From 9f3fc7ebf8c3b89426e25768604485e2402a6900 Mon Sep 17 00:00:00 2001
From: yihong
Date: Mon, 10 Feb 2025 12:26:08 +0800
Subject: [PATCH] ci: make ci safe using zizmor (#13397)

Signed-off-by: yihong0618
---
 .github/workflows/api-tests.yml | 3 +++
 .github/workflows/build-push.yml | 15 +++++++++++----
 .github/workflows/db-migration-test.yml | 3 +++
 .github/workflows/style.yml | 12 ++++++++++++
 .github/workflows/tool-test-sdks.yaml | 3 +++
 .../workflows/translate-i18n-base-on-english.yml | 1 +
 .github/workflows/vdb-tests.yml | 3 +++
 .github/workflows/web-tests.yml | 3 +++
 8 files changed, 39 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/api-tests.yml b/.github/workflows/api-tests.yml
index 98075c97cd..b6f6012760 100644
--- a/.github/workflows/api-tests.yml
+++ b/.github/workflows/api-tests.yml
@@ -26,6 +26,9 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ persist-credentials: false

 - name: Setup Poetry and Python ${{ matrix.python-version }}
 uses: ./.github/actions/setup-poetry
diff --git a/.github/workflows/build-push.yml b/.github/workflows/build-push.yml
index 8e5279fb67..49ab983778 100644
--- a/.github/workflows/build-push.yml
+++ b/.github/workflows/build-push.yml
@@ -79,10 +79,12 @@ jobs:
 cache-to: type=gha,mode=max,scope=${{ matrix.service_name }}

 - name: Export digest
+ env:
+ DIGEST: ${{ steps.build.outputs.digest }}
 run: |
 mkdir -p /tmp/digests
- digest="${{ steps.build.outputs.digest }}"
- touch "/tmp/digests/${digest#sha256:}"
+ sanitized_digest=${DIGEST#sha256:}
+ touch "/tmp/digests/${sanitized_digest}"

 - name: Upload digest
 uses: actions/upload-artifact@v4
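Review bot: The added `fetch-depth: 0` on the Checkout step is not part of the credential hardening and turns a shallow clone into a full-history clone on every test run; as far as I can tell the zizmor finding the commit title refers to is addressed by `persist-credentials: false` on its own. Unless a later step in the job needs history, keep only `persist-credentials: false` under `with:`. The same pair is added in db-migration-test.yml, style.yml (all four jobs), tool-test-sdks.yaml, vdb-tests.yml and web-tests.yml, where the same question applies (the changed-files check in style.yml and web-tests.yml may want history, so worth confirming there rather than dropping blindly). Separately, once credentials are no longer persisted, any later step that runs `git push` or `git fetch` against origin with the default token will need an explicit token; the rest of each job is outside the hunk, so that is worth checking before merging.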
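Review bot: The Export digest step has no guard for an empty `DIGEST`: `${DIGEST#sha256:}` of an empty value is empty, so `touch "/tmp/digests/"` only touches the directory and succeeds, and the job continues with no digest file for this service. Add `[ -n "$DIGEST" ] || { echo "build produced no digest" >&2; exit 1; }` before the `touch`, and quote the assignment to match the line below it, `sanitized_digest="${DIGEST#sha256:}"`. Reading the digest from `env` rather than interpolating it into the script text is the right shape for the rest of the step.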
@@ -132,10 +134,15 @@ jobs:

 - name: Create manifest list and push
 working-directory: /tmp/digests
+ env:
+ IMAGE_NAME: ${{ env[matrix.image_name_env] }}
 run: |
 docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
- $(printf '${{ env[matrix.image_name_env] }}@sha256:%s ' *)
+ $(printf "$IMAGE_NAME@sha256:%s " *)

 - name: Inspect image
+ env:
+ IMAGE_NAME: ${{ env[matrix.image_name_env] }}
+ IMAGE_VERSION: ${{ steps.meta.outputs.version }}
 run: |
- docker buildx imagetools inspect ${{ env[matrix.image_name_env] }}:${{ steps.meta.outputs.version }}
+ docker buildx imagetools inspect "$IMAGE_NAME:$IMAGE_VERSION"
diff --git a/.github/workflows/db-migration-test.yml b/.github/workflows/db-migration-test.yml
index 3d881c4c3d..3328e4890a 100644
--- a/.github/workflows/db-migration-test.yml
+++ b/.github/workflows/db-migration-test.yml
@@ -19,6 +19,9 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ persist-credentials: false

 - name: Setup Poetry and Python
 uses: ./.github/actions/setup-poetry
diff --git a/.github/workflows/style.yml b/.github/workflows/style.yml
index c80037195a..76486b68e7 100644
--- a/.github/workflows/style.yml
+++ b/.github/workflows/style.yml
@@ -17,6 +17,9 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ persist-credentials: false

 - name: Check changed files
 id: changed-files
@@ -59,6 +62,9 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ persist-credentials: false

 - name: Check changed files
 id: changed-files
@@ -89,6 +95,9 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ persist-credentials: false

 - name: Check changed files
 id: changed-files
@@ -117,6 +126,9 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ persist-credentials: false

 - name: Check changed files
 id: changed-files
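Review bot: The manifest step still depends on the `*` glob in `$(printf "$IMAGE_NAME@sha256:%s " *)` matching at least one file; if `/tmp/digests` is empty (for example if nothing was uploaded to the digests artifact), bash passes a literal `*` and `imagetools create` fails with an unhelpful reference error instead of saying what went wrong. A guard at the top of the script, `[ -n "$(ls -A)" ] || { echo "no digests found in /tmp/digests" >&2; exit 1; }`, makes that failure explicit, and the step already runs with `working-directory: /tmp/digests` so no path is needed. Also, `$IMAGE_NAME` now sits inside printf's format string rather than being passed as an argument; that is safe only because image references cannot contain `%`, which deserves a one-line comment above the command, `# IMAGE_NAME is expanded inside the printf format; image refs never contain %`.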
diff --git a/.github/workflows/tool-test-sdks.yaml b/.github/workflows/tool-test-sdks.yaml
index fb4bcb9d66..76d8501451 100644
--- a/.github/workflows/tool-test-sdks.yaml
+++ b/.github/workflows/tool-test-sdks.yaml
@@ -26,6 +26,9 @@ jobs:

 steps:
 - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ persist-credentials: false

 - name: Use Node.js ${{ matrix.node-version }}
 uses: actions/setup-node@v4
diff --git a/.github/workflows/translate-i18n-base-on-english.yml b/.github/workflows/translate-i18n-base-on-english.yml
index 3f51b3b2c7..c63a8f5d6c 100644
--- a/.github/workflows/translate-i18n-base-on-english.yml
+++ b/.github/workflows/translate-i18n-base-on-english.yml
@@ -16,6 +16,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 fetch-depth: 2 # last 2 commits
+ persist-credentials: false

 - name: Check for file changes in i18n/en-US
 id: check_files
diff --git a/.github/workflows/vdb-tests.yml b/.github/workflows/vdb-tests.yml
index fab0b8c426..b18316bcd6 100644
--- a/.github/workflows/vdb-tests.yml
+++ b/.github/workflows/vdb-tests.yml
@@ -28,6 +28,9 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ persist-credentials: false

 - name: Setup Poetry and Python ${{ matrix.python-version }}
 uses: ./.github/actions/setup-poetry
diff --git a/.github/workflows/web-tests.yml b/.github/workflows/web-tests.yml
index 5aee64b8e6..81968d7b71 100644
--- a/.github/workflows/web-tests.yml
+++ b/.github/workflows/web-tests.yml
@@ -22,6 +22,9 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ persist-credentials: false

 - name: Check changed files
 id: changed-files