diff --git a/.github/actions/build-base-image/action.yaml b/.github/actions/build-base-image/action.yaml index 1204ebf89e08..96bbcadeb1e3 100644 --- a/.github/actions/build-base-image/action.yaml +++ b/.github/actions/build-base-image/action.yaml @@ -62,7 +62,10 @@ runs: - name: Build BASE image shell: bash - run: .github/scripts/build-base-image.sh "${{ inputs.BASE_BRANCH }}" "${{ inputs.TYPE }}" + env: + INPUTS_BASE_BRANCH: ${{ inputs.BASE_BRANCH }} + INPUTS_TYPE: ${{ inputs.TYPE }} + run: .github/scripts/build-base-image.sh "${INPUTS_BASE_BRANCH}" "${INPUTS_TYPE}" - name: Cache pre-built src id: cache-src @@ -95,10 +98,12 @@ runs: - name: Build image if: inputs.BUILD_IMAGE == 'true' shell: bash -eo pipefail {0} + env: + INPUTS_TYPE: ${{ inputs.TYPE }} run: | .github/scripts/restore-from-prebuilt.sh `pwd` .github/otp.tar.gz rm -f otp_{src,cache}.tar.gz docker build --tag otp \ --build-arg MAKEFLAGS=-j$(($(nproc) + 2)) \ - --file ".github/dockerfiles/Dockerfile.${{ inputs.TYPE }}" \ + --file ".github/dockerfiles/Dockerfile.${INPUTS_TYPE}" \ .github/ diff --git a/.github/actions/ossf-compiler-flags-scanner/action.yaml b/.github/actions/ossf-compiler-flags-scanner/action.yaml index fe1a8d435398..4b3cac324a0b 100644 --- a/.github/actions/ossf-compiler-flags-scanner/action.yaml +++ b/.github/actions/ossf-compiler-flags-scanner/action.yaml @@ -33,6 +33,7 @@ runs: repository: ossf/wg-best-practices-os-developers sparse-checkout: docs/Compiler-Hardening-Guides/compiler-options-scraper path: ossf + persist-credentials: false - name: Setup compiler options scraper shell: bash -eo pipefail {0} diff --git a/.github/workflows/github-actions-checker.yaml b/.github/workflows/github-actions-checker.yaml index 22955c37dd97..c8dc06aebf1e 100644 --- a/.github/workflows/github-actions-checker.yaml +++ b/.github/workflows/github-actions-checker.yaml 
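Review bot: In the Build image hunk, `INPUTS_TYPE` is no longer expanded by the expression engine, but it is still spliced unchecked into `--file ".github/dockerfiles/Dockerfile.${INPUTS_TYPE}"`, so a value containing `../` would select a Dockerfile outside `.github/dockerfiles`. The input appears to come only from this repository's own workflows, so exposure is low, but a one-line allowlist before the build keeps that assumption explicit: `case "${INPUTS_TYPE}" in ''|*[!A-Za-z0-9_-]*) echo "invalid TYPE: ${INPUTS_TYPE}" >&2; exit 1;; esac`. The same guard would cover the `build-base-image.sh` call in the first hunk, whose script body is outside this diff.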
@@ -38,6 +38,8 @@ jobs: name: 'ratchet' steps: - uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # v6.0.2 + with: + persist-credentials: false - id: files run: | FILES=$(find .github/ -name "*.yml" -o -name "*.yaml" -printf "%p ") diff --git a/.github/workflows/license-scanner.yaml b/.github/workflows/license-scanner.yaml index 9c1a5aa058a0..55d1ad92f42f 100644 --- a/.github/workflows/license-scanner.yaml +++ b/.github/workflows/license-scanner.yaml @@ -38,6 +38,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: '0' + persist-credentials: false - uses: erlef/setup-beam@e6d7c94229049569db56a7ad5a540c051a010af9 # v1.20.4 with: otp-version: '27' diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index 9ffee5e26dfa..8b6b0b7523cf 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -67,6 +67,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: false - name: Detect whitespace errors run: | @@ -114,6 +115,8 @@ jobs: all: ${{ steps.apps.outputs.all }} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: ./.github/actions/build-base-image with: BASE_BRANCH: ${{ env.BASE_BRANCH }} @@ -140,7 +143,7 @@ jobs: ALL_APPS: ${{ steps.apps.outputs.all }} CHANGED_APPS: ${{ steps.app-changes.outputs.changes }} run: | - if ${{ env.FULL_BUILD_AND_CHECK }}; then + if [ "${FULL_BUILD_AND_CHECK}" = "true" ]; then echo "changes=${ALL_APPS}" >> "$GITHUB_OUTPUT" else echo "changes=${CHANGED_APPS}" >> "$GITHUB_OUTPUT" @@ -243,6 +246,8 @@ jobs: MACOS_VERSION: 15 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Download source archive uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 
@@ -292,6 +297,8 @@ jobs: if: needs.pack.outputs.build-c-code == 'true' steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Download source archive uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: @@ -437,6 +444,8 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: ./.github/actions/build-base-image with: BASE_BRANCH: ${{ env.BASE_BRANCH }} @@ -518,10 +527,11 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: false - name: Get modified vendor files id: vendor-files run: | - echo "MODIFIED_FILES=$(git diff --name-only origin/${{ github.base_ref }} HEAD | grep 'vendor\.info$' | wc -l || 1)" >> $GITHUB_OUTPUT + echo "MODIFIED_FILES=$(git diff --name-only "origin/${GITHUB_BASE_REF}" HEAD | grep 'vendor\.info$' | wc -l || 1)" >> $GITHUB_OUTPUT # this is a call to a workflow_call pr-vendor-vulnerability-analysis: @@ -531,7 +541,8 @@ jobs: actions: read contents: read name: Vendor Vulnerability Scanning - uses: ./.github/workflows/reusable-vendor-vulnerability-scanner.yml + # This is an internal and trusted workflow. + uses: ./.github/workflows/reusable-vendor-vulnerability-scanner.yml # zizmor: ignore[secrets-inherit] with: fail_if_cve: false checkout: true @@ -556,6 +567,8 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: ./.github/actions/build-base-image with: BASE_BRANCH: ${{ env.BASE_BRANCH }} @@ -572,7 +585,7 @@ jobs: with: name: otp_prebuilt - name: Build on FreeBSD - uses: vmactions/freebsd-vm@c9f815bc7aa0d34c9fdd0619b034a32d6ca7b57e # v1 + uses: vmactions/freebsd-vm@c9f815bc7aa0d34c9fdd0619b034a32d6ca7b57e # v1.4.2 with: usesh: true copyback: false 
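Review bot: The rewritten `MODIFIED_FILES=` line in the vendor-files step keeps a fallback that never fires: `wc -l` exits 0 even with empty input, and if the pipeline did fail `|| 1` would try to run a command named `1`. `GITHUB_BASE_REF` is also empty for anything other than a pull request, which turns the ref into `origin/` and makes `git diff` fail silently inside the `$(...)`, and `$GITHUB_OUTPUT` is still unquoted. A clearer form is `count=$(git diff --name-only "origin/${GITHUB_BASE_REF:?}" HEAD | grep -c 'vendor\.info$' || true)` followed by `echo "MODIFIED_FILES=${count}" >> "$GITHUB_OUTPUT"`; `grep -c` prints `0` and exits 1 when nothing matches, which `|| true` absorbs, and `:?` makes a non-PR run fail loudly. The job trigger that would guarantee a pull_request context is outside this hunk.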
@@ -652,6 +665,8 @@ jobs: needs: pack steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: ./.github/actions/build-base-image with: BASE_BRANCH: ${{ env.BASE_BRANCH }} @@ -709,6 +724,8 @@ jobs: security-events: write # needed for SARIF upload steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: ./.github/actions/build-base-image with: BASE_BRANCH: ${{ env.BASE_BRANCH }} @@ -736,21 +753,25 @@ jobs: fail-fast: false steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: ./.github/actions/build-base-image with: BASE_BRANCH: ${{ env.BASE_BRANCH }} - name: Run tests id: run-tests + env: + MATRIX_TYPE: ${{ matrix.type }} run: | set -x mkdir $PWD/make_test_dir - APP="${{ matrix.type }}" + APP="${MATRIX_TYPE}" ## Need to specialize for epmd, emulator and debug case "${APP}" in emulator) DIR=erts/emulator/ ;; epmd) DIR=erts/epmd ;; debug) DIR=lib/os_mon; APP=os_mon; TYPE=debug ;; - *) DIR=lib/${{ matrix.type }} ;; + *) DIR=lib/${MATRIX_TYPE} ;; esac ## Remove systemd-coredump ! sudo apt remove systemd-coredump 
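Review bot: In the Run tests step, the default branch `*) DIR=lib/${MATRIX_TYPE} ;;` re-reads the matrix value even though `APP` was just assigned the same string and every other branch works from `APP`; `*) DIR=lib/${APP} ;;` keeps the dispatch on one variable. `mkdir $PWD/make_test_dir` is still unquoted; `mkdir "$PWD/make_test_dir"` matches the quoting used for the `-v` mounts later in the step. Note that `TYPE` is only assigned in the `debug` branch and is otherwise unset when the step continues past this hunk; whether an empty `TYPE=` is intended depends on the Makefiles, which are outside this diff.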
@@ -761,20 +782,22 @@ jobs: docker run --ulimit core=-1 --ulimit nofile=5000:5000 --pids-limit 1024 \ -e CTRUN_TIMEOUT=90 -e SPEC_POSTFIX=gh \ -e TEST_NEEDS_RELEASE=true -e "RELEASE_ROOT=/buildroot/otp/Erlang ∅⊤℞" \ - -e EXTRA_ARGS="-ct_hooks cth_surefire [{path,\"/buildroot/otp/$DIR/make_test_dir/${{ matrix.type }}_junit.xml\"}]" \ + -e EXTRA_ARGS="-ct_hooks cth_surefire [{path,\"/buildroot/otp/$DIR/make_test_dir/${MATRIX_TYPE}_junit.xml\"}]" \ -v "$PWD/make_test_dir:/buildroot/otp/$DIR/make_test_dir" \ -v "$PWD/scripts:/buildroot/otp/scripts" \ otp "./otp_build download_gdb_tools && make emulator && make TYPE=${TYPE} && make ${APP}_test TYPE=${TYPE}" ## Rename os_mon to debug for debug build - if [ "$APP" != "${{ matrix.type }}" ]; then - mv make_test_dir/${APP}_test "make_test_dir/${{ matrix.type }}_test" + if [ "$APP" != "${MATRIX_TYPE}" ]; then + mv make_test_dir/${APP}_test "make_test_dir/${MATRIX_TYPE}_test" fi - name: Cleanup tests if: ${{ !cancelled() }} + env: + MATRIX_TYPE: ${{ matrix.type }} run: | rm -rf make_test_dir/otp || true sudo bash -c "chown -R `whoami` make_test_dir && chmod -R +r make_test_dir" - tar czf ${{ matrix.type }}_test_results.tar.gz make_test_dir + tar czf ${MATRIX_TYPE}_test_results.tar.gz make_test_dir - name: Upload test results uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 if: ${{ !cancelled() }} @@ -789,6 +812,8 @@ jobs: needs: test steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: ./.github/actions/build-base-image with: BASE_BRANCH: ${{ env.BASE_BRANCH }} @@ -866,6 +891,8 @@ jobs: run: git config --global url.https://github.com/.insteadOf ssh://git@github.com/ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: ./.github/actions/build-base-image with: BASE_BRANCH: ${{ env.BASE_BRANCH }} 
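Review bot: The Cleanup tests step still runs a root shell on a string-built command, `sudo bash -c "chown -R ... && chmod -R +r make_test_dir"` with a backtick `whoami` substitution, right next to lines that were just converted to quoted variables. The same effect without a root shell is `sudo chown -R "$(id -u):$(id -g)" make_test_dir && chmod -R +r make_test_dir` (once the files belong to the runner user the `chmod` no longer needs `sudo`), and `tar czf "${MATRIX_TYPE}_test_results.tar.gz" make_test_dir` keeps the quoting consistent with the `mv` lines above. The files are presumably root-owned because of the `docker run` in the previous step, so the `chown` itself is still needed.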
@@ -876,6 +903,7 @@ jobs: repository: oss-review-toolkit/ort-config ref: "d2978deb230beae095bb6cfec074b94f1a74fd34" path: ".ort-config" + persist-credentials: false - name: Setup ORT Config id: setup-ort-config @@ -1039,6 +1067,8 @@ jobs: id-token: write steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: ./.github/actions/build-base-image with: BASE_BRANCH: ${{ env.BASE_BRANCH }} @@ -1091,6 +1121,9 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + ## Publish the pre-built archive and docs - name: Download source archive uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1108,7 +1141,9 @@ jobs: ## We add the correct version name into the file names ## and create the hash files for all assets - name: Create pre-build and doc archives - run: .github/scripts/create-artifacts.sh artifacts ${{ steps.tag.outputs.tag }} + env: + STEPS_TAG_OUTPUTS_TAG: ${{ steps.tag.outputs.tag }} + run: .github/scripts/create-artifacts.sh artifacts "${STEPS_TAG_OUTPUTS_TAG}" ## Create hash files - name: Create pre-build and doc archives @@ -1159,17 +1194,17 @@ jobs: path: "attestations/*.sigstore" - name: Upload pre-built and doc tar archives - uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0 - with: - name: OTP ${{ steps.tag.outputs.vsn }} - files: | - artifacts/*.tar.gz - artifacts/*.txt - attestations/*.sigstore - scan-report-web-app.html - bom.* env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + TAG: ${{ steps.tag.outputs.tag }} + VSN: ${{ steps.tag.outputs.vsn }} + run: | + gh release create "${TAG}" --title "OTP ${VSN}" \ + artifacts/*.tar.gz \ + artifacts/*.txt \ + attestations/*.sigstore \ + scan-report-web-app.html \ + bom.* - name: Deploy on erlang.org env: GITHUB_TOKEN: ${{ secrets.TRIGGER_ERLANG_ORG_BUILD }} 
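Review bot: `gh release create "${TAG}" ...` in the Upload step is not idempotent: if a release for `${TAG}` already exists (a re-run of this job, or a release created by hand) the command fails, whereas the replaced `softprops/action-gh-release` step would update the existing release and its assets. Adding `--verify-tag` also makes `gh` refuse to create a release for a tag that was never pushed, instead of creating the tag from the default branch. If re-runs need to succeed, check first and fall back to upload, e.g. `gh release view "${TAG}" >/dev/null 2>&1 && gh release upload --clobber "${TAG}" artifacts/*.tar.gz ... || gh release create --verify-tag "${TAG}" ...`; whether this job is ever re-run against an existing tag depends on the `steps.tag` logic, which is outside this hunk.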
@@ -1185,3 +1220,18 @@ jobs: with: name: Event File path: ${{ github.event_path }} + + # Zizmor is a GitHub Actions security linter. + # See: https://docs.zizmor.sh/ + zizmor: + name: Zizmor + runs-on: ubuntu-latest + permissions: + security-events: write + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - name: Run zizmor + uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2 diff --git a/.github/workflows/openvex-sync.yml b/.github/workflows/openvex-sync.yml index 0cecfea969f7..75bb822a55a4 100644 --- a/.github/workflows/openvex-sync.yml +++ b/.github/workflows/openvex-sync.yml @@ -43,8 +43,9 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: 'master' # '' = default branch + persist-credentials: false - - uses: erlef/setup-beam@e6d7c94229049569db56a7ad5a540c051a010af9 # v1 + - uses: erlef/setup-beam@e6d7c94229049569db56a7ad5a540c051a010af9 # v1.20.4 with: otp-version: '28' 
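Review bot: The new `zizmor` job declares only `security-events: write`; once a job sets `permissions`, every unlisted scope drops to `none`, so the token used by `actions/checkout` and by the SARIF upload carries no `contents: read`. Whether checkout still succeeds with such a token depends on the repository being public; listing `contents: read` (and `actions: read`, which the code-scanning upload path typically wants) makes the requirement explicit instead of relying on visibility. The zizmor-action documentation, as I recall it, shows exactly those three scopes together; confirm against the pinned `v0.5.2`.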
@@ -60,18 +61,24 @@ jobs: private-key: ${{ secrets.ERLANG_BOT_PRIVATE_KEY }} - name: Authenticate gh + env: + STEPS_APP_TOKEN_OUTPUTS_TOKEN: ${{ steps.app-token.outputs.token }} run: | - echo "${{ steps.app-token.outputs.token }}" | gh auth login --with-token + echo "${STEPS_APP_TOKEN_OUTPUTS_TOKEN}" | gh auth login --with-token - name: Get GitHub App User ID id: get-user-id - run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT" env: GH_TOKEN: ${{ steps.app-token.outputs.token }} + STEPS_APP_TOKEN_OUTPUTS_APP_SLUG: ${{ steps.app-token.outputs.app-slug }} + run: echo "user-id=$(gh api "/users/${STEPS_APP_TOKEN_OUTPUTS_APP_SLUG}[bot]" --jq .id)" >> "$GITHUB_OUTPUT" - - run: | - git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]' - git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com' + - env: + STEPS_APP_TOKEN_OUTPUTS_APP_SLUG: ${{ steps.app-token.outputs.app-slug }} + STEPS_GET_USER_ID_OUTPUTS_USER_ID: ${{ steps.get-user-id.outputs.user-id }} + run: | + git config --global user.name "${STEPS_APP_TOKEN_OUTPUTS_APP_SLUG}[bot]" + git config --global user.email "${STEPS_GET_USER_ID_OUTPUTS_USER_ID}+${STEPS_APP_TOKEN_OUTPUTS_APP_SLUG}[bot]@users.noreply.github.com" - name: 'Open OpenVEX Pull Requests for newly released vulnerabilities' run: | diff --git a/.github/workflows/ossf-compiler-flags-scanner.yaml b/.github/workflows/ossf-compiler-flags-scanner.yaml index 59df712e464d..dcd728875e07 100644 --- a/.github/workflows/ossf-compiler-flags-scanner.yaml +++ b/.github/workflows/ossf-compiler-flags-scanner.yaml @@ -45,6 +45,8 @@ jobs: contents: read steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Create initial pre-release tar run: .github/scripts/init-pre-release.sh otp_src.tar.gz - uses: ./.github/actions/build-base-image 
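Review bot: The Authenticate gh step pipes the App installation token into `gh auth login --with-token`, which writes it to the runner's gh config on disk for the rest of the job, while the very next step already passes the same token as `GH_TOKEN`, which `gh` honours without any login. Dropping the login step and setting `GH_TOKEN: ${{ steps.app-token.outputs.token }}` on each step that calls `gh` (as `Get GitHub App User ID` does) keeps the token out of `~/.config/gh/hosts.yml` and out of anything that captures the home directory. The later 'Open OpenVEX Pull Requests' step is cut off by this hunk, so confirm it receives `GH_TOKEN` before removing the login.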
diff --git a/.github/workflows/osv-scanner-scheduled.yml b/.github/workflows/osv-scanner-scheduled.yml index d1c5e3942167..3b5d9881acdc 100644 --- a/.github/workflows/osv-scanner-scheduled.yml +++ b/.github/workflows/osv-scanner-scheduled.yml @@ -42,6 +42,8 @@ jobs: versions: ${{ steps.get-versions.outputs.versions }} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - id: get-versions name: Fetch latest 3 OTP versions run: | @@ -74,10 +76,11 @@ jobs: env: GH_TOKEN: ${{ github.token }} REPO: ${{ github.repository }} # in testing cases, this is your fork, e.g., kikofernandez/otp + MATRIX_TYPE: ${{ matrix.type }} run: | gh api \ --method POST \ -H "Accept: application/vnd.github+json" \ -H "X-GitHub-Api-Version: 2022-11-28" \ /repos/${{ github.repository }}/actions/workflows/reusable-vendor-vulnerability-scanner.yml/dispatches \ - -f 'ref=master' -f "inputs[checkout]=true" -f "inputs[version]=${{ matrix.type }}" -f "inputs[fail_if_cve]=true" + -f 'ref=master' -f "inputs[checkout]=true" -f "inputs[version]=${MATRIX_TYPE}" -f "inputs[fail_if_cve]=true" diff --git a/.github/workflows/pr-comment.yaml b/.github/workflows/pr-comment.yaml index 5bb0d8ef0dc7..651c68e66c19 100644 --- a/.github/workflows/pr-comment.yaml +++ b/.github/workflows/pr-comment.yaml @@ -22,7 +22,12 @@ name: Update PR details # read-write repo token # access to secrets -on: + +# workflow_run is required to comment on PRs from forks with write permissions. +# This is safe because we only checkout the base repo (not fork code) and don't +# execute any code from the PR. Be careful when adapting this workflow to not +# introduce code execution from untrusted sources. +on: # zizmor: ignore[dangerous-triggers] workflow_run: workflows: ["Build and check Erlang/OTP"] types: 
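Review bot: The dispatch step defines `REPO: ${{ github.repository }}` in `env` but the API path on the following line still interpolates `${{ github.repository }}` directly, so the env var is unused and the step is only half converted. `github.repository` is not attacker-controlled, so this is consistency rather than injection, but `/repos/${REPO}/actions/workflows/reusable-vendor-vulnerability-scanner.yml/dispatches \` uses the value the comment above it describes and matches the `MATRIX_TYPE` change in the same hunk.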
@@ -45,6 +50,8 @@ jobs: result: ${{ steps.pr-number.outputs.result }} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: erlef/setup-beam@e6d7c94229049569db56a7ad5a540c051a010af9 # v1.20.4 with: otp-version: '27' @@ -52,9 +59,10 @@ jobs: id: pr-number env: GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} + GITHUB_EVENT_WORKFLOW_RUN_HEAD_SHA: ${{ github.event.workflow_run.head_sha }} run: | .github/scripts/get-pr-number.es erlang/otp \ - "${{ github.event.workflow_run.head_sha }}" + "${GITHUB_EVENT_WORKFLOW_RUN_HEAD_SHA}" starting-tests: runs-on: ubuntu-latest @@ -65,13 +73,17 @@ jobs: if: github.event.action == 'requested' && needs.pr-number.outputs.result != '' steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false ## We create an initial comment with some useful help to the user - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + PR_NUMBER: ${{ needs.pr-number.outputs.result }} with: script: | const script = require('./.github/scripts/pr-comment.js'); return await script({github, context, state: 'starting', - pr_number: ${{ needs.pr-number.outputs.result }} }); + pr_number: parseInt(process.env.PR_NUMBER) }); finished-tests: runs-on: ubuntu-latest 
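Review bot: `pr_number: parseInt(process.env.PR_NUMBER)` in the starting-tests script has no radix and no validation: a malformed `PR_NUMBER` becomes `NaN`, which then reaches the API call inside `pr-comment.js` (outside this hunk) as an invalid issue number. The job-level `needs.pr-number.outputs.result != ''` guard covers the empty case but not a non-numeric value from `get-pr-number.es`. Prefer `const pr_number = Number.parseInt(process.env.PR_NUMBER, 10);` followed by `if (!Number.isInteger(pr_number)) throw new Error('bad PR_NUMBER: ' + process.env.PR_NUMBER);` before the `script(...)` call, then pass `pr_number`.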
@@ -88,14 +100,17 @@ jobs: github.event.workflow_run.conclusion != 'skipped' steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Download and Extract Artifacts id: extract env: GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} + GITHUB_EVENT_WORKFLOW_RUN_ARTIFACTS_URL: ${{ github.event.workflow_run.artifacts_url }} run: | mkdir -p artifacts && cd artifacts - artifacts_url=${{ github.event.workflow_run.artifacts_url }} + artifacts_url="${GITHUB_EVENT_WORKFLOW_RUN_ARTIFACTS_URL}" gh api "$artifacts_url" --paginate -q '.artifacts[] | [.name, .archive_download_url] | @tsv' | while read artifact do @@ -126,8 +141,10 @@ jobs: ## Publish CT Test Results - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 if: always() + env: + PR_NUMBER: ${{ needs.pr-number.outputs.result }} with: script: | const script = require('./.github/scripts/pr-comment.js'); return await script({github, context, state: 'finished', - pr_number: ${{ needs.pr-number.outputs.result }} }); + pr_number: parseInt(process.env.PR_NUMBER) }); diff --git a/.github/workflows/renovate-vendored-deps.yaml b/.github/workflows/renovate-vendored-deps.yaml index b891648b7cdb..37135aa2becb 100644 --- a/.github/workflows/renovate-vendored-deps.yaml +++ b/.github/workflows/renovate-vendored-deps.yaml @@ -40,6 +40,8 @@ jobs: github.actor == 'renovate-bot' steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + # zizmor: ignore[artipacked] + # git push in renovate-vendored-deps.sh needs credentials with: repository: ${{ github.event.pull_request.head.repo.full_name }} ref: ${{ github.event.pull_request.head.ref }} diff --git a/.github/workflows/reusable-vendor-vulnerability-scanner.yml b/.github/workflows/reusable-vendor-vulnerability-scanner.yml index 7a0b3165f4c3..5c603aa91762 100644 --- a/.github/workflows/reusable-vendor-vulnerability-scanner.yml 
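Review bot: In the Download and Extract Artifacts step, the artifact names and archives that `gh api "$artifacts_url"` enumerates come from the workflow run being reported on, and for a fork pull request that run executes the fork's copy of the workflow, so `.name` and the archive contents are attacker-influenced even though the header comment says no PR code is executed. The `while read artifact` body that handles each name is outside the hunk; it should use `read -r`, reject names containing `/` or `..` before using them as paths, and extract with a tool that refuses path traversal. Quoting `artifacts_url` is the right change; the value itself is also taken from the event payload, which is the same trust level as the artifact list.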
+++ b/.github/workflows/reusable-vendor-vulnerability-scanner.yml @@ -109,6 +109,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ inputs.checkout && inputs.version || ''}} # '' = default branch + persist-credentials: false - uses: erlef/setup-beam@566deebc640988a494af16ecdf6f820fe0d3fea4 # racket:actions/checkout@v1 with: @@ -133,16 +134,21 @@ jobs: # this is for security reasons that forked PRs cannot work with Github App tokens # generated by Erlang/OTP, as that could leak secrets. - name: "Set GH_TOKEN for steps" + env: + STEPS_APP_TOKEN_OUTPUTS_TOKEN: ${{ steps.app-token.outputs.token }} run: | - if [ -n "${{ steps.app-token.outputs.token }}" ]; then + if [ -n "${STEPS_APP_TOKEN_OUTPUTS_TOKEN}" ]; then echo "Using GitHub App Token" - echo "GH_TOKEN=${{ steps.app-token.outputs.token }}" >> $GITHUB_ENV + echo "GH_TOKEN=${STEPS_APP_TOKEN_OUTPUTS_TOKEN}" >> $GITHUB_ENV else echo "Using default GITHUB_TOKEN" echo "GH_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV fi - name: 'Analysis of dependencies from OpenVEX in ${{ inputs.version }}' + env: + STEPS_APP_TOKEN_OUTPUTS_TOKEN: ${{ steps.app-token.outputs.token }} + INPUTS_VERSION: ${{ inputs.version }} run: | curl -L \ -H "Accept: application/vnd.github+json" \ @@ -153,6 +159,6 @@ jobs: chmod +x otp-compliance.es cp otp-compliance.es /home/runner/work/otp/otp/.github/scripts/otp-compliance.es cd /home/runner/work/otp/otp && \ - GH_TOKEN="${{ steps.app-token.outputs.token }}" .github/scripts/otp-compliance.es sbom osv-scan \ - --version ${{ inputs.version }} \ + GH_TOKEN="${STEPS_APP_TOKEN_OUTPUTS_TOKEN}" .github/scripts/otp-compliance.es sbom osv-scan \ + --version "${INPUTS_VERSION}" \ --fail_if_cve ${{ inputs.fail_if_cve }} diff --git a/.github/workflows/sync-github-releases.yaml b/.github/workflows/sync-github-releases.yaml index 5318d32d48bf..e31dc7d9302a 100644 --- a/.github/workflows/sync-github-releases.yaml 
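Review bot: In the analysis step the inline prefix `GH_TOKEN="${STEPS_APP_TOKEN_OUTPUTS_TOKEN}"` overrides the `GH_TOKEN` that the previous step exported through `$GITHUB_ENV`, so when the App token is empty (the fork-PR case the comment describes) `otp-compliance.es` runs with an empty token instead of the `GITHUB_TOKEN` fallback that step chose. Dropping the prefix and the now-unneeded `STEPS_APP_TOKEN_OUTPUTS_TOKEN` env from this step lets the fallback apply: `.github/scripts/otp-compliance.es sbom osv-scan \`. The else branch still writes `${{ secrets.GITHUB_TOKEN }}` via expression and `>> $GITHUB_ENV` is unquoted; a `FALLBACK_TOKEN: ${{ secrets.GITHUB_TOKEN }}` step env and `>> "$GITHUB_ENV"` would match the rest of this change. Whether `otp-compliance.es` reads `GH_TOKEN` from the environment is not shown here.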
+++ b/.github/workflows/sync-github-releases.yaml @@ -44,14 +44,19 @@ jobs: actions: write steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false ## We need to login to the package registry in order to pull ## the base debian image. - name: Docker login - run: docker login https://ghcr.io -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: docker login https://ghcr.io -u "${GITHUB_ACTOR}" -p "${GITHUB_TOKEN}" - name: Sync releases env: ERLANG_ORG_TOKEN: ${{ secrets.TRIGGER_ERLANG_ORG_BUILD }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | pip install --require-hashes -r .github/requirements/mdformat.txt .github/scripts/sync-github-releases.sh ${{ github.repository }} \ - "Bearer ${{ secrets.GITHUB_TOKEN }}" "^[2-9][1-9]\\..*" 25m + "Bearer ${GITHUB_TOKEN}" "^[2-9][1-9]\\..*" 25m diff --git a/.github/workflows/update-base.yaml b/.github/workflows/update-base.yaml index f9e19a12b905..22e68a3f2d77 100644 --- a/.github/workflows/update-base.yaml +++ b/.github/workflows/update-base.yaml @@ -52,6 +52,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ matrix.branch }} + persist-credentials: false - name: Cleanup GH Runner shell: bash run: .github/scripts/cleanup_gh_runner.sh 
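Review bot: The Docker login step still passes the token on the command line with `-p "${GITHUB_TOKEN}"`, which exposes it to the process list and makes `docker login` print its own insecure-password warning; moving the value into `env` did not change that. Use stdin instead: `echo "${GITHUB_TOKEN}" | docker login ghcr.io -u "${GITHUB_ACTOR}" --password-stdin`. In the Sync releases step `${{ github.repository }}` is still interpolated into the script argument while the token beside it was moved to env; `"${GITHUB_REPOSITORY}"` is the matching default variable.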
@@ -69,9 +70,13 @@ jobs: .github/scripts/build-base-image.sh "${{ matrix.branch }}" - name: Push master image if: matrix.branch == 'master' - run: docker push ${{ steps.base.outputs.BASE_TAG }}:latest + env: + STEPS_BASE_OUTPUTS_BASE_TAG: ${{ steps.base.outputs.BASE_TAG }} + run: docker push ${STEPS_BASE_OUTPUTS_BASE_TAG}:latest - name: Tag and push base image + env: + STEPS_BASE_OUTPUTS_BASE_TAG: ${{ steps.base.outputs.BASE_TAG }} run: | - docker tag ${{ steps.base.outputs.BASE_TAG }}:latest \ - ${{ steps.base.outputs.BASE_TAG }}:${{ matrix.branch }} - docker push ${{ steps.base.outputs.BASE_TAG }}:${{ matrix.branch }} + docker tag "${STEPS_BASE_OUTPUTS_BASE_TAG}:latest" \ + "${STEPS_BASE_OUTPUTS_BASE_TAG}:${{ matrix.branch }}" + docker push "${STEPS_BASE_OUTPUTS_BASE_TAG}:${{ matrix.branch }}" diff --git a/.github/workflows/upload-windows-zip.yaml b/.github/workflows/upload-windows-zip.yaml index 6065175fc154..0bc6e9bda948 100644 --- a/.github/workflows/upload-windows-zip.yaml +++ b/.github/workflows/upload-windows-zip.yaml @@ -41,20 +41,26 @@ jobs: permissions: contents: write env: - basename: otp_${{ inputs.target }}_${{ inputs.version }} + BASENAME: otp_${{ inputs.target }}_${{ inputs.version }} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Install OTP shell: cmd + env: + INPUTS_VERSION: ${{ inputs.version }} run: | - curl.exe --fail -Lo otp.exe https://github.com/erlang/otp/releases/download/OTP-${{ inputs.version }}/${{ env.basename }}.exe - otp.exe /S /D=%CD%\${{ env.basename }} + curl.exe --fail -Lo otp.exe https://github.com/erlang/otp/releases/download/OTP-%INPUTS_VERSION%/%BASENAME%.exe + otp.exe /S /D=%CD%\%BASENAME% - name: Download vc_redist.exe shell: bash + env: + INPUTS_TARGET: ${{ inputs.target }} run: | - case "${{ inputs.target }}" in + case "${INPUTS_TARGET}" in win32) vc_redist_target=x86 ;; 
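Review bot: The Tag and push base image step quotes the tag it builds but still interpolates `${{ matrix.branch }}` into both the `docker tag` and `docker push` lines, and the Push master image step leaves `${STEPS_BASE_OUTPUTS_BASE_TAG}:latest` unquoted, so the hunk is only half converted. Add `MATRIX_BRANCH: ${{ matrix.branch }}` to the step `env` and use `"${STEPS_BASE_OUTPUTS_BASE_TAG}:${MATRIX_BRANCH}"` on both lines; the unchanged `.github/scripts/build-base-image.sh "${{ matrix.branch }}"` context line above deserves the same treatment. Matrix values are repository-defined, so this is consistency rather than an open injection.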
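Review bot: In the Install OTP step, moving `inputs.version` into `INPUTS_VERSION` does not remove the injection surface, because the step runs under `shell: cmd`, where `%INPUTS_VERSION%` is expanded textually before the line is parsed; a value containing `&` or `|` still runs an extra command, exactly as the old `${{ }}` form did. Either validate the input first, for example in a preceding bash step with `case "${INPUTS_VERSION}" in *[!A-Za-z0-9.-]*|'') echo "invalid version" >&2; exit 1;; esac`, or run this step under pwsh with `$env:INPUTS_VERSION`, which expands at runtime. Who can supply `inputs.version` depends on the trigger, which is outside this hunk.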
@@ -73,22 +79,23 @@ jobs: run: | $root = Get-Location - cd ${{ env.basename }} + cd $env:BASENAME Get-ChildItem -Recurse -Filter erl.ini | Remove-Item rm Install.exe,Install.ini,Uninstall.exe $sha256 = Get-FileHash $root\otp.exe -Algorithm SHA256 $sha256.Hash.ToLower() | Out-File -FilePath installer.sha256 cp $root/vc_redist.exe . cp $root/erts/etc/win32/INSTALL.txt . - Compress-Archive -Path * -DestinationPath $root\${{ env.basename }}.zip + Compress-Archive -Path * -DestinationPath $root\$env:BASENAME.zip cd $root - Expand-Archive -Path ${{ env.basename }}.zip -DestinationPath .\otp_test + Expand-Archive -Path $env:BASENAME.zip -DestinationPath .\otp_test .\otp_test\bin\erl.exe +V - name: Upload shell: pwsh env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + INPUTS_VERSION: ${{ inputs.version }} run: | - gh release upload -R $env:GITHUB_REPOSITORY --clobber OTP-${{ inputs.version }} ${{ env.basename }}.zip + gh release upload -R $env:GITHUB_REPOSITORY --clobber OTP-$env:INPUTS_VERSION $env:BASENAME.zip diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 000000000000..c46e991d666b --- /dev/null +++ b/.github/zizmor.yml 
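Review bot: In pwsh argument mode `$env:BASENAME.zip` is parsed as member access (the `.zip` property of the string) rather than the string followed by `.zip`, so `Expand-Archive -Path $env:BASENAME.zip` and the final `gh release upload ... $env:BASENAME.zip` most likely receive `$null`, whereas the replaced `${{ env.basename }}.zip` produced the literal file name; unless I am missing a parser rule, this hunk breaks the job. Inside an expandable string no member access is performed, so `$root\$env:BASENAME.zip` on the `Compress-Archive` line should still work; quoting the other two consistently fixes it: `Expand-Archive -Path "$env:BASENAME.zip" -DestinationPath .\otp_test` and `gh release upload -R $env:GITHUB_REPOSITORY --clobber "OTP-$env:INPUTS_VERSION" "$env:BASENAME.zip"`. `cd $env:BASENAME` is unaffected since it carries no suffix.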
@@ -0,0 +1,27 @@
+## %CopyrightBegin%
+##
+## SPDX-License-Identifier: Apache-2.0
+##
+## Copyright Ericsson AB 2026. All Rights Reserved.
+##
+## Licensed under the Apache License, Version 2.0 (the "License");
+## you may not use this file except in compliance with the License.
+## You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+##
+## %CopyrightEnd%
+
+rules:
+ # Windows CMD shell is needed to test Windows-specific behavior.
+ misfeature:
+ disable: true
+ # TODO: Add dedicated environments for secrets used in cross-repo triggers and bot authentication.
+ secrets-outside-env:
+ disable: true
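Review bot: `misfeature: disable: true` and `secrets-outside-env: disable: true` switch the rules off for every workflow in the repository, while the stated reasons are one `shell: cmd` step and a handful of secret uses; the rest of this change already uses the narrower step-level `# zizmor: ignore[rule]` form for `secrets-inherit`, `artipacked` and `dangerous-triggers`, which would keep both audits live everywhere else. If a global disable is kept, the TODO on `secrets-outside-env` should name the workflows it covers so it can be retired once the environments exist, e.g. `# TODO: retire once openvex-sync and sync-github-releases use dedicated environments.`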