workflows: zizmor audit

userdocs · Jan 6, 2025 · 21b243b · 21b243b
1 parent 3ba39b2
commit 21b243b
Show file tree

Hide file tree

Showing 9 changed files with 116 additions and 81 deletions.
diff --git a/.github/workflows/ci-alpine-build.yml b/.github/workflows/ci-alpine-build.yml
@@ -23,7 +23,7 @@ on:
 
 jobs:
   build-alpine:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     strategy:
       fail-fast: false
       matrix:
@@ -48,6 +48,8 @@ jobs:
     steps:
       - name: Checkout ${{ inputs.distinct_id }}
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Host - phased updates ${{ inputs.distinct_id }}
         run: printf '%s\n' 'APT::Get::Always-Include-Phased-Updates "false";' | sudo tee /etc/apt/apt.conf.d/99-phased-updates
@@ -62,24 +64,28 @@ jobs:
         run: sudo apt install libpipeline1 qemu-user-static binfmt-support
 
       - name: Host - Create Docker template env file ${{ inputs.distinct_id }}
+        env:
+          set_skip_icu: ${{ inputs.icu }}
+          set_workflow_files: ${{ inputs.workflow-files }}
+          set_build_debug: ${{ inputs.debug }}
         run: |
           printf '%s\n' "qbt_build_dir=${{ env.qbt_build_dir }}" > env.custom
           printf '%s\n' "qbt_libtorrent_version=${{ matrix.qbt_libtorrent_version }}" >> env.custom
           printf '%s\n' "qbt_qt_version=${{ matrix.qbt_qt_version }}" >> env.custom
           printf '%s\n' "qbt_build_tool=${{ matrix.qbt_build_tool }}" >> env.custom
           printf '%s\n' "qbt_cross_name=${{ matrix.qbt_cross_name }}" >> env.custom
           printf '%s\n' "qbt_patches_url=${{ github.repository }}" >> env.custom
-          printf '%s\n' "qbt_skip_icu=${{ inputs.icu }}" >> env.custom
+          printf '%s\n' "qbt_skip_icu=${set_skip_icu}" >> env.custom
           printf '%s\n' "qbt_boost_tag=" >> env.custom
           printf '%s\n' "qbt_libtorrent_tag=" >> env.custom
           printf '%s\n' "qbt_qt_tag=" >> env.custom
           printf '%s\n' "qbt_qbittorrent_tag=" >> env.custom
           printf '%s\n' "qbt_libtorrent_master_jamfile=" >> env.custom
-          printf '%s\n' "qbt_workflow_files=${{ inputs.workflow-files }}" >> env.custom
+          printf '%s\n' "qbt_workflow_files=${set_workflow_files}" >> env.custom
           printf '%s\n' "qbt_workflow_artifacts=" >> env.custom
           printf '%s\n' "qbt_cache_dir=" >> env.custom
-          printf '%s\n' "qbt_optimise_strip=${{ inputs.debug }}" >> env.custom
-          printf '%s\n' "qbt_build_debug=${{ inputs.debug }}" >> env.custom
+          printf '%s\n' "qbt_optimise_strip=" >> env.custom
+          printf '%s\n' "qbt_build_debug=${set_build_debug}" >> env.custom
           printf '%s\n' "qbt_revision_url=${{ github.repository }}" >> env.custom
           printf '%s\n' "qbt_standard=" >> env.custom
           printf '%s\n' "qbt_static_ish=" >> env.custom
@@ -98,8 +104,9 @@ jobs:
 
       - name: Host - qBittorrent v5 transition ${{ inputs.distinct_id }}
         run: |
-          if [[ -f "${{ env.qbt_build_dir }}/release_info/disable-qt5" ]]; then
+          if [[ -f "${qbt_build_dir}/release_info/disable-qt5" ]]; then
               printf '%s\n' "disable_qt5=yes" >> $GITHUB_ENV
+              printf '%s\n' "Found file: \`disable-qt5\`: settings \`disable_qt5=yes\` to yes" >> $GITHUB_STEP_SUMMARY
           fi
 
       # - name: Docker - Copy repo patches to build folder ${{ inputs.distinct_id }}

diff --git a/.github/workflows/ci-alpine-release.yml b/.github/workflows/ci-alpine-release.yml
@@ -10,7 +10,7 @@ on:
 
 jobs:
   release:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     strategy:
       fail-fast: false
       matrix:
@@ -30,6 +30,8 @@ jobs:
     steps:
       - name: Checkout ${{ inputs.distinct_id }}
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Pandoc - Bootstrap
         run: |

diff --git a/.github/workflows/ci-auto-rerun-failed-jobs-action.yml b/.github/workflows/ci-auto-rerun-failed-jobs-action.yml
@@ -0,0 +1,44 @@
+name: ci auto rerun failed jobs
+
+on:
+  workflow_dispatch:
+    inputs:
+      run_id:
+        description: "The run id of the workflow to rerun"
+        required: true
+      attempts:
+        description: "The number of attempts to rerun the workflow"
+        required: true
+      retries:
+        description: "The number of retries to rerun the workflow"
+        required: true
+      github_repo:
+        description: "The repository to rerun the workflow"
+        required: false
+      distinct_id:
+        description: "The distinct id of the workflow to rerun"
+        required: false
+
+run-name: ci auto rerun failed jobs - attempt ${{ inputs.attempts }}
+
+jobs:
+  gh-cli-rerun:
+    name: rerun - attempt ${{ inputs.attempts }}
+    permissions:
+      actions: write
+    runs-on: ubuntu-latest
+    env:
+      GH_TOKEN: "${{ secrets.AUTO_RERUN || github.token }}"
+    steps:
+      - name: Host - Checkout action ${{ inputs.distinct_id }}
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - uses: userdocs/gh-cli-workflow-reruns/actions/auto-rerun-failed@main
+        with:
+          run_id: ${{ inputs.run_id }}
+          attempts: ${{ inputs.attempts }}
+          retries: ${{ inputs.retries }}
+          github_repo: ${{ inputs.github_repo || github.repository }}
+          distinct_id: ${{ inputs.distinct_id || github.run_id }}
diff --git a/.github/workflows/ci-auto-rerun-failed-jobs.yml b/.github/workflows/ci-auto-rerun-failed-jobs.yml
diff --git a/.github/workflows/ci-debian-build.yml b/.github/workflows/ci-debian-build.yml
@@ -22,7 +22,10 @@ on:
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
+    runs-on: ubuntu-24.04
     strategy:
       fail-fast: false
       matrix:
@@ -82,14 +85,20 @@ jobs:
     steps:
       - name: Checkout ${{ inputs.distinct_id }}
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Bootstrap all ${{ inputs.distinct_id }}
         run: bash qbittorrent-nox-static.sh -bs-a
 
       - name: Host - qBittorrent v5 transition ${{ inputs.distinct_id }}
         run: |
-          if [[ -f "${{ env.qbt_build_dir }}/release_info/disable-qt5" ]]; then
+
+      - name: Host - qBittorrent v5 transition ${{ inputs.distinct_id }}
+        run: |
+          if [[ -f "${qbt_build_dir}/release_info/disable-qt5" ]]; then
               printf '%s\n' "disable_qt5=yes" >> $GITHUB_ENV
+              printf '%s\n' "Found file: \`disable-qt5\` -> setting env: \`disable_qt5=yes\`" >> $GITHUB_STEP_SUMMARY
           fi
 
       - name: glibc ${{ inputs.distinct_id }}
@@ -136,7 +145,7 @@ jobs:
         if: env.disable_qt5 != 'yes'
         run: bash qbittorrent-nox-static.sh qbittorrent
 
-      - name: Archive code coverage results ${{ inputs.distinct_id }}
+      - name: Upload ${{ env.artifact_name }} artifacts ${{ inputs.distinct_id }}
         if: env.disable_qt5 != 'yes'
         uses: actions/upload-artifact@v4
         with:

diff --git a/.github/workflows/ci-main-reusable-caller.yml b/.github/workflows/ci-main-reusable-caller.yml
@@ -104,18 +104,22 @@ jobs:
       cancel-in-progress: true
     permissions:
       actions: write
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     env:
       GH_TOKEN: "${{ secrets.AUTO_RERUN || github.token }}"
       github_repo: "" # To use ci-auto-rerun-failed-jobs.yml hosted in a remote repository else default to the current repository. Requires PAT token AUTO_RERUN
+      retries: ${{ github.event.inputs.retries || '1' }}
+      distinct_id: ${{ github.event.inputs.distinct_id }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: ci-auto-rerun-failed-jobs via ${{ env.github_repo || github.repository }}
         run: >
-          gh workflow run ci-auto-rerun-failed-jobs.yml
-          --repo "${{ env.github_repo || github.repository }}"
-          -f github_repo=${{ github.repository }}
-          -f run_id=${{ github.run_id }}
-          -f attempts=${{ github.run_attempt }}
-          -f retries=${{ github.event.inputs.retries || '1' }}
-          -f distinct_id=${{ github.event.inputs.distinct_id }}
+          gh workflow run ci-auto-rerun-failed-jobs-action.yml
+          --repo "${github_repo:-$GITHUB_REPOSITORY}"
+          -f github_repo=${GITHUB_REPOSITORY}
+          -f run_id=${GITHUB_RUN_ID}
+          -f attempts=${GITHUB_RUN_ATTEMPT}
+          -f retries=${retries}
+          -f distinct_id=${distinct_id}
diff --git a/.github/workflows/sh_checker.yml b/.github/workflows/sh_checker.yml
@@ -9,9 +9,12 @@ concurrency:
 
 jobs:
   sh-checker:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
       - name: Run the sh-checker
         uses: luizm/[email protected]
         env:

diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -0,0 +1,27 @@
+name: zizmor workflow audits
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  zizmor-workflow-audits:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: zizmor workflow audits
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          pip install zizmor
+
+          printf '%b\n' "\`\`\`" >> $GITHUB_STEP_SUMMARY
+          zizmor . --gh-token $GITHUB_TOKEN >> $GITHUB_STEP_SUMMARY
+          printf '%b' "\`\`\`" >> $GITHUB_STEP_SUMMARY
diff --git a/qbittorrent-nox-static.sh b/qbittorrent-nox-static.sh
@@ -2145,7 +2145,7 @@ while (("${#}")); do
 			printf '\n%b\n\n' " ${color_cyan}${qbt_install_dir_short}/patches/qbittorrent/${app_version[qbittorrent]}/patch${color_end}"
 			exit
 			;;
-		-h-bs-c | --help-boot-cmake)
+		-h-bs-c | --help-boot-strap-cmake)
 			printf '\n%b\n' " ${unicode_cyan_light_circle} ${text_bold}${text_underlined}Here is the help description for this flag:${color_end}"
 			printf '\n%b\n' " This bootstrap will install cmake and ninja build to the build directory"
 			printf '\n%b\n\n'"${color_green_light} Usage:${color_end} ${color_cyan_light}${qbt_working_dir_short}/$(basename -- "$0")${color_end} ${color_blue_light}-bs-c${color_end}"