1berry/ruby
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[StepSecurity] ci: Harden GitHub Actions

Browse Source 
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
This commit is contained in:
StepSecurity Bot 2022-11-25 10:26:10 +00:00 committed by Hiroshi SHIBATA
parent 8a50db7dfa
commit e15cd01149
Notes: git 2022-11-25 11:12:44 +00:00 
Merged: https://github.com/ruby/ruby/pull/6810
16 changed files with 54 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
.github/workflows/baseruby.yml vendored
View File

@ -40,12 +40,12 @@ jobs:
- ruby-3.1
steps:
- uses: actions/checkout@v3
- uses: actions/cache@v3
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
- uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
with:
path: .downloaded-cache
key: downloaded-cache
- uses: ruby/setup-ruby@v1
- uses: ruby/setup-ruby@de6f5b9c340068d049670c6b6ae8dc94cff4667a # v1.125.0
with:
ruby-version: ${{ matrix.ruby }}
bundler: none
@ -57,7 +57,7 @@ jobs:
- run: make incs
- run: make all
- run: make test
- uses: ruby/action-slack@v3.0.0
- uses: ruby/action-slack@b6882ea6ef8f556f9f9af9ec1220d3f1ced74acf # v3.0.0
with:
payload: |
{

4
.github/workflows/bundled_gems.yml vendored
View File

@ -29,9 +29,9 @@ jobs:
echo "GNUMAKEFLAGS=-j$((1 + $(nproc --all)))" >> $GITHUB_ENV
echo "TODAY=$(date +%F)" >> $GITHUB_ENV
- uses: actions/checkout@v3
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
- uses: actions/cache@v3
- uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
with:
path: .downloaded-cache
key: downloaded-cache-${{ github.sha }}

6
.github/workflows/check_dependencies.yml vendored
View File

@ -45,8 +45,8 @@ jobs:
run: |
git config --global advice.detachedHead 0
git config --global init.defaultBranch garbage
- uses: actions/checkout@v3
- uses: actions/cache@v3
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
- uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
with:
path: .downloaded-cache
key: downloaded-cache
@ -56,7 +56,7 @@ jobs:
- run: make all golf
- run: ruby tool/update-deps --fix
- run: git diff --no-ext-diff --ignore-submodules --exit-code
- uses: ruby/action-slack@v3.0.0
- uses: ruby/action-slack@b6882ea6ef8f556f9f9af9ec1220d3f1ced74acf # v3.0.0
with:
payload: |
{

6
.github/workflows/check_misc.yml vendored
View File

@ -9,7 +9,7 @@ jobs:
checks:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
- name: Check if C-sources are US-ASCII
run: |
! grep -r -n '[^ -~]' *.[chy] include internal win32/*.[ch]
@ -23,7 +23,7 @@ jobs:
done | grep -F .
working-directory: include
- uses: actions/cache@v3
- uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
with:
path: .downloaded-cache
key: downloaded-cache-${{ github.sha }}
@ -98,7 +98,7 @@ jobs:
GIT_COMMITTER_NAME: git
if: ${{ github.repository == 'ruby/ruby' && !startsWith(github.event_name, 'pull') && steps.diff.outcome == 'failure' }}
- uses: ruby/action-slack@v3.0.0
- uses: ruby/action-slack@b6882ea6ef8f556f9f9af9ec1220d3f1ced74acf # v3.0.0
with:
payload: |
{

4
.github/workflows/cirrus-notify.yml vendored
View File

@ -13,7 +13,7 @@ jobs:
&& github.event.check_suite.head_branch == 'master'
runs-on: ubuntu-latest
steps:
- uses: octokit/request-action@v2.x
- uses: octokit/request-action@4579f9e1e690974421f9f6928a30fb448e967c60 # v2.x
id: get_failed_check_run
with:
route: GET /repos/${{ github.repository }}/check-suites/${{ github.event.check_suite.id }}/check-runs?status=completed
@ -28,7 +28,7 @@ jobs:
env:
CHECK_RUNS: ${{ steps.get_failed_check_run.outputs.data }}
run: echo "$CHECK_RUNS"
- uses: ruby/action-slack@v3.0.0
- uses: ruby/action-slack@b6882ea6ef8f556f9f9af9ec1220d3f1ced74acf # v3.0.0
with:
payload: |
{

10
.github/workflows/codeql-analysis.yml vendored
View File

@ -43,9 +43,9 @@ jobs:
sudo apt-get install --no-install-recommends -q -y build-essential libssl-dev libyaml-dev libreadline6-dev zlib1g-dev libncurses5-dev libffi-dev bison autoconf ruby
- name: Checkout repository
uses: actions/checkout@v3
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
- uses: actions/cache@v3
- uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
with:
path: .downloaded-cache
key: downloaded-cache
@ -54,7 +54,7 @@ jobs:
run: sudo rm /usr/lib/ruby/vendor_ruby/rubygems/defaults/operating_system.rb
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
uses: github/codeql-action/init@678fc3afe258fb2e0cdc165ccf77b85719de7b3c # v2.1.33
with:
config-file: ./.github/codeql/codeql-config.yml
@ -62,7 +62,7 @@ jobs:
run: echo "GNUMAKEFLAGS=-j$((1 + $(nproc --all)))" >> $GITHUB_ENV
- name: Autobuild
uses: github/codeql-action/autobuild@v2
uses: github/codeql-action/autobuild@678fc3afe258fb2e0cdc165ccf77b85719de7b3c # v2.1.33
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
uses: github/codeql-action/analyze@678fc3afe258fb2e0cdc165ccf77b85719de7b3c # v2.1.33

6
.github/workflows/compilers.yml vendored
View File

@ -231,10 +231,10 @@ jobs:
- name: setenv
run: |
echo "GNUMAKEFLAGS=-sj$((1 + $(nproc --all)))" >> $GITHUB_ENV
- uses: actions/checkout@v3
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
with:
path: src
- uses: actions/cache@v3
- uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
with:
path: src/.downloaded-cache
key: downloaded-cache
@ -268,7 +268,7 @@ jobs:
- run: make test-annocheck
if: ${{ matrix.entry.check && endsWith(matrix.entry.name, 'annocheck') }}
- uses: ruby/action-slack@v3.0.0
- uses: ruby/action-slack@b6882ea6ef8f556f9f9af9ec1220d3f1ced74acf # v3.0.0
with:
payload: |
{

6
.github/workflows/macos.yml vendored
View File

@ -41,10 +41,10 @@ jobs:
run: |
git config --global advice.detachedHead 0
git config --global init.defaultBranch garbage
- uses: actions/checkout@v3
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
with:
path: src
- uses: actions/cache@v3
- uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
with:
path: src/.downloaded-cache
key: downloaded-cache
@ -86,7 +86,7 @@ jobs:
PRECHECK_BUNDLED_GEMS: "no"
if: ${{ matrix.test_task == 'check' && matrix.skipped_tests != '' }}
continue-on-error: ${{ matrix.continue-on-skipped_tests || false }}
- uses: ruby/action-slack@v3.0.0
- uses: ruby/action-slack@b6882ea6ef8f556f9f9af9ec1220d3f1ced74acf # v3.0.0
with:
payload: |
{

8
.github/workflows/mingw.yml vendored
View File

@ -57,15 +57,15 @@ jobs:
git config --global core.eol lf
git config --global advice.detachedHead 0
git config --global init.defaultBranch garbage
- uses: actions/checkout@v3
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
with:
path: src
- uses: actions/cache@v3
- uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
with:
path: src/.downloaded-cache
key: downloaded-cache
- name: Set up Ruby & MSYS2
uses: ruby/setup-ruby@v1
uses: ruby/setup-ruby@de6f5b9c340068d049670c6b6ae8dc94cff4667a # v1.125.0
with:
ruby-version: ${{ matrix.base_ruby }}
- name: set env
@ -151,7 +151,7 @@ jobs:
make ${{ StartsWith(matrix.test_task, 'spec/') && matrix.test_task || 'test-spec' }}
if: ${{matrix.test_task == 'check' || matrix.test_task == 'test-spec' || StartsWith(matrix.test_task, 'spec/')}}
- uses: ruby/action-slack@v3.0.0
- uses: ruby/action-slack@b6882ea6ef8f556f9f9af9ec1220d3f1ced74acf # v3.0.0
with:
payload: |
{

8
.github/workflows/mjit-bindgen.yml vendored
View File

@ -48,17 +48,17 @@ jobs:
bison autoconf
sudo apt-get install -q -y pkg-config || :
- name: Set up Ruby
uses: ruby/setup-ruby@v1
uses: ruby/setup-ruby@de6f5b9c340068d049670c6b6ae8dc94cff4667a # v1.125.0
with:
ruby-version: '3.1'
- name: git config
run: |
git config --global advice.detachedHead 0
git config --global init.defaultBranch garbage
- uses: actions/checkout@v3
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
with:
path: src
- uses: actions/cache@v3
- uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
with:
path: src/.downloaded-cache
key: downloaded-cache
@ -77,7 +77,7 @@ jobs:
- run: make ${{ matrix.task }}
- run: git diff --exit-code
working-directory: src
- uses: ruby/action-slack@v3.0.0
- uses: ruby/action-slack@b6882ea6ef8f556f9f9af9ec1220d3f1ced74acf # v3.0.0
with:
payload: |
{

6
.github/workflows/mjit.yml vendored
View File

@ -46,10 +46,10 @@ jobs:
run: |
git config --global advice.detachedHead 0
git config --global init.defaultBranch garbage
- uses: actions/checkout@v3
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
with:
path: src
- uses: actions/cache@v3
- uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
with:
path: src/.downloaded-cache
key: downloaded-cache
@ -84,7 +84,7 @@ jobs:
ulimit -c unlimited
make -s test-spec RUN_OPTS="$RUN_OPTS"
timeout-minutes: 60
- uses: ruby/action-slack@v3.0.0
- uses: ruby/action-slack@b6882ea6ef8f556f9f9af9ec1220d3f1ced74acf # v3.0.0
with:
payload: |
{

6
.github/workflows/spec_guards.yml vendored
View File

@ -28,8 +28,8 @@ jobs:
- ruby-3.1
steps:
- uses: actions/checkout@v3
- uses: ruby/setup-ruby@v1
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
- uses: ruby/setup-ruby@de6f5b9c340068d049670c6b6ae8dc94cff4667a # v1.125.0
with:
ruby-version: ${{ matrix.ruby }}
bundler: none
@ -38,7 +38,7 @@ jobs:
working-directory: spec/ruby
env:
CHECK_LEAKS: true
- uses: ruby/action-slack@v3.0.0
- uses: ruby/action-slack@b6882ea6ef8f556f9f9af9ec1220d3f1ced74acf # v3.0.0
with:
payload: |
{

6
.github/workflows/ubuntu.yml vendored
View File

@ -72,10 +72,10 @@ jobs:
run: |
git config --global advice.detachedHead 0
git config --global init.defaultBranch garbage
- uses: actions/checkout@v3
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
with:
path: src
- uses: actions/cache@v3
- uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
with:
path: src/.downloaded-cache
key: downloaded-cache
@ -120,7 +120,7 @@ jobs:
TESTS: ${{ matrix.skipped_tests }}
if: ${{ matrix.test_task == 'check' && matrix.skipped_tests != '' }}
continue-on-error: ${{ matrix.continue-on-skipped_tests || false }}
- uses: ruby/action-slack@v3.0.0
- uses: ruby/action-slack@b6882ea6ef8f556f9f9af9ec1220d3f1ced74acf # v3.0.0
with:
payload: |
{

2
.github/workflows/wasm.yml vendored
View File

@ -51,7 +51,7 @@ jobs:
run: |
git config --global advice.detachedHead 0
git config --global init.defaultBranch garbage
- uses: actions/checkout@v3
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
with:
path: src
- name: Install libraries

14
.github/workflows/windows.yml vendored
View File

@ -39,7 +39,7 @@ jobs:
steps:
- run: md build
working-directory:
- uses: msys2/setup-msys2@v2
- uses: msys2/setup-msys2@d40200dc2db4c351366b048a9565ad82919e1c24 # v2
id: setup-msys2
with:
update: true
@ -50,14 +50,14 @@ jobs:
shell: msys2 {0}
run: echo PATCH=$(cygpath -wa $(command -v patch)) >> $GITHUB_ENV
if: ${{ steps.setup-msys2.outcome == 'success' }}
- uses: actions/cache@v3
- uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
with:
path: C:\vcpkg\downloads
key: ${{ runner.os }}-vcpkg-download-${{ env.OS_VER }}-${{ github.sha }}
restore-keys: |
${{ runner.os }}-vcpkg-download-${{ env.OS_VER }}-
${{ runner.os }}-vcpkg-download-
- uses: actions/cache@v3
- uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
with:
path: C:\vcpkg\installed
key: ${{ runner.os }}-vcpkg-installed-${{ matrix.os }}-${{ github.sha }}
@ -67,7 +67,7 @@ jobs:
- name: Install libraries with vcpkg
run: |
vcpkg --triplet x64-windows install libffi libyaml openssl readline zlib
- uses: actions/cache@v3
- uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
with:
path: C:\Users\runneradmin\AppData\Local\Temp\chocolatey
key: ${{ runner.os }}-chocolatey-${{ env.OS_VER }}-${{ github.sha }}
@ -86,10 +86,10 @@ jobs:
git config --global core.eol lf
git config --global advice.detachedHead 0
git config --global init.defaultBranch garbage
- uses: actions/checkout@v3
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
with:
path: src
- uses: actions/cache@v3
- uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
with:
path: src/.downloaded-cache
key: downloaded-cache
@ -138,7 +138,7 @@ jobs:
env:
RUBY_TESTOPTS: -j${{env.TEST_JOBS}} --job-status=normal
timeout-minutes: 60
- uses: ruby/action-slack@v3.0.0
- uses: ruby/action-slack@b6882ea6ef8f556f9f9af9ec1220d3f1ced74acf # v3.0.0
with:
payload: |
{

8
.github/workflows/yjit-ubuntu.yml vendored
View File

@ -27,7 +27,7 @@ jobs:
# GitHub Action's image seems to already contain a Rust 1.58.0.
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
# For now we can't run cargo test --offline because it complains about the
# capstone dependency, even though the dependency is optional
#- run: cargo test --offline
@ -90,10 +90,10 @@ jobs:
run: |
git config --global advice.detachedHead 0
git config --global init.defaultBranch garbage
- uses: actions/checkout@v3
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
with:
path: src
- uses: actions/cache@v3
- uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
with:
path: src/.downloaded-cache
key: downloaded-cache
@ -135,7 +135,7 @@ jobs:
BASE_REPO: ${{ github.event.pull_request.base.repo.full_name }}
BASE_SHA: ${{ github.event.pull_request.base.sha }}
if: ${{ matrix.test_task == 'yjit-bench' && startsWith(github.event_name, 'pull') }}
- uses: ruby/action-slack@v3.0.0
- uses: ruby/action-slack@b6882ea6ef8f556f9f9af9ec1220d3f1ced74acf # v3.0.0
with:
payload: |
{