From 02798491b6eb6af238c4fe67b86fa662a6a351b1 Mon Sep 17 00:00:00 2001 From: Andrei Avram <6795248+andreiavrammsd@users.noreply.github.com> Date: Wed, 28 May 2025 19:39:48 +0300 Subject: [PATCH 1/6] Audit workflows --- .github/workflows/ci.yml | 48 ++++++++++++++++++++++++++++++++------ .github/workflows/doc.yml | 10 ++++++-- .github/workflows/fuzz.yml | 31 +++++++++++++++++------- 3 files changed, 71 insertions(+), 18 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 444bc11..2aabe70 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -9,6 +9,10 @@ on: env: CARGO_TERM_COLOR: always +permissions: + contents: read + actions: read + jobs: test: @@ -29,6 +33,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/cache@v4 with: @@ -38,22 +44,28 @@ jobs: target key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.toml') }}-${{ matrix.profile }} - - uses: dtolnay/rust-toolchain@stable + - uses: dtolnay/rust-toolchain@4305c38b25d97ef35a8ad1f985ccf2d2242004f2 # stable - run: cargo test --profile ${{ matrix.profile }} format: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: dtolnay/rust-toolchain@nightly + with: + persist-credentials: false + + - uses: dtolnay/rust-toolchain@b95584d8105b9ab200e15821fa671848cf2b7017 # nightly with: components: rustfmt + - run: cargo +nightly fmt --all -- --check clippy: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/cache@v4 with: @@ -63,15 +75,18 @@ jobs: target key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.toml') }} - - uses: dtolnay/rust-toolchain@stable + - uses: dtolnay/rust-toolchain@4305c38b25d97ef35a8ad1f985ccf2d2242004f2 # stable with: components: clippy + - run: cargo clippy --all-targets --all-features coverage: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/cache@v4 with: 
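Review bot: `actions: read` is granted at workflow level in the first ci.yml hunk (`@@ -9,6 +9,10`), so every job in the file (test, format, clippy, coverage, examples) receives it although only the Zizmor step added later in this patch passes a token to anything that queries the GitHub API. Least privilege would keep the workflow default at `contents: read` and put `actions: read` in a job-level `permissions:` block on the audit job alone, and only if zizmor's documentation confirms it needs that scope for the token it is given. The same workflow-wide block is added to doc.yml (`@@ -11,22 +11,28`) and fuzz.yml (`@@ -16,11 +16,17`) in this patch, where no step calls the Actions API at all.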
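Review bot: The pinning policy in `@@ -38,22 +44,28` is mixed: `dtolnay/rust-toolchain` is now locked to a commit SHA with a `# stable` / `# nightly` comment, but `actions/checkout@v4` and `actions/cache@v4` on the surrounding lines stay on mutable tags that can be re-pointed at other content at any time. The benefit of the audit is partial until every `uses:` line follows one rule; pin these the same way, e.g. `- uses: actions/checkout@<full-commit-sha> # v4.x.y` (placeholder, resolve the SHA from the tag you intend). The checkout and cache lines in `@@ -63,15 +75,18` and in the later ci.yml, doc.yml and fuzz.yml hunks of this patch have the same gap. Depending on its configured `unpinned-uses` policy, the Zizmor job introduced in this same commit may report these lines itself.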
@@ -81,21 +96,24 @@ jobs: target key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.toml') }} - - uses: dtolnay/rust-toolchain@stable + - uses: dtolnay/rust-toolchain@4305c38b25d97ef35a8ad1f985ccf2d2242004f2 # stable - - uses: taiki-e/install-action@cargo-llvm-cov + - uses: taiki-e/install-action@13fe1882c51d253ef22193d24823029c0acab68b # cargo-llvm-cov - run: cargo llvm-cov --all-features --workspace --lcov --output-path lcov.info - - uses: codecov/codecov-action@v5 + - uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 with: token: ${{ secrets.CODECOV_TOKEN }} files: lcov.info + persist-credentials: false examples: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/cache@v4 with: @@ -105,6 +123,22 @@ jobs: target key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.toml') }} - - uses: dtolnay/rust-toolchain@stable + - uses: dtolnay/rust-toolchain@4305c38b25d97ef35a8ad1f985ccf2d2242004f2 # stable - run: make examples + + actions-audit: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + with: + persist-credentials: false + + - name: Run Zizmor audit + run: | + docker run --rm -v ${{ github.workspace }}:/workspace/ -w /workspace/ ghcr.io/zizmorcore/zizmor@sha256:4d3128ae1370da9507bdd42a62d72b8304d4d0f290147aaac3eb0ebf51d70890 \ + --gh-token ${GITHUB_TOKEN} .github/workflows/ + + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/doc.yml b/.github/workflows/doc.yml index 18787d9..0f76b88 100644 --- a/.github/workflows/doc.yml +++ b/.github/workflows/doc.yml 
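Review bot: The SHA-pinned `codecov/codecov-action@18283e04…` line is the only new pin in this patch without a trailing comment naming the tag it resolves to, so a reader, or an updater bot that keys on that comment, cannot tell which release it is; add `# vX.Y.Z` (placeholder, fill in the tag the SHA was taken from) as done for the dtolnay and taiki-e lines. The `persist-credentials: false` key added under this action's `with:` is not a codecov input — it belongs to `actions/checkout`, which already receives it in the previous hunk — so it is ignored here; patch 3 in this series removes it again.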
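Review bot: The `docker run` line in the new `actions-audit` job interpolates `${{ github.workspace }}` directly into the shell script, while the rest of this series deliberately moves expressions into `env:` (fuzz.yml) to keep them out of script text; `github.workspace` is not attacker-controlled, but the consistent form is the runner-provided variable, `-v "$GITHUB_WORKSPACE":/workspace/`. The token is also passed as a command-line argument (`--gh-token ${GITHUB_TOKEN}`), which exposes it in the container's argument list; if the zizmor CLI reads `GH_TOKEN` from the environment, as I recall it does, `-e GH_TOKEN="$GITHUB_TOKEN"` on the docker command keeps it out of argv. The image digest line likewise lacks a comment naming the zizmor version it was taken from. The same `run:` block reappears in workflows-audit.yml in patches 2, 3 and 4 of this series.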
@@ -11,22 +11,28 @@ on: env: CARGO_TERM_COLOR: always +permissions: + contents: read + actions: read + jobs: publish: runs-on: ubuntu-latest permissions: contents: write + env: BRANCH_NAME: ${{ github.event_name == 'pull_request' && github.head_ref || (github.ref_name == '' && 'master' || github.ref_name) }} steps: - uses: actions/checkout@v4 with: fetch-depth: 0 - - uses: dtolnay/rust-toolchain@stable + persist-credentials: false + - uses: dtolnay/rust-toolchain@4305c38b25d97ef35a8ad1f985ccf2d2242004f2 # stable - run: | .github/doc/doc.py ${BRANCH_NAME} ls -l ./target/docs - - uses: peaceiris/actions-gh-pages@v4 + - uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: ./target/docs diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml index 488e463..438c4ca 100644 --- a/.github/workflows/fuzz.yml +++ b/.github/workflows/fuzz.yml @@ -16,11 +16,17 @@ on: env: CARGO_TERM_COLOR: always +permissions: + contents: read + actions: read + jobs: fuzz: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/cache@v4 with: 
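Review bot: `BRANCH_NAME` is derived from `github.head_ref`, which on pull requests is chosen by the PR author, and this hunk hands it to `.github/doc/doc.py ${BRANCH_NAME}` as a positional argument. Passing it through `env:` rather than an inline `${{ }}` expression is the right choice and keeps the shell safe, but the value still reaches `doc.py`, which is outside this diff; confirm the script treats the branch name as opaque data (branch names may contain `/`) and does not build a path under `./target/docs` or a shell command from it. Note also that the job-level `permissions: contents: write` replaces, rather than extends, the workflow-level block added above it, so `actions: read` does not apply to `publish` here; patch 4 moves it onto the job.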
@@ -30,24 +36,31 @@ jobs: target key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.toml') }} - - uses: dtolnay/rust-toolchain@nightly + - uses: dtolnay/rust-toolchain@b95584d8105b9ab200e15821fa671848cf2b7017 # nightly - name: Set seconds to run tests id: fuzz_config run: | - if [ "${{ github.event_name }}" = "schedule" ]; then + seconds="${SECONDS}" + if ! [[ "$seconds" =~ ^[0-9]+$ ]]; then + echo "Invalid fuzzseconds input; using default 30" + seconds=30 + fi + + if [ "${EVENT}" = "schedule" ]; then echo "fuzzseconds=600" >> "$GITHUB_OUTPUT" - elif [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - val="${{ inputs.fuzzseconds }}" - if [ -z "$val" ]; then - val=30 - fi - echo "fuzzseconds=$val" >> "$GITHUB_OUTPUT" + elif [ "${EVENT}" = "workflow_dispatch" ]; then + echo "fuzzseconds=$seconds" >> "$GITHUB_OUTPUT" else echo "fuzzseconds=30" >> "$GITHUB_OUTPUT" fi + env: + SECONDS: ${{ inputs.fuzzseconds }} + EVENT: ${{ github.event_name }} - name: Run tests run: | cargo install cargo-fuzz - cargo +nightly fuzz run static_vector -- -max_total_time=${{ steps.fuzz_config.outputs.fuzzseconds }} + cargo +nightly fuzz run static_vector -- -max_total_time=${SECONDS} + env: + SECONDS: ${{ steps.fuzz_config.outputs.fuzzseconds }} From d26cb842cd47ceb52a2ae7452251c966604c6a7a Mon Sep 17 00:00:00 2001 From: Andrei Avram <6795248+andreiavrammsd@users.noreply.github.com> Date: Wed, 28 May 2025 20:03:20 +0300 Subject: [PATCH 2/6] Extract new workflow for audit --- .github/workflows/ci.yml | 16 -------------- .github/workflows/workflows-audit.yml | 32 +++++++++++++++++++++++++++ 2 files changed, 32 insertions(+), 16 deletions(-) create mode 100644 .github/workflows/workflows-audit.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2aabe70..c6873c1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
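Review bot: `SECONDS` is a bash special variable — it expands to the number of seconds since the shell started, offset by whatever it was last assigned — so naming the `env:` entries `SECONDS` makes both new `run:` blocks read a clock rather than the configured value. Whether or not bash honours the inherited value on startup, the 'Run tests' step spends minutes in `cargo install cargo-fuzz` before `-max_total_time=${SECONDS}` is expanded, so the fuzzer receives the step output plus the install time (or just the elapsed time). Rename the variable in both steps, e.g. `FUZZ_SECONDS: ${{ steps.fuzz_config.outputs.fuzzseconds }}` and `-max_total_time=${FUZZ_SECONDS}`; the same name is kept in patch 4's fuzz.yml hunks (`@@ -42,9 +42,12` and `@@ -56,13 +59,10`). The env-var approach itself, replacing the inline `${{ inputs.fuzzseconds }}` inside a shell script, is the correct fix for the injection path.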
@@ -126,19 +126,3 @@ jobs: - uses: dtolnay/rust-toolchain@4305c38b25d97ef35a8ad1f985ccf2d2242004f2 # stable - run: make examples - - actions-audit: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v4 - with: - persist-credentials: false - - - name: Run Zizmor audit - run: | - docker run --rm -v ${{ github.workspace }}:/workspace/ -w /workspace/ ghcr.io/zizmorcore/zizmor@sha256:4d3128ae1370da9507bdd42a62d72b8304d4d0f290147aaac3eb0ebf51d70890 \ - --gh-token ${GITHUB_TOKEN} .github/workflows/ - - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/workflows-audit.yml b/.github/workflows/workflows-audit.yml new file mode 100644 index 0000000..0071a10 --- /dev/null +++ b/.github/workflows/workflows-audit.yml @@ -0,0 +1,32 @@ +name: CI + +on: + push: + branches: + - master + paths: + - '.github/**' + pull_request: + paths: + - '.github/**' + +permissions: + contents: read + actions: read + +jobs: + workflows-audit: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + with: + persist-credentials: false + + - name: Run Zizmor audit + run: | + docker run --rm -v ${{ github.workspace }}:/workspace/ -w /workspace/ ghcr.io/zizmorcore/zizmor@sha256:4d3128ae1370da9507bdd42a62d72b8304d4d0f290147aaac3eb0ebf51d70890 \ + --gh-token ${GITHUB_TOKEN} .github/workflows/ + + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 56face4524fa10efacdf7a0651f5f32ab3cb2c8c Mon Sep 17 00:00:00 2001 From: Andrei Avram <6795248+andreiavrammsd@users.noreply.github.com> Date: Thu, 29 May 2025 16:57:50 +0300 Subject: [PATCH 3/6] Use tagged version --- .github/workflows/ci.yml | 20 ++++++++++++++------ .github/workflows/doc.yml | 8 +++++++- .github/workflows/fuzz.yml | 4 +++- .github/workflows/workflows-audit.yml | 2 +- 4 files changed, 25 insertions(+), 9 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c6873c1..04c7950 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
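Review bot: The new workflows-audit.yml is named `CI` on its first line, which is very likely the display name ci.yml already uses (its `name:` is outside this diff); two workflows sharing a name are indistinguishable in the Actions UI and in required-status-check configuration, so give this one its own, e.g. `name: Workflows audit`. The `docker run` invocation is otherwise identical to the one removed from ci.yml in this commit, including the inline `${{ github.workspace }}` and the token on the command line already noted there. The `paths: '.github/**'` filter is sensible, but a branch-protection rule that requires this check can leave pull requests that never trigger it stuck in a pending state, so document that when wiring it into protection rules.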
@@ -44,7 +44,10 @@ jobs: target key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.toml') }}-${{ matrix.profile }} - - uses: dtolnay/rust-toolchain@4305c38b25d97ef35a8ad1f985ccf2d2242004f2 # stable + - uses: dtolnay/rust-toolchain@888c2e1ea69ab0d4330cbf0af1ecc7b68f368cc1 + with: + toolchain: stable + - run: cargo test --profile ${{ matrix.profile }} format: @@ -54,8 +57,9 @@ jobs: with: persist-credentials: false - - uses: dtolnay/rust-toolchain@b95584d8105b9ab200e15821fa671848cf2b7017 # nightly + - uses: dtolnay/rust-toolchain@888c2e1ea69ab0d4330cbf0af1ecc7b68f368cc1 with: + toolchain: nightly components: rustfmt - run: cargo +nightly fmt --all -- --check @@ -75,8 +79,9 @@ jobs: target key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.toml') }} - - uses: dtolnay/rust-toolchain@4305c38b25d97ef35a8ad1f985ccf2d2242004f2 # stable + - uses: dtolnay/rust-toolchain@888c2e1ea69ab0d4330cbf0af1ecc7b68f368cc1 with: + toolchain: stable components: clippy - run: cargo clippy --all-targets --all-features @@ -96,7 +101,9 @@ jobs: target key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.toml') }} - - uses: dtolnay/rust-toolchain@4305c38b25d97ef35a8ad1f985ccf2d2242004f2 # stable + - uses: dtolnay/rust-toolchain@888c2e1ea69ab0d4330cbf0af1ecc7b68f368cc1 + with: + toolchain: stable - uses: taiki-e/install-action@13fe1882c51d253ef22193d24823029c0acab68b # cargo-llvm-cov @@ -106,7 +113,6 @@ jobs: with: token: ${{ secrets.CODECOV_TOKEN }} files: lcov.info - persist-credentials: false examples: runs-on: ubuntu-latest @@ -123,6 +129,8 @@ jobs: target key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.toml') }} - - uses: dtolnay/rust-toolchain@4305c38b25d97ef35a8ad1f985ccf2d2242004f2 # stable + - uses: dtolnay/rust-toolchain@888c2e1ea69ab0d4330cbf0af1ecc7b68f368cc1 + with: + toolchain: stable - run: make examples diff --git a/.github/workflows/doc.yml b/.github/workflows/doc.yml index 0f76b88..4928bdf 100644 --- a/.github/workflows/doc.yml +++ b/.github/workflows/doc.yml 
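Review bot: The new `dtolnay/rust-toolchain@888c2e1e…` lines drop the trailing comment that the previous SHA pins carried, so nothing in the file records which tag `888c2e1e…` was resolved from; the commit subject says 'Use tagged version', but that fact now lives only in the commit message. Keep the tag next to the SHA, e.g. `- uses: dtolnay/rust-toolchain@888c2e1ea69ab0d4330cbf0af1ecc7b68f368cc1 # <tag>` (placeholder for the tag you pinned), which is also what Dependabot and Renovate use to propose updates. Moving the channel into `with: toolchain: stable` instead of the ref is correct and lets one SHA serve every job. The same applies to the other hunks of this commit: ci.yml `@@ -54`, `@@ -75`, `@@ -96` and `@@ -123`, doc.yml `@@ -23` and fuzz.yml `@@ -36`.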
@@ -23,15 +23,21 @@ jobs: env: BRANCH_NAME: ${{ github.event_name == 'pull_request' && github.head_ref || (github.ref_name == '' && 'master' || github.ref_name) }} + steps: - uses: actions/checkout@v4 with: fetch-depth: 0 persist-credentials: false - - uses: dtolnay/rust-toolchain@4305c38b25d97ef35a8ad1f985ccf2d2242004f2 # stable + + - uses: dtolnay/rust-toolchain@888c2e1ea69ab0d4330cbf0af1ecc7b68f368cc1 + with: + toolchain: stable + - run: | .github/doc/doc.py ${BRANCH_NAME} ls -l ./target/docs + - uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml index 438c4ca..b174e44 100644 --- a/.github/workflows/fuzz.yml +++ b/.github/workflows/fuzz.yml @@ -36,7 +36,9 @@ jobs: target key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.toml') }} - - uses: dtolnay/rust-toolchain@b95584d8105b9ab200e15821fa671848cf2b7017 # nightly + - uses: dtolnay/rust-toolchain@888c2e1ea69ab0d4330cbf0af1ecc7b68f368cc1 + with: + toolchain: nightly - name: Set seconds to run tests id: fuzz_config diff --git a/.github/workflows/workflows-audit.yml b/.github/workflows/workflows-audit.yml index 0071a10..c76ad17 100644 --- a/.github/workflows/workflows-audit.yml +++ b/.github/workflows/workflows-audit.yml @@ -26,7 +26,7 @@ jobs: - name: Run Zizmor audit run: | docker run --rm -v ${{ github.workspace }}:/workspace/ -w /workspace/ ghcr.io/zizmorcore/zizmor@sha256:4d3128ae1370da9507bdd42a62d72b8304d4d0f290147aaac3eb0ebf51d70890 \ - --gh-token ${GITHUB_TOKEN} .github/workflows/ + -p --gh-token ${GITHUB_TOKEN} .github/workflows/ env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From fc97e51ed399f0956b622bd2cd1a4b6899de75d9 Mon Sep 17 00:00:00 2001 
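Review bot: `-p` is added to the zizmor command in the workflows-audit.yml hunk with no indication of what it enables; if it is the `--pedantic` persona alias, as I recall from the zizmor CLI, spell it out as `--pedantic` so the next reader does not have to look it up, and decide explicitly whether pedantic findings should fail the job or only be reported. The enclosing `run:` block is otherwise unchanged by this hunk.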
From: Andrei Avram <6795248+andreiavrammsd@users.noreply.github.com> Date: Thu, 29 May 2025 17:06:00 +0300 Subject: [PATCH 4/6] More specific --- .github/workflows/doc.yml | 5 +---- .github/workflows/fuzz.yml | 12 ++++++------ .github/workflows/workflows-audit.yml | 5 ++--- 3 files changed, 9 insertions(+), 13 deletions(-) diff --git a/.github/workflows/doc.yml b/.github/workflows/doc.yml index 4928bdf..8d57514 100644 --- a/.github/workflows/doc.yml +++ b/.github/workflows/doc.yml @@ -11,15 +11,12 @@ on: env: CARGO_TERM_COLOR: always -permissions: - contents: read - actions: read - jobs: publish: runs-on: ubuntu-latest permissions: contents: write + actions: read env: BRANCH_NAME: ${{ github.event_name == 'pull_request' && github.head_ref || (github.ref_name == '' && 'master' || github.ref_name) }} diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml index b174e44..630fdfc 100644 --- a/.github/workflows/fuzz.yml +++ b/.github/workflows/fuzz.yml @@ -42,9 +42,12 @@ jobs: - name: Set seconds to run tests id: fuzz_config + env: + SECONDS: ${{ inputs.fuzzseconds }} + EVENT: ${{ github.event_name }} run: | seconds="${SECONDS}" - if ! [[ "$seconds" =~ ^[0-9]+$ ]]; then + if ! [[ "$seconds" =~ ^[0-9]+$ ]] || (( seconds < 0 || seconds > 600 )); then echo "Invalid fuzzseconds input; using default 30" seconds=30 fi @@ -56,13 +59,10 @@ jobs: else echo "fuzzseconds=30" >> "$GITHUB_OUTPUT" fi - env: - SECONDS: ${{ inputs.fuzzseconds }} - EVENT: ${{ github.event_name }} - name: Run tests + env: + SECONDS: ${{ steps.fuzz_config.outputs.fuzzseconds }} run: | cargo install cargo-fuzz cargo +nightly fuzz run static_vector -- -max_total_time=${SECONDS} - env: - SECONDS: ${{ steps.fuzz_config.outputs.fuzzseconds }} diff --git a/.github/workflows/workflows-audit.yml b/.github/workflows/workflows-audit.yml index c76ad17..35bd1b2 100644 --- a/.github/workflows/workflows-audit.yml +++ b/.github/workflows/workflows-audit.yml 
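Review bot: `actions: read` is added to the `publish` job's permissions in doc.yml (`@@ -11,15 +11,12`), but nothing visible in that job reads workflow-run data: checkout, the toolchain action, `doc.py` and `peaceiris/actions-gh-pages` (whose documented requirement, as far as I know, is `contents: write` only) make no such calls. Unless a step outside the diff requires it, `permissions: contents: write` alone is the least-privilege setting; if it is needed, a one-line comment naming the step that needs it would save the next audit. Removing the workflow-level block here also means any job added later without its own `permissions:` falls back to the repository default token, which patch 6 in this series addresses by restoring it.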
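Review bot: The new bounds check `(( seconds < 0 || seconds > 600 ))` in the fuzz.yml hunk (`@@ -42,9 +42,12`) evaluates `seconds` as a bash arithmetic literal, so an input with a leading zero such as `08` or `09` is read as octal and the test aborts with 'value too great for base'; because of the `||`, that failure counts as 'in range' and `fuzzseconds=09` is written out. Force decimal and drop the impossible negative branch (the regex already excludes a sign): `if ! [[ "$seconds" =~ ^[0-9]+$ ]] || (( 10#$seconds > 600 )); then`. Separately, on push and schedule events `inputs.fuzzseconds` is empty, so the 'Invalid fuzzseconds input' line is logged on every run even though the value is never used; validating only when `EVENT` is `workflow_dispatch` would keep the log honest.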
@@ -24,9 +24,8 @@ jobs: persist-credentials: false - name: Run Zizmor audit + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | docker run --rm -v ${{ github.workspace }}:/workspace/ -w /workspace/ ghcr.io/zizmorcore/zizmor@sha256:4d3128ae1370da9507bdd42a62d72b8304d4d0f290147aaac3eb0ebf51d70890 \ -p --gh-token ${GITHUB_TOKEN} .github/workflows/ - - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From a8ebc5dad9406b3ef63ce2831424ba9ff33e3ad6 Mon Sep 17 00:00:00 2001 From: Andrei Avram <6795248+andreiavrammsd@users.noreply.github.com> Date: Thu, 29 May 2025 17:09:15 +0300 Subject: [PATCH 5/6] Add rustowl --- .vscode/extensions.json | 1 + 1 file changed, 1 insertion(+) diff --git a/.vscode/extensions.json b/.vscode/extensions.json index 137b74e..de7e8a1 100644 --- a/.vscode/extensions.json +++ b/.vscode/extensions.json @@ -2,5 +2,6 @@ "recommendations": [ "rust-lang.rust-analyzer", "ryanluker.vscode-coverage-gutters", + "cordx56.rustowl-vscode" ] } From 935cd26d6db9c5c6358320c8951e6b45a6c42dff Mon Sep 17 00:00:00 2001 From: Andrei Avram <6795248+andreiavrammsd@users.noreply.github.com> Date: Thu, 29 May 2025 17:11:28 +0300 Subject: [PATCH 6/6] Set default permissions --- .github/workflows/doc.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/doc.yml b/.github/workflows/doc.yml index 8d57514..37b5b4e 100644 --- a/.github/workflows/doc.yml +++ b/.github/workflows/doc.yml @@ -11,6 +11,10 @@ on: env: CARGO_TERM_COLOR: always +permissions: + contents: read + actions: read + jobs: publish: runs-on: ubuntu-latest