mirror of
https://github.com/pnpm/pnpm.git
synced 2026-07-02 20:05:14 -04:00
* ci(pacquet): fix all zizmor code-scanning findings

  Resolves the 90 alerts opened by zizmor against the imported pacquet-* workflows and shared composite actions:

  - unpinned-uses: pin every third-party action to a SHA + version comment (matching SHAs already used elsewhere in the repo where applicable; taiki-e/install-action collapsed onto v2.78.0 with explicit `tool:` input).
  - artipacked: add `persist-credentials: false` to every actions/checkout.
  - template-injection: pass `inputs.*` and `steps.*.outputs.*` through `env:` in binstall/rustup composite actions and pacquet-release-to-npm.yml.
  - excessive-permissions: add top-level `permissions: contents: read` to pacquet-release-to-npm.yml; move issues/pull-requests writes from the workflow level to the benchmark-compare job in pacquet-micro-benchmark.yml.
  - dangerous-triggers: keep workflow_run in pacquet-integrated-benchmark-comment.yml but suppress with a documented zizmor: ignore — the trigger is the recommended pattern for posting comments back to fork PRs.
  - superfluous-actions: keep softprops/action-gh-release with a zizmor: ignore (matches release.yml).

  Verified by running `zizmor .github` locally with no remaining findings.

* ci(pacquet): point SHA pins at the patch-version tag

  Swatinem/rust-cache and montudor/action-zip were pinned to the SHA the major-version alias (`v2`, `v1`) resolves to, but the version comments claimed `v2.9.1` / `v1.0.0`. zizmor's online `ref-version-mismatch` audit flagged the inconsistency. Repoint at the SHAs the patch-version tags actually annotate so the pin and the comment agree.
91 lines
2.1 KiB
YAML
name: Rustup

description: Install Rust with minimal profile and additional components

inputs:
  # See https://rust-lang.github.io/rustup/concepts/components.html
  clippy:
    default: false
    required: false
    type: boolean
  fmt:
    default: false
    required: false
    type: boolean
  docs:
    default: false
    required: false
    type: boolean
  restore-cache:
    default: true
    required: false
    type: boolean
  save-cache:
    default: false
    required: false
    type: boolean
  shared-key:
    default: 'warm'
    required: false
    type: string

runs:
  using: composite
  steps:
    - name: Print Inputs
      shell: bash
      env:
        CLIPPY: ${{ inputs.clippy }}
        FMT: ${{ inputs.fmt }}
        DOCS: ${{ inputs.docs }}
        RESTORE_CACHE: ${{ inputs.restore-cache }}
        SAVE_CACHE: ${{ inputs.save-cache }}
      run: |
        echo "clippy: $CLIPPY"
        echo "fmt: $FMT"
        echo "docs: $DOCS"
        echo "restore-cache: $RESTORE_CACHE"
        echo "save-cache: $SAVE_CACHE"

    - name: Remove `profile` line on MacOS
      shell: bash
      if: runner.os == 'macOS'
      run: sed -i '' '/profile/d' rust-toolchain.toml

    - name: Remove `profile` line on non-MacOS
      shell: bash
      if: runner.os != 'macOS'
      run: sed -i '/profile/d' rust-toolchain.toml

    - name: Set minimal
      shell: bash
      run: rustup set profile minimal

    - name: Add Clippy
      shell: bash
      if: ${{ inputs.clippy == 'true' }}
      run: rustup component add clippy

    - name: Add Rustfmt
      shell: bash
      if: ${{ inputs.fmt == 'true' }}
      run: rustup component add rustfmt

    - name: Add docs
      shell: bash
      if: ${{ inputs.docs == 'true' }}
      run: rustup component add rust-docs

    - name: Install
      shell: bash
      run: |
        rustup show
        git restore .

    - name: Cache on ${{ github.ref_name }}
      uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
      if: ${{ inputs.restore-cache == 'true' }}
      with:
        shared-key: ${{ inputs.shared-key }}
        save-if: ${{ inputs.save-cache == 'true' }}
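The commit message's template-injection item is the reason the Print Inputs step above reads `$CLIPPY` from `env:` instead of writing `${{ inputs.clippy }}` straight into the `run:` script: an expression inside `run:` is substituted into the shell text before the shell parses it, so any value a caller or an earlier step can influence becomes shell syntax rather than data. The script below is an added example, not code from pnpm, pacquet or zizmor. It is a deliberately small, line-oriented check that flags risky `${{ ... }}` expressions placed inside `run:` scripts and shows the weak and the hardened form of the step side by side. The function name `find_run_expressions`, the `RISKY_PREFIXES` list and the step id `steps.meta.outputs.key` in the constructed samples are this example's own assumptions, not anything the page or zizmor defines.

```python
"""Added example (not pnpm, pacquet or zizmor code): a minimal check for the
GitHub Actions template-injection placement that the pacquet commit fixed.

A `${{ ... }}` expression written directly inside a `run:` script is
substituted into the shell source before the shell parses it. Routing the
value through `env:` and reading `$VAR` in the script keeps it as data.
This scanner only looks at where an expression is placed; it is not a YAML
parser and not a substitute for zizmor's template-injection audit."""
import re

# Matches a GitHub Actions expression and captures its body.
EXPR = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")

# Contexts whose values may be chosen by someone other than the workflow
# author. Assumed list for this example; zizmor's model is more detailed.
RISKY_PREFIXES = ("inputs.", "steps.", "github.event.", "github.head_ref")


def find_run_expressions(yaml_text):
    """Return [(line_no, expression_body)] for risky expressions found inside
    `run:` scripts, covering the inline form `run: cmd` and block scalars
    `run: |` / `run: >`. Expressions under `env:`, `if:`, `name:` or `with:`
    are deliberately ignored: there they are passed as values, not spliced
    into shell source."""
    findings = []
    in_run = False
    run_indent = 0
    for line_no, line in enumerate(yaml_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        # A non-blank line indented at or above the `run:` key ends the block.
        if in_run and stripped and indent <= run_indent:
            in_run = False
        key = re.match(r"(?:-\s+)?run:\s*(.*)$", stripped)
        if key:
            body = key.group(1).strip()
            if body in ("|", ">", "|-", ">-", "|+", ">+"):
                in_run = True          # block scalar follows on later lines
                run_indent = indent
                continue
            script_text = body         # inline `run: command`
        elif in_run:
            script_text = stripped     # one line of the block scalar
        else:
            continue
        for expr in EXPR.findall(script_text):
            if expr.startswith(RISKY_PREFIXES):
                findings.append((line_no, expr))
    return findings


# Constructed sample: the weak form, expressions spliced into the script.
VULNERABLE = """\
steps:
  - name: Print Inputs
    shell: bash
    run: |
      echo "clippy: ${{ inputs.clippy }}"
      echo "cache key: ${{ steps.meta.outputs.key }}"
  - name: Cache on ${{ github.ref_name }}
    uses: Swatinem/rust-cache@v2
"""

# Constructed sample: the hardened form used by the Rustup action above,
# values enter through `env:` and the script reads shell variables.
HARDENED = """\
steps:
  - name: Print Inputs
    shell: bash
    env:
      CLIPPY: ${{ inputs.clippy }}
      CACHE_KEY: ${{ steps.meta.outputs.key }}
    run: |
      echo "clippy: $CLIPPY"
      echo "cache key: $CACHE_KEY"
  - name: Cache on ${{ github.ref_name }}
    uses: Swatinem/rust-cache@v2
"""


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        hits = find_run_expressions(text)
        print(f"{label}: {len(hits)} finding(s)")
        for line_no, expr in hits:
            print(f"  line {line_no}: ${{{{ {expr} }}}} inside run:")
```

Run stand-alone it reports two findings for the weak sample (the two expressions in the block scalar) and none for the hardened one; the `${{ github.ref_name }}` in the step `name:` is never reported because it is not shell source. The check is intentionally blind to anything outside `run:`, which is also why the `if:` guards in the action above are not flagged.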