Mirrors/chatmail-core
1
0
Fork 0
mirror of https://github.com/chatmail/core.git synced 2026-05-08 17:36:29 +03:00
Code Issues Packages Projects Releases Wiki Activity

ci: audit workflows with zizmor

Browse Source
This commit is contained in:
link2xt
2025-02-14 23:18:34 +00:00
committed by l
parent 5c3d1e7dae
commit 96704eb73d
13 changed files with 93 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
.github/workflows/ci.yml vendored
View File

@@ -16,6 +16,8 @@ on:
branches: branches:
- main - main
permissions: {}
env: env:
RUSTFLAGS: -Dwarnings RUSTFLAGS: -Dwarnings
@@ -29,6 +31,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
show-progress: false show-progress: false
persist-credentials: false
- name: Install rustfmt and clippy - name: Install rustfmt and clippy
run: rustup toolchain install $RUSTUP_TOOLCHAIN --profile minimal --component rustfmt --component clippy run: rustup toolchain install $RUSTUP_TOOLCHAIN --profile minimal --component rustfmt --component clippy
- name: Cache rust cargo artifacts - name: Cache rust cargo artifacts
@@ -49,6 +52,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
show-progress: false show-progress: false
persist-credentials: false
- name: Rebuild constants - name: Rebuild constants
run: npm run build:core:constants run: npm run build:core:constants
- name: Check that constants are not changed - name: Check that constants are not changed
@@ -61,6 +65,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
show-progress: false show-progress: false
persist-credentials: false
- uses: EmbarkStudios/cargo-deny-action@v2 - uses: EmbarkStudios/cargo-deny-action@v2
with: with:
arguments: --all-features --workspace arguments: --all-features --workspace
@@ -74,6 +79,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
show-progress: false show-progress: false
persist-credentials: false
- name: Check provider database - name: Check provider database
run: scripts/update-provider-database.sh run: scripts/update-provider-database.sh
@@ -86,6 +92,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
show-progress: false show-progress: false
persist-credentials: false
- name: Cache rust cargo artifacts - name: Cache rust cargo artifacts
uses: swatinem/rust-cache@v2 uses: swatinem/rust-cache@v2
- name: Rustdoc - name: Rustdoc
@@ -111,6 +118,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
show-progress: false show-progress: false
persist-credentials: false
- name: Install Rust ${{ matrix.rust }} - name: Install Rust ${{ matrix.rust }}
run: rustup toolchain install --profile minimal ${{ matrix.rust }} run: rustup toolchain install --profile minimal ${{ matrix.rust }}
@@ -147,6 +155,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
show-progress: false show-progress: false
persist-credentials: false
- name: Cache rust cargo artifacts - name: Cache rust cargo artifacts
uses: swatinem/rust-cache@v2 uses: swatinem/rust-cache@v2
@@ -171,6 +180,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
show-progress: false show-progress: false
persist-credentials: false
- name: Cache rust cargo artifacts - name: Cache rust cargo artifacts
uses: swatinem/rust-cache@v2 uses: swatinem/rust-cache@v2
@@ -192,6 +202,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
show-progress: false show-progress: false
persist-credentials: false
- name: Install tox - name: Install tox
run: pip install tox run: pip install tox
@@ -234,6 +245,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
show-progress: false show-progress: false
persist-credentials: false
- name: Download libdeltachat.a - name: Download libdeltachat.a
uses: actions/download-artifact@v4 uses: actions/download-artifact@v4
@@ -286,6 +298,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
show-progress: false show-progress: false
persist-credentials: false
- name: Install python - name: Install python
uses: actions/setup-python@v5 uses: actions/setup-python@v5

14
.github/workflows/deltachat-rpc-server.yml vendored
View File

@@ -17,6 +17,8 @@ on:
release: release:
types: [published] types: [published]
permissions: {}
jobs: jobs:
# Build a version statically linked against musl libc # Build a version statically linked against musl libc
# to avoid problems with glibc version incompatibility. # to avoid problems with glibc version incompatibility.
@@ -31,6 +33,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
show-progress: false show-progress: false
persist-credentials: false
- uses: DeterminateSystems/nix-installer-action@main - uses: DeterminateSystems/nix-installer-action@main
- uses: DeterminateSystems/magic-nix-cache-action@main - uses: DeterminateSystems/magic-nix-cache-action@main
@@ -55,6 +58,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
show-progress: false show-progress: false
persist-credentials: false
- uses: DeterminateSystems/nix-installer-action@main - uses: DeterminateSystems/nix-installer-action@main
- uses: DeterminateSystems/magic-nix-cache-action@main - uses: DeterminateSystems/magic-nix-cache-action@main
@@ -80,6 +84,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
show-progress: false show-progress: false
persist-credentials: false
- name: Setup rust target - name: Setup rust target
run: rustup target add ${{ matrix.arch }}-apple-darwin run: rustup target add ${{ matrix.arch }}-apple-darwin
@@ -105,6 +110,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
show-progress: false show-progress: false
persist-credentials: false
- uses: DeterminateSystems/nix-installer-action@main - uses: DeterminateSystems/nix-installer-action@main
- uses: DeterminateSystems/magic-nix-cache-action@main - uses: DeterminateSystems/magic-nix-cache-action@main
@@ -132,6 +138,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
show-progress: false show-progress: false
persist-credentials: false
- uses: DeterminateSystems/nix-installer-action@main - uses: DeterminateSystems/nix-installer-action@main
- uses: DeterminateSystems/magic-nix-cache-action@main - uses: DeterminateSystems/magic-nix-cache-action@main
@@ -258,8 +265,9 @@ jobs:
if: github.event_name == 'release' if: github.event_name == 'release'
env: env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
REF_NAME: ${{ github.ref_name }}
run: | run: |
gh release upload ${{ github.ref_name }} \ gh release upload "$REF_NAME" \
--repo ${{ github.repository }} \ --repo ${{ github.repository }} \
bin/* dist/* bin/* dist/*
@@ -280,6 +288,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
show-progress: false show-progress: false
persist-credentials: false
- uses: actions/setup-python@v5 - uses: actions/setup-python@v5
with: with:
python-version: "3.11" python-version: "3.11"
@@ -385,8 +394,9 @@ jobs:
if: github.event_name == 'release' if: github.event_name == 'release'
env: env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
REF_NAME: ${{ github.ref_name }}
run: | run: |
gh release upload ${{ github.ref_name }} \ gh release upload "$REF_NAME" \
--repo ${{ github.repository }} \ --repo ${{ github.repository }} \
deltachat-rpc-server/npm-package/*.tgz deltachat-rpc-server/npm-package/*.tgz

3
.github/workflows/jsonrpc-client-npm-package.yml vendored
View File

@@ -4,6 +4,8 @@ on:
release: release:
types: [published] types: [published]
permissions: {}
jobs: jobs:
pack-module: pack-module:
name: "Publish @deltachat/jsonrpc-client" name: "Publish @deltachat/jsonrpc-client"
@@ -15,6 +17,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
show-progress: false show-progress: false
persist-credentials: false
- uses: actions/setup-node@v4 - uses: actions/setup-node@v4
with: with:

3
.github/workflows/jsonrpc.yml vendored
View File

@@ -6,6 +6,8 @@ on:
pull_request: pull_request:
branches: [main] branches: [main]
permissions: {}
env: env:
CARGO_TERM_COLOR: always CARGO_TERM_COLOR: always
RUST_MIN_STACK: "8388608" RUST_MIN_STACK: "8388608"
@@ -17,6 +19,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
show-progress: false show-progress: false
persist-credentials: false
- name: Use Node.js 18.x - name: Use Node.js 18.x
uses: actions/setup-node@v4 uses: actions/setup-node@v4
with: with:

5
.github/workflows/nix.yml vendored
View File

@@ -12,6 +12,8 @@ on:
branches: branches:
- main - main
permissions: {}
jobs: jobs:
format: format:
name: check flake formatting name: check flake formatting
@@ -20,6 +22,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
show-progress: false show-progress: false
persist-credentials: false
- uses: DeterminateSystems/nix-installer-action@main - uses: DeterminateSystems/nix-installer-action@main
- uses: DeterminateSystems/magic-nix-cache-action@main - uses: DeterminateSystems/magic-nix-cache-action@main
- run: nix fmt - run: nix fmt
@@ -80,6 +83,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
show-progress: false show-progress: false
persist-credentials: false
- uses: DeterminateSystems/nix-installer-action@main - uses: DeterminateSystems/nix-installer-action@main
- uses: DeterminateSystems/magic-nix-cache-action@main - uses: DeterminateSystems/magic-nix-cache-action@main
- run: nix build .#${{ matrix.installable }} - run: nix build .#${{ matrix.installable }}
@@ -99,6 +103,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
show-progress: false show-progress: false
persist-credentials: false
- uses: DeterminateSystems/nix-installer-action@main - uses: DeterminateSystems/nix-installer-action@main
- uses: DeterminateSystems/magic-nix-cache-action@main - uses: DeterminateSystems/magic-nix-cache-action@main
- run: nix build .#${{ matrix.installable }} - run: nix build .#${{ matrix.installable }}

3
.github/workflows/node-docs.yml vendored
View File

@@ -10,6 +10,8 @@ on:
branches: branches:
- main - main
permissions: {}
jobs: jobs:
generate: generate:
runs-on: ubuntu-latest runs-on: ubuntu-latest
@@ -17,6 +19,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
show-progress: false show-progress: false
persist-credentials: false
- name: Use Node.js 18.x - name: Use Node.js 18.x
uses: actions/setup-node@v4 uses: actions/setup-node@v4

5
.github/workflows/node-package.yml vendored
View File

@@ -6,6 +6,8 @@ on:
- "*" - "*"
- "!py-*" - "!py-*"
permissions: {}
jobs: jobs:
prebuild: prebuild:
name: Prebuild name: Prebuild
@@ -17,6 +19,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
show-progress: false show-progress: false
persist-credentials: false
- uses: actions/setup-node@v4 - uses: actions/setup-node@v4
with: with:
node-version: "18" node-version: "18"
@@ -78,6 +81,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
show-progress: false show-progress: false
persist-credentials: false
- uses: actions/setup-node@v4 - uses: actions/setup-node@v4
with: with:
node-version: "18" node-version: "18"
@@ -142,6 +146,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
show-progress: false show-progress: false
persist-credentials: false
- uses: actions/setup-node@v4 - uses: actions/setup-node@v4
with: with:
node-version: "18" node-version: "18"

3
.github/workflows/node-tests.yml vendored
View File

@@ -15,6 +15,8 @@ on:
branches: branches:
- main - main
permissions: {}
jobs: jobs:
tests: tests:
name: Tests name: Tests
@@ -26,6 +28,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
show-progress: false show-progress: false
persist-credentials: false
- uses: actions/setup-node@v4 - uses: actions/setup-node@v4
with: with:
node-version: "18" node-version: "18"

3
.github/workflows/publish-deltachat-rpc-client-pypi.yml vendored
View File

@@ -5,6 +5,8 @@ on:
release: release:
types: [published] types: [published]
permissions: {}
jobs: jobs:
build: build:
name: Build distribution name: Build distribution
@@ -14,6 +16,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
show-progress: false show-progress: false
persist-credentials: false
- name: Install pypa/build - name: Install pypa/build
run: python3 -m pip install build run: python3 -m pip install build
- name: Build a binary wheel and a source tarball - name: Build a binary wheel and a source tarball

3
.github/workflows/repl.yml vendored
View File

@@ -7,6 +7,8 @@ name: Build Windows REPL .exe
on: on:
workflow_dispatch: workflow_dispatch:
permissions: {}
jobs: jobs:
build_repl: build_repl:
name: Build REPL example name: Build REPL example
@@ -15,6 +17,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
show-progress: false show-progress: false
persist-credentials: false
- uses: DeterminateSystems/nix-installer-action@main - uses: DeterminateSystems/nix-installer-action@main
- uses: DeterminateSystems/magic-nix-cache-action@main - uses: DeterminateSystems/magic-nix-cache-action@main
- name: Build - name: Build

6
.github/workflows/upload-docs.yml vendored
View File

@@ -6,6 +6,8 @@ on:
- main - main
- build_jsonrpc_docs_ci - build_jsonrpc_docs_ci
permissions: {}
jobs: jobs:
build-rs: build-rs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
@@ -14,6 +16,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
show-progress: false show-progress: false
persist-credentials: false
- name: Build the documentation with cargo - name: Build the documentation with cargo
run: | run: |
cargo doc --package deltachat --no-deps --document-private-items cargo doc --package deltachat --no-deps --document-private-items
@@ -31,6 +34,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
show-progress: false show-progress: false
persist-credentials: false
fetch-depth: 0 # Fetch history to calculate VCS version number. fetch-depth: 0 # Fetch history to calculate VCS version number.
- uses: DeterminateSystems/nix-installer-action@main - uses: DeterminateSystems/nix-installer-action@main
- uses: DeterminateSystems/magic-nix-cache-action@main - uses: DeterminateSystems/magic-nix-cache-action@main
@@ -50,6 +54,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
show-progress: false show-progress: false
persist-credentials: false
fetch-depth: 0 # Fetch history to calculate VCS version number. fetch-depth: 0 # Fetch history to calculate VCS version number.
- uses: DeterminateSystems/nix-installer-action@main - uses: DeterminateSystems/nix-installer-action@main
- uses: DeterminateSystems/magic-nix-cache-action@main - uses: DeterminateSystems/magic-nix-cache-action@main
@@ -72,6 +77,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
show-progress: false show-progress: false
persist-credentials: false
fetch-depth: 0 # Fetch history to calculate VCS version number. fetch-depth: 0 # Fetch history to calculate VCS version number.
- name: Use Node.js - name: Use Node.js
uses: actions/setup-node@v4 uses: actions/setup-node@v4

3
.github/workflows/upload-ffi-docs.yml vendored
View File

@@ -9,6 +9,8 @@ on:
branches: branches:
- main - main
permissions: {}
jobs: jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
@@ -17,6 +19,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
show-progress: false show-progress: false
persist-credentials: false
- name: Build the documentation with cargo - name: Build the documentation with cargo
run: | run: |
cargo doc --package deltachat_ffi --no-deps cargo doc --package deltachat_ffi --no-deps

31
.github/workflows/zizmor-scan.yml vendored Normal file
View File

@@ -0,0 +1,31 @@
name: GitHub Actions Security Analysis with zizmor
on:
push:
branches: ["main"]
pull_request:
branches: ["**"]
jobs:
zizmor:
name: zizmor latest via PyPI
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
persist-credentials: false
- name: Install the latest version of uv
uses: astral-sh/setup-uv@v5
- name: Run zizmor
run: uvx zizmor --format sarif . > results.sarif
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
category: zizmor