make distclean-modular-gc MODULAR_GC=${{ matrix.gc.name }} - - run: $SETARCH make hello + - run: ${SETARCH} make hello - name: Set test options for skipped tests run: | @@ -145,7 +146,7 @@ jobs: test -n "${LAUNCHABLE_STDOUT}" && exec 1> >(tee "${LAUNCHABLE_STDOUT}") test -n "${LAUNCHABLE_STDERR}" && exec 2> >(tee "${LAUNCHABLE_STDERR}") - $SETARCH make -s ${{ matrix.test_task }} \ + ${SETARCH} make -s ${{ matrix.test_task }} \ ${TESTS:+TESTS="$TESTS"} \ ${{ !contains(matrix.test_task, 'bundle') && 'RUBYOPT=-w' || '' }} timeout-minutes: ${{ matrix.gc.timeout || 40 }} @@ -158,7 +159,7 @@ jobs: - name: make skipped tests run: | - $SETARCH make -s test-all TESTS="${TESTS//-n!\//-n/}" + ${SETARCH} make -s test-all TESTS="${TESTS//-n!\//-n/}" env: GNUMAKEFLAGS: '' RUBY_TESTOPTS: '-v --tty=no' diff --git a/.github/workflows/parse_y.yml b/.github/workflows/parse_y.yml index fddc9358b5addd..13ca6ad5d3fba1 100644 --- a/.github/workflows/parse_y.yml +++ b/.github/workflows/parse_y.yml @@ -55,6 +55,7 @@ jobs: with: sparse-checkout-cone-mode: false sparse-checkout: /.github + persist-credentials: false - uses: ./.github/actions/setup/ubuntu diff --git a/.github/workflows/post_push.yml b/.github/workflows/post_push.yml index 95ac8b202fb99f..1352dd2cc7ce30 100644 --- a/.github/workflows/post_push.yml +++ b/.github/workflows/post_push.yml 
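Review bot: The four `$SETARCH` → `${SETARCH}` rewrites in modgc.yml are cosmetic, while the same hunks still interpolate `${{ matrix.test_task }}`, `${{ matrix.gc.name }}`, `${{ matrix.gc.mmtk_build }}` and the `${{ !contains(...) && 'RUBYOPT=-w' || '' }}` expression straight into `run:`; that is safe only because these come from a static matrix, whereas the rest of this change routes values through `env:` regardless. For consistency, put `TEST_TASK: ${{ matrix.test_task }}` and the GC names in the step's `env:` and write `${SETARCH} make -s "${TEST_TASK}" \`. `${SETARCH}` itself must stay unquoted, since per the ubuntu setup action in this patch it expands to `setarch <arch> --` and relies on word splitting.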
@@ -28,7 +28,7 @@ jobs:
           REDMINE_SYS_API_KEY: ${{ secrets.REDMINE_SYS_API_KEY }}
         if: ${{ github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/ruby_') }}
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # zizmor: ignore[artipacked]
         with:
           fetch-depth: 500 # for notify-slack-commits
           token: ${{ secrets.MATZBOT_AUTO_UPDATE_TOKEN }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 970a31dda7f7ce..7db5d2f1891f0b 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -16,20 +16,24 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - uses: ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd # v1.288.0
         with:
           ruby-version: 3.3.4
       - name: Store Ruby version
+        env:
+          RUBY_VERSION: ${{ github.event.client_payload.version || github.event.inputs.version }}
         run: |
-          echo "RUBY_VERSION=${{ github.event.client_payload.version || github.event.inputs.version }}" >> $GITHUB_ENV
+          echo "RUBY_VERSION=${RUBY_VERSION}" >> $GITHUB_ENV
       - name: Store ABI version
-        run: echo "ABI_VERSION=$(echo ${{ env.RUBY_VERSION }} | cut -d '.' -f 1-2)" >> $GITHUB_ENV
+        run: echo "ABI_VERSION=$(echo ${RUBY_VERSION} | cut -d '.' -f 1-2)" >> $GITHUB_ENV
       - name: Copy draft package `/tmp` to `/pub` directory
-        run: tool/release.sh ${{ env.RUBY_VERSION }}
+        run: tool/release.sh ${RUBY_VERSION}
         env:
           AWS_ACCESS_KEY_ID: ${{ secrets.FTP_R_L_O_AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.FTP_R_L_O_AWS_SECRET_ACCESS_KEY }}
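Review bot: In the publish.yml hunk, `RUBY_VERSION` now reaches the shell through `env:`, which removes the script injection, but `echo "RUBY_VERSION=${RUBY_VERSION}" >> $GITHUB_ENV` then writes it verbatim, so a `client_payload.version` or `inputs.version` containing a newline can define extra variables (overriding `AWS_ACCESS_KEY_ID`, or setting `LD_PRELOAD`) for every later step of a job that holds the S3 credentials in this hunk and the Fastly and GitHub tokens further down. Whoever can send the `repository_dispatch` or `workflow_dispatch` is presumably a maintainer or release bot, so treat this as defence in depth and validate before exporting: `case "${RUBY_VERSION}" in ''|*[!0-9A-Za-z.-]*) echo "bad version: ${RUBY_VERSION}" >&2; exit 1;; esac`. That check also makes the unquoted `tool/release.sh ${RUBY_VERSION}` and `$(echo ${RUBY_VERSION} | cut ...)` on the following lines safe from word splitting, though quoting them costs nothing.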
@@ -39,19 +43,19 @@ jobs:
 run: |
 curl -X POST \
 -H "Fastly-Key: ${{ secrets.FASTLY_PURGE_TOKEN }}" \
- https://api.fastly.com/purge/cache.ruby-lang.org/pub/ruby/${{ env.ABI_VERSION }}/ruby-${{ env.RUBY_VERSION }}.tar.gz
+ https://api.fastly.com/purge/cache.ruby-lang.org/pub/ruby/${ABI_VERSION}/ruby-${RUBY_VERSION}.tar.gz
 curl -X POST \
 -H "Fastly-Key: ${{ secrets.FASTLY_PURGE_TOKEN }}" \
- https://api.fastly.com/purge/cache.ruby-lang.org/pub/ruby/${{ env.ABI_VERSION }}/ruby-${{ env.RUBY_VERSION }}.tar.xz
+ https://api.fastly.com/purge/cache.ruby-lang.org/pub/ruby/${ABI_VERSION}/ruby-${RUBY_VERSION}.tar.xz
 curl -X POST \
 -H "Fastly-Key: ${{ secrets.FASTLY_PURGE_TOKEN }}" \
- https://api.fastly.com/purge/cache.ruby-lang.org/pub/ruby/${{ env.ABI_VERSION }}/ruby-${{ env.RUBY_VERSION }}.zip
+ https://api.fastly.com/purge/cache.ruby-lang.org/pub/ruby/${ABI_VERSION}/ruby-${RUBY_VERSION}.zip
 - name: Create a release on GitHub
 run: |
- RELEASE_TAG=$(ruby tool/ruby-version.rb tag "${{ env.RUBY_VERSION }}")
+ RELEASE_TAG=$(ruby tool/ruby-version.rb tag "${RUBY_VERSION}")
 echo $RELEASE_TAG
- PREVIOUS_RELEASE_TAG=$(ruby tool/ruby-version.rb previous-tag "${{ env.RUBY_VERSION }}")
+ PREVIOUS_RELEASE_TAG=$(ruby tool/ruby-version.rb previous-tag "${RUBY_VERSION}")
 echo $PREVIOUS_RELEASE_TAG
 tool/gen-github-release.rb $PREVIOUS_RELEASE_TAG $RELEASE_TAG --no-dry-run
 env:
@@ -73,7 +77,7 @@ jobs:
 -H "Accept: application/vnd.github+json" \
 -H "X-GitHub-Api-Version: 2022-11-28" \
 https://api.github.com/repos/ruby/docker-images/actions/workflows/build.yml/dispatches \
- -d '{"ref": "master", "inputs": {"ruby_version": "${{ env.RUBY_VERSION }}"}}'
+ -d "{\"ref\": \"master\", \"inputs\": {\"ruby_version\": \"${RUBY_VERSION}\"}}"
 - name: Build snapcraft packages
 run: |
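Review bot: The `-d` body of the docker-images dispatch is still assembled by string interpolation; the commit only swaps `${{ env.RUBY_VERSION }}` for `${RUBY_VERSION}` inside hand-escaped JSON, so a value containing `"` or `\` would still break or extend the payload. Let jq build the document instead, which is present on the hosted Ubuntu runner image this job uses: `-d "$(jq -cn --arg v "${RUBY_VERSION}" '{ref: "master", inputs: {ruby_version: $v}}')"`. The same applies to the snap.ruby and ruby-build dispatches at -82 and -95 and to the `$GITHUB_REF` body in release.yml at -15. In the Fastly hunk above (-39) the purge URLs are unquoted shell words, so `"https://api.fastly.com/purge/cache.ruby-lang.org/pub/ruby/${ABI_VERSION}/ruby-${RUBY_VERSION}.tar.gz"` and its two siblings would be safer; the enclosing `run: |` blocks start outside both hunks.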
@@ -82,7 +86,7 @@ jobs:
 -H "Accept: application/vnd.github+json" \
 -H "X-GitHub-Api-Version: 2022-11-28" \
 https://api.github.com/repos/ruby/snap.ruby/dispatches \
- -d '{"event_type": "build", "client_payload": {"ruby_version": "${{ env.RUBY_VERSION }}"}}'
+ -d "{\"event_type\": \"build\", \"client_payload\": {\"ruby_version\": \"${RUBY_VERSION}\"}}"
 - name: Store the latest LTS version of OpenSSL
 run: |
@@ -95,7 +99,7 @@ jobs:
 -H "Accept: application/vnd.github+json" \
 -H "X-GitHub-Api-Version: 2022-11-28" \
 https://api.github.com/repos/rbenv/ruby-build/dispatches \
- -d '{"event_type": "update-ruby", "client_payload": {"ruby_version": "${{ env.RUBY_VERSION }}", "openssl_version": "${{ env.OPENSSL_VERSION }}"}}'
+ -d "{\"event_type\": \"update-ruby\", \"client_payload\": {\"ruby_version\": \"${RUBY_VERSION}\", \"openssl_version\": \"${OPENSSL_VERSION}\"}}"
 - name: Update all-ruby definition
 run: |
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5d4474d978f51a..c45277abe88a64 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -15,4 +15,4 @@ jobs:
 -H "Accept: application/vnd.github+json" \
 -H "X-GitHub-Api-Version: 2022-11-28" \
 https://api.github.com/repos/ruby/actions/dispatches \
- -d '{"event_type": "${{ github.ref }}"}'
+ -d "{\"event_type\": \"$GITHUB_REF\"}"
diff --git a/.github/workflows/rust-warnings.yml b/.github/workflows/rust-warnings.yml
index df65245ca157ec..07ec32133dc0c9 100644
--- a/.github/workflows/rust-warnings.yml
+++ b/.github/workflows/rust-warnings.yml
@@ -37,6 +37,8 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Install Rust
 run: rustup default beta
diff --git a/.github/workflows/spec_guards.yml b/.github/workflows/spec_guards.yml
index 50491c082da766..029f4a6bd43962 100644
--- a/.github/workflows/spec_guards.yml
+++ b/.github/workflows/spec_guards.yml
@@ -46,6 +46,8 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - uses: ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd # v1.288.0
 with:
diff --git a/.github/workflows/sync_default_gems.yml b/.github/workflows/sync_default_gems.yml
index 051bdd14d1a446..8355159e249e57 100644
--- a/.github/workflows/sync_default_gems.yml
+++ b/.github/workflows/sync_default_gems.yml
@@ -31,7 +31,7 @@ jobs:
 if: ${{ github.repository == 'ruby/ruby' }}
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # zizmor: ignore[artipacked]
 name: Check out ruby/ruby
 with:
 token: ${{ github.repository == 'ruby/ruby' && secrets.MATZBOT_AUTO_UPDATE_TOKEN || secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/ubuntu.yml b/.github/workflows/ubuntu.yml
index f99bffa16c6a5c..0de982cbe4f369 100644
--- a/.github/workflows/ubuntu.yml
+++ b/.github/workflows/ubuntu.yml
@@ -64,6 +64,7 @@ jobs:
 with:
 sparse-checkout-cone-mode: false
 sparse-checkout: /.github
+ persist-credentials: false
 - uses: ./.github/actions/setup/ubuntu
 with:
@@ -222,6 +223,8 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - uses: ./.github/actions/setup/ubuntu
@@ -240,6 +243,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 repository: ruby/ruby-bench
+ persist-credentials: false
 path: ruby-bench
 # If you want to skip failing benchmark, consider using `--excludes`.
diff --git a/.github/workflows/wasm.yml b/.github/workflows/wasm.yml
index 7c4d29b4c16283..b9f02735dd8992 100644
--- a/.github/workflows/wasm.yml
+++ b/.github/workflows/wasm.yml
@@ -63,6 +63,7 @@ jobs:
 with:
 sparse-checkout-cone-mode: false
 sparse-checkout: /.github
+ persist-credentials: false
 - uses: ./.github/actions/setup/directories
 with:
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index b50d1310154491..1b9be96ab7b189 100644
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -68,6 +68,7 @@ jobs:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
+ persist-credentials: false
 sparse-checkout-cone-mode: false
 sparse-checkout: /.github
diff --git a/.github/workflows/yjit-macos.yml b/.github/workflows/yjit-macos.yml
index d7509c8bf5d8ed..23a49a9291ebf0 100644
--- a/.github/workflows/yjit-macos.yml
+++ b/.github/workflows/yjit-macos.yml
@@ -42,6 +42,8 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - run: RUST_BACKTRACE=1 cargo test
 working-directory: yjit
@@ -87,6 +89,7 @@ jobs:
 with:
 sparse-checkout-cone-mode: false
 sparse-checkout: /.github
+ persist-credentials: false
 - name: Install libraries
 uses: ./.github/actions/setup/macos
diff --git a/.github/workflows/yjit-ubuntu.yml b/.github/workflows/yjit-ubuntu.yml
index 5aed6bbc2b3a72..1ff0b1deb3b765 100644
--- a/.github/workflows/yjit-ubuntu.yml
+++ b/.github/workflows/yjit-ubuntu.yml
@@ -37,6 +37,8 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 # For now we can't run cargo test --offline because it complains about the
 # capstone dependency, even though the dependency is optional
@@ -69,6 +71,8 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 # Check that we don't have linting errors in release mode, too
 - run: cargo clippy --all-targets --all-features
@@ -125,6 +129,7 @@ jobs:
 with:
 sparse-checkout-cone-mode: false
 sparse-checkout: /.github
+ persist-credentials: false
 - uses: ./.github/actions/setup/ubuntu
diff --git a/.github/workflows/zjit-macos.yml b/.github/workflows/zjit-macos.yml
index 2086635c8815c8..232d26ed2bd752 100644
--- a/.github/workflows/zjit-macos.yml
+++ b/.github/workflows/zjit-macos.yml
@@ -72,6 +72,7 @@ jobs:
 with:
 sparse-checkout-cone-mode: false
 sparse-checkout: /.github
+ persist-credentials: false
 - name: Install libraries
 uses: ./.github/actions/setup/macos
@@ -173,6 +174,8 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - uses: ./.github/actions/setup/macos
@@ -194,6 +197,7 @@ jobs:
 - name: Checkout ruby-bench
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
+ persist-credentials: false
 repository: ruby/ruby-bench
 path: ruby-bench
diff --git a/.github/workflows/zjit-ubuntu.yml b/.github/workflows/zjit-ubuntu.yml
index 637a46b82e82f6..9045555555b651 100644
--- a/.github/workflows/zjit-ubuntu.yml
+++ b/.github/workflows/zjit-ubuntu.yml
@@ -42,6 +42,8 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - run: cargo clippy --all-targets --all-features
 working-directory: zjit
@@ -108,6 +110,7 @@ jobs:
 with:
 sparse-checkout-cone-mode: false
 sparse-checkout: /.github
+ persist-credentials: false
 - uses: ./.github/actions/setup/ubuntu
@@ -230,6 +233,8 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - uses: ./.github/actions/setup/ubuntu
@@ -248,6 +253,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 repository: ruby/ruby-bench
+ persist-credentials: false
 path: ruby-bench
 # If you want to skip failing benchmark, consider using `--excludes`.
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 00000000000000..dc96bc4167f8c8
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,29 @@
+# Ignore existing findings (baseline)
+# Composite action findings are suppressed inline with # zizmor: ignore
+rules:
+ dangerous-triggers:
+ ignore:
+ - auto_request_review.yml
+ - auto_review_pr.yml
+ - labeler.yml
+ - pr-playground.yml
+ dependabot-cooldown:
+ ignore:
+ - dependabot.yml
+ excessive-permissions:
+ ignore:
+ - post_push.yml
+ - publish.yml
+ - release.yml
+ - wsl.yml
+ misfeature:
+ ignore:
+ - mingw.yml
+ - windows.yml
+ unpinned-images:
+ ignore:
+ - compilers.yml
+ unpinned-uses:
+ ignore:
+ - cygwin.yml
+ - wsl.yml
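Review bot: Each `ignore` entry in the new baseline silences the whole file for that rule, so any future finding of the same class in those workflows is hidden along with the pre-existing one; zizmor's config also accepts `file.yml:line` entries, which would pin each suppression to the finding it was meant to cover. The `dangerous-triggers` ignores for the four workflows deserve that treatment most, since that rule covers the highest-impact class of workflow findings, and each would benefit from a one-line reason. The header comment should also make the intent explicit, e.g. `# Baseline of findings accepted as-is when zizmor was introduced; do not add entries here, fix or suppress inline with a reason instead.` The file lacks a leading `---` document marker that the other workflow files in this tree may use.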