From 93ea0b33c357ab5e56584967e551b351d558ff99 Mon Sep 17 00:00:00 2001 From: Taiki Endo Date: Mon, 9 Mar 2026 00:28:28 +0900 Subject: [PATCH] Avoid triggering zizmor ref-confusion --- CHANGELOG.md | 2 ++ tools/publish.sh | 14 ++++++++------ 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b4282774..f8195d0b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,8 @@ Note: In this file, do not use the hard wrap in the middle of a sentence for com ## [Unreleased] +- Avoid triggering [zizmor ref-confusion](https://docs.zizmor.sh/audits/#ref-confusion) when using this action in form of `uses: taiki-e/install-action@v2` or `uses: taiki-e/install-action@`. + ## [2.68.23] - 2026-03-08 - Update `zizmor@latest` to 1.23.0. diff --git a/tools/publish.sh b/tools/publish.sh index 2b6b7db0..cf2d548e 100755 --- a/tools/publish.sh +++ b/tools/publish.sh @@ -121,9 +121,9 @@ retry git push origin refs/heads/main retry git push origin refs/tags/"${tag}" major_version_tag="v${version%%.*}" -git branch "${major_version_tag}" +git branch "releases/${major_version_tag}" git tag -f "${major_version_tag}" -refs=("refs/heads/${major_version_tag}" "+refs/tags/${major_version_tag}") +refs=("refs/heads/releases/${major_version_tag}" "+refs/tags/${major_version_tag}") tools=() for tool in tools/codegen/base/*.json; do @@ -142,8 +142,9 @@ tools+=( # Non-manifest-based tools. tools+=(valgrind) +branches=() for tool in "${tools[@]}"; do - git checkout -b "${tool}" + git checkout -b "releases/${tool}" sed -E "${in_place[@]}" action.yml \ -e "s/required: true/required: false/g" \ -e "s/# default: #publish:tool/default: ${tool}/g" 
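Review bot: The push list in the first `tools/publish.sh` hunk now publishes `refs/heads/releases/${major_version_tag}`, but nothing visible removes the old `refs/heads/${major_version_tag}` branch from origin, so `@v2` stays ambiguous there and the stale branch stops following the tag from this release on. The same holds for the per-tool branches pushed through `refs+=(...)` in the last hunk. If that cleanup is not already handled outside this script, do it once by hand and record it next to `refs=(...)`, for example `# Old refs/heads/<name> branches were deleted from origin; short names are tags only.` A delete refspec inside the `--atomic` push would presumably fail the whole push once the old branch is gone, so a one-time step looks safer than a permanent one.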
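Review bot: The `releases/` prefix on `git checkout -b "releases/${tool}"` carries no comment saying why it is there, so a later tidy-up could drop it and bring back a branch and a tag with the same name. A line above `branches=()` such as `# Branches are namespaced under releases/ so each short name exists only as a tag (zizmor ref-confusion).` would record the intent. The `for` loop body continues past this hunk.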
@@ -151,11 +152,12 @@ for tool in "${tools[@]}"; do git commit -m "${tool}" git tag -f "${tool}" git checkout main - refs+=("+refs/heads/${tool}" "+refs/tags/${tool}") + refs+=("+refs/heads/releases/${tool}" "+refs/tags/${tool}") + branches+=("releases/${tool}") done retry git push origin --atomic "${refs[@]}" -git branch -d "${major_version_tag}" -git branch -D "${tools[@]}" +git branch -d "releases/${major_version_tag}" +git branch -D "${branches[@]}" schema_workspace=/tmp/workspace rm -rf -- "${schema_workspace}"