
Commit 7425e25

committed
ci: fix issues and lint with zizmor
1 parent 99bb871 commit 7425e25

6 files changed

Lines changed: 82 additions & 28 deletions


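--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -89,6 +89,7 @@ jobs:
 if: ${{ !fromJson(steps.check.outputs.skip) }}
 with:
 ref: ${{ steps.check.outputs.ref }}
+persist-credentials: false
 - name: Set up Docker Buildx
 if: ${{ !fromJson(steps.check.outputs.skip) }}
 uses: docker/setup-buildx-action@v3
@@ -135,12 +136,13 @@ jobs:
 steps:
 - name: Prepare
 id: prepare
-run: |
-platform=${{ matrix.platform }}
-echo "sanitized_platform=${platform//\//-}" >> "${GITHUB_OUTPUT}"
+run: echo "sanitized_platform=${PLATFORM//\//-}" >> "${GITHUB_OUTPUT}"
+env:
+PLATFORM: ${{ matrix.platform }}
 - uses: actions/checkout@v5
 with:
 ref: ${{ needs.prepare.outputs.ref }}
+persist-credentials: false
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
 with:
@@ -182,13 +184,14 @@ jobs:
 run: |
 mkdir -p /tmp/metadata/builder /tmp/metadata/runner
 
-builderDigest=$(jq -r '."builder-${{ matrix.variant }}"."containerimage.digest"' <<< "${METADATA}")
+builderDigest=$(jq -r ".\"builder-${VARIANT}\".\"containerimage.digest\"" <<< "${METADATA}")
 touch "/tmp/metadata/builder/${builderDigest#sha256:}"
 
-runnerDigest=$(jq -r '."runner-${{ matrix.variant }}"."containerimage.digest"' <<< "${METADATA}")
+runnerDigest=$(jq -r ".\"runner-${VARIANT}\".\"containerimage.digest\"" <<< "${METADATA}")
 touch "/tmp/metadata/runner/${runnerDigest#sha256:}"
 env:
 METADATA: ${{ steps.build.outputs.metadata }}
+VARIANT: ${{ matrix.variant }}
 - name: Upload builder metadata
 if: fromJson(needs.prepare.outputs.push)
 uses: actions/upload-artifact@v4
@@ -208,11 +211,15 @@ jobs:
 - name: Run tests
 if: ${{ !fromJson(needs.prepare.outputs.push) }}
 run: |
-docker run --platform=${{ matrix.platform }} --rm \
-"$(jq -r '."builder-${{ matrix.variant }}"."containerimage.config.digest"' <<< "${METADATA}")" \
-sh -c './go.sh test -tags ${{ matrix.race }} -v $(./go.sh list ./... | grep -v github.com/dunglas/frankenphp/internal/testext | grep -v github.com/dunglas/frankenphp/internal/extgen) && cd caddy && ../go.sh test ${{ matrix.race }} -v ./...'
+docker run --platform="${PLATFORM}" --rm \
+"$(jq -r ".\"builder-${VARIANT}\".\"containerimage.config.digest\"" <<< "${METADATA}")" \
+sh -c "./go.sh test ${RACE} -v $(./go.sh list ./... | grep -v github.com/dunglas/frankenphp/internal/testext | grep -v github.com/dunglas/frankenphp/internal/extgen | tr '\n' ' ') && cd caddy && ../go.sh test ${RACE} -v ./..."
 env:
 METADATA: ${{ steps.build.outputs.metadata }}
+PLATFORM: ${{ matrix.platform }}
+VARIANT: ${{ matrix.variant }}
+RACE: ${{ matrix.race }}
+
 # Adapted from https://docs.docker.com/build/ci/github-actions/multi-platform/
 push:
 runs-on: ubuntu-24.04
@@ -245,13 +252,17 @@ jobs:
 run: |
 set -x
 # shellcheck disable=SC2046,SC2086
-docker buildx imagetools create $(jq -cr '.target."${{ matrix.target }}-${{ matrix.variant }}".tags | map("-t " + .) | join(" ")' <<< ${METADATA}) \
+docker buildx imagetools create $(jq -cr ".target.\"${TARGET}-${VARIANT}\".tags | map(\"-t \" + .) | join(\" \")" <<< ${METADATA}) \
 $(printf "${IMAGE_NAME}@sha256:%s " *)
 env:
 METADATA: ${{ needs.prepare.outputs.metadata }}
+TARGET: ${{ matrix.target }}
+VARIANT: ${{ matrix.variant }}
 - name: Inspect image
 run: |
 # shellcheck disable=SC2046,SC2086
-docker buildx imagetools inspect $(jq -cr '.target."${{ matrix.target }}-${{ matrix.variant }}".tags | first' <<< ${METADATA})
+docker buildx imagetools inspect $(jq -cr ".target.\"${TARGET}-${VARIANT}\".tags | first" <<< ${METADATA})
 env:
 METADATA: ${{ needs.prepare.outputs.metadata }}
+TARGET: ${{ matrix.target }}
+VARIANT: ${{ matrix.variant }}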
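Review bot: Switching the `sh -c` argument in the "Run tests" step (hunk `@@ -208,11 +211,15 @@`) from single to double quotes changes where `$(./go.sh list ./... | ...)` is evaluated: it now runs in the runner's shell before `docker run` starts, not inside the builder image as the old single-quoted line did, and the newly added `tr '\n' ' '` looks like a workaround for exactly that host-side expansion. Whether `./go.sh list` gives the same package set on the runner as in the image cannot be told from here, so it would be safer to keep the single-quoted body from the old line with each `${{ matrix.race }}` replaced by `${RACE}` and hand the variable into the container with `docker run --platform="${PLATFORM}" --rm -e RACE \`, so that both `${RACE}` and the command substitution are expanded inside the container as before. The first test invocation also loses the `-tags` the old line passed before the race value; if that drop was deliberate a short comment above the step would prevent it being "fixed" back. The job that contains this step starts outside the hunk.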

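--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -23,8 +23,9 @@ jobs:
 uses: actions/checkout@v5
 with:
 fetch-depth: 0
+persist-credentials: false
 - name: Lint Code Base
-uses: super-linter/super-linter/slim@v8.0.0
+uses: super-linter/super-linter/slim@v8
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 LINTER_RULES_PATH: /
@@ -38,6 +39,7 @@ jobs:
 VALIDATE_PHP_PSALM: false
 VALIDATE_TERRAGRUNT: false
 VALIDATE_DOCKERFILE_HADOLINT: false
+VALIDATE_TRIVY: false
 # Prettier and StandardJS are incompatible
 VALIDATE_JAVASCRIPT_PRETTIER: false
 VALIDATE_TYPESCRIPT_PRETTIER: false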
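Review bot: Moving `super-linter/super-linter/slim@v8.0.0` to `@v8` in the first hunk widens the pin from an exact release to a floating major tag, so the linter that runs with `GITHUB_TOKEN` will silently change whenever upstream moves the tag; that passes the new zizmor `ref-pin` policy but is the opposite direction from the rest of this hardening commit. A commit SHA with the version in a trailing comment keeps both reproducibility and readability, e.g. `uses: super-linter/super-linter/slim@<commit-sha> # v8.0.0` with the real SHA filled in. In the second hunk `VALIDATE_TRIVY: false` turns off a vulnerability scanner with no explanation, while the neighbouring Prettier disables carry a reason; a one-line comment above it stating why Trivy is disabled here (or where it runs instead) would keep that consistent.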

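--- a/.github/workflows/sanitizers.yaml
+++ b/.github/workflows/sanitizers.yaml
@@ -41,6 +41,8 @@ jobs:
 - name: Remove local PHP
 run: sudo apt-get remove --purge --autoremove 'php*' 'libmemcached*'
 - uses: actions/checkout@v5
+with:
+persist-credentials: false
 - uses: actions/setup-go@v5
 with:
 go-version: "1.25"
@@ -63,7 +65,7 @@ jobs:
 name: Compile PHP
 run: |
 mkdir php/
-curl -fsSL "${{ steps.determine-php-version.outputs.archive }}" | tar -Jx -C php --strip-components=1
+curl -fsSL "${URL}" | tar -Jx -C php --strip-components=1
 cd php/
 ./configure \
 CFLAGS="$CFLAGS" \
@@ -93,6 +95,8 @@ jobs:
 --prefix="$(pwd)/target/"
 make -j"$(getconf _NPROCESSORS_ONLN)"
 make install
+env:
+URL: ${{ steps.determine-php-version.outputs.archive }}
 - name: Add PHP to the PATH
 run: echo "$(pwd)/php/target/bin" >> "$GITHUB_PATH"
 - name: Install e-dant/watcher
@@ -104,6 +108,6 @@ jobs:
 echo "CGO_LDFLAGS=$LDFLAGS $(php-config --ldflags) $(php-config --libs)"
 } >> "$GITHUB_ENV"
 - name: Compile tests
-run: go test ${{ matrix.sanitizer == 'msan' && '-tags=nowatcher' || '' }} -${{ matrix.sanitizer }} -v -x -c
+run: go test ${{ matrix.sanitizer == 'msan' && '-tags=nowatcher' || '' }} -${{ matrix.sanitizer }} -v -x -c
 - name: Run tests
 run: ./frankenphp.test -test.v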
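Review bot: The "Compile tests" line in the last hunk (`@@ -104,6 +108,6 @@`) still expands `-${{ matrix.sanitizer }}` directly inside `run:`, while every other `matrix.*` reference in this commit was moved into `env:`; the value is a matrix literal so the risk is low, but the inconsistency will likely be flagged again by the same audit and is cheap to align now: `env:` / `SANITIZER: ${{ matrix.sanitizer }}` and `run: go test ${{ matrix.sanitizer == 'msan' && '-tags=nowatcher' || '' }} "-${SANITIZER}" -v -x -c`. The apparently unchanged old/new pair suggests only whitespace moved on that line. Separately, the "Compile PHP" hunk now pipes `curl -fsSL "${URL}"` straight into `tar -Jx` with no integrity check on the archive; if `determine-php-version` (outside these hunks) can also resolve an expected digest, verifying it before extraction would close that gap.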

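--- a/.github/workflows/static.yaml
+++ b/.github/workflows/static.yaml
@@ -3,6 +3,7 @@ name: Build binary releases
 concurrency:
 cancel-in-progress: true
 group: ${{ github.workflow }}-${{ github.ref }}
+
 on:
 pull_request:
 branches:
@@ -30,13 +31,14 @@ on:
 type: string
 schedule:
 - cron: "0 0 * * *"
+
 permissions:
-contents: write
-id-token: write
-attestations: write
+contents: read
+
 env:
 IMAGE_NAME: ${{ (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.version) || startsWith(github.ref, 'refs/tags/')) && 'dunglas/frankenphp' || 'dunglas/frankenphp-dev' }}
 GOTOOLCHAIN: local
+
 jobs:
 prepare:
 runs-on: ubuntu-24.04
@@ -51,17 +53,19 @@ jobs:
 id: check
 if: github.event_name == 'schedule'
 run: |
-ref="${{ (github.ref_type == 'tag' && github.ref_name) || (github.event_name == 'workflow_dispatch' && inputs.version) || '' }}"
+ref="${REF}"
 if [[ -z "${ref}" ]]; then
 ref="$(gh release view --repo dunglas/frankenphp --json tagName --jq '.tagName')"
 fi
 
 echo "ref=${ref}" >> "${GITHUB_OUTPUT}"
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+REF: ${{ (github.ref_type == 'tag' && github.ref_name) || (github.event_name == 'workflow_dispatch' && inputs.version) || '' }}
 - uses: actions/checkout@v5
 with:
 ref: ${{ steps.check.outputs.ref }}
+persist-credentials: false
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
 - name: Create platforms matrix
@@ -77,7 +81,12 @@ jobs:
 env:
 SHA: ${{ github.sha }}
 VERSION: ${{ steps.check.outputs.ref || 'dev' }}
+
 build-linux-musl:
+permissions:
+contents: write
+id-token: write
+attestations: write
 strategy:
 fail-fast: false
 matrix:
@@ -96,12 +105,13 @@ jobs:
 steps:
 - name: Prepare
 id: prepare
-run: |
-platform=${{ matrix.platform }}
-echo "sanitized_platform=${platform//\//-}" >> "${GITHUB_OUTPUT}"
+run: echo "sanitized_platform=${PLATFORM//\//-}" >> "${GITHUB_OUTPUT}"
+env:
+PLATFORM: ${{ matrix.platform }}
 - uses: actions/checkout@v5
 with:
 ref: ${{ needs.prepare.outputs.ref }}
+persist-credentials: false
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
 with:
@@ -156,11 +166,12 @@ jobs:
 run: |
 # shellcheck disable=SC2034
 digest=$(jq -r '."static-builder-musl"."${{ (fromJson(needs.prepare.outputs.push) && !matrix.debug && !matrix.mimalloc) && 'containerimage.digest' || 'containerimage.config.digest' }}"' <<< "${METADATA}")
-docker create --platform=${{ matrix.platform }} --name static-builder-musl "${{ (fromJson(needs.prepare.outputs.push) && !matrix.debug && !matrix.mimalloc) && '${IMAGE_NAME}@${digest}' || '${digest}' }}"
+docker create --platform="${PLATFORM}" --name static-builder-musl "${{ (fromJson(needs.prepare.outputs.push) && !matrix.debug && !matrix.mimalloc) && '${IMAGE_NAME}@${digest}' || '${digest}' }}"
 docker cp "static-builder-musl:/go/src/app/dist/${BINARY}" "${BINARY}${{ matrix.debug && '-debug' || '' }}${{ matrix.mimalloc && '-mimalloc' || '' }}"
 env:
 METADATA: ${{ steps.build.outputs.metadata }}
 BINARY: frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }}
+PLATFORM: ${{ matrix.platform }}
 - name: Upload artifact
 if: ${{ !fromJson(needs.prepare.outputs.push) }}
 uses: actions/upload-artifact@v4
@@ -169,9 +180,10 @@ jobs:
 path: frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }}${{ matrix.debug && '-debug' || '' }}${{ matrix.mimalloc && '-mimalloc' || '' }}
 - name: Upload assets
 if: fromJson(needs.prepare.outputs.push) && (needs.prepare.outputs.ref || github.ref_type == 'tag')
-run: gh release upload "${{ (github.ref_type == 'tag' && github.ref_name) || needs.prepare.outputs.ref }}" frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }}${{ matrix.debug && '-debug' || '' }}${{ matrix.mimalloc && '-mimalloc' || '' }} --repo dunglas/frankenphp --clobber
+run: gh release upload "${REF}" frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }}${{ matrix.debug && '-debug' || '' }}${{ matrix.mimalloc && '-mimalloc' || '' }} --repo dunglas/frankenphp --clobber
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+REF: ${{ (github.ref_type == 'tag' && github.ref_name) || needs.prepare.outputs.ref }}
 - if: fromJson(needs.prepare.outputs.push) && (needs.prepare.outputs.ref || github.ref_type == 'tag')
 uses: actions/attest-build-provenance@v2
 with:
@@ -190,6 +202,10 @@ jobs:
 BINARY: ./frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }}${{ matrix.debug && '-debug' || '' }}${{ matrix.mimalloc && '-mimalloc' || '' }}
 
 build-linux-gnu:
+permissions:
+contents: write
+id-token: write
+attestations: write
 strategy:
 fail-fast: false
 matrix:
@@ -200,12 +216,13 @@ jobs:
 steps:
 - name: Prepare
 id: prepare
-run: |
-platform=${{ matrix.platform }}
-echo "sanitized_platform=${platform//\//-}" >> "${GITHUB_OUTPUT}"
+run: echo "sanitized_platform=${PLATFORM//\//-}" >> "${GITHUB_OUTPUT}"
+env:
+PLATFORM: ${{ matrix.platform }}
 - uses: actions/checkout@v5
 with:
 ref: ${{ needs.prepare.outputs.ref }}
+persist-credentials: false
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
 with:
@@ -259,7 +276,7 @@ jobs:
 run: |
 # shellcheck disable=SC2034
 digest=$(jq -r '."static-builder-gnu"."${{ fromJson(needs.prepare.outputs.push) && 'containerimage.digest' || 'containerimage.config.digest' }}"' <<< "${METADATA}")
-container_id=$(docker create --platform=${{ matrix.platform }} "${{ fromJson(needs.prepare.outputs.push) && '${IMAGE_NAME}@${digest}' || '${digest}' }}")
+container_id=$(docker create --platform="${PLATFORM}" "${{ fromJson(needs.prepare.outputs.push) && '${IMAGE_NAME}@${digest}' || '${digest}' }}")
 mkdir -p gh-output
 cd gh-output
 for file in $(docker run --rm "${{ fromJson(needs.prepare.outputs.push) && '${IMAGE_NAME}@${digest}' || '${digest}' }}" sh -c "ls /go/src/app/dist | grep '^frankenphp'"); do
@@ -270,6 +287,7 @@ jobs:
 env:
 METADATA: ${{ steps.build.outputs.metadata }}
 BINARY: frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }}
+PLATFORM: ${{ matrix.platform }}
 - name: Upload artifact
 if: ${{ !fromJson(needs.prepare.outputs.push) }}
 uses: actions/upload-artifact@v4
@@ -278,9 +296,10 @@ jobs:
 path: gh-output/*
 - name: Upload assets
 if: fromJson(needs.prepare.outputs.push) && (needs.prepare.outputs.ref || github.ref_type == 'tag')
-run: gh release upload "${{ (github.ref_type == 'tag' && github.ref_name) || needs.prepare.outputs.ref }}" gh-output/* --repo dunglas/frankenphp --clobber
+run: gh release upload "${REF}" gh-output/* --repo dunglas/frankenphp --clobber
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+REF: ${{ (github.ref_type == 'tag' && github.ref_name) || needs.prepare.outputs.ref }}
 - if: fromJson(needs.prepare.outputs.push) && (needs.prepare.outputs.ref || github.ref_type == 'tag')
 uses: actions/attest-build-provenance@v2
 with:
@@ -356,6 +375,10 @@ jobs:
 GNU_METADATA: ${{ needs.prepare.outputs.gnu_metadata }}
 
 build-mac:
+permissions:
+contents: write
+id-token: write
+attestations: write
 strategy:
 fail-fast: false
 matrix:
@@ -369,23 +392,27 @@ jobs:
 - uses: actions/checkout@v5
 with:
 ref: ${{ needs.prepare.outputs.ref }}
+persist-credentials: false
 - uses: actions/setup-go@v5
 with:
 go-version: "1.25"
 cache-dependency-path: |
 go.sum
 caddy/go.sum
+cache: false
 - name: Set FRANKENPHP_VERSION
 run: |
 if [ "${GITHUB_REF_TYPE}" == "tag" ]; then
 export FRANKENPHP_VERSION=${GITHUB_REF_NAME:1}
 elif [ "${GITHUB_EVENT_NAME}" == "schedule" ]; then
-export FRANKENPHP_VERSION="${{ needs.prepare.outputs.ref }}"
+export FRANKENPHP_VERSION="${REF}"
 else
 export FRANKENPHP_VERSION=${GITHUB_SHA}
 fi
 
 echo "FRANKENPHP_VERSION=${FRANKENPHP_VERSION}" >> "${GITHUB_ENV}"
+env:
+REF: ${{ needs.prepare.outputs.ref }}
 - name: Build FrankenPHP
 run: ./build-static.sh
 env: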
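Review bot: In the build-mac hunk (`@@ -369,23 +392,27 @@`) `cache: false` is added to the `actions/setup-go@v5` step while the `cache-dependency-path:` block listing `go.sum` and `caddy/go.sum` stays; with caching disabled that path list has no effect, so either drop those three lines or add a comment above `cache: false` saying why the Go cache is turned off for this job (the reason is not visible here). The workflow-level switch to `contents: read` with `contents: write` / `id-token: write` / `attestations: write` re-granted per job on build-linux-musl, build-linux-gnu and build-mac is the right shape; a one-line comment on the top-level `permissions:` block noting that release jobs elevate per job would help the next reader, and any job outside these hunks that still uploads or writes to the repository now runs read-only and is worth confirming. The `permissions:` blocks are identical across the three jobs, which is fine as GitHub Actions offers no way to share them.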

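--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -38,6 +38,8 @@ jobs:
 LIBRARY_PATH: ${{ github.workspace }}/watcher/target/lib
 steps:
 - uses: actions/checkout@v5
+with:
+persist-credentials: false
 - uses: actions/setup-go@v5
 with:
 go-version: "1.25"
@@ -92,6 +94,8 @@ jobs:
 HOMEBREW_NO_AUTO_UPDATE: 1
 steps:
 - uses: actions/checkout@v5
+with:
+persist-credentials: false
 - uses: actions/setup-go@v5
 with:
 go-version: "1.25"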

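--- /dev/null
+++ b/zizmor.yaml
@@ -0,0 +1,6 @@
+---
+rules:
+unpinned-uses:
+config:
+policies:
+"*": ref-pin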
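Review bot: The `"*": ref-pin` policy only requires that every `uses:` carry some ref, so mutable tags such as the `@v5`, `@v3`, `@v4` and the newly loosened `@v8` seen across this commit all pass, and a tag moved upstream still changes what runs with the repository token; zizmor's `hash-pin` policy would require a full commit SHA instead. If tag pins are a deliberate trade-off, a comment above the policy line recording that decision would stop the next reader from assuming hash pinning is enforced, e.g. `# ref-pin accepts version tags; hash-pin would require commit SHAs`. Otherwise `"*": hash-pin` plus SHA-pinning the actions is the stronger setting.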
