chore(ci): Add Github Action auditing

This commit is contained in:
Gerald Pinder 2024-12-14 13:17:40 -05:00
parent 469c6044a6
commit 41031848df
7 changed files with 72 additions and 106 deletions


@ -30,6 +30,7 @@ jobs:
- uses: actions/checkout@v4
with:
persist-credentials: false
fetch-depth: 0
ref: ${{github.event.pull_request.head.ref}}
repository: ${{github.event.pull_request.head.repo.full_name}}
@ -64,6 +65,7 @@ jobs:
- uses: actions/checkout@v4
with:
persist-credentials: false
fetch-depth: 0
ref: ${{github.event.pull_request.head.ref}}
repository: ${{github.event.pull_request.head.repo.full_name}}
@ -100,6 +102,7 @@ jobs:
- uses: actions/checkout@v4
with:
persist-credentials: false
fetch-depth: 0
ref: ${{github.event.pull_request.head.ref}}
repository: ${{github.event.pull_request.head.repo.full_name}}
@ -134,6 +137,7 @@ jobs:
- uses: actions/checkout@v4
with:
persist-credentials: false
fetch-depth: 0
ref: ${{github.event.pull_request.head.ref}}
repository: ${{github.event.pull_request.head.repo.full_name}}
@ -165,6 +169,7 @@ jobs:
# Setup repo and add caching
- uses: actions/checkout@v4
with:
persist-credentials: false
fetch-depth: 0
ref: ${{github.event.pull_request.head.ref}}
repository: ${{github.event.pull_request.head.repo.full_name}}
@ -183,6 +188,7 @@ jobs:
- uses: actions/checkout@v4
with:
persist-credentials: false
fetch-depth: 0
ref: ${{github.event.pull_request.head.ref}}
repository: ${{github.event.pull_request.head.repo.full_name}}
@ -201,6 +207,7 @@ jobs:
- uses: actions/checkout@v4
with:
persist-credentials: false
fetch-depth: 0
ref: ${{github.event.pull_request.head.ref}}
repository: ${{github.event.pull_request.head.repo.full_name}}
@ -233,6 +240,7 @@ jobs:
- uses: actions/checkout@v4
with:
persist-credentials: false
fetch-depth: 0
ref: ${{github.event.pull_request.head.ref}}
repository: ${{github.event.pull_request.head.repo.full_name}}
@ -271,6 +279,7 @@ jobs:
- uses: actions/checkout@v4
with:
persist-credentials: false
fetch-depth: 0
ref: ${{github.event.pull_request.head.ref}}
repository: ${{github.event.pull_request.head.repo.full_name}}
@ -312,6 +321,7 @@ jobs:
- uses: actions/checkout@v4
with:
persist-credentials: false
fetch-depth: 0
ref: ${{github.event.pull_request.head.ref}}
repository: ${{github.event.pull_request.head.repo.full_name}}
@ -360,6 +370,7 @@ jobs:
- uses: actions/checkout@v4
with:
persist-credentials: false
fetch-depth: 0
ref: ${{github.event.pull_request.head.ref}}
repository: ${{github.event.pull_request.head.repo.full_name}}
@ -406,6 +417,7 @@ jobs:
- uses: actions/checkout@v4
with:
persist-credentials: false
fetch-depth: 0
ref: ${{github.event.pull_request.head.ref}}
repository: ${{github.event.pull_request.head.repo.full_name}}
@ -449,6 +461,7 @@ jobs:
- uses: actions/checkout@v4
with:
persist-credentials: false
fetch-depth: 0
ref: ${{github.event.pull_request.head.ref}}
repository: ${{github.event.pull_request.head.repo.full_name}}
@ -485,6 +498,7 @@ jobs:
- uses: actions/checkout@v4
with:
persist-credentials: false
fetch-depth: 0
ref: ${{github.event.pull_request.head.ref}}
repository: ${{github.event.pull_request.head.repo.full_name}}
@ -525,6 +539,7 @@ jobs:
- uses: actions/checkout@v4
with:
persist-credentials: false
fetch-depth: 0
ref: ${{github.event.pull_request.head.ref}}
repository: ${{github.event.pull_request.head.repo.full_name}}
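Review bot: The checkouts in these hunks still select the pull request by its mutable branch name, `ref: ${{github.event.pull_request.head.ref}}` (L16 and the matching lines through L115), so the commit actually fetched can differ from the one the event was raised for if the branch moves between trigger and checkout; adding `persist-credentials: false` does not change that. Pinning with `ref: ${{github.event.pull_request.head.sha}}` fetches exactly the commit under review while keeping the `repository:` input for forks. The same pattern appears in the second file section (L125 through L220), so the change applies there as well. The workflow trigger and the rest of each job are outside these hunks, so whether any later step still relied on the persisted git credential (for example a push) cannot be confirmed from here.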


@ -25,6 +25,7 @@ jobs:
- uses: actions/checkout@v4
with:
persist-credentials: false
fetch-depth: 0
ref: ${{github.event.pull_request.head.ref}}
repository: ${{github.event.pull_request.head.repo.full_name}}
@ -43,6 +44,7 @@ jobs:
- uses: actions/checkout@v4
with:
persist-credentials: false
fetch-depth: 0
ref: ${{github.event.pull_request.head.ref}}
repository: ${{github.event.pull_request.head.repo.full_name}}
@ -78,6 +80,7 @@ jobs:
# Setup repo and add caching
- uses: actions/checkout@v4
with:
persist-credentials: false
ref: main
- name: Login to GitHub Container Registry
@ -119,6 +122,7 @@ jobs:
# Setup repo and add caching
- uses: actions/checkout@v4
with:
persist-credentials: false
ref: main
- name: Login to GitHub Container Registry
@ -158,6 +162,7 @@ jobs:
- uses: actions/checkout@v4
with:
persist-credentials: false
fetch-depth: 0
ref: ${{github.event.pull_request.head.ref}}
repository: ${{github.event.pull_request.head.repo.full_name}}
@ -204,6 +209,7 @@ jobs:
# Setup repo and add caching
- uses: actions/checkout@v4
with:
persist-credentials: false
ref: main
- name: Login to GitHub Container Registry
@ -240,6 +246,7 @@ jobs:
# Setup repo and add caching
- uses: actions/checkout@v4
with:
persist-credentials: false
ref: main
- name: Run integration tests
@ -275,6 +282,7 @@ jobs:
# Setup repo and add caching
- uses: actions/checkout@v4
with:
persist-credentials: false
ref: main
- name: Expose GitHub Runtime
@ -311,6 +319,7 @@ jobs:
- uses: actions/checkout@v4
with:
persist-credentials: false
ref: main
- name: Expose GitHub Runtime
@ -355,6 +364,7 @@ jobs:
- uses: actions/checkout@v4
with:
persist-credentials: false
fetch-depth: 0
ref: ${{github.event.pull_request.head.ref}}
repository: ${{github.event.pull_request.head.repo.full_name}}
@ -406,6 +416,7 @@ jobs:
# Setup repo and add caching
- uses: actions/checkout@v4
with:
persist-credentials: false
ref: main
@ -514,6 +525,7 @@ jobs:
# Setup repo and add caching
- uses: actions/checkout@v4
with:
persist-credentials: false
ref: main
@ -560,6 +572,7 @@ jobs:
# Setup repo and add caching
- uses: actions/checkout@v4
with:
persist-credentials: false
ref: main
@ -598,6 +611,7 @@ jobs:
- uses: actions/checkout@v4
with:
persist-credentials: false
fetch-depth: 0
ref: ${{github.event.pull_request.head.ref}}
repository: ${{github.event.pull_request.head.repo.full_name}}
@ -641,6 +655,7 @@ jobs:
- uses: actions/checkout@v4
with:
persist-credentials: false
fetch-depth: 0
ref: ${{github.event.pull_request.head.ref}}
repository: ${{github.event.pull_request.head.repo.full_name}}
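Review bot: The hunks at L139, L146, L160, L167, L174, L180, L194, L200 and L206 check out `ref: main`, a moving branch, rather than the commit that triggered the run, so a job that then logs in to the container registry (L140, L147, L161) can build and publish from content that was not what the run was started for. Unless these jobs are deliberately "build whatever main is now" (the trigger is outside the hunk), `ref: ${{ github.sha }}` ties the checkout to the triggering commit. `persist-credentials: false` is correct here either way, provided the registry login step authenticates with its own token input rather than the git credential that is no longer persisted.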


@ -16,8 +16,9 @@ jobs:
id-token: "write"
contents: "read"
steps:
- uses: "actions/checkout@v3"
- uses: "actions/checkout@v4"
with:
persist-credentials: false
ref: "${{ (inputs.tag != null) && format('refs/tags/{0}', inputs.tag) || '' }}"
- uses: "DeterminateSystems/nix-installer-action@main"
- uses: "DeterminateSystems/flakehub-push@main"
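Review bot: The job grants `id-token: write` (L225) but the actions that run after the changed checkout are referenced by a mutable branch, `DeterminateSystems/nix-installer-action@main` and `DeterminateSystems/flakehub-push@main` (L233 and L234), so anyone who can push to those branches controls code that runs with an OIDC-capable token; the audit this commit introduces will presumably report this. Pin both to a release tag or, preferably, a full commit SHA with a version comment, e.g. `uses: "DeterminateSystems/flakehub-push@<commit-sha>"  # <release tag>`. The `ref:` expression on L232 is passed as an action input rather than interpolated into a shell step, so it is not an injection path and can stay as written.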


@ -1,48 +0,0 @@
name: Post-release version bump
# how to trigger: https://docs.github.com/en/actions/managing-workflow-runs/manually-running-a-workflow
on:
workflow_dispatch:
env:
CARGO_TERM_COLOR: always
jobs:
ci:
if: github.repository == 'blue-build/cli'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: actions/cache@v4
with:
path: |
target/
~/.cargo/bin/
~/.cargo/git/db/
~/.cargo/registry/index/
~/.cargo/registry/cache/
key: ${{ runner.os }}-cargo-build-stable-${{ hashFiles('**/Cargo.toml') }}
- name: Install just
run: sudo snap install --edge --classic just
# Cargo returns an exit code of 1 if already installed
- name: Install cargo-release
continue-on-error: true
run: cargo install cargo-release --force
- name: Git setup
run: just cargo-post-release --execute
- name: Create PR
uses: peter-evans/create-pull-request@v5
with:
delete-branch: true
base: "main"
title: "Bump Version after Release"
body: |
Bump version after release
This PR has been auto-generated


@ -1,57 +0,0 @@
name: Release
on:
workflow_dispatch:
env:
CARGO_TERM_COLOR: always
jobs:
release:
if: github.repository == 'blue-build/cli'
runs-on: ubuntu-latest
permissions:
id-token: write
contents: write
packages: write
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: actions/cache@v4
with:
path: |
target/
~/.cargo/bin/
~/.cargo/git/db/
~/.cargo/registry/index/
~/.cargo/registry/cache/
key: ${{ runner.os }}-cargo-build-stable-${{ hashFiles('**/Cargo.toml') }}
- name: Install just
run: sudo snap install --edge --classic just
# Cargo returns an exit code of 1 if already installed
- name: Install cargo-release
continue-on-error: true
run: cargo install cargo-release --force
- name: Git setup
run: |
git config user.name github-actions
git config user.email github-actions@github.com
- name: Setup release
run: just cargo-release --execute
- name: Create PR
uses: peter-evans/create-pull-request@v5
with:
delete-branch: true
base: "main"
title: "Preparing Next Release"
body: |
Preparing next release
This PR has been auto-generated


@ -27,6 +27,7 @@ jobs:
- uses: actions/checkout@v4
with:
persist-credentials: false
fetch-depth: 0
fetch-tags: true
@ -61,6 +62,7 @@ jobs:
- uses: actions/checkout@v4
with:
persist-credentials: false
fetch-depth: 0
fetch-tags: true
@ -83,6 +85,7 @@ jobs:
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
fetch-depth: 0
fetch-tags: true
@ -122,6 +125,7 @@ jobs:
# Setup repo and add caching
- uses: actions/checkout@v4
with:
persist-credentials: false
fetch-depth: 0
fetch-tags: true
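Review bot: `fetch-tags: true` on L338 (and L344, L351, L358) is redundant next to `fetch-depth: 0`, since a depth of 0 already fetches all history for every branch and tag; `fetch-tags` only changes behaviour when the checkout is shallow. Either drop `fetch-tags: true` or, if it is kept so that a later switch to a shallow fetch still sees release tags, say so: `# fetch-tags kept so a future fetch-depth > 0 still sees release tags`. The steps that consume the tags are outside these hunks, so the actual requirement cannot be confirmed here.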

.github/workflows/zizmor.yml vendored Normal file

@ -0,0 +1,36 @@
name: GitHub Actions Security Analysis with zizmor 🌈
on:
push:
branches: ["main"]
pull_request:
branches: ["**"]
jobs:
zizmor:
name: zizmor latest via PyPI
runs-on: ubuntu-latest
permissions:
security-events: write
# required for workflows in private repositories
contents: read
actions: read
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
persist-credentials: false
- name: Install the latest version of uv
uses: astral-sh/setup-uv@v4
- name: Run zizmor 🌈
run: uvx zizmor --format sarif . > results.sarif
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
category: zizmor
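Review bot: If zizmor returns a non-zero exit code when it reports findings, the `Upload SARIF file` step on L391 through L394 is skipped on exactly the runs that produced results and nothing reaches the Security tab; add `if: always()` to that step, or invoke zizmor with its option for not mapping findings to the exit code, and confirm the exit-code policy of the version being installed. The scanner itself is unpinned (`uvx zizmor` on L388, job name "latest via PyPI") and the three actions float on major tags, which for a workflow whose purpose is supply-chain hygiene is worth tightening to `uvx zizmor==<pinned version>` and commit-SHA references on `actions/checkout`, `astral-sh/setup-uv` and `github/codeql-action/upload-sarif`. The `GH_TOKEN` passed on L390 is the default workflow token with the job's `contents: read` / `actions: read` scope, which is the minimal grant for this step.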