AI/dify
1
0
Fork 0
mirror of https://git.mirrors.martin98.com/https://github.com/langgenius/dify.git synced 2025-08-18 07:15:52 +08:00
Code Issues Packages Projects Releases Wiki Activity

ci: make ci safe using zizmor (#13397)

Browse Source 
Signed-off-by: yihong0618 <zouzou0208@gmail.com>
This commit is contained in:
yihong 2025-02-10 12:26:08 +08:00 committed by GitHub
parent c8357da13b
commit 9f3fc7ebf8
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
8 changed files with 39 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.github/workflows/api-tests.yml vendored
View File

@ -26,6 +26,9 @@ jobs:
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v4 uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false
- name: Setup Poetry and Python ${{ matrix.python-version }} - name: Setup Poetry and Python ${{ matrix.python-version }}
uses: ./.github/actions/setup-poetry uses: ./.github/actions/setup-poetry

15
.github/workflows/build-push.yml vendored
View File

@ -79,10 +79,12 @@ jobs:
cache-to: type=gha,mode=max,scope=${{ matrix.service_name }} cache-to: type=gha,mode=max,scope=${{ matrix.service_name }}
- name: Export digest - name: Export digest
env:
DIGEST: ${{ steps.build.outputs.digest }}
run: | run: |
mkdir -p /tmp/digests mkdir -p /tmp/digests
digest="${{ steps.build.outputs.digest }}" sanitized_digest=${DIGEST#sha256:}
touch "/tmp/digests/${digest#sha256:}" touch "/tmp/digests/${sanitized_digest}"
- name: Upload digest - name: Upload digest
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@v4
@ -132,10 +134,15 @@ jobs:
- name: Create manifest list and push - name: Create manifest list and push
working-directory: /tmp/digests working-directory: /tmp/digests
env:
IMAGE_NAME: ${{ env[matrix.image_name_env] }}
run: | run: |
docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
$(printf '${{ env[matrix.image_name_env] }}@sha256:%s ' *) $(printf "$IMAGE_NAME@sha256:%s " *)
- name: Inspect image - name: Inspect image
env:
IMAGE_NAME: ${{ env[matrix.image_name_env] }}
IMAGE_VERSION: ${{ steps.meta.outputs.version }}
run: | run: |
docker buildx imagetools inspect ${{ env[matrix.image_name_env] }}:${{ steps.meta.outputs.version }} docker buildx imagetools inspect "$IMAGE_NAME:$IMAGE_VERSION"

3
.github/workflows/db-migration-test.yml vendored
View File

@ -19,6 +19,9 @@ jobs:
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v4 uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false
- name: Setup Poetry and Python - name: Setup Poetry and Python
uses: ./.github/actions/setup-poetry uses: ./.github/actions/setup-poetry

12
.github/workflows/style.yml vendored
View File

@ -17,6 +17,9 @@ jobs:
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v4 uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false
- name: Check changed files - name: Check changed files
id: changed-files id: changed-files
@ -59,6 +62,9 @@ jobs:
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v4 uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false
- name: Check changed files - name: Check changed files
id: changed-files id: changed-files
@ -89,6 +95,9 @@ jobs:
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v4 uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false
- name: Check changed files - name: Check changed files
id: changed-files id: changed-files
@ -117,6 +126,9 @@ jobs:
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v4 uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false
- name: Check changed files - name: Check changed files
id: changed-files id: changed-files

3
.github/workflows/tool-test-sdks.yaml vendored
View File

@ -26,6 +26,9 @@ jobs:
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false
- name: Use Node.js ${{ matrix.node-version }} - name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v4 uses: actions/setup-node@v4

1
.github/workflows/translate-i18n-base-on-english.yml vendored
View File

@ -16,6 +16,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
fetch-depth: 2 # last 2 commits fetch-depth: 2 # last 2 commits
persist-credentials: false
- name: Check for file changes in i18n/en-US - name: Check for file changes in i18n/en-US
id: check_files id: check_files

3
.github/workflows/vdb-tests.yml vendored
View File

@ -28,6 +28,9 @@ jobs:
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v4 uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false
- name: Setup Poetry and Python ${{ matrix.python-version }} - name: Setup Poetry and Python ${{ matrix.python-version }}
uses: ./.github/actions/setup-poetry uses: ./.github/actions/setup-poetry

3
.github/workflows/web-tests.yml vendored
View File

@ -22,6 +22,9 @@ jobs:
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v4 uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false
- name: Check changed files - name: Check changed files
id: changed-files id: changed-files