diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index be338003..b4d861c8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -51,7 +51,8 @@ jobs:
 contents: write # for creating branch for pr
 pull-requests: write # unused (used in `codegen-automerge: true` case)
 security-events: write # for github/codeql-action/*
- secrets: inherit
+ secrets:
+ PR_TOKEN_APP_PRIVATE_KEY: ${{ secrets.PR_TOKEN_APP_PRIVATE_KEY }}
 test:
 strategy:
@@ -99,7 +100,11 @@ jobs:
 - run: rm -- Cargo.toml
 - name: Generate tool list
 id: tool-list
- run: tools/ci/tool-list.sh "${{ matrix.tool }}" "${{ matrix.os }}" "${{ matrix.bash }}" >>"${GITHUB_OUTPUT}"
+ run: tools/ci/tool-list.sh "${TOOL}" "${OS}" "${BASH}" >>"${GITHUB_OUTPUT}"
+ env:
+ TOOL: ${{ matrix.tool }}
+ OS: ${{ matrix.os }}
+ BASH: ${{ matrix.bash }}
 - run: |
 printf '%s\n' 'C:\msys64\mingw32\bin' >>"${GITHUB_PATH}"
 printf '%s\n' 'C:\msys64\usr\bin' >>"${GITHUB_PATH}"
@@ -264,7 +269,7 @@ jobs:
 sed -i /etc/yum.repos.d/*.repo -e 's!^mirrorlist!#mirrorlist!' \
 -e 's!^#baseurl=http://mirror.centos.org/!baseurl=https://vault.centos.org/!'
 sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf
- if [[ "${{ matrix.container }}" == "centos:6" ]]; then
+ if [[ "${CONTAINER}" == "centos:6" ]]; then
 # CentOS 6's curl (7.19.7) has no curl has no --proto/--tlsv1.2.
 yum install -y gcc openssl-devel
 curl -fsSL --retry 10 https://curl.se/download/curl-7.34.0.tar.gz | tar xzf -
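Review bot: The new `PR_TOKEN_APP_PRIVATE_KEY` line carries no purpose comment, while every permission two lines above has one (`# for creating branch for pr`); the same gap is in the explicit secrets added to manifest.yml at @@ -37 and release.yml at @@ -435 (`PUSH_TOKEN`). A trailing comment in the same style, e.g. `PR_TOKEN_APP_PRIVATE_KEY: ${{ secrets.PR_TOKEN_APP_PRIVATE_KEY }} # for minting the PR token via the GitHub App`, keeps the least-privilege rationale readable next to the permissions — adjust the wording to what the called workflow actually does with it, which is not visible on this page. Replacing `secrets: inherit` with a named secret is the right direction, since the reusable workflow now receives only this one value; presumably it also has to declare that name under `on.workflow_call.secrets`, or the call is rejected at validation. The job whose `permissions:` this belongs to starts outside the hunk.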
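Review bot: The step-level env names `BASH` and `OS` collide with variables that already mean something at runtime, so the intended values may not reach `tools/ci/tool-list.sh`. `BASH` is a variable bash itself assigns at startup to the pathname of the running interpreter (see "Shell Variables" in the bash manual), and if that assignment overrides the inherited environment — which it appears to do — `"${BASH}"` on the new run line carries something like `/usr/bin/bash` instead of `matrix.bash`; `OS` is a built-in Windows variable (`Windows_NT`) that this step now shadows on Windows runners. Prefixing the names removes both collisions without changing the technique: `run: tools/ci/tool-list.sh "${MATRIX_TOOL}" "${MATRIX_OS}" "${MATRIX_BASH}" >>"${GITHUB_OUTPUT}"`, with the three `env:` keys renamed to match. The enclosing job and its `matrix` definition are outside the hunk.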
@@ -278,13 +283,17 @@ jobs:
 https://vault.ius.io/el6/x86_64/packages/p/perl-Git18-1.8.5.5-4.ius.el6.noarch.rpm \
 https://vault.ius.io/el6/x86_64/packages/g/git18-1.8.5.5-4.ius.el6.x86_64.rpm
 fi
+ env:
+ CONTAINER: ${{ matrix.container }}
 if: startsWith(matrix.container, 'centos')
 - uses: taiki-e/checkout-action@v1
 # cross attempts to install rust-src when Cargo.toml is available even if `cross --version`
 - run: rm -- Cargo.toml
 - name: Generate tool list
 id: tool-list
- run: tools/ci/tool-list.sh "" "${{ matrix.container }}" >>"${GITHUB_OUTPUT}"
+ run: tools/ci/tool-list.sh "" "${CONTAINER}" >>"${GITHUB_OUTPUT}"
+ env:
+ CONTAINER: ${{ matrix.container }}
 # remove bash installed by checkout-action
 - run: apk --no-cache del bash
 shell: sh
diff --git a/.github/workflows/manifest.yml b/.github/workflows/manifest.yml
index d76768e2..7767bbed 100644
--- a/.github/workflows/manifest.yml
+++ b/.github/workflows/manifest.yml
@@ -37,7 +37,8 @@ jobs:
 permissions:
 contents: write # for creating branch for pr
 pull-requests: write # for gh pr review --approve
- secrets: inherit
+ secrets:
+ PR_TOKEN_APP_PRIVATE_KEY: ${{ secrets.PR_TOKEN_APP_PRIVATE_KEY }}
 with:
 script: tools/manifest.sh
 commit-script: tools/ci/manifest.sh
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index cf958670..9c294501 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -26,6 +26,10 @@ defaults:
 run:
 shell: bash --noprofile --norc -CeEuxo pipefail {0}
+concurrency: group: ${{ github.workflow }} cancel-in-progress: false
+
 jobs:
 prepare:
 if: github.repository_owner == 'taiki-e' && inputs.target == 'install-action'
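Review bot: `CONTAINER: ${{ matrix.container }}` is now declared twice in this job — on the CentOS setup step here and again on the `Generate tool list` step — where one job-level `env:` entry would feed both `run` blocks (the `"${CONTAINER}"` comparison at @@ -264 reads the same variable). Moving the matrix value out of `run:` and into `env:` is the right fix for the template-injection pattern that tools such as zizmor flag, so the duplication is only a maintenance point; with a job-level `env:` the two step-level blocks can be dropped. The job header and its `matrix` definition lie outside the hunk, so I cannot confirm nothing there already defines `CONTAINER`.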
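Review bot: The new `concurrency:` block in release.yml states no intent; since `cancel-in-progress: false` makes a second run wait rather than abort the first, a one-line comment above it such as `# serialize release runs; cancel-in-progress is false so a queued run is never dropped` would tell a later reader this is deliberate. The group key is the bare workflow name, so runs for different `inputs.target` values (the `prepare` job just below branches on that input) queue behind each other as well; if those targets touch independent state, `group: ${{ github.workflow }}-${{ inputs.target }}` would let them overlap, otherwise the single group is the conservative choice. In this rendering the `group:` and `cancel-in-progress:` lines appear without their `+` markers, which I take to be a display artefact. The `jobs:` section continues outside the hunk.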
@@ -435,7 +439,8 @@ jobs:
 contents: write # for taiki-e/create-gh-release-action
 id-token: write # for rust-lang/crates-io-auth-action
 attestations: write # unused (used when options for uploading binaries are set)
- secrets: inherit
+ secrets:
+ PUSH_TOKEN: ${{ secrets.PUSH_TOKEN }}
 with:
 version: ${{ inputs.version }}
 tag-prefix: install-action-manifest-schema-
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
index b5be7c9c..2af76c73 100644
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -2,7 +2,7 @@
 # https://docs.zizmor.sh/configuration/
 rules:
- secrets-inherit: { disable: true }
+ anonymous-definition: { disable: true }
 unpinned-uses:
 config:
 policies:
diff --git a/tools/tidy.sh b/tools/tidy.sh
index a6a50884..a04c120f 100755
--- a/tools/tidy.sh
+++ b/tools/tidy.sh
@@ -86,11 +86,6 @@ check_config() {
 check_install() {
 for tool in "$@"; do
 if ! type -P "${tool}" >/dev/null; then
- if [[ "${tool}" == 'python3' ]]; then
- if type -P python >/dev/null; then
- continue
- fi
- fi
 error "'${tool}' is required to run this check"
 return 1
 fi
@@ -132,10 +127,6 @@ EOF
 exit 1
 fi
-py_suffix=''
-if type -P python3 >/dev/null; then
- py_suffix=3
-fi
 yq() { uvx yq "$@"; }
 tomlq() { uvx --from yq tomlq "$@"; }
 case "$(uname -s)" in
@@ -700,7 +691,7 @@ elif check_install shellcheck; then
 # Exclude SC2096 due to the way the temporary script is created.
 shellcheck_exclude=SC2096
 info "running \`shellcheck --exclude ${shellcheck_exclude}\` for scripts in \`\$(git ls-files '*Dockerfile*')\`"
- if check_install jq python3 parse-dockerfile; then
+ if check_install jq parse-dockerfile; then
 shellcheck_for_dockerfile() {
 local text=$1
 local shell=$2
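Review bot: The `anonymous-definition: { disable: true }` entry in zizmor.yml has no comment saying why that audit is switched off, and it replaces an unrelated entry (`secrets-inherit`) that the workflow changes in this commit make unnecessary. A short comment above it, e.g. `# anonymous-definition: the workflows here omit name: on purpose`, would stop a later reader from assuming the disable is a leftover — I cannot tell from the page what actually motivates it, so word it to match. Dropping the `secrets-inherit` exemption is the right consequence of naming the secrets explicitly, since that audit is now enforced again.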
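Review bot: `python3` is dropped from this `check_install` list at @@ -700, but the body of `shellcheck_for_dockerfile` continues outside the hunk and I cannot see whether its python invocation was removed as well; with `py_suffix` deleted at @@ -132, a surviving `"python${py_suffix}"` call would expand to a bare `python` — precisely the interpreter the fallback removed from `check_install` at @@ -86 used to accept — or fail outright if the script runs under `set -u`. If the Dockerfile branch still shells out to python, either keep `python3` in this check or rewrite the call the way the GHA branch is being changed. The same check applies to `if check_install jq uv; then` at @@ -833, whose python removal at @@ -846 is only partly visible on this page.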
@@ -833,7 +824,7 @@ elif check_install shellcheck; then
 # Exclude SC2096 due to the way the temporary script is created.
 shellcheck_exclude=SC2086,SC2096,SC2129
 info "running \`shellcheck --exclude ${shellcheck_exclude}\` for scripts in .github/workflows/*.yml and **/action.yml"
- if check_install jq python3 uv; then
+ if check_install jq uv; then
 shellcheck_for_gha() {
 local text=$1
 local shell=$2
@@ -846,16 +837,8 @@ elif check_install shellcheck; then
 *) return ;;
 esac
 text="#!/usr/bin/env ${shell%' {0}'}"$'\n'"${text}"
- # Use python because sed doesn't support .*?.
- text=$(
- "python${py_suffix}" - <