git-market/curl-curl
1
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2026-04-16 01:25:14 +08:00
Code Issues Actions 15 Packages Projects Releases Wiki Activity
abd400a972
curl-curl/.github/workflows/checksrc.yml
Viktor Szakats e522f47986
GHA/checksrc: check GHA rules with zizmor 
The pedantic level is experimental. If it causes issues, we may just
disable it alongside the ignore comments.

Also:
- silence error:
  ```
   INFO audit: zizmor: completed label.yml
  error[dangerous-triggers]: use of fundamentally insecure workflow trigger
    --> label.yml:13:1
     |
  13 | 'on': [pull_request_target]
     | ^^^^^^^^^^^^^^^^^^^^^^^^^^^ pull_request_target is almost always used insecurely
     |
     = note: audit confidence -> Medium
  ```
- fix pedantic warning:
  ```
   INFO audit: zizmor: completed label.yml
  warning[excessive-permissions]: overly broad permissions
    --> label.yml:1:1
  ...  |
  24 | |         with:
  25 | |           repo-token: '${{ secrets.GITHUB_TOKEN }}'
     | |____________________________________________________- default permissions used due to no permissions: block
     |
     = note: audit confidence -> Medium
  ```
- silence `template-injection` false positives like:
  ```
  - note: ${{ matrix.build.torture && 'test-torture' || 'test-ci' }} may expand into attacker-controllable code
  - note: ${{ contains(matrix.build.install_steps, 'pytest') && 'caddy httpd vsftpd' || '' }} may expand into attacker-controllable code
  ```
  It doesn't seem like these could be controlled by an attacker.
  Let me know if I'm missing something.

Closes #17278
2025-05-07 23:11:09 +02:00

135 lines
3.7 KiB
YAML
Raw Blame History

# Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
#
# SPDX-License-Identifier: curl
# This workflow contains checks at the source code level only.
name: Source
'on':
push:
branches:
- master
- '*/ci'
paths-ignore:
- '**/*.md'
- '.circleci/**'
- 'appveyor.*'
- 'plan9/**'
- 'tests/data/**'
- 'winbuild/**'
pull_request:
branches:
- master
paths-ignore:
- '**/*.md'
- '.circleci/**'
- 'appveyor.*'
- 'plan9/**'
- 'tests/data/**'
- 'winbuild/**'
permissions: {}
jobs:
checksrc:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
name: checkout
- name: check
run: git ls-files -z "*.[ch]" | xargs -0 -n1 ./scripts/checksrc.pl
codespell-cmakelint-pytype-ruff:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
name: checkout
- name: install
env:
DEBIAN_FRONTEND: noninteractive
run: |
sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list
sudo apt-get -o Dpkg::Use-Pty=0 update
sudo rm -f /var/lib/man-db/auto-update
sudo apt-get -o Dpkg::Use-Pty=0 install \
codespell python3-pip python3-networkx python3-pydot python3-yaml \
python3-toml python3-markupsafe python3-jinja2 python3-tabulate \
python3-typing-extensions python3-libcst python3-impacket \
python3-websockets python3-pytest
python3 -m pip install --break-system-packages cmakelint==1.4.3 pytype==2024.9.13 ruff==0.6.8
- name: spellcheck
run: |
codespell \
--skip scripts/mk-ca-bundle.pl \
--skip src/tool_hugehelp.c \
--skip scripts/wcurl \
-I .github/scripts/codespell-ignore.txt \
CMake include m4 scripts src lib
- name: cmakelint
run: scripts/cmakelint.sh
- name: pytype
run: find . -name '*.py' -exec pytype -j auto -k {} +
- name: ruff
run: ruff check --extend-select=B007,B016,C405,C416,COM818,D200,D213,D204,D401,D415,FURB129,N818,PERF401,PERF403,PIE790,PIE808,PLW0127,Q004,RUF010,SIM101,SIM117,SIM118,TRY400,TRY401
reuse:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
name: checkout
- name: REUSE Compliance Check
uses: fsfe/reuse-action@bb774aa972c2a89ff34781233d275075cbddf542 # v5
miscchecks:
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
name: checkout
- name: shellcheck
run: .github/scripts/shellcheck.sh
- name: spacecheck
run: .github/scripts/spacecheck.pl
- name: yamlcheck
run: .github/scripts/yamlcheck.sh
# we allow some extra in source code
- name: badwords
run: |
grep -Ev '(\\bwill| url | dir )' .github/scripts/badwords.txt | \
.github/scripts/badwords.pl $(git ls-files -- src lib include)
ghacheck:
name: GHA analysis
runs-on: macos-latest
timeout-minutes: 1
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
name: checkout
- name: zizmor
run: |
brew install zizmor
zizmor --pedantic .github/workflows/*.yml
Reference in New Issue View Git Blame Copy Permalink