diff --git a/.github/workflows/pr_pre-commit.yml b/.github/workflows/pr_pre-commit.yml index 0877ecd..a63b29d 100644 --- a/.github/workflows/pr_pre-commit.yml +++ b/.github/workflows/pr_pre-commit.yml @@ -4,6 +4,7 @@ name: pre-commit on: pull_request: +permissions: {} jobs: pre-commit: @@ -15,3 +16,5 @@ jobs: submodules: recursive fetch-depth: 0 - uses: ./run-pre-commit + with: + rust-tools: zizmor@1.4.1 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 4ef31fd..3db3a1b 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -31,3 +31,13 @@ repos: rev: 5db9d9cde2f3deb5035dea3e45f0a9fff2f29448 # 1.7.4 hooks: - id: actionlint + + - repo: local + hooks: + - id: zizmor + name: zizmor + language: system + files: ^\.github/workflows/ + entry: zizmor + stages: [pre-commit] + pass_filenames: true diff --git a/run-pre-commit/action.yml b/run-pre-commit/action.yml index 18184fd..caa85c4 100644 --- a/run-pre-commit/action.yml +++ b/run-pre-commit/action.yml @@ -15,6 +15,11 @@ inputs: Override which Rust components are installed. Only takes effect when Rust is installed. default: rustfmt,clippy + rust-tools: + description: | + Install Rust-based tools using `cargo install --locked`. Tools can be + specified using the following format: `CRATE[@]`. Individual tools + are separated by space hadolint: description: Whether to install hadolint (and which version to use) nix: @@ -38,6 +43,18 @@ runs: toolchain: ${{ inputs.rust }} components: ${{ inputs.rust-components }} + - name: Install Rust Tools + if: ${{ inputs.rust-tools }} + env: + RUST_TOOLS: ${{ inputs.rust-tools }} + shell: bash + run: | + set -euo pipefail + + # Make a list out of the space separated list off tools/crates + RUST_TOOLS=($RUST_TOOLS) + cargo install --locked "${RUST_TOOLS[@]}" + - name: Setup Hadolint if: ${{ inputs.hadolint }} shell: bash
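Review bot: The top-level `permissions: {}` in `pr_pre-commit.yml` leaves the `pre-commit` job with no token scopes at all, including `contents: read`, while the same job runs a checkout with `submodules: recursive` (visible in the next hunk). On a public repository the checkout still succeeds, but it would fail if this workflow is copied to a private repository or one with private submodules. Keeping the empty top-level default and adding a job-level `permissions:` block with `contents: read` states the required scope explicitly and stays least-privilege. A comment above the new line such as `# no token scopes by default; jobs opt in to what they need` would record the intent. The job body continues outside the hunk, so an existing job-level block cannot be ruled out.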
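Review bot: The new `zizmor` hook's `files: ^\.github/workflows/` pattern skips `run-pre-commit/action.yml`, the composite action where this same commit adds a shell step. The pattern also matches any non-YAML file placed under the workflows directory. If the pinned zizmor release audits composite-action definitions (worth confirming for 1.4.1), something like `files: ^(\.github/workflows/[^/]+|(.*/)?action)\.ya?ml$` would cover both. Separately, `language: system` means the hook runs whatever `zizmor` is on the developer's PATH, or fails if there is none, so local results can differ from the CI run pinned to 1.4.1. A comment on the hook naming the expected version and how to install it would help.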
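Review bot: The format string in the `rust-tools` description reads `CRATE[@]`, which looks like it has lost its version placeholder; `CRATE[@VERSION]` matches what the workflow passes (`zizmor@1.4.1`). The description should also say that the value is word-split by the shell and handed to `cargo install` as arguments. That means it should only be set from static workflow text, never from pull-request-controlled data, and pinning a version is the recommended form. The last sentence is missing its full stop.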
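Review bot: In the `Install Rust Tools` step, the unquoted split `RUST_TOOLS=($RUST_TOOLS)` also performs pathname expansion, and any element beginning with `-` reaches `cargo install` as an option rather than a crate name. Passing the input through `env:` instead of interpolating `${{ inputs.rust-tools }}` into the script is the right pattern, so this is hardening for a reusable action rather than a live injection. Splitting with `read -ra tools <<< "$RUST_TOOLS"` and calling `cargo install --locked -- "${tools[@]}"` removes both behaviours for the single-line, space-separated format the input documents. The step is gated only on `inputs.rust-tools`, so if the Rust setup step above (outside this hunk) is skipped, it will either fail or use whatever `cargo` the runner image ships. Consider adding the Rust input to the `if:` condition, and fix the comment typo "list off tools" to "list of tools".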