Mirrors/curl
0
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2026-01-18 17:21:26 +01:00
Code Issues Packages Projects Releases Wiki Activity

GHA/checksrc: check GHA rules with zizmor

Browse Source 
The pedantic level is experimental. If it causes issues, we may just
disable it alongside the ignore comments.

Also:
- silence error:
  ```
   INFO audit: zizmor: completed label.yml
  error[dangerous-triggers]: use of fundamentally insecure workflow trigger
    --> label.yml:13:1
     |
  13 | 'on': [pull_request_target]
     | ^^^^^^^^^^^^^^^^^^^^^^^^^^^ pull_request_target is almost always used insecurely
     |
     = note: audit confidence -> Medium
  ```
- fix pedantic warning:
  ```
   INFO audit: zizmor: completed label.yml
  warning[excessive-permissions]: overly broad permissions
    --> label.yml:1:1
  ...  |
  24 | |         with:
  25 | |           repo-token: '${{ secrets.GITHUB_TOKEN }}'
     | |____________________________________________________- default permissions used due to no permissions: block
     |
     = note: audit confidence -> Medium
  ```
- silence `template-injection` false positives like:
  ```
  - note: ${{ matrix.build.torture && 'test-torture' || 'test-ci' }} may expand into attacker-controllable code
  - note: ${{ contains(matrix.build.install_steps, 'pytest') && 'caddy httpd vsftpd' || '' }} may expand into attacker-controllable code
  ```
  It doesn't seem like these could be controlled by an attacker.
  Let me know if I'm missing something.

Closes #17278
This commit is contained in:
Viktor Szakats
2025-05-07 18:56:27 +02:00
parent 283ad5c432
commit e522f47986
5 changed files with 23 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
.github/workflows/checksrc.yml vendored
View File

@@ -117,3 +117,18 @@ jobs:
run: |
grep -Ev '(\\bwill| url | dir )' .github/scripts/badwords.txt | \
.github/scripts/badwords.pl $(git ls-files -- src lib include)
ghacheck:
name: GHA analysis
runs-on: macos-latest
timeout-minutes: 1
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
name: checkout
- name: zizmor
run: |
brew install zizmor
zizmor --pedantic .github/workflows/*.yml

5
.github/workflows/label.yml vendored
View File

@@ -10,11 +10,12 @@
# https://github.com/actions/labeler
name: Labeler
'on': [pull_request_target]
'on': [pull_request_target] # zizmor: ignore[dangerous-triggers]
permissions: {}
jobs:
label:
runs-on: ubuntu-latest
permissions:
contents: read

2
.github/workflows/linux.yml vendored
View File

@@ -298,6 +298,7 @@ jobs:
steps:
- name: 'install prereqs'
if: matrix.build.container == null && !contains(matrix.build.name, 'i686')
# zizmor: ignore[template-injection]
run: |
sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list
sudo apt-get -o Dpkg::Use-Pty=0 update
@@ -661,6 +662,7 @@ jobs:
- name: 'run tests'
if: ${{ !contains(matrix.build.install_steps, 'skipall') && !contains(matrix.build.install_steps, 'skiprun') }}
timeout-minutes: ${{ contains(matrix.build.install_packages, 'valgrind') && 30 || 15 }}
# zizmor: ignore[template-injection]
run: |
export TFLAGS='${{ matrix.build.tflags }}'
if [ -z '${{ matrix.build.torture }}' ]; then

2
.github/workflows/macos.yml vendored
View File

@@ -183,6 +183,7 @@ jobs:
# Run this command with retries because of spurious failures seen
# while running the tests, for example
# https://github.com/curl/curl/runs/4095721123?check_suite_focus=true
# zizmor: ignore[template-injection]
run: |
echo ${{ matrix.build.generate && 'ninja' || 'automake libtool' }} \
pkgconf libpsl libssh2 \
@@ -311,6 +312,7 @@ jobs:
- name: 'run tests'
if: ${{ !matrix.build.clang-tidy }}
timeout-minutes: ${{ matrix.build.torture && 20 || 10 }}
# zizmor: ignore[template-injection]
run: |
export TFLAGS='-j20 ${{ matrix.build.tflags }}'
if [ -z '${{ matrix.build.torture }}' ]; then

1
.github/workflows/windows.yml vendored
View File

@@ -572,6 +572,7 @@ jobs:
steps:
- name: 'install packages'
timeout-minutes: 5
# zizmor: ignore[template-injection]
run: |
sudo rm -f /var/lib/man-db/auto-update
sudo apt-get -o Dpkg::Use-Pty=0 install mingw-w64 \