[pull] master from ruby:master

.github/actions/capiext/action.yml

@@ -46,7 +46,7 @@ runs:
     - name: Run test-spec with previous CAPI extension binaries
       id: check
       shell: bash
-      run: |
+      run: | # zizmor: ignore[template-injection]
         touch spec/ruby/optional/capi/ext/*.$DLEXT
         [ ! -f spec/ruby/optional/capi/ext/\*.$DLEXT ]
         ${{ inputs.make }} SPECOPTS=optional/capi test-spec

.github/actions/compilers/action.yml

@@ -81,7 +81,9 @@ runs:
   using: composite
   steps:
     - shell: bash
-      run: docker pull --quiet 'ghcr.io/ruby/ruby-ci-image:${{ inputs.tag }}'
+      run: docker pull --quiet "ghcr.io/ruby/ruby-ci-image:${INPUT_TAG}"
+      env:
+        INPUT_TAG: ${{ inputs.tag }}
 
     - name: Enable Launchable conditionally
       id: enable-launchable
@@ -99,28 +101,28 @@ runs:
         docker run
         --rm
         --user=root
-        --volume '${{ github.workspace }}:/github/workspace:ro'
+        --volume "${GITHUB_WORKSPACE}:/github/workspace:ro"
         --workdir=/github/workspace
         --entrypoint=/github/workspace/.github/actions/compilers/entrypoint.sh
         --env CI
         --env GITHUB_ACTION
-        --env INPUT_WITH_GCC='${{ inputs.with_gcc || inputs.tag }}'
-        --env INPUT_CFLAGS='${{ inputs.CFLAGS }}'
-        --env INPUT_CXXFLAGS='${{ inputs.CXXFLAGS }}'
-        --env INPUT_OPTFLAGS='${{ inputs.OPTFLAGS }}'
-        --env INPUT_CPPFLAGS='${{ inputs.cppflags }}'
-        --env INPUT_APPEND_CONFIGURE='${{ inputs.append_configure }}'
-        --env INPUT_CHECK='${{ inputs.check }}'
-        --env INPUT_TEST_ALL='${{ inputs.test_all }}'
-        --env INPUT_TEST_SPEC='${{ inputs.test_spec }}'
-        --env INPUT_ENABLE_SHARED='${{ inputs.enable_shared }}'
-        --env INPUT_STATIC_EXTS='${{ inputs.static_exts }}'
-        --env LAUNCHABLE_ORGANIZATION='${{ github.repository_owner }}'
-        --env LAUNCHABLE_WORKSPACE='${{ github.event.repository.name }}'
-        --env LAUNCHABLE_ENABLED='${{ steps.enable-launchable.outputs.enable-launchable || false }}'
-        --env GITHUB_PR_HEAD_SHA='${{ github.event.pull_request.head.sha || github.sha }}'
-        --env GITHUB_PULL_REQUEST_URL='${{ github.event.pull_request.html_url }}'
-        --env GITHUB_REF='${{ github.ref }}'
+        --env INPUT_WITH_GCC
+        --env INPUT_CFLAGS
+        --env INPUT_CXXFLAGS
+        --env INPUT_OPTFLAGS
+        --env INPUT_CPPFLAGS
+        --env INPUT_APPEND_CONFIGURE
+        --env INPUT_CHECK
+        --env INPUT_TEST_ALL
+        --env INPUT_TEST_SPEC
+        --env INPUT_ENABLE_SHARED
+        --env INPUT_STATIC_EXTS
+        --env LAUNCHABLE_ORGANIZATION
+        --env LAUNCHABLE_WORKSPACE
+        --env LAUNCHABLE_ENABLED
+        --env GITHUB_PR_HEAD_SHA
+        --env GITHUB_PULL_REQUEST_URL
+        --env GITHUB_REF
         --env GITHUB_ACTIONS
         --env GITHUB_RUN_ID
         --env GITHUB_REPOSITORY
@@ -130,4 +132,23 @@ runs:
         --env GITHUB_SHA
         --env GITHUB_HEAD_REF
         --env GITHUB_SERVER_URL
-        'ghcr.io/ruby/ruby-ci-image:${{ inputs.tag }}'
+        "ghcr.io/ruby/ruby-ci-image:${INPUT_TAG}"
+      env:
+        INPUT_TAG: ${{ inputs.tag }}
+        INPUT_WITH_GCC: ${{ inputs.with_gcc || inputs.tag }}
+        INPUT_CFLAGS: ${{ inputs.CFLAGS }}
+        INPUT_CXXFLAGS: ${{ inputs.CXXFLAGS }}
+        INPUT_OPTFLAGS: ${{ inputs.OPTFLAGS }}
+        INPUT_CPPFLAGS: ${{ inputs.cppflags }}
+        INPUT_APPEND_CONFIGURE: ${{ inputs.append_configure }}
+        INPUT_CHECK: ${{ inputs.check }}
+        INPUT_TEST_ALL: ${{ inputs.test_all }}
+        INPUT_TEST_SPEC: ${{ inputs.test_spec }}
+        INPUT_ENABLE_SHARED: ${{ inputs.enable_shared }}
+        INPUT_STATIC_EXTS: ${{ inputs.static_exts }}
+        LAUNCHABLE_ORGANIZATION: ${{ github.repository_owner }}
+        LAUNCHABLE_WORKSPACE: ${{ github.event.repository.name }}
+        LAUNCHABLE_ENABLED: ${{ steps.enable-launchable.outputs.enable-launchable || false }}
+        GITHUB_PR_HEAD_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
+        GITHUB_PULL_REQUEST_URL: ${{ github.event.pull_request.html_url }}
+        GITHUB_REF: ${{ github.ref }}

.github/actions/launchable/setup/action.yml

@@ -144,28 +144,34 @@ runs:
 
     - name: Set environment variables for Launchable
       shell: bash
-      run: |
+      run: | # zizmor: ignore[github-env]
         : # GITHUB_PULL_REQUEST_URL are used for commenting test reports in Launchable Github App.
         : # https://github.com/launchableinc/cli/blob/v1.80.1/launchable/utils/link.py#L42
-        echo "GITHUB_PULL_REQUEST_URL=${{ github.event.pull_request.html_url }}" >> $GITHUB_ENV
+        echo "GITHUB_PULL_REQUEST_URL=${INPUT_PR_HTML_URL}" >> $GITHUB_ENV
         : # The following envs are necessary in Launchable tokenless authentication.
         : # https://github.com/launchableinc/cli/blob/v1.80.1/launchable/utils/authentication.py#L20
-        echo "LAUNCHABLE_ORGANIZATION=${{ github.repository_owner }}" >> $GITHUB_ENV
-        echo "LAUNCHABLE_WORKSPACE=${{ github.event.repository.name }}" >> $GITHUB_ENV
+        echo "LAUNCHABLE_ORGANIZATION=${INPUT_REPOSITORY_OWNER}" >> $GITHUB_ENV
+        echo "LAUNCHABLE_WORKSPACE=${INPUT_REPOSITORY_NAME}" >> $GITHUB_ENV
         : # https://github.com/launchableinc/cli/blob/v1.80.1/launchable/utils/authentication.py#L71
-        echo "GITHUB_PR_HEAD_SHA=${{ github.event.pull_request.head.sha || github.sha }}" >> $GITHUB_ENV
-        echo "LAUNCHABLE_TOKEN=${{ inputs.launchable-token }}" >> $GITHUB_ENV
+        echo "GITHUB_PR_HEAD_SHA=${INPUT_PR_HEAD_SHA}" >> $GITHUB_ENV
+        echo "LAUNCHABLE_TOKEN=${INPUT_LAUNCHABLE_TOKEN}" >> $GITHUB_ENV
         : # To prevent a slowdown in CI, disable request retries when the Launchable server is unstable.
         echo "LAUNCHABLE_SKIP_TIMEOUT_RETRY=1" >> $GITHUB_ENV
         echo "LAUNCHABLE_COMMIT_TIMEOUT=1" >> $GITHUB_ENV
+      env:
+        INPUT_PR_HTML_URL: ${{ github.event.pull_request.html_url }}
+        INPUT_REPOSITORY_OWNER: ${{ github.repository_owner }}
+        INPUT_REPOSITORY_NAME: ${{ github.event.repository.name }}
+        INPUT_PR_HEAD_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
+        INPUT_LAUNCHABLE_TOKEN: ${{ inputs.launchable-token }}
       if: steps.enable-launchable.outputs.enable-launchable
 
     - name: Set up path
       shell: bash
       working-directory: ${{ inputs.srcdir }}
       # Since updated PATH variable will be available in only subsequent actions, we need to add the path beforehand.
       # https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#adding-a-system-path
-      run: echo "$(python -msite --user-base)/bin" >> $GITHUB_PATH
+      run: echo "$(python -msite --user-base)/bin" >> $GITHUB_PATH # zizmor: ignore[github-env]
       if: >-
         ${{
         steps.enable-launchable.outputs.enable-launchable
@@ -178,22 +184,22 @@ runs:
       id: setup-launchable
       shell: bash
       working-directory: ${{ inputs.srcdir }}
-      run: |
+      run: | # zizmor: ignore[github-env]
         set -x
         pip install --user launchable
         : # The build name cannot include a slash, so we replace the string here.
-        github_ref="${{ github.ref }}"
+        github_ref="${INPUT_GITHUB_REF}"
         github_ref="${github_ref//\//_}"
         : # With the --name option, we need to configure a unique identifier for this build.
         : # To avoid setting the same build name as the CI which runs on other branches, we use the branch name here.
         build_name="${github_ref}_${GITHUB_PR_HEAD_SHA}"
-        test_opts="${{ inputs.test-opts }}"
+        test_opts="${INPUT_TEST_OPTS}"
         test_opts="${test_opts// /}"
         test_opts="${test_opts//=/:}"
         test_all_test_suite='test-all'
         btest_test_suite='btest'
         test_spec_test_suite='test-spec'
-        if [ "${{ inputs.is-yjit }}" = "true" ]; then
+        if [ "${INPUT_IS_YJIT}" = "true" ]; then
           test_all_test_suite="yjit-${test_all_test_suite}"
           btest_test_suite="yjit-${btest_test_suite}"
           test_spec_test_suite="yjit-${test_spec_test_suite}"
@@ -206,10 +212,10 @@ runs:
           session=$(launchable record session \
             --build "${build_name}" \
             --observation \
-            --flavor os="${{ inputs.os }}" \
-            --flavor test_task="${{ inputs.test-task }}" \
+            --flavor os="${INPUT_OS}" \
+            --flavor test_task="${INPUT_TEST_TASK}" \
             --flavor test_opts="${test_opts}" \
-            --flavor workflow="${{ github.workflow }}" \
+            --flavor workflow="${INPUT_WORKFLOW}" \
             --test-suite ${suite} \
             )
           echo "${target}_session=${session}" >> $GITHUB_OUTPUT
@@ -230,6 +236,12 @@ runs:
         echo launchable_setup_dir=$(pwd) >> $GITHUB_OUTPUT
       if: steps.enable-launchable.outputs.enable-launchable
       env:
+        INPUT_GITHUB_REF: ${{ github.ref }}
+        INPUT_TEST_OPTS: ${{ inputs.test-opts }}
+        INPUT_IS_YJIT: ${{ inputs.is-yjit }}
+        INPUT_OS: ${{ inputs.os }}
+        INPUT_TEST_TASK: ${{ inputs.test-task }}
+        INPUT_WORKFLOW: ${{ github.workflow }}
         test_all_enabled: ${{ steps.global.outputs.test_all_enabled }}
         btest_enabled: ${{ steps.global.outputs.btest_enabled }}
         test_spec_enabled: ${{ steps.global.outputs.test_spec_enabled }}

.github/actions/setup/directories/action.yml

@@ -74,8 +74,11 @@ runs:
     # their bash manually installed.
     - shell: bash
       run: |
-        mkdir -p ${{ inputs.srcdir }}
-        mkdir -p ${{ inputs.builddir }}
+        mkdir -p "${INPUT_SRCDIR}"
+        mkdir -p "${INPUT_BUILDDIR}"
+      env:
+        INPUT_SRCDIR: ${{ inputs.srcdir }}
+        INPUT_BUILDDIR: ${{ inputs.builddir }}
 
     # Did you know that actions/checkout works without git(1)?  We are
     # checking that here.
@@ -99,6 +102,7 @@ runs:
       with:
         path: ${{ inputs.srcdir }}
         fetch-depth: ${{ inputs.fetch-depth }}
+        persist-credentials: false
 
     - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
       with:
@@ -113,16 +117,16 @@ runs:
     # This is for MinGW.
     - if: runner.os == 'Windows'
       shell: bash
-      run: echo "GNUMAKEFLAGS=-j$((2 * NUMBER_OF_PROCESSORS))" >> $GITHUB_ENV
+      run: echo "GNUMAKEFLAGS=-j$((2 * NUMBER_OF_PROCESSORS))" >> $GITHUB_ENV # zizmor: ignore[github-env]
 
     - if: runner.os == 'Linux'
       shell: bash
-      run: echo "GNUMAKEFLAGS=-sj$((1 + $(nproc)))" >> "$GITHUB_ENV"
+      run: echo "GNUMAKEFLAGS=-sj$((1 + $(nproc)))" >> "$GITHUB_ENV" # zizmor: ignore[github-env]
 
     # macOS' GNU make is so old that they doesn't understand `GNUMAKEFLAGS`.
     - if: runner.os == 'macOS'
       shell: bash
-      run: echo "MAKEFLAGS=-j$((1 + $(sysctl -n hw.activecpu)))" >> "$GITHUB_ENV"
+      run: echo "MAKEFLAGS=-j$((1 + $(sysctl -n hw.activecpu)))" >> "$GITHUB_ENV" # zizmor: ignore[github-env]
 
     - if: inputs.makeup
       shell: bash
@@ -170,16 +174,22 @@ runs:
         done
         # drop {a..z}.rb if case-insensitive filesystem
         grep -F A.rb a.rb > /dev/null && set "${@:27}"
-        echo clean="cd ${{ inputs.builddir }} && rm $*" >> $GITHUB_OUTPUT
+        echo clean="cd ${INPUT_BUILDDIR} && rm $*" >> $GITHUB_OUTPUT
+      env:
+        INPUT_BUILDDIR: ${{ inputs.builddir }}
 
     - if: inputs.clean == 'true'
       shell: bash
       id: clean
       run: |
-        echo distclean='cd ${{ inputs.builddir }} && ${{ inputs.make-command }} distclean' >> $GITHUB_OUTPUT
-        echo remained-files='find ${{ inputs.builddir }} -ls' >> $GITHUB_OUTPUT
-        [ "${{ inputs.builddir }}" = "${{ inputs.srcdir }}" ] ||
-        echo final='rmdir ${{ inputs.builddir }}' >> $GITHUB_OUTPUT
+        echo distclean="cd ${INPUT_BUILDDIR} && ${INPUT_MAKE_COMMAND} distclean" >> $GITHUB_OUTPUT
+        echo remained-files="find ${INPUT_BUILDDIR} -ls" >> $GITHUB_OUTPUT
+        [ "${INPUT_BUILDDIR}" = "${INPUT_SRCDIR}" ] ||
+        echo final="rmdir ${INPUT_BUILDDIR}" >> $GITHUB_OUTPUT
+      env:
+        INPUT_BUILDDIR: ${{ inputs.builddir }}
+        INPUT_SRCDIR: ${{ inputs.srcdir }}
+        INPUT_MAKE_COMMAND: ${{ inputs.make-command }}
 
     - name: clean
       uses: gacts/run-and-post-run@81b6ce503cde93862cec047c54652e45c5dca991 # v1.4.3

.github/actions/setup/macos/action.yml

@@ -17,7 +17,7 @@ runs:
 
     - name: Set ENV
       shell: bash
-      run: |
+      run: | # zizmor: ignore[github-env]
         dir_config() {
           local args=() lib var="$1"; shift
           for lib in "$@"; do

.github/actions/setup/ubuntu/action.yml

@@ -26,7 +26,7 @@ runs:
   steps:
     - name: set SETARCH
       shell: bash
-      run: echo "SETARCH=${setarch}" >> "$GITHUB_ENV"
+      run: echo "SETARCH=${setarch}" >> "$GITHUB_ENV" # zizmor: ignore[github-env]
       env:
         setarch: ${{ inputs.arch && format('setarch {0} --', inputs.arch) }}
 

.github/workflows/annocheck.yml

@@ -65,6 +65,7 @@ jobs:
         with:
           sparse-checkout-cone-mode: false
           sparse-checkout: /.github
+          persist-credentials: false
 
       - uses: ./.github/actions/setup/directories
         with:

.github/workflows/auto_review_pr.yml

@@ -20,6 +20,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - uses: ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd # v1.288.0
         with:

.github/workflows/baseruby.yml

@@ -54,6 +54,8 @@ jobs:
           bundler: none
 
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - uses: ./.github/actions/setup/ubuntu
 

.github/workflows/bundled_gems.yml

@@ -34,7 +34,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # zizmor: ignore[artipacked]
         with:
           token: ${{ (github.repository == 'ruby/ruby' && !startsWith(github.event_name, 'pull')) && secrets.MATZBOT_AUTO_UPDATE_TOKEN || secrets.GITHUB_TOKEN }}
 

.github/workflows/check_dependencies.yml

@@ -31,6 +31,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - uses: ./.github/actions/setup/ubuntu
         if: ${{ contains(matrix.os, 'ubuntu') }}

.github/workflows/check_misc.yml

@@ -21,6 +21,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           token: ${{ (github.repository == 'ruby/ruby' && !startsWith(github.event_name, 'pull')) && secrets.MATZBOT_AUTO_UPDATE_TOKEN || secrets.GITHUB_TOKEN }}
+          persist-credentials: false
 
       - uses: ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd # v1.288.0
         with:
@@ -94,6 +95,7 @@ jobs:
           repository: ruby/rdoc
           ref: ${{ steps.rdoc.outputs.ref }}
           path: .bundle/gems/rdoc-${{ steps.rdoc.outputs.version }}
+          persist-credentials: false
         if: ${{ steps.rdoc.outputs.ref != '' }}
 
       - name: Generate rdoc scripts

.github/workflows/codeql-analysis.yml → .github/workflows/check_sast.yml

@@ -1,4 +1,4 @@
-name: 'CodeQL'
+name: 'Check SAST tool'
 
 on:
   push:
@@ -30,6 +30,24 @@ permissions: # added using https://github.com/step-security/secure-workflows
   contents: read
 
 jobs:
+  zizmor:
+    name: zizmor
+
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
+        continue-on-error: true
+
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
@@ -59,6 +77,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Install libraries
         if: ${{ contains(matrix.os, 'macos') }}