zizmor: Apply more lints

This commit is contained in:
Taiki Endo
2026-03-30 01:55:32 +09:00
parent fd0f63e180
commit 41213fbc0e
5 changed files with 28 additions and 30 deletions


@@ -51,7 +51,8 @@ jobs:
contents: write # for creating branch for pr contents: write # for creating branch for pr
pull-requests: write # unused (used in `codegen-automerge: true` case) pull-requests: write # unused (used in `codegen-automerge: true` case)
security-events: write # for github/codeql-action/* security-events: write # for github/codeql-action/*
secrets: inherit secrets:
PR_TOKEN_APP_PRIVATE_KEY: ${{ secrets.PR_TOKEN_APP_PRIVATE_KEY }}
test: test:
strategy: strategy:
@@ -99,7 +100,11 @@ jobs:
- run: rm -- Cargo.toml - run: rm -- Cargo.toml
- name: Generate tool list - name: Generate tool list
id: tool-list id: tool-list
run: tools/ci/tool-list.sh "${{ matrix.tool }}" "${{ matrix.os }}" "${{ matrix.bash }}" >>"${GITHUB_OUTPUT}" run: tools/ci/tool-list.sh "${TOOL}" "${OS}" "${BASH}" >>"${GITHUB_OUTPUT}"
env:
TOOL: ${{ matrix.tool }}
OS: ${{ matrix.os }}
BASH: ${{ matrix.bash }}
- run: | - run: |
printf '%s\n' 'C:\msys64\mingw32\bin' >>"${GITHUB_PATH}" printf '%s\n' 'C:\msys64\mingw32\bin' >>"${GITHUB_PATH}"
printf '%s\n' 'C:\msys64\usr\bin' >>"${GITHUB_PATH}" printf '%s\n' 'C:\msys64\usr\bin' >>"${GITHUB_PATH}"
@@ -264,7 +269,7 @@ jobs:
sed -i /etc/yum.repos.d/*.repo -e 's!^mirrorlist!#mirrorlist!' \ sed -i /etc/yum.repos.d/*.repo -e 's!^mirrorlist!#mirrorlist!' \
-e 's!^#baseurl=http://mirror.centos.org/!baseurl=https://vault.centos.org/!' -e 's!^#baseurl=http://mirror.centos.org/!baseurl=https://vault.centos.org/!'
sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf
if [[ "${{ matrix.container }}" == "centos:6" ]]; then if [[ "${CONTAINER}" == "centos:6" ]]; then
# CentOS 6's curl (7.19.7) has no curl has no --proto/--tlsv1.2. # CentOS 6's curl (7.19.7) has no curl has no --proto/--tlsv1.2.
yum install -y gcc openssl-devel yum install -y gcc openssl-devel
curl -fsSL --retry 10 https://curl.se/download/curl-7.34.0.tar.gz | tar xzf - curl -fsSL --retry 10 https://curl.se/download/curl-7.34.0.tar.gz | tar xzf -
@@ -278,13 +283,17 @@ jobs:
https://vault.ius.io/el6/x86_64/packages/p/perl-Git18-1.8.5.5-4.ius.el6.noarch.rpm \ https://vault.ius.io/el6/x86_64/packages/p/perl-Git18-1.8.5.5-4.ius.el6.noarch.rpm \
https://vault.ius.io/el6/x86_64/packages/g/git18-1.8.5.5-4.ius.el6.x86_64.rpm https://vault.ius.io/el6/x86_64/packages/g/git18-1.8.5.5-4.ius.el6.x86_64.rpm
fi fi
env:
CONTAINER: ${{ matrix.container }}
if: startsWith(matrix.container, 'centos') if: startsWith(matrix.container, 'centos')
- uses: taiki-e/checkout-action@v1 - uses: taiki-e/checkout-action@v1
# cross attempts to install rust-src when Cargo.toml is available even if `cross --version` # cross attempts to install rust-src when Cargo.toml is available even if `cross --version`
- run: rm -- Cargo.toml - run: rm -- Cargo.toml
- name: Generate tool list - name: Generate tool list
id: tool-list id: tool-list
run: tools/ci/tool-list.sh "" "${{ matrix.container }}" >>"${GITHUB_OUTPUT}" run: tools/ci/tool-list.sh "" "${CONTAINER}" >>"${GITHUB_OUTPUT}"
env:
CONTAINER: ${{ matrix.container }}
# remove bash installed by checkout-action # remove bash installed by checkout-action
- run: apk --no-cache del bash - run: apk --no-cache del bash
shell: sh shell: sh
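Review bot: The step-level env var introduced for the "Generate tool list" step is named `OS`, which on Windows runners (the msys64 `GITHUB_PATH` additions in the following step suggest this job runs there) shadows the runner-provided `OS=Windows_NT` variable for the duration of that step; this is harmless as written because `tool-list.sh` receives the value positionally, but a less generic name such as `MATRIX_OS: ${{ matrix.os }}` avoids a confusing override if the script ever reads `$OS` from its environment. The same `CONTAINER: ${{ matrix.container }}` env is declared twice in the container job (once on the CentOS repo-fixup step, once on its tool-list step); hoisting it to the job's `env:` keeps the two from drifting apart. Moving `${{ matrix.* }}` out of the `run:` text is the right shape for zizmor's template-injection lint, though whether it closes an exploitable injection or is defense-in-depth depends on whether the matrix is a static list or built from a prior job's output via `fromJSON`, which is outside this hunk.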


@@ -37,7 +37,8 @@ jobs:
permissions: permissions:
contents: write # for creating branch for pr contents: write # for creating branch for pr
pull-requests: write # for gh pr review --approve pull-requests: write # for gh pr review --approve
secrets: inherit secrets:
PR_TOKEN_APP_PRIVATE_KEY: ${{ secrets.PR_TOKEN_APP_PRIVATE_KEY }}
with: with:
script: tools/manifest.sh script: tools/manifest.sh
commit-script: tools/ci/manifest.sh commit-script: tools/ci/manifest.sh
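Review bot: Replacing `secrets: inherit` with an explicit `PR_TOKEN_APP_PRIVATE_KEY` forward is the least-privilege form, but it only holds if the reusable workflow's `on.workflow_call.secrets` block declares exactly that secret; any other secret the callee previously read via `inherit` now arrives empty rather than failing loudly. Confirm the callee declares it as `PR_TOKEN_APP_PRIVATE_KEY: { required: true }` so a renamed or missing secret is rejected at workflow validation time instead of surfacing later as an authentication failure inside `tools/ci/manifest.sh`. The callee's definition is not part of this commit.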


@@ -26,6 +26,10 @@ defaults:
run: run:
shell: bash --noprofile --norc -CeEuxo pipefail {0} shell: bash --noprofile --norc -CeEuxo pipefail {0}
concurrency:
group: ${{ github.workflow }}
cancel-in-progress: false
jobs: jobs:
prepare: prepare:
if: github.repository_owner == 'taiki-e' && inputs.target == 'install-action' if: github.repository_owner == 'taiki-e' && inputs.target == 'install-action'
@@ -435,7 +439,8 @@ jobs:
contents: write # for taiki-e/create-gh-release-action contents: write # for taiki-e/create-gh-release-action
id-token: write # for rust-lang/crates-io-auth-action id-token: write # for rust-lang/crates-io-auth-action
attestations: write # unused (used when options for uploading binaries are set) attestations: write # unused (used when options for uploading binaries are set)
secrets: inherit secrets:
PUSH_TOKEN: ${{ secrets.PUSH_TOKEN }}
with: with:
version: ${{ inputs.version }} version: ${{ inputs.version }}
tag-prefix: install-action-manifest-schema- tag-prefix: install-action-manifest-schema-
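Review bot: The new `concurrency` group is keyed on `${{ github.workflow }}` alone with `cancel-in-progress: false`, which serializes every run of this workflow regardless of `inputs.target` or `inputs.version`; GitHub keeps at most one pending run per concurrency group, so if two releases are dispatched while one is still running, the earlier pending run is cancelled rather than queued behind it. If the intent is to prevent two runs pushing tags or manifests concurrently with `PUSH_TOKEN`, that is presumably acceptable, but it deserves a comment such as `# Serialize runs so two releases never push concurrently; GitHub keeps only the newest pending run per group.` If instead independent targets should not block each other, key the group on the input as well, `group: ${{ github.workflow }}-${{ inputs.target }}`. The `prepare` job's guard shows this workflow takes `inputs.target`, but the full input list is outside the hunk.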

.github/zizmor.yml vendored

@@ -2,7 +2,7 @@
# https://docs.zizmor.sh/configuration/ # https://docs.zizmor.sh/configuration/
rules: rules:
secrets-inherit: { disable: true } anonymous-definition: { disable: true }
unpinned-uses: unpinned-uses:
config: config:
policies: policies:
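Review bot: `anonymous-definition` is disabled without a reason comment, while the old `secrets-inherit` exemption is dropped now that the workflows forward secrets explicitly. Since the check script in this same commit runs zizmor with `--pedantic`, this exemption is presumably there because jobs or steps are intentionally left unnamed; a one-line note above it, `# pedantic: unnamed steps are intentional, names would add noise to these small workflows`, records why the pedantic rule is waived so it is not silently widened or re-enabled later. The `unpinned-uses` policy block continues outside the hunk.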


@@ -86,11 +86,6 @@ check_config() {
check_install() { check_install() {
for tool in "$@"; do for tool in "$@"; do
if ! type -P "${tool}" >/dev/null; then if ! type -P "${tool}" >/dev/null; then
if [[ "${tool}" == 'python3' ]]; then
if type -P python >/dev/null; then
continue
fi
fi
error "'${tool}' is required to run this check" error "'${tool}' is required to run this check"
return 1 return 1
fi fi
@@ -132,10 +127,6 @@ EOF
exit 1 exit 1
fi fi
py_suffix=''
if type -P python3 >/dev/null; then
py_suffix=3
fi
yq() { uvx yq "$@"; } yq() { uvx yq "$@"; }
tomlq() { uvx --from yq tomlq "$@"; } tomlq() { uvx --from yq tomlq "$@"; }
case "$(uname -s)" in case "$(uname -s)" in
@@ -700,7 +691,7 @@ elif check_install shellcheck; then
# Exclude SC2096 due to the way the temporary script is created. # Exclude SC2096 due to the way the temporary script is created.
shellcheck_exclude=SC2096 shellcheck_exclude=SC2096
info "running \`shellcheck --exclude ${shellcheck_exclude}\` for scripts in \`\$(git ls-files '*Dockerfile*')\`" info "running \`shellcheck --exclude ${shellcheck_exclude}\` for scripts in \`\$(git ls-files '*Dockerfile*')\`"
if check_install jq python3 parse-dockerfile; then if check_install jq parse-dockerfile; then
shellcheck_for_dockerfile() { shellcheck_for_dockerfile() {
local text=$1 local text=$1
local shell=$2 local shell=$2
@@ -833,7 +824,7 @@ elif check_install shellcheck; then
# Exclude SC2096 due to the way the temporary script is created. # Exclude SC2096 due to the way the temporary script is created.
shellcheck_exclude=SC2086,SC2096,SC2129 shellcheck_exclude=SC2086,SC2096,SC2129
info "running \`shellcheck --exclude ${shellcheck_exclude}\` for scripts in .github/workflows/*.yml and **/action.yml" info "running \`shellcheck --exclude ${shellcheck_exclude}\` for scripts in .github/workflows/*.yml and **/action.yml"
if check_install jq python3 uv; then if check_install jq uv; then
shellcheck_for_gha() { shellcheck_for_gha() {
local text=$1 local text=$1
local shell=$2 local shell=$2
@@ -846,16 +837,8 @@ elif check_install shellcheck; then
*) return ;; *) return ;;
esac esac
text="#!/usr/bin/env ${shell%' {0}'}"$'\n'"${text}" text="#!/usr/bin/env ${shell%' {0}'}"$'\n'"${text}"
# Use python because sed doesn't support .*?.
text=$(
"python${py_suffix}" - <<EOF
import re
text = re.sub(r"\\\${{.*?}}", "\${__GHA_SYNTAX__}", r'''${text}''')
print(text)
EOF
)
case "${ostype}" in case "${ostype}" in
windows) text=${text//$'\r'/} ;; # Python print emits \r\n. windows) text=${text//$'\r'/} ;; # Parse error on git bash/msys2 bash.
esac esac
local color=auto local color=auto
if [[ -t 1 ]] || [[ -n "${GITHUB_ACTIONS:-}" ]]; then if [[ -t 1 ]] || [[ -n "${GITHUB_ACTIONS:-}" ]]; then
@@ -989,11 +972,11 @@ if [[ ${#zizmor_targets[@]} -gt 0 ]]; then
warn "this check is skipped on NetBSD/OpenBSD/Dragonfly/illumos/Solaris due to installing zizmor is hard on these platform" warn "this check is skipped on NetBSD/OpenBSD/Dragonfly/illumos/Solaris due to installing zizmor is hard on these platform"
elif check_install zizmor; then elif check_install zizmor; then
# zizmor can also be used via uvx, but old version will be installed if glibc version is old. # zizmor can also be used via uvx, but old version will be installed if glibc version is old.
# Do not use `zizmor -q .` here because it also attempts to check submodules. # Do not use `zizmor .` here because it also attempts to check submodules.
IFS=' ' IFS=' '
info "running \`zizmor -q ${zizmor_targets[*]}\`" info "running \`zizmor -q --pedantic ${zizmor_targets[*]}\`"
IFS=$'\n\t' IFS=$'\n\t'
zizmor -q "${zizmor_targets[@]}" zizmor -q --pedantic "${zizmor_targets[@]}"
fi fi
fi fi
printf '\n' printf '\n'
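Review bot: Removing the Python-based `${{ ... }}` → `${__GHA_SYNTAX__}` rewrite in `shellcheck_for_gha` means any `${{ }}` expression still present in a `run:` script now reaches shellcheck verbatim and fails as a bad-substitution parse error, which is a far less actionable message than zizmor's `template-injection` finding; the two checks live in separate `elif check_install` branches, so nothing guarantees zizmor's diagnostic appears first, or at all when zizmor is not installed. A comment at the point where the removed block stood would make the new contract explicit, e.g. `# ${{ }} expressions are no longer rewritten: zizmor (template-injection) forbids them in run: scripts, so shellcheck must see plain shell.` The `shellcheck_for_gha` function continues past the end of this hunk, and `check_install` no longer accepting a `python` fallback for `python3` is consistent with the dependency being gone.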