Skip to content
Merged
Show file tree
Hide file tree
Changes from 4 commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -169,7 +169,7 @@ runs:
if: false
- uses: manusa/actions-setup-minikube@96202dee4ae1c2f46a62fe197273aaf22b83f42d # v2.16.1
if: false
- uses: matlab-actions/run-tests@353aee49b0edf62278c118a51b484d90bf6da1b7 # v3.1.0
Comment thread
potiuk marked this conversation as resolved.
- uses: matlab-actions/run-tests@4be3345d41da8b1bf8cc5cb01a5e19c4611cb15d # v3.0.0
if: false
- uses: matlab-actions/setup-matlab@a0180c939fb1a28de13f44f7b778b912384ced1f # v3.0.1
if: false
Expand Down
8 changes: 6 additions & 2 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
Expand All @@ -14,9 +15,11 @@
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#

version: 2
updates:
- package-ecosystem: "github-actions"
- package-ecosystem: "github-actions" # zizmor: ignore[dependabot-cooldown] see #683 and #712
commit-message:
prefix: "action-allowlist-review"
directories:
Expand All @@ -30,7 +33,8 @@ updates:
# we're not comfortable trusting fully yet. See also
# https://github.com/apache/infrastructure-actions/issues/324
- dependency-name: "cpp-linter/cpp-linter-action"
versions: ">=2.16"
versions:
- ">=2.16"
Comment thread
potiuk marked this conversation as resolved.
open-pull-requests-limit: 50
- package-ecosystem: "github-actions"
schedule:
Expand Down
56 changes: 56 additions & 0 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#

name: "CodeQL"

on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
schedule:
- cron: '16 4 * * 1'

permissions:
contents: read

jobs:
analyze:
name: Analyze Actions
runs-on: ubuntu-slim
permissions:
contents: read
security-events: write
packages: read

steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false

- name: Initialize CodeQL
uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
with:
languages: actions

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
with:
category: "/language:actions"
2 changes: 1 addition & 1 deletion .github/workflows/verify_dependabot_action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ permissions:

jobs:
verify:
if: github.actor == 'dependabot[bot]'
if: github.event.pull_request.user.login == 'dependabot[bot]'
Comment thread
potiuk marked this conversation as resolved.
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
Expand Down
46 changes: 46 additions & 0 deletions .github/workflows/zizmor.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
#
Comment thread
potiuk marked this conversation as resolved.
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#

name: GitHub Actions Security Analysis with zizmor 🌈

on:
push:
branches: ["main"]
pull_request:
branches: ["**"]

permissions: {}

jobs:
zizmor:
name: Run zizmor 🌈
runs-on: ubuntu-latest
permissions: {}
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Run zizmor 🌈
uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
with:
advanced-security: false
min-severity: medium
min-confidence: medium
56 changes: 35 additions & 21 deletions pelican/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -71,19 +71,19 @@ runs:
# Install needs to run in separate shell so stdout is restored
run: |
(
test "${{ inputs.debug }}" == 'true' || exec >/dev/null
test "${INPUTS_DEBUG}" == 'true' || exec >/dev/null
Comment thread
dave2wave marked this conversation as resolved.
# Bootstrap uv into the setup-python interpreter.
pip install uv
# Install Pelican as an isolated uv tool. The action's project is
# injected via --with so every Pelican plugin dependency declared in
# pyproject.toml lands in the same venv. Optional user requirements
# are layered in via --with-requirements.
UV_TOOL_ARGS=(--with "${{ github.action_path }}")
if [ -n "${{ inputs.requirements }}" ]; then
echo "Installing python requirements from ${{ inputs.requirements }}"
UV_TOOL_ARGS+=(--with-requirements "${{ inputs.requirements }}")
if [ -n "${INPUTS_REQUIREMENTS}" ]; then
echo "Installing python requirements from ${INPUTS_REQUIREMENTS}"
UV_TOOL_ARGS+=(--with-requirements "${INPUTS_REQUIREMENTS}")
fi
uv tool install "pelican[markdown]==${{ inputs.version }}" "${UV_TOOL_ARGS[@]}"
uv tool install "pelican[markdown]==${INPUTS_VERSION}" "${UV_TOOL_ARGS[@]}"
)
# Make the uv tool bin dir visible to later steps and the current
# shell. Publish the tool venv's Python so the "Generate website"
Expand All @@ -94,10 +94,14 @@ runs:
python3 -V
echo "Pelican version:"
pelican --version
if [ "${{ inputs.debug }}" == 'true' ]
if [ "${INPUTS_DEBUG}" == 'true' ]
then
uv tool list
fi
env:
INPUTS_DEBUG: ${{ inputs.debug }}
INPUTS_REQUIREMENTS: ${{ inputs.requirements }}
INPUTS_VERSION: ${{ inputs.version }}

# If the site uses GitHub Flavored Markdown, use this build branch
- name: fetch and build libcmark-gfm.so
Expand All @@ -106,6 +110,7 @@ runs:
env:
WORKDIR: /opt/pelican-asf # where to build GFM
GFM_VERSION: '0.28.3.gfm.12' # ensure we agree with build-cmark.sh script
INPUTS_DEBUG: ${{ inputs.debug }}
run: |
# Does the GFM build already exist?
if [[ -n $LIBCMARKDIR && -d $LIBCMARKDIR ]]
Expand All @@ -115,7 +120,7 @@ runs:
fi
{
# disable stdout unless debug is on
if [ "${{ inputs.debug }}" == 'true' ]
if [ "${INPUTS_DEBUG}" == 'true' ]
then
# This envvar is used within build-cmark.sh
DEBUG_STEPS=1; export DEBUG_STEPS
Expand All @@ -136,22 +141,26 @@ runs:
- name: Generate website from markdown
shell: bash
run: |
if [ "${{ inputs.debug }}" == 'true' ]
if [ "${INPUTS_DEBUG}" == 'true' ]
then
OPTS='-D'
else
OPTS=''
fi
if [ -n "${{ inputs.fatal }}" ]
if [ -n "${INPUTS_FATAL}" ]
then
OPTS="$OPTS --fatal ${{ inputs.fatal }}"
OPTS="$OPTS --fatal ${INPUTS_FATAL}"
fi
echo "Getting plugins from action location: ${{ github.action_path }}"
# Run plugin_paths from the tool venv's Python so pelicanconf.py can
# import any dependency that lives alongside Pelican in that venv.
PP=$("$PELICAN_TOOL_PY" -m plugin_paths '${{ github.action_path }}/plugins')
set -x # Show the expanded variables
pelican content -e "$PP" -o ${{ inputs.tempdir }} $OPTS
pelican content -e "$PP" -o ${INPUTS_TEMPDIR} $OPTS
env:
INPUTS_DEBUG: ${{ inputs.debug }}
INPUTS_FATAL: ${{ inputs.fatal }}
INPUTS_TEMPDIR: ${{ inputs.tempdir }}

- name: Check out previous branch
if: ${{ inputs.publish == 'true' }}
Expand All @@ -160,30 +169,32 @@ runs:
git config --global user.email "private@infra.apache.org"
git config --global user.name "Build Pelican (action)"
git remote update
if git checkout ${{ inputs.destination }}
if git checkout ${INPUTS_DESTINATION}
then
git pull origin ${{ inputs.destination }}
git pull origin ${INPUTS_DESTINATION}
else
# if none, create it.
echo "branch ${{ inputs.destination }} is new; create empty site"
git switch --orphan ${{ inputs.destination }}
git checkout origin/${{ github.ref_name }} -- .asf.yaml
echo "branch ${INPUTS_DESTINATION} is new; create empty site"
git switch --orphan ${INPUTS_DESTINATION}
git checkout origin/${GITHUB_REF_NAME} -- .asf.yaml
git add .asf.yaml -f
git commit -m "Initialise empty site"
git push -u origin ${{ inputs.destination }}
git push -u origin ${INPUTS_DESTINATION}
fi
env:
INPUTS_DESTINATION: ${{ inputs.destination }}

- name: Commit Directly to the branch
if: ${{ inputs.publish == 'true' }}
shell: bash
run: |
# Remove all existing output so deletions will be captured
rm -rf ${{ inputs.output }}
git rm --quiet -r --ignore-unmatch --cached ${{ inputs.output }}/*
rm -rf ${INPUTS_OUTPUT}
git rm --quiet -r --ignore-unmatch --cached ${INPUTS_OUTPUT}/*
# replace with generated output
mv ${{ inputs.tempdir }} ${{ inputs.output }}
mv ${INPUTS_TEMPDIR} ${INPUTS_OUTPUT}
git diff # Show changes
git add ${{ inputs.output }}
git add ${INPUTS_OUTPUT}
git status
if git commit -m "Commit build products"
then
Expand All @@ -192,3 +203,6 @@ runs:
echo "No change"
true # ensure step is successful
fi
env:
INPUTS_OUTPUT: ${{ inputs.output }}
INPUTS_TEMPDIR: ${{ inputs.tempdir }}
3 changes: 2 additions & 1 deletion stash/restore/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -148,10 +148,11 @@ runs:
STASH_RUN_ID: "${{ steps.check-stash.outputs.stash_run_id }}"
REPO: "${{ github.repository }}"
STASH_DIR: "${{ steps.mung.outputs.stash_path }}"
INPUTS_CLEAN: ${{ inputs.clean }}
run: |
# Catch errors in the download with || to avoid the whole workflow failing
# when the download times out
if [[ "${{ inputs.clean }}" == "true" ]]; then
if [[ "${INPUTS_CLEAN}" == "true" ]]; then
if [[ -d "$STASH_DIR" ]]; then
echo "Removing existing stash directory: $STASH_DIR"
rm -rf "$STASH_DIR"
Expand Down
2 changes: 1 addition & 1 deletion stash/save/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -120,7 +120,7 @@ runs:

- name: Upload Stash
id: upload
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
Comment thread
potiuk marked this conversation as resolved.
with:
name: ${{ steps.mung.outputs.stash_name }}
path: ${{ inputs.path }}
Expand Down
Loading