diff --git a/.github/workflows/_build-release.yml b/.github/workflows/_build-release.yml index d7ff19d75..ca52ce940 100644 --- a/.github/workflows/_build-release.yml +++ b/.github/workflows/_build-release.yml @@ -74,17 +74,20 @@ jobs: #- target: aarch64-pc-windows-msvc # os: windows-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ inputs.ref }} + persist-credentials: false - - uses: dtolnay/rust-toolchain@stable + - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable with: target: ${{ matrix.target }} - name: Install cross if: matrix.cross - uses: taiki-e/install-action@cross + uses: taiki-e/install-action@899b013517f9e7774591216672bf75a46bb9a481 # v2.9.4 + with: + tool: cross - name: Enable cross-compilation if: matrix.cross @@ -94,7 +97,7 @@ jobs: - name: Build run: ${{ env.CARGO }} build --release --locked --target ${{ matrix.target }} --workspace --exclude scarb-prove --exclude scarb-verify ${{ !inputs.include-cairols && '--exclude scarb-cairo-language-server' || ''}} --no-default-features ${{ inputs.include-lint && '--features scarb/scarb-lint' || ''}} - - uses: dtolnay/rust-toolchain@master + - uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # master if: inputs.include-stwo with: target: ${{ matrix.target }} @@ -102,7 +105,9 @@ jobs: - name: Install cross if: matrix.cross && inputs.include-stwo - uses: taiki-e/install-action@cross + uses: taiki-e/install-action@899b013517f9e7774591216672bf75a46bb9a481 # v2.9.4 + with: + tool: cross - name: Enable cross-compilation if: matrix.cross && inputs.include-stwo @@ -113,7 +118,7 @@ jobs: if: inputs.include-stwo run: ${{ env.CARGO }} build --release --locked --target ${{ matrix.target }} -p scarb-prove -p scarb-verify - - uses: dtolnay/rust-toolchain@stable + - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable with: target: ${{ matrix.target }} 
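Review bot: In the `Install cross` step of the `@@ -74` hunk, `tool: cross` carries no version, so install-action resolves whichever `cross` release is current at run time even though the action itself is now SHA-pinned; the second `Install cross` step in the `@@ -102` hunk has the same gap. For a reproducible release build, pin the tool too, e.g. `tool: cross@<version>` (placeholder — use the release the build is currently validated against). The SHA pins and `persist-credentials: false` on checkout in this hunk look right.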
@@ -124,7 +129,7 @@ jobs: TARGET: ${{ matrix.target }} - name: Upload artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: build-${{ matrix.target }} path: scarb-${{ inputs.scarb-tag }}-${{ matrix.target }}.* @@ -151,17 +156,18 @@ jobs: os: windows-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ inputs.ref }} + persist-credentials: false - - uses: dtolnay/rust-toolchain@stable + - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable - name: Build xtasks run: cargo build -p xtask - name: Download artifact - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: build-${{ matrix.target }} path: target/verify @@ -179,7 +185,7 @@ jobs: needs: build steps: - name: Download artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: path: artifacts-dl @@ -195,7 +201,7 @@ jobs: cat checksums.sha256 - name: Upload artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: checksums path: artifacts/checksums.* diff --git a/.github/workflows/build-dev.yml b/.github/workflows/build-dev.yml index b2e8353fa..931432100 100644 --- a/.github/workflows/build-dev.yml +++ b/.github/workflows/build-dev.yml @@ -36,10 +36,16 @@ on: type: boolean default: true +permissions: {} + jobs: dev-build: uses: ./.github/workflows/nightly.yml - secrets: inherit + permissions: + contents: write + secrets: + SCARB_NIGHTLIES_CONTENTS_WRITE: ${{ secrets.SCARB_NIGHTLIES_CONTENTS_WRITE }} + SLACK_NIGHTLY_FAILURE_WEBHOOK_URL: ${{ secrets.SLACK_NIGHTLY_FAILURE_WEBHOOK_URL }} with: dry_run: ${{ inputs.dry_run }} upgrade-cairo: ${{ inputs.upgrade-cairo }} 
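Review bot: The `permissions: contents: write` added to the `dev-build` call in the `@@ -36` hunk of build-dev.yml applies to every job of the called nightly.yml unless those jobs narrow it themselves; from the nightly.yml hunks in this diff only the `cleanup` job's `git push origin -d` appears to need a writable `GITHUB_TOKEN`, since the release steps use the `SCARB_NIGHTLIES_CONTENTS_WRITE` secret instead. If nightly.yml's jobs do not already declare their own `permissions`, consider giving the build and release jobs `permissions: contents: read` and reserving `contents: write` for `cleanup`; those job headers are not visible here. The explicit `secrets:` block is an improvement over `secrets: inherit`, but it requires nightly.yml to declare both names under `on.workflow_call.secrets`, which this diff does not show.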
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index ef8880310..ca6b6ee4c 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -200,11 +200,14 @@ jobs: - uses: actions/checkout@v6 with: ref: ${{ needs.prepare.outputs.nightly_branch }} + persist-credentials: false - name: Create source code archives run: | - git archive "--prefix=scarb-${{ needs.prepare.outputs.nightly_tag }}/" -o "scarb-${{ needs.prepare.outputs.nightly_tag }}.zip" HEAD - git archive "--prefix=scarb-${{ needs.prepare.outputs.nightly_tag }}/" -o "scarb-${{ needs.prepare.outputs.nightly_tag }}.tar.gz" HEAD + git archive "--prefix=scarb-${NEEDS_PREPARE_OUTPUTS_NIGHTLY_TAG}/" -o "scarb-${NEEDS_PREPARE_OUTPUTS_NIGHTLY_TAG}.zip" HEAD + git archive "--prefix=scarb-${NEEDS_PREPARE_OUTPUTS_NIGHTLY_TAG}/" -o "scarb-${NEEDS_PREPARE_OUTPUTS_NIGHTLY_TAG}.tar.gz" HEAD + env: + NEEDS_PREPARE_OUTPUTS_NIGHTLY_TAG: ${{ needs.prepare.outputs.nightly_tag }} - name: Download artifacts uses: actions/download-artifact@v8 
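Review bot: The new side of this hunk still references `actions/checkout@v6` and `actions/download-artifact@v8` by floating tag, while the same actions are SHA-pinned in `_build-release.yml` and `release.yml` in this commit; nightly.yml is also one of the files the new zizmor workflow scans, so these references are likely to be reported there. Pinning them the same way, e.g. `- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6`, would keep the three workflows consistent. Moving the `nightly_tag` output into an `env` variable for the `git archive` commands is the right fix for expression injection in `run:`.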
@@ -221,20 +224,21 @@ jobs: - name: Create GitHub release run: | gh release create \ - "${{ needs.prepare.outputs.nightly_tag }}" \ + "${NEEDS_PREPARE_OUTPUTS_NIGHTLY_TAG}" \ --repo software-mansion/scarb-nightlies \ ${{ !inputs.is_dev && '--latest' || '--latest=false' }} \ - --title "${{ needs.prepare.outputs.nightly_tag }}" \ + --title "${NEEDS_PREPARE_OUTPUTS_NIGHTLY_TAG}" \ --notes-file NIGHTLY_RELEASE_NOTES.md env: GH_TOKEN: ${{ secrets.SCARB_NIGHTLIES_CONTENTS_WRITE }} + NEEDS_PREPARE_OUTPUTS_NIGHTLY_TAG: ${{ needs.prepare.outputs.nightly_tag }} - name: Upload release assets run: | for file in \ ./artifacts/* \ - "scarb-${{ needs.prepare.outputs.nightly_tag }}.zip#Scarb source code (zip)" \ - "scarb-${{ needs.prepare.outputs.nightly_tag }}.tar.gz#Scarb source code (tar.gz)" + "scarb-${NEEDS_PREPARE_OUTPUTS_NIGHTLY_TAG}.zip#Scarb source code (zip)" \ + "scarb-${NEEDS_PREPARE_OUTPUTS_NIGHTLY_TAG}.tar.gz#Scarb source code (tar.gz)" do # If there isn't # in name, it means that it is a build artifact # and we need to remove version tag from the name, so it can be @@ -251,12 +255,13 @@ jobs: fi gh release upload \ - "${{ needs.prepare.outputs.nightly_tag }}" \ + "${NEEDS_PREPARE_OUTPUTS_NIGHTLY_TAG}" \ "$file" \ --repo software-mansion/scarb-nightlies done env: GH_TOKEN: ${{ secrets.SCARB_NIGHTLIES_CONTENTS_WRITE }} + NEEDS_PREPARE_OUTPUTS_NIGHTLY_TAG: ${{ needs.prepare.outputs.nightly_tag }} cleanup: runs-on: ubuntu-latest @@ -266,7 +271,9 @@ jobs: - uses: actions/checkout@v6 - name: Delete nightly branch run: | - git push origin -d ${{ needs.prepare.outputs.nightly_branch }} + git push origin -d ${NEEDS_PREPARE_OUTPUTS_NIGHTLY_BRANCH} + env: + NEEDS_PREPARE_OUTPUTS_NIGHTLY_BRANCH: ${{ needs.prepare.outputs.nightly_branch }} notify_failed: runs-on: ubuntu-latest diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b243e0996..18fe10bac 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
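Review bot: In the `Delete nightly branch` step of the `@@ -266` hunk, the expansion `${NEEDS_PREPARE_OUTPUTS_NIGHTLY_BRANCH}` is unquoted, unlike the other `run:` lines converted in this commit, so a branch name containing whitespace or glob characters would be word-split before reaching `git push`; write it as `git push origin -d "${NEEDS_PREPARE_OUTPUTS_NIGHTLY_BRANCH}"`. This step is also the only place in the nightly.yml hunks that needs the persisted checkout credentials and a writable `GITHUB_TOKEN`, so if the job does not already set one, a job-level `permissions: contents: write` here (with read-only elsewhere) would match the scoping done in release.yml; the `cleanup` job header lies outside this hunk.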
@@ -5,8 +5,7 @@ on: tags: - v[0-9]+.* -permissions: - contents: write +permissions: {} jobs: check: @@ -22,11 +21,15 @@ jobs: name: draft release runs-on: ubuntu-latest needs: [ check, release ] + permissions: + contents: write steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Download artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: path: artifacts-dl @@ -40,11 +43,12 @@ jobs: - name: Draft GitHub release run: | gh release create \ - '${{ github.ref_name }}' \ + "${RELEASE_TAG}" \ ./artifacts/* \ --draft \ - --title '${{ github.ref_name }}' \ + --title "${RELEASE_TAG}" \ --generate-notes \ --verify-tag env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + RELEASE_TAG: ${{ github.ref_name }} diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 000000000..f7de7b0e0 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,35 @@ +name: Workflow Security Analysis + +on: + push: + branches: ["main"] + paths: + - ".github/workflows/_build_release.yml" + - ".github/workflows/nightly.yml" + - ".github/workflows/release.yml" + pull_request: + paths: + - ".github/workflows/_build_release.yml" + - ".github/workflows/nightly.yml" + - ".github/workflows/release.yml" + +permissions: {} + +jobs: + zizmor: + runs-on: ubuntu-latest + permissions: + security-events: write + contents: read + actions: read + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false + + - uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 + with: + workspace: >- + .github/workflows/_build_release.yml + .github/workflows/nightly.yml + .github/workflows/release.yml
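Review bot: With the top-level block reduced to `permissions: {}` in the `@@ -5` hunk, every job that does not set its own `permissions` now runs with a token that has no scopes, including the `release` job named in `needs: [ check, release ]` in the next hunk, whose definition is outside this diff. If that job calls the reusable `_build-release.yml`, the call inherits the empty permission set; confirm it still has whatever the build needs (for example `contents: read` for checkout on a private repository) or declare it on the job. The `contents: write` added to the job named `draft release` is scoped correctly.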
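Review bot: The new zizmor.yml lists `.github/workflows/_build_release.yml` (underscore) in both `paths:` filters and in the `workspace` list, but the file changed in this commit is `.github/workflows/_build-release.yml` (hyphen, per its `diff --git` header), so the build workflow is never scanned and edits to it never trigger the analysis; change the two filter entries to `- ".github/workflows/_build-release.yml"` and the `workspace` line to `.github/workflows/_build-release.yml`. `build-dev.yml`, also modified in this commit, appears in neither list; pointing the filters and the scan at `.github/workflows/` as a whole would avoid maintaining the list by hand. Otherwise the job is set up defensively: `permissions: {}` at the top, least-privilege job permissions, SHA-pinned actions and `persist-credentials: false`.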