author | StepSecurity Bot <[email protected]> | 2022-11-25 10:26:10 +0000 |
---|---|---|
committer | Hiroshi SHIBATA <[email protected]> | 2022-11-25 20:12:23 +0900 |
commit | e15cd01149afe4924460f81cb6e27dd96de06657 () | |
tree | d95d0bc97f0ec1300a85892b5a01d29a66b2673f | |
parent | 8a50db7dfa9383326854ddfa47c7003722567d61 (diff) |
[StepSecurity] ci: Harden Actions
Signed-off-by: StepSecurity Bot <[email protected]>
Notes: Merged: https://.com/ruby/ruby/pull/6810
-rw-r--r-- | ./workflows/baseruby.yml | 8 | ||||
-rw-r--r-- | ./workflows/bundled_gems.yml | 4 | ||||
-rw-r--r-- | ./workflows/check_dependencies.yml | 6 | ||||
-rw-r--r-- | ./workflows/check_misc.yml | 6 | ||||
-rw-r--r-- | ./workflows/cirrus-notify.yml | 4 | ||||
-rw-r--r-- | ./workflows/codeql-analysis.yml | 10 | ||||
-rw-r--r-- | ./workflows/compilers.yml | 6 | ||||
-rw-r--r-- | ./workflows/macos.yml | 6 | ||||
-rw-r--r-- | ./workflows/mingw.yml | 8 | ||||
-rw-r--r-- | ./workflows/mjit-bindgen.yml | 8 | ||||
-rw-r--r-- | ./workflows/mjit.yml | 6 | ||||
-rw-r--r-- | ./workflows/spec_guards.yml | 6 | ||||
-rw-r--r-- | ./workflows/ubuntu.yml | 6 | ||||
-rw-r--r-- | ./workflows/wasm.yml | 2 | ||||
-rw-r--r-- | ./workflows/windows.yml | 14 | ||||
-rw-r--r-- | ./workflows/yjit-ubuntu.yml | 8 |
16 files changed, 54 insertions, 54 deletions
@@ -40,12 +40,12 @@ jobs: - ruby-3.1 steps: - - uses: actions/checkout@v3 - - uses: actions/cache@v3 with: path: .downloaded-cache key: downloaded-cache - - uses: ruby/setup-ruby@v1 with: ruby-version: ${{ matrix.ruby }} bundler: none @@ -57,7 +57,7 @@ jobs: - run: make incs - run: make all - run: make test - - uses: ruby/[email protected] with: payload: | { @@ -29,9 +29,9 @@ jobs: echo "GNUMAKEFLAGS=-j$((1 + $(nproc --all)))" >> $_ENV echo "TODAY=$(date +%F)" >> $_ENV - - uses: actions/checkout@v3 - - uses: actions/cache@v3 with: path: .downloaded-cache key: downloaded-cache-${{ .sha }} @@ -45,8 +45,8 @@ jobs: run: | git config --global advice.detachedHead 0 git config --global init.defaultBranch garbage - - uses: actions/checkout@v3 - - uses: actions/cache@v3 with: path: .downloaded-cache key: downloaded-cache @@ -56,7 +56,7 @@ jobs: - run: make all golf - run: ruby tool/update-deps --fix - run: git diff --no-ext-diff --ignore-submodules --exit-code - - uses: ruby/[email protected] with: payload: | { @@ -9,7 +9,7 @@ jobs: checks: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - name: Check if C-sources are US-ASCII run: | ! grep -r -n '[^ -~]' *.[chy] include internal win32/*.[ch] @@ -23,7 +23,7 @@ jobs: done | grep -F . working-directory: include - - uses: actions/cache@v3 with: path: .downloaded-cache key: downloaded-cache-${{ .sha }} @@ -98,7 +98,7 @@ jobs: GIT_COMMITTER_NAME: git if: ${{ .repository == 'ruby/ruby' && !startsWith(.event_name, 'pull') && steps.diff.outcome == 'failure' }} - - uses: ruby/[email protected] with: payload: | { @@ -13,7 +13,7 @@ jobs: && .event.check_suite.head_branch == 'master' runs-on: ubuntu-latest steps: - - uses: octokit/[email protected] id: get_failed_check_run with: route: GET /repos/${{ .repository }}/check-suites/${{ .event.check_suite.id }}/check-runs?status=completed 
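Review bot: The added `uses:` lines of this first hunk (the replacements for `actions/checkout@v3`, `actions/cache@v3` and `ruby/setup-ruby@v1`) are not visible in this rendering, so the pins themselves could not be checked. Assuming they are full commit SHAs, each should be confirmed to be the commit the upstream tag points at in the action's own repository, not one reachable only through a fork of it. A trailing comment naming the tag, in the form `- uses: actions/checkout@<full-commit-sha> # v3`, keeps that check repeatable for later reviewers. The same applies to every other `uses:` replacement in this commit.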
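Review bot: No hunk appears to add a `permissions:` key (the diffstat's 54 insertions against 54 deletions fits one-for-one `uses:` replacements only), so this hardening pass seems to leave the workflow token scope unchanged. In the hunk at `@@ -98,7 +98,7 @@` the step just above the changed line sets `GIT_COMMITTER_NAME` and is gated on the `ruby/ruby` repository and non-pull events, which suggests it commits with the workflow token. That step starts outside the hunk, so this is inferred. If the workflows do not already declare it outside the visible context, a workflow-level `permissions:` block with `contents: read`, widened to `contents: write` only on the job that pushes, would limit what a compromised step can do.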
@@ -28,7 +28,7 @@ jobs: env: CHECK_RUNS: ${{ steps.get_failed_check_run.outputs.data }} run: echo "$CHECK_RUNS" - - uses: ruby/[email protected] with: payload: | { @@ -43,9 +43,9 @@ jobs: sudo apt-get install --no-install-recommends -q -y build-essential libssl-dev libyaml-dev libreadline6-dev zlib1g-dev libncurses5-dev libffi-dev bison autoconf ruby - name: Checkout repository - uses: actions/checkout@v3 - - uses: actions/cache@v3 with: path: .downloaded-cache key: downloaded-cache @@ -54,7 +54,7 @@ jobs: run: sudo rm /usr/lib/ruby/vendor_ruby/rubygems/defaults/operating_system.rb - name: Initialize CodeQL - uses: /codeql-action/init@v2 with: config-file: ././codeql/codeql-config.yml @@ -62,7 +62,7 @@ jobs: run: echo "GNUMAKEFLAGS=-j$((1 + $(nproc --all)))" >> $_ENV - name: Autobuild - uses: /codeql-action/autobuild@v2 - name: Perform CodeQL Analysis - uses: /codeql-action/analyze@v2 @@ -231,10 +231,10 @@ jobs: - name: setenv run: | echo "GNUMAKEFLAGS=-sj$((1 + $(nproc --all)))" >> $_ENV - - uses: actions/checkout@v3 with: path: src - - uses: actions/cache@v3 with: path: src/.downloaded-cache key: downloaded-cache @@ -268,7 +268,7 @@ jobs: - run: make test-annocheck if: ${{ matrix.entry.check && endsWith(matrix.entry.name, 'annocheck') }} - - uses: ruby/[email protected] with: payload: | { @@ -41,10 +41,10 @@ jobs: run: | git config --global advice.detachedHead 0 git config --global init.defaultBranch garbage - - uses: actions/checkout@v3 with: path: src - - uses: actions/cache@v3 with: path: src/.downloaded-cache key: downloaded-cache @@ -86,7 +86,7 @@ jobs: PRECHECK_BUNDLED_GEMS: "no" if: ${{ matrix.test_task == 'check' && matrix.skipped_tests != '' }} continue-on-error: ${{ matrix.continue-on-skipped_tests || false }} - - uses: ruby/[email protected] with: payload: | { 
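Review bot: The three CodeQL steps (`codeql-action/init@v2`, `codeql-action/autobuild@v2` and `codeql-action/analyze@v2`, in the hunks at `@@ -54,7 +54,7 @@` and `@@ -62,7 +62,7 @@`) come from one repository and should stay pinned to the same commit. The replacement lines are not visible here, so this could not be confirmed. If the pins diverge after a partial update, the init and analyze steps may end up running different releases of the action. A comment above the first of them, such as `# keep init/autobuild/analyze on the same codeql-action commit`, would make the constraint explicit.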
@@ -57,15 +57,15 @@ jobs: git config --global core.eol lf git config --global advice.detachedHead 0 git config --global init.defaultBranch garbage - - uses: actions/checkout@v3 with: path: src - - uses: actions/cache@v3 with: path: src/.downloaded-cache key: downloaded-cache - name: Set up Ruby & MSYS2 - uses: ruby/setup-ruby@v1 with: ruby-version: ${{ matrix.base_ruby }} - name: set env @@ -151,7 +151,7 @@ jobs: make ${{ StartsWith(matrix.test_task, 'spec/') && matrix.test_task || 'test-spec' }} if: ${{matrix.test_task == 'check' || matrix.test_task == 'test-spec' || StartsWith(matrix.test_task, 'spec/')}} - - uses: ruby/[email protected] with: payload: | { @@ -48,17 +48,17 @@ jobs: bison autoconf sudo apt-get install -q -y pkg-config || : - name: Set up Ruby - uses: ruby/setup-ruby@v1 with: ruby-version: '3.1' - name: git config run: | git config --global advice.detachedHead 0 git config --global init.defaultBranch garbage - - uses: actions/checkout@v3 with: path: src - - uses: actions/cache@v3 with: path: src/.downloaded-cache key: downloaded-cache @@ -77,7 +77,7 @@ jobs: - run: make ${{ matrix.task }} - run: git diff --exit-code working-directory: src - - uses: ruby/[email protected] with: payload: | { @@ -46,10 +46,10 @@ jobs: run: | git config --global advice.detachedHead 0 git config --global init.defaultBranch garbage - - uses: actions/checkout@v3 with: path: src - - uses: actions/cache@v3 with: path: src/.downloaded-cache key: downloaded-cache @@ -84,7 +84,7 @@ jobs: ulimit -c unlimited make -s test-spec RUN_OPTS="$RUN_OPTS" timeout-minutes: 60 - - uses: ruby/[email protected] with: payload: | { @@ -28,8 +28,8 @@ jobs: - ruby-3.1 steps: - - uses: actions/checkout@v3 - - uses: ruby/setup-ruby@v1 with: ruby-version: ${{ matrix.ruby }} bundler: none @@ -38,7 +38,7 @@ jobs: working-directory: spec/ruby env: CHECK_S: true - - uses: ruby/[email protected] with: payload: | { 
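Review bot: Pinning `ruby/setup-ruby` may also freeze the set of Ruby builds the action can resolve, because as far as I know that list ships with the action itself. This affects the step under `Set up Ruby & MSYS2` in the `@@ -57,15 +57,15 @@` hunk, the `@@ -48,17 +48,17 @@` and `@@ -28,8 +28,8 @@` hunks, and the first hunk of the commit. Where `ruby-version` comes from the matrix (`${{ matrix.base_ruby }}`, `${{ matrix.ruby }}`), a newly added entry may fail to resolve until the pin is refreshed. No update automation is visible in this commit, so a Dependabot entry with `package-ecosystem: github-actions` or an equivalent is worth adding so the pinned SHAs do not go stale.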
@@ -72,10 +72,10 @@ jobs: run: | git config --global advice.detachedHead 0 git config --global init.defaultBranch garbage - - uses: actions/checkout@v3 with: path: src - - uses: actions/cache@v3 with: path: src/.downloaded-cache key: downloaded-cache @@ -120,7 +120,7 @@ jobs: TESTS: ${{ matrix.skipped_tests }} if: ${{ matrix.test_task == 'check' && matrix.skipped_tests != '' }} continue-on-error: ${{ matrix.continue-on-skipped_tests || false }} - - uses: ruby/[email protected] with: payload: | { @@ -51,7 +51,7 @@ jobs: run: | git config --global advice.detachedHead 0 git config --global init.defaultBranch garbage - - uses: actions/checkout@v3 with: path: src - name: Install libraries @@ -39,7 +39,7 @@ jobs: steps: - run: md build working-directory: - - uses: msys2/setup-msys2@v2 id: setup-msys2 with: update: true @@ -50,14 +50,14 @@ jobs: shell: msys2 {0} run: echo =$(cygpath -wa $(command -v )) >> $_ENV if: ${{ steps.setup-msys2.outcome == 'success' }} - - uses: actions/cache@v3 with: path: C:\vcpkg\downloads key: ${{ runner.os }}-vcpkg-download-${{ env.OS_VER }}-${{ .sha }} restore-keys: | ${{ runner.os }}-vcpkg-download-${{ env.OS_VER }}- ${{ runner.os }}-vcpkg-download- - - uses: actions/cache@v3 with: path: C:\vcpkg\installed key: ${{ runner.os }}-vcpkg-installed-${{ matrix.os }}-${{ .sha }} @@ -67,7 +67,7 @@ jobs: - name: Install libraries with vcpkg run: | vcpkg --triplet x64-windows install libffi libyaml openssl readline zlib - - uses: actions/cache@v3 with: path: C:\Users\runneradmin\AppData\Local\Temp\chocolatey key: ${{ runner.os }}-chocolatey-${{ env.OS_VER }}-${{ .sha }} @@ -86,10 +86,10 @@ jobs: git config --global core.eol lf git config --global advice.detachedHead 0 git config --global init.defaultBranch garbage - - uses: actions/checkout@v3 with: path: src - - uses: actions/cache@v3 with: path: src/.downloaded-cache key: downloaded-cache 
@@ -138,7 +138,7 @@ jobs: env: RUBY_TESTOPTS: -j${{env.TEST_JOBS}} --job-status=normal timeout-minutes: 60 - - uses: ruby/[email protected] with: payload: | { @@ -27,7 +27,7 @@ jobs: # Action's image seems to already contain a Rust 1.58.0. runs-on: ubuntu-20.04 steps: - - uses: actions/checkout@v3 # For now we can't run cargo test --offline because it complains about the # capstone dependency, even though the dependency is optional #- run: cargo test --offline @@ -90,10 +90,10 @@ jobs: run: | git config --global advice.detachedHead 0 git config --global init.defaultBranch garbage - - uses: actions/checkout@v3 with: path: src - - uses: actions/cache@v3 with: path: src/.downloaded-cache key: downloaded-cache @@ -135,7 +135,7 @@ jobs: BASE_REPO: ${{ .event.pull_request.base.repo.full_name }} BASE_SHA: ${{ .event.pull_request.base.sha }} if: ${{ matrix.test_task == 'yjit-bench' && startsWith(.event_name, 'pull') }} - - uses: ruby/[email protected] with: payload: | { |