From db5ecd7f172e6cbd94e002004f3db3f0c60f98e1 Mon Sep 17 00:00:00 2001
From: Eliah Kagan
Date: Sat, 9 Nov 2024 05:49:25 -0500
Subject: [PATCH] Make GHA permissions explicit and often narrower

This adds YAML in a number of places.

Related documentation:

- https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#permissions
- https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idpermissions
- https://docs.github.com/en/rest/authentication/permissions-required-for-github-apps?apiVersion=2022-11-28

To preserve clarity, this also reduces stylistic inconsistencies, and uses a slightly more spacious style where top-level keys in a job are separated by blank lines.
---
 .github/workflows/ci.yml | 32 +++++++++++++++++++---
 .github/workflows/cifuzz.yml | 51 ++++++++++++++++++++---------------
 .github/workflows/cron.yml | 14 ++++++---
 .github/workflows/msrv.yml | 7 +++++
 .github/workflows/release.yml | 17 ++++++++++++
 5 files changed, 91 insertions(+), 30 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4f690763028..49316892e55 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,9 +1,5 @@
 name: ci
 
-env:
- CARGO_TERM_COLOR: always
- CLICOLOR: 1
-
 on:
 push:
 branches:
@@ -17,10 +13,19 @@ on:
 - main
 workflow_dispatch:
 
+permissions:
+ contents: read
+
+env:
+ CARGO_TERM_COLOR: always
+ CLICOLOR: 1
+
 jobs:
 pure-rust-build:
 runs-on: ubuntu-latest
+
 container: debian:bookworm
+
 steps:
 - uses: actions/checkout@v4
 - name: Prerequisites
@@ -32,6 +37,7 @@ jobs:
 
 test:
 runs-on: ubuntu-latest
+
 steps:
 - uses: actions/checkout@v4
 - uses: dtolnay/rust-toolchain@stable
@@ -56,7 +62,9 @@ jobs:
 - windows-latest
 - macos-latest
 - ubuntu-latest
+
 runs-on: ${{ matrix.os }}
+
 steps:
 - uses: actions/checkout@v4
 - uses: dtolnay/rust-toolchain@stable
@@ -82,6 +90,7 @@ jobs:
 
 test-fixtures-windows:
 runs-on: windows-latest
+
 steps:
 - uses: actions/checkout@v4
 - uses: dtolnay/rust-toolchain@stable
@@ -118,9 +127,11 @@ jobs:
 
 test-32bit:
 runs-on: ubuntu-latest
+
 strategy:
 matrix:
 target: [ armv7-linux-androideabi ]
+
 steps:
 - uses: actions/checkout@v4
 - uses: dtolnay/rust-toolchain@stable
@@ -142,6 +153,7 @@ jobs:
 
 lint:
 runs-on: ubuntu-latest
+
 steps:
 - uses: actions/checkout@v4
 - uses: dtolnay/rust-toolchain@master
@@ -166,6 +178,7 @@ jobs:
 
 cargo-deny:
 runs-on: ubuntu-latest
+
 strategy:
 matrix:
 checks:
@@ -183,11 +196,15 @@ jobs:
 
 wasm:
 name: WebAssembly
+
 runs-on: ubuntu-latest
+
 continue-on-error: true
+
 strategy:
 matrix:
 target: [ wasm32-unknown-unknown, wasm32-wasi ]
+
 steps:
 - uses: actions/checkout@master
 - name: Install Rust
@@ -215,10 +232,13 @@ jobs:
 # However, when changes are made to `etc/copy-packetline.sh`, re-enable the other platforms for testing.
 # - macos-latest
 # - windows-latest
+
 runs-on: ${{ matrix.os }}
+
 defaults:
 run:
 shell: bash
+
 steps:
 - uses: actions/checkout@v4
 - name: Check that working tree is initially clean
@@ -237,6 +257,7 @@ jobs:
 # Dummy job to have a stable name for the "all tests pass" requirement
 tests-pass:
 name: Tests pass
+
 needs:
 - pure-rust-build
 - test
@@ -246,8 +267,11 @@ jobs:
 - cargo-deny
 - wasm
 - check-packetline
+
 if: always() # always run even if dependencies fail
+
 runs-on: ubuntu-latest
+
 steps:
 # fail if ANY dependency has failed or cancelled
 - if: "contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')"
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
index 89ce4123d43..6840d0dde35 100644
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@@ -1,4 +1,5 @@
 name: CIFuzz
+
 on:
 pull_request:
 branches:
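Review bot: The workflow-level `contents: read` added earlier in this file now bounds what the token can do, but the `wasm` job in hunk `@@ -183,11 +196,15 @@` still checks out with `uses: actions/checkout@master`, a floating branch ref, while every other job in the file uses `actions/checkout@v4`; whatever that branch resolves to at run time executes with the job's token and workspace. Pinning it to the same tag, `- uses: actions/checkout@v4` (or a full commit SHA), is a one-line change in the spirit of this commit's narrowing of what the workflow trusts. That line is pre-existing context rather than something the hunk introduces, and the job's remaining steps continue past the end of the hunk.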
@@ -14,25 +15,33 @@ on:
 - '*.toml'
 - Makefile
 workflow_dispatch:
+
 jobs:
- Fuzzing:
- runs-on: ubuntu-latest
- steps:
- - name: Build Fuzzers
- id: build
- uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
- with:
- oss-fuzz-project-name: 'gitoxide'
- language: rust
- - name: Run Fuzzers
- uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
- with:
- oss-fuzz-project-name: 'gitoxide'
- language: rust
- fuzz-seconds: 600
- - name: Upload Crash
- uses: actions/upload-artifact@v4
- if: failure() && steps.build.outcome == 'success'
- with:
- name: artifacts
- path: ./out/artifacts
+ Fuzzing:
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: read
+ actions: write
+
+ steps:
+ - name: Build Fuzzers
+ id: build
+ uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
+ with:
+ oss-fuzz-project-name: 'gitoxide'
+ language: rust
+
+ - name: Run Fuzzers
+ uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
+ with:
+ oss-fuzz-project-name: 'gitoxide'
+ language: rust
+ fuzz-seconds: 600
+
+ - name: Upload Crash
+ uses: actions/upload-artifact@v4
+ if: failure() && steps.build.outcome == 'success'
+ with:
+ name: artifacts
+ path: ./out/artifacts
diff --git a/.github/workflows/cron.yml b/.github/workflows/cron.yml
index c4479841d8a..a341675c629 100644
--- a/.github/workflows/cron.yml
+++ b/.github/workflows/cron.yml
@@ -1,15 +1,19 @@
 name: cron
 
 on:
- schedule:
+ schedule:
 - cron: '0 13,1 * * *'
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 stress:
 runs-on: ubuntu-latest
+
 steps:
- - uses: actions/checkout@v4
- - uses: Swatinem/rust-cache@v2
- - name: stress
- run: make stress
+ - uses: actions/checkout@v4
+ - uses: Swatinem/rust-cache@v2
+ - name: stress
+ run: make stress
diff --git a/.github/workflows/msrv.yml b/.github/workflows/msrv.yml
index 3474f081d55..a0c7fa429e4 100644
--- a/.github/workflows/msrv.yml
+++ b/.github/workflows/msrv.yml
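Review bot: cifuzz.yml is the only workflow touched by this commit that receives no workflow-level `permissions:` block; in hunk `@@ -14,25 +15,33 @@` the grant sits on the `Fuzzing` job alone, so any job added to this file later would fall back to the repository's default token scope, unlike ci.yml, cron.yml, msrv.yml and release.yml, which now default to `contents: read` at the top. Adding `permissions:` with `contents: read` beneath it after `workflow_dispatch:` (the blank line this hunk inserts there is a natural place) would make the five files consistent and leave the job-level block to widen only what this job needs. The job-level `actions: write` also carries no explanation, unlike the commented `contents: read` in release.yml; a short inline comment naming the step that requires it, e.g. `actions: write  # needed by the <step name> step`, with the step confirmed against that action's documentation, would let a later maintainer drop the grant if that step changes.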
@@ -13,19 +13,26 @@ on:
 - main
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 check-msrv:
 name: cargo check MSRV
+
 strategy:
 matrix:
 os:
 - windows-2022
 - ubuntu-latest
+
 runs-on: ${{ matrix.os }}
+
 env:
 # dictated by `firefox` to support the `helix` editor, but now probably effectively be controlled by `jiff`, which also aligns with `regex`.
 # IMPORTANT: adjust etc/msrv-badge.svg as well
 rust_version: 1.74.0
+
 steps:
 - uses: actions/checkout@v4
 - uses: extractions/setup-just@v2
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 05f9f503606..50a4a88e342 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,6 +12,9 @@ on:
 - 'v*'
 workflow_dispatch:
 
+permissions:
+ contents: read # Set more permissively in jobs that need `write`.
+
 defaults:
 run:
 shell: bash
@@ -21,6 +24,9 @@ jobs:
 create-release:
 runs-on: ubuntu-latest
 
+ permissions:
+ contents: write
+
 # env:
 # # Set to force version number, e.g., when no tag exists.
 # VERSION: TEST-0.0.0
@@ -204,6 +210,9 @@ jobs:
 
 runs-on: ${{ matrix.os }}
 
+ permissions:
+ contents: write
+
 env:
 RUST_BACKTRACE: '1' # Emit backtraces on panics.
 CARGO_TERM_COLOR: always
@@ -295,6 +304,9 @@ jobs:
 # These features need to be exactly the same as the features in build-release.
 feature: [ small, lean, max, max-pure ]
 
+ permissions:
+ contents: write
+
 env:
 BASH_ENV: ./helpers.sh
 REPOSITORY: ${{ github.repository }}
@@ -354,6 +366,9 @@ jobs:
 
 needs: [ create-release, build-release, build-macos-universal2-release ]
 
+ permissions:
+ contents: write
+
 env:
 REPOSITORY: ${{ github.repository }}
 VERSION: ${{ needs.create-release.outputs.version }}
@@ -435,7 +450,9 @@ jobs:
 os: windows-latest
 rust: stable
 target: i686-pc-windows-gnu
+
 runs-on: ${{ matrix.os }}
+
 steps:
 - uses: actions/checkout@v4
 - name: Install Rust
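Review bot: In release.yml hunk `@@ -21,6 +24,9 @@`, `contents: write` is granted to the entire `create-release` job, so every step in it — the checkout, any third-party action, any shell step — runs with a token that can push to the repository, not only the step that publishes the release; the job's steps lie outside this hunk. GitHub Actions cannot narrow permissions per step, so where the write is needed by a single command the usual mitigation is to keep the other steps from holding the token, e.g. `persist-credentials: false` on the job's `actions/checkout` step if it has one, so the token is not left in the checked-out repository's git config for later steps to read. The same job-level `contents: write` block is repeated in the three hunks that follow (`@@ -204,6 +210,9`, `@@ -295,6 +304,9`, `@@ -354,6 +366,9`), and the same consideration applies there. The workflow-level comment "Set more permissively in jobs that need `write`." is good practice; a matching comment on each job stating which step needs the write, e.g. `contents: write  # <step name> publishes the release`, would make later audits quicker.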