From 04ae5b949dc41c264867fb3b01005501ad0091c8 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 28 May 2025 16:41:31 -0400 Subject: [PATCH 1/8] WIP: attempt to run `zizmor` via Docker Signed-off-by: William Woodruff --- Makefile | 20 ------ action.py | 164 ------------------------------------------- action.sh | 72 +++++++++++++++++++ action.yml | 7 +- dev-requirements.txt | 2 - uv.lock | 83 ---------------------- 6 files changed, 73 insertions(+), 275 deletions(-) delete mode 100755 action.py create mode 100755 action.sh delete mode 100644 dev-requirements.txt delete mode 100644 uv.lock diff --git a/Makefile b/Makefile index 1b26921..9fdb1f9 100644 --- a/Makefile +++ b/Makefile @@ -1,23 +1,3 @@ -VENV ?= .venv - -.PHONY: dev -dev: $(VENV)/pyvenv.cfg - -$(VENV)/pyvenv.cfg: dev-requirements.txt - uv venv $(VENV) - uv pip install -r $< - -.PHONY: lint -lint: $(VENV)/pyvenv.cfg - uv run ruff format --check && \ - uv run ruff check && \ - uv run mypy . - -.PHONY: format -format: $(VENV)/pyvenv.cfg - uv run ruff format && \ - uv run ruff check --fix - .PHONY: pinact pinact: pinact run --update --verify diff --git a/action.py b/action.py deleted file mode 100755 index fe29967..0000000 --- a/action.py +++ /dev/null 
@@ -1,164 +0,0 @@ -#!/usr/bin/env -S uv run --no-project --script - -# action.py: bootstrap and run `zizmor` as specified in `action.yml`. - - -import os -import shlex -import shutil -import subprocess -import sys -import tempfile -import typing -from collections import abc -from pathlib import Path - - -def _die(msg: str) -> typing.NoReturn: - print(f"::error::{msg}", file=sys.stdout) - print(f"Error: {msg}", file=sys.stderr) - sys.exit(1) - - -def _debug(msg: str): - print(f"::debug::{msg}", file=sys.stdout) - - -def _input[T](name: str, parser: abc.Callable[[str], T]) -> T: - """Get input from the user.""" - envname = f"GHA_ZIZMOR_{name.replace('-', '_').upper()}" - raw = os.getenv(envname) - if raw is None: - _die(f"Missing required environment variable {envname}") - - try: - return parser(raw) - except ValueError as exc: - _die(f"couldn't parse input {name}: {exc}") - - -def _tmpfile() -> Path: - runner_temp = os.getenv("RUNNER_TEMP") - if runner_temp is None: - _die("RUNNER_TEMP not set") - tmpfile = tempfile.NamedTemporaryFile( - delete=False, delete_on_close=False, dir=runner_temp - ) - return Path(tmpfile.name) - - -def _output(name: str, value: str): - output = os.getenv("GITHUB_OUTPUT") - if output is None: - _die("GITHUB_OUTPUT not set") - - with open(output, "a") as f: - print(f"{name}={value}", file=f) - - -def _strtobool(v: str) -> bool: - v = v.lower() - match v: - case "true" | "1" | "yes": - return True - case "false" | "0" | "no": - return False - case _: - raise ValueError(f"invalid boolean value: {v}") - - -def _persona(v: str) -> str: - if v not in {"regular", "pedantic", "auditor"}: - raise ValueError(f"invalid persona: {v}") - return v - - -def _min_severity(v: str) -> str | None: - if not v: - return None - - if v not in {"unknown", "informational", "low", "medium", "high"}: - raise ValueError(f"invalid minimum severity: {v}") - return v - - -def _min_confidence(v: str) -> str | None: - if not v: - return None - - if v not in {"unknown", 
"low", "medium", "high"}: - raise ValueError(f"invalid minimum confidence: {v}") - return v - - -def main(): - inputs = _input("inputs", shlex.split) - online_audits = _input("online-audits", _strtobool) - persona = _input("persona", _persona) - min_severity = _input("min-severity", _min_severity) - min_confidence = _input("min-confidence", _min_confidence) - version = _input("version", str) - token = _input("token", str) - advanced_security = _input("advanced-security", _strtobool) - - # Don't allow flag-like inputs. These won't have an affect anyways - # since we delimit with `--`, but we preempt any user temptation to try. - for input in inputs: - if input.startswith("-"): - _die(f"Invalid input: {input} looks like a flag") - - _debug(f"{inputs=} {version=} {advanced_security=}") - - uvx = shutil.which("uvx") - if uvx is None: - _die("uvx not found in PATH") - - _debug(f"uvx: {uvx}") - - # uvx uses `tool@version`, where `version` can be a version or "latest" - spec = f"zizmor@{version}" - - args = [uvx, spec, "--color=always"] - if advanced_security: - args.append("--format=sarif") - else: - args.append("--format=plain") - - if not online_audits: - args.append("--no-online-audits") - - args.append(f"--persona={persona}") - - if min_severity: - args.append(f"--min-severity={min_severity}") - - if min_confidence: - args.append(f"--min-confidence={min_confidence}") - - args.append("--") - args.extend(inputs) - - _debug(f"running: {args}") - - result = subprocess.run( - args, - env={ - "GH_TOKEN": token, - }, - stdout=subprocess.PIPE, - stderr=None, - ) - - if advanced_security: - sarif = _tmpfile() - sarif.write_bytes(result.stdout) - _output("sarif-file", str(sarif)) - else: - sys.stdout.buffer.write(result.stdout) - - if result.returncode != 0: - sys.exit(result.returncode) - - -if __name__ == "__main__": - main() diff --git a/action.sh b/action.sh new file mode 100755 index 0000000..d38a266 --- /dev/null +++ b/action.sh 
@@ -0,0 +1,72 @@ +#!/usr/bin/env bash + +# action.sh: run zizmor via Docker + +set -euo pipefail + +dbg() { + echo "::debug::${*}" +} + +err() { + echo "::error::${*}" +} + +die() { + err "${*}" + exit 1 +} + +installed() { + command -v "${1}" >/dev/null 2>&1 +} + +run() { + dbg "${@}" + "${@}" +} + +installed docker || die "missing \`docker\` command" + +version_regex='^[0-9]+\.[0-9]+\.[0-9]+$' + +[[ "${GHA_ZIZMOR_VERSION}" == "latest" || "${GHA_ZIZMOR_VERSION}" =~ $version_regex ]] \ + || die "'version' must be 'latest' or an exact X.Y.Z version" + +arguments=() +arguments+=("--persona=${GHA_ZIZMOR_PERSONA}") + +[[ "${GHA_ZIZMOR_ADVANCED_SECURITY}" == true ]] && arguments+=("--format=sarif") +[[ "${GHA_ZIZMOR_ONLINE_AUDITS}" == "true" ]] || arguments+=("--no-online-audits") +[[ -n "${GHA_ZIZMOR_MIN_SEVERITY}" ]] && arguments+=("--min-severity=${GHA_ZIZMOR_MIN_SEVERITY}") +[[ -n "${GHA_ZIZMOR_MIN_CONFIDENCE}" ]] && arguments+=("--min-confidence=${GHA_ZIZMOR_MIN_CONFIDENCE}") + +image="ghcr.io/zizmorcore/zizmor:${GHA_ZIZMOR_VERSION}" + +output="${RUNNER_TEMP}/zizmor" + +# Notes: +# - We run the container with ${GITHUB_WORKSPACE} mounted as /workspace +# and with /workspace as the working directory, so that user inputs +# like '.' resolve correctly. +# - We pass the GitHub token as an environment variable so that zizmor +# can run online audits/perform online collection if requested. +# - We pass FORCE_COLOR=1 so that the output is always colored, even +# though we intentionally don't `docker run -it`. +# - ${GHA_ZIZMOR_INPUTS} is intentionally not quoted, so that +# it can expand according to the shell's word-splitting rules. +# However, we put it after `--` so that it can't be interpreted +# as one or more flags. 
+# +# shellcheck disable=SC2086 +docker run \ + --rm \ + --volume "${GITHUB_WORKSPACE}:/workspace:ro" \ + --workdir "/workspace" \ + --env "GH_TOKEN=${GHA_ZIZMOR_TOKEN}" \ + --env "FORCE_COLOR=1" \ + "${image}" \ + "${arguments[@]}" \ + -- \ + ${GHA_ZIZMOR_INPUTS} \ + | tee "${output}" diff --git a/action.yml b/action.yml index 2b1b4d6..790a683 100644 --- a/action.yml +++ b/action.yml @@ -60,15 +60,10 @@ inputs: runs: using: composite steps: - - name: Install uv - uses: astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca # v6.0.1 - with: - enable-cache: false - - name: Run zizmor id: run-zizmor run: | - "${GITHUB_ACTION_PATH}/action.py" + "${GITHUB_ACTION_PATH}/action.sh" env: GHA_ZIZMOR_INPUTS: ${{ inputs.inputs }} GHA_ZIZMOR_ONLINE_AUDITS: ${{ inputs.online-audits }} diff --git a/dev-requirements.txt b/dev-requirements.txt deleted file mode 100644 index 4473938..0000000 --- a/dev-requirements.txt +++ /dev/null @@ -1,2 +0,0 @@ -ruff -mypy diff --git a/uv.lock b/uv.lock deleted file mode 100644 index b447ea4..0000000 --- a/uv.lock +++ /dev/null 
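Review bot: The shell port drops the input validation that action.py performed: `GHA_ZIZMOR_PERSONA`, `GHA_ZIZMOR_MIN_SEVERITY` and `GHA_ZIZMOR_MIN_CONFIDENCE` are forwarded verbatim into `--persona=…`/`--min-severity=…`/`--min-confidence=…`, and the two boolean inputs are only compared against the literal `true` (once unquoted, once quoted), whereas `_strtobool` also accepted `1`/`yes`, so `advanced-security: yes` now silently produces plain output instead of SARIF. Because each value lands in a single argv element after the option name it cannot smuggle extra flags, so this is a correctness and error-message regression rather than an injection; validating up front with e.g. `case "${GHA_ZIZMOR_PERSONA}" in regular|pedantic|auditor) ;; *) die "invalid persona: ${GHA_ZIZMOR_PERSONA}" ;; esac` keeps the failure mode explicit, and the two boolean tests should use the same quoted `"true"` form. Separately, the `version_regex` admits only `latest` or `X.Y.Z`, so the image is always pulled by mutable tag; if reproducible pins matter for users, a `@sha256:…` digest form could be allowed alongside the tag.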
@@ -1,83 +0,0 @@ -version = 1 -revision = 1 -requires-python = ">=3.13" - -[[package]] -name = "mypy" -version = "1.15.0" -source = { registry = "https://pypi.org/simple" } -dependencies = [ - { name = "mypy-extensions" }, - { name = "typing-extensions" }, -] -sdist = { url = "https://files.pythonhosted.org/packages/ce/43/d5e49a86afa64bd3839ea0d5b9c7103487007d728e1293f52525d6d5486a/mypy-1.15.0.tar.gz", hash = "sha256:404534629d51d3efea5c800ee7c42b72a6554d6c400e6a79eafe15d11341fd43", size = 3239717 } -wheels = [ - { url = "https://files.pythonhosted.org/packages/6a/9b/fd2e05d6ffff24d912f150b87db9e364fa8282045c875654ce7e32fffa66/mypy-1.15.0-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:93faf3fdb04768d44bf28693293f3904bbb555d076b781ad2530214ee53e3445", size = 10788592 }, - { url = "https://files.pythonhosted.org/packages/74/37/b246d711c28a03ead1fd906bbc7106659aed7c089d55fe40dd58db812628/mypy-1.15.0-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:811aeccadfb730024c5d3e326b2fbe9249bb7413553f15499a4050f7c30e801d", size = 9753611 }, - { url = "https://files.pythonhosted.org/packages/a6/ac/395808a92e10cfdac8003c3de9a2ab6dc7cde6c0d2a4df3df1b815ffd067/mypy-1.15.0-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:98b7b9b9aedb65fe628c62a6dc57f6d5088ef2dfca37903a7d9ee374d03acca5", size = 11438443 }, - { url = "https://files.pythonhosted.org/packages/d2/8b/801aa06445d2de3895f59e476f38f3f8d610ef5d6908245f07d002676cbf/mypy-1.15.0-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:c43a7682e24b4f576d93072216bf56eeff70d9140241f9edec0c104d0c515036", size = 12402541 }, - { url = "https://files.pythonhosted.org/packages/c7/67/5a4268782eb77344cc613a4cf23540928e41f018a9a1ec4c6882baf20ab8/mypy-1.15.0-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:baefc32840a9f00babd83251560e0ae1573e2f9d1b067719479bfb0e987c6357", size = 12494348 }, - { url = 
"https://files.pythonhosted.org/packages/83/3e/57bb447f7bbbfaabf1712d96f9df142624a386d98fb026a761532526057e/mypy-1.15.0-cp313-cp313-win_amd64.whl", hash = "sha256:b9378e2c00146c44793c98b8d5a61039a048e31f429fb0eb546d93f4b000bedf", size = 9373648 }, - { url = "https://files.pythonhosted.org/packages/09/4e/a7d65c7322c510de2c409ff3828b03354a7c43f5a8ed458a7a131b41c7b9/mypy-1.15.0-py3-none-any.whl", hash = "sha256:5469affef548bd1895d86d3bf10ce2b44e33d86923c29e4d675b3e323437ea3e", size = 2221777 }, -] - -[[package]] -name = "mypy-extensions" -version = "1.1.0" -source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/a2/6e/371856a3fb9d31ca8dac321cda606860fa4548858c0cc45d9d1d4ca2628b/mypy_extensions-1.1.0.tar.gz", hash = "sha256:52e68efc3284861e772bbcd66823fde5ae21fd2fdb51c62a211403730b916558", size = 6343 } -wheels = [ - { url = "https://files.pythonhosted.org/packages/79/7b/2c79738432f5c924bef5071f933bcc9efd0473bac3b4aa584a6f7c1c8df8/mypy_extensions-1.1.0-py3-none-any.whl", hash = "sha256:1be4cccdb0f2482337c4743e60421de3a356cd97508abadd57d47403e94f5505", size = 4963 }, -] - -[[package]] -name = "ruff" -version = "0.11.10" -source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/e8/4c/4a3c5a97faaae6b428b336dcca81d03ad04779f8072c267ad2bd860126bf/ruff-0.11.10.tar.gz", hash = "sha256:d522fb204b4959909ecac47da02830daec102eeb100fb50ea9554818d47a5fa6", size = 4165632 } -wheels = [ - { url = "https://files.pythonhosted.org/packages/2f/9f/596c628f8824a2ce4cd12b0f0b4c0629a62dfffc5d0f742c19a1d71be108/ruff-0.11.10-py3-none-linux_armv6l.whl", hash = "sha256:859a7bfa7bc8888abbea31ef8a2b411714e6a80f0d173c2a82f9041ed6b50f58", size = 10316243 }, - { url = "https://files.pythonhosted.org/packages/3c/38/c1e0b77ab58b426f8c332c1d1d3432d9fc9a9ea622806e208220cb133c9e/ruff-0.11.10-py3-none-macosx_10_12_x86_64.whl", hash = 
"sha256:968220a57e09ea5e4fd48ed1c646419961a0570727c7e069842edd018ee8afed", size = 11083636 }, - { url = "https://files.pythonhosted.org/packages/23/41/b75e15961d6047d7fe1b13886e56e8413be8467a4e1be0a07f3b303cd65a/ruff-0.11.10-py3-none-macosx_11_0_arm64.whl", hash = "sha256:1067245bad978e7aa7b22f67113ecc6eb241dca0d9b696144256c3a879663bca", size = 10441624 }, - { url = "https://files.pythonhosted.org/packages/b6/2c/e396b6703f131406db1811ea3d746f29d91b41bbd43ad572fea30da1435d/ruff-0.11.10-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:f4854fd09c7aed5b1590e996a81aeff0c9ff51378b084eb5a0b9cd9518e6cff2", size = 10624358 }, - { url = "https://files.pythonhosted.org/packages/bd/8c/ee6cca8bdaf0f9a3704796022851a33cd37d1340bceaf4f6e991eb164e2e/ruff-0.11.10-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:8b4564e9f99168c0f9195a0fd5fa5928004b33b377137f978055e40008a082c5", size = 10176850 }, - { url = "https://files.pythonhosted.org/packages/e9/ce/4e27e131a434321b3b7c66512c3ee7505b446eb1c8a80777c023f7e876e6/ruff-0.11.10-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:5b6a9cc5b62c03cc1fea0044ed8576379dbaf751d5503d718c973d5418483641", size = 11759787 }, - { url = "https://files.pythonhosted.org/packages/58/de/1e2e77fc72adc7cf5b5123fd04a59ed329651d3eab9825674a9e640b100b/ruff-0.11.10-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:607ecbb6f03e44c9e0a93aedacb17b4eb4f3563d00e8b474298a201622677947", size = 12430479 }, - { url = "https://files.pythonhosted.org/packages/07/ed/af0f2340f33b70d50121628ef175523cc4c37619e98d98748c85764c8d88/ruff-0.11.10-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:7b3a522fa389402cd2137df9ddefe848f727250535c70dafa840badffb56b7a4", size = 11919760 }, - { url = "https://files.pythonhosted.org/packages/24/09/d7b3d3226d535cb89234390f418d10e00a157b6c4a06dfbe723e9322cb7d/ruff-0.11.10-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash 
= "sha256:2f071b0deed7e9245d5820dac235cbdd4ef99d7b12ff04c330a241ad3534319f", size = 14041747 }, - { url = "https://files.pythonhosted.org/packages/62/b3/a63b4e91850e3f47f78795e6630ee9266cb6963de8f0191600289c2bb8f4/ruff-0.11.10-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:4a60e3a0a617eafba1f2e4186d827759d65348fa53708ca547e384db28406a0b", size = 11550657 }, - { url = "https://files.pythonhosted.org/packages/46/63/a4f95c241d79402ccdbdb1d823d156c89fbb36ebfc4289dce092e6c0aa8f/ruff-0.11.10-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:da8ec977eaa4b7bf75470fb575bea2cb41a0e07c7ea9d5a0a97d13dbca697bf2", size = 10489671 }, - { url = "https://files.pythonhosted.org/packages/6a/9b/c2238bfebf1e473495659c523d50b1685258b6345d5ab0b418ca3f010cd7/ruff-0.11.10-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:ddf8967e08227d1bd95cc0851ef80d2ad9c7c0c5aab1eba31db49cf0a7b99523", size = 10160135 }, - { url = "https://files.pythonhosted.org/packages/ba/ef/ba7251dd15206688dbfba7d413c0312e94df3b31b08f5d695580b755a899/ruff-0.11.10-py3-none-musllinux_1_2_i686.whl", hash = "sha256:5a94acf798a82db188f6f36575d80609072b032105d114b0f98661e1679c9125", size = 11170179 }, - { url = "https://files.pythonhosted.org/packages/73/9f/5c336717293203ba275dbfa2ea16e49b29a9fd9a0ea8b6febfc17e133577/ruff-0.11.10-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:3afead355f1d16d95630df28d4ba17fb2cb9c8dfac8d21ced14984121f639bad", size = 11626021 }, - { url = "https://files.pythonhosted.org/packages/d9/2b/162fa86d2639076667c9aa59196c020dc6d7023ac8f342416c2f5ec4bda0/ruff-0.11.10-py3-none-win32.whl", hash = "sha256:dc061a98d32a97211af7e7f3fa1d4ca2fcf919fb96c28f39551f35fc55bdbc19", size = 10494958 }, - { url = "https://files.pythonhosted.org/packages/24/f3/66643d8f32f50a4b0d09a4832b7d919145ee2b944d43e604fbd7c144d175/ruff-0.11.10-py3-none-win_amd64.whl", hash = "sha256:5cc725fbb4d25b0f185cb42df07ab6b76c4489b4bfb740a175f3a59c70e8a224", size = 11650285 }, - { url = 
"https://files.pythonhosted.org/packages/95/3a/2e8704d19f376c799748ff9cb041225c1d59f3e7711bc5596c8cfdc24925/ruff-0.11.10-py3-none-win_arm64.whl", hash = "sha256:ef69637b35fb8b210743926778d0e45e1bffa850a7c61e428c6b971549b5f5d1", size = 10765278 }, -] - -[[package]] -name = "typing-extensions" -version = "4.13.2" -source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/f6/37/23083fcd6e35492953e8d2aaaa68b860eb422b34627b13f2ce3eb6106061/typing_extensions-4.13.2.tar.gz", hash = "sha256:e6c81219bd689f51865d9e372991c540bda33a0379d5573cddb9a3a23f7caaef", size = 106967 } -wheels = [ - { url = "https://files.pythonhosted.org/packages/8b/54/b1ae86c0973cc6f0210b53d508ca3641fb6d0c56823f288d108bc7ab3cc8/typing_extensions-4.13.2-py3-none-any.whl", hash = "sha256:a439e7c04b49fec3e5d3e2beaa21755cadbbdc391694e28ccdd36ca4a1408f8c", size = 45806 }, -] - -[[package]] -name = "zizmor-action" -source = { virtual = "." } - -[package.dev-dependencies] -lint = [ - { name = "mypy" }, - { name = "ruff" }, -] - -[package.metadata] - -[package.metadata.requires-dev] -lint = [ - { name = "mypy" }, - { name = "ruff" }, -] From a586103808b4a6ef92e8cd2c908eeed8aaa9943f Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 28 May 2025 16:49:30 -0400 Subject: [PATCH 2/8] fix output Signed-off-by: William Woodruff --- action.sh | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/action.sh b/action.sh index d38a266..bdf8a31 100755 --- a/action.sh +++ b/action.sh @@ -21,13 +21,14 @@ installed() { command -v "${1}" >/dev/null 2>&1 } -run() { - dbg "${@}" - "${@}" +output() { + echo "${1}=${2}" >> "${GITHUB_OUTPUT}" } installed docker || die "missing \`docker\` command" +output="${RUNNER_TEMP}/zizmor" + version_regex='^[0-9]+\.[0-9]+\.[0-9]+$' [[ "${GHA_ZIZMOR_VERSION}" == "latest" || "${GHA_ZIZMOR_VERSION}" =~ $version_regex ]] \ 
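Review bot: The new `output()` helper shares its name with the `output` variable that is now declared a few lines below it, so the call `output "sarif-file" "${output}"` in the next hunk (`@@ -36,15 +37,17 @@`) is a function invoked with the same-named variable as argument; bash resolves this correctly, but it is easy to misread and to break on a later edit. Renaming the variable, e.g. `output_file="${RUNNER_TEMP}/zizmor"` and `output "sarif-file" "${output_file}"`, removes the ambiguity. The helper also appends a raw `name=value` line to `GITHUB_OUTPUT`; the only value today is a path under `RUNNER_TEMP`, which is safe, but a comment such as `# single-line values only; multi-line values need the heredoc delimiter form` would stop the next caller from passing arbitrary content through it. With `run()` removed, `dbg()` appears to have no remaining caller, so the exact `docker run` command line is no longer traced into the step debug log.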
@@ -36,15 +37,17 @@ version_regex='^[0-9]+\.[0-9]+\.[0-9]+$' arguments=() arguments+=("--persona=${GHA_ZIZMOR_PERSONA}") -[[ "${GHA_ZIZMOR_ADVANCED_SECURITY}" == true ]] && arguments+=("--format=sarif") +if [[ "${GHA_ZIZMOR_ADVANCED_SECURITY}" == "true" ]]; then + arguments+=("--format=sarif") + output "sarif-file" "${output}" +fi + [[ "${GHA_ZIZMOR_ONLINE_AUDITS}" == "true" ]] || arguments+=("--no-online-audits") [[ -n "${GHA_ZIZMOR_MIN_SEVERITY}" ]] && arguments+=("--min-severity=${GHA_ZIZMOR_MIN_SEVERITY}") [[ -n "${GHA_ZIZMOR_MIN_CONFIDENCE}" ]] && arguments+=("--min-confidence=${GHA_ZIZMOR_MIN_CONFIDENCE}") image="ghcr.io/zizmorcore/zizmor:${GHA_ZIZMOR_VERSION}" -output="${RUNNER_TEMP}/zizmor" - # Notes: # - We run the container with ${GITHUB_WORKSPACE} mounted as /workspace # and with /workspace as the working directory, so that user inputs @@ -70,3 +73,4 @@ docker run \ -- \ ${GHA_ZIZMOR_INPUTS} \ | tee "${output}" + From 49c3dfb256ef99d60d6b501e78c94995a962e05a Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 28 May 2025 16:52:22 -0400 Subject: [PATCH 3/8] remove old lint.yml Signed-off-by: William Woodruff --- .github/workflows/lint.yml | 23 ----------------------- 1 file changed, 23 deletions(-) delete mode 100644 .github/workflows/lint.yml diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml deleted file mode 100644 index d23651b..0000000 --- a/.github/workflows/lint.yml +++ /dev/null @@ -1,23 +0,0 @@ -name: Lint - -on: - push: - branches: - - main - pull_request: - -permissions: {} - -jobs: - lint: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - persist-credentials: false - - - name: Install uv - uses: astral-sh/setup-uv@f0ec1fc3b38f5e7cd731bb6ce540c5af426746bb # v6.1.0 - - - run: | - make lint From f87a573139305df498c5f0b3cba46653dfd3eb3a Mon Sep 17 00:00:00 2001 
From: William Woodruff Date: Wed, 28 May 2025 18:05:02 -0400 Subject: [PATCH 4/8] selftest with Windows runner Signed-off-by: William Woodruff --- .github/workflows/selftest.yml | 6 +++++- README.md | 24 ++++++++++++++++++++++++ action.sh | 2 +- 3 files changed, 30 insertions(+), 2 deletions(-) diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml index eb7291f..7c249b9 100644 --- a/.github/workflows/selftest.yml +++ b/.github/workflows/selftest.yml @@ -11,7 +11,11 @@ permissions: {} jobs: selftest: - runs-on: ubuntu-latest + strategy: + matrix: + runner: [ubuntu-latest, windows-latest] + + runs-on: ${{ matrix.runner }} permissions: security-events: write diff --git a/README.md b/README.md index e3b4412..878f643 100644 --- a/README.md +++ b/README.md @@ -17,6 +17,7 @@ Run [`zizmor`] from GitHub Actions! - [`token`](#token) - [`advanced-security`](#advanced-security) - [Permissions](#permissions) +- [Troubleshooting](#troubleshooting) ## Quickstart @@ -24,6 +25,8 @@ This section lists a handful of quick-start examples to get you up and running with `zizmor` and `zizmor-action`. See the [Inputs](#inputs) section for more details on how `zizmor-action` can be configured. +If you run into any issues, please see the [Troubleshooting] section! + ### Usage with Github Advanced Security (recommended) > [!IMPORTANT] 
@@ -235,6 +238,26 @@ contents: read security-events: write"} ``` +## Troubleshooting + +### "Cannot run this action without Docker" + +This action uses a container to run `zizmor`, which means that it +needs access to a container runtime (like Docker). + +If you see this error, it _probably_ means that you are running the +action from a self-hosted runner, or from one of the GitHub-hosted runners +that does not have Docker installed. For example, the GitHub-hosted +macOS runners do not have Docker installed by default. + +For self-hosted runners, you should install Docker (or a compatible +container runtime) onto the runner. + +For GitHub-hosted runners, you should switch to `ubuntu-latest` or another +Linux or Windows-based runner that comes with Docker by default. You _may_ be +able to use [docker/setup-docker-action] to install Docker on other runners, +but this is **not officially supported** by this action. + [`zizmor`]: https://docs.zizmor.sh [Advanced Security]: https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security [About code scanning alerts - Pull request check failures for code scanning alerts]: https://docs.github.com/en/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#pull-request-check-failures-for-code-scanning-alerts @@ -242,3 +265,4 @@ security-events: write"} [Audit Rules]: https://docs.zizmor.sh/audits/ [Using personas]: https://docs.zizmor.sh/usage/#using-personas [Filtering results]: https://docs.zizmor.sh/usage/#filtering-results +[docker/setup-docker-action]: https://github.com/docker/setup-docker-action diff --git a/action.sh b/action.sh index bdf8a31..9b22c4a 100755 --- a/action.sh +++ b/action.sh @@ -25,7 +25,7 @@ output() { echo "${1}=${2}" >> "${GITHUB_OUTPUT}" } -installed docker || die "missing \`docker\` command" +installed docker || die "Cannot run this action without Docker" output="${RUNNER_TEMP}/zizmor" 
From f1caf3fa22952aa8926399666b37cab9fb5ec741 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 28 May 2025 18:06:20 -0400 Subject: [PATCH 5/8] action: remove uv step Signed-off-by: William Woodruff --- action.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/action.yml b/action.yml index 02f6343..790a683 100644 --- a/action.yml +++ b/action.yml @@ -60,11 +60,6 @@ inputs: runs: using: composite steps: - - name: Install uv - uses: astral-sh/setup-uv@f0ec1fc3b38f5e7cd731bb6ce540c5af426746bb # v6.1.0 - with: - enable-cache: false - - name: Run zizmor id: run-zizmor run: | From c4228e328454a0d18c65f0cedff0cf6e0ba37fd4 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 28 May 2025 18:08:18 -0400 Subject: [PATCH 6/8] drop Windows test Signed-off-by: William Woodruff --- .github/workflows/selftest.yml | 6 +----- README.md | 2 +- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml index 7c249b9..eb7291f 100644 --- a/.github/workflows/selftest.yml +++ b/.github/workflows/selftest.yml @@ -11,11 +11,7 @@ permissions: {} jobs: selftest: - strategy: - matrix: - runner: [ubuntu-latest, windows-latest] - - runs-on: ${{ matrix.runner }} + runs-on: ubuntu-latest permissions: security-events: write diff --git a/README.md b/README.md index 878f643..0942044 100644 --- a/README.md +++ b/README.md @@ -254,7 +254,7 @@ For self-hosted runners, you should install Docker (or a compatible container runtime) onto the runner. For GitHub-hosted runners, you should switch to `ubuntu-latest` or another -Linux or Windows-based runner that comes with Docker by default. You _may_ be +Linux-based runner that comes with Docker by default. You _may_ be able to use [docker/setup-docker-action] to install Docker on other runners, but this is **not officially supported** by this action. From 43678f1ec2b14ad6f69d2286b343dcef4d96a538 Mon Sep 17 00:00:00 2001 
From: William Woodruff Date: Wed, 28 May 2025 18:11:35 -0400 Subject: [PATCH 7/8] action: add a RUNNER_OS check Signed-off-by: William Woodruff --- action.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/action.sh b/action.sh index 9b22c4a..e463ef3 100755 --- a/action.sh +++ b/action.sh @@ -8,6 +8,10 @@ dbg() { echo "::debug::${*}" } +warn() { + echo "::warning::${*}" +} + err() { echo "::error::${*}" } @@ -27,6 +31,8 @@ output() { installed docker || die "Cannot run this action without Docker" +[[ "${RUNNER_OS}" != "Linux" ]] && warn "Unsupported runner OS: ${RUNNER_OS}" + output="${RUNNER_TEMP}/zizmor" version_regex='^[0-9]+\.[0-9]+\.[0-9]+$' From 88f9e17e15df868f4136f485a77de8eab7a5dba6 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 4 Jun 2025 21:08:20 -0400 Subject: [PATCH 8/8] prep README --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 0942044..04adc88 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,9 @@ Run [`zizmor`] from GitHub Actions! > [!WARNING] -> This action is not ready for public use! +> This action is ready for public use, but it is still in early development. +> Please report any issues you encounter, and be aware that backwards +> incompatible changes may be made until a stable version is released. ## Table of Contents
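Review bot: The added `[[ "${RUNNER_OS}" != "Linux" ]] && warn …` runs under `set -u`, so on a runner that does not export `RUNNER_OS` the script aborts with bash's "unbound variable" error instead of emitting the intended warning; GitHub-hosted runners always set it, but self-hosted runners invoking the script outside the normal job environment may not. Writing the check as `[[ "${RUNNER_OS:-}" == "Linux" ]] || warn "Unsupported runner OS: ${RUNNER_OS:-unknown}"` keeps the script alive and also reads as the positive condition. Since the line sits after the Docker check, a non-Linux runner without Docker will still `die` first, which matches the README's troubleshooting text; the warning could mention that section so users know where to look.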