admin/topgrade
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore(ci): Dependabot, workflow security (#1257)

Browse Source 
Co-authored-by: StepSecurity Bot <bot@stepsecurity.io>
Co-authored-by: niStee <52573120+niStee@users.noreply.github.comclear>
Co-authored-by: GideonBear <87426140+GideonBear@users.noreply.github.com>
This commit is contained in:
Nils
2025-08-11 10:24:18 +02:00
committed by GitHub
parent 9048cd8f47
commit 91fc5e3902
28 changed files with 257 additions and 109 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
.github/workflows/check_config_creation_if_not_exists.yml vendored
View File

@@ -7,15 +7,18 @@ env:
CARGO_TERM_COLOR: always
permissions:
contents: read
jobs:
TestConfig:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v4.2.2
- run: |
CONFIG_PATH=~/.config/topgrade.toml;
if [ -f "$CONFIG_PATH" ]; then rm $CONFIG_PATH; fi
cargo build;
cargo build;
TOPGRADE_SKIP_BRKC_NOTIFY=true ./target/debug/topgrade --dry-run --only system;
stat $CONFIG_PATH;

5
.github/workflows/check_i18n.yml vendored
View File

@@ -6,12 +6,15 @@ on:
name: Check i18n
permissions:
contents: read
jobs:
check_locale:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v4.2.2
- name: Install checker
# Build it with the dev profile as this is faster and the checker still works

9
.github/workflows/check_security_vulnerability.yml vendored
View File

@@ -11,6 +11,9 @@ on:
branches:
- main
permissions:
contents: read
jobs:
lint:
name: DevSkim
@@ -21,12 +24,12 @@ jobs:
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v4.2.2
- name: Run DevSkim scanner
uses: microsoft/DevSkim-Action@v1
uses: microsoft/DevSkim-Action@4b5047945a44163b94642a1cecc0d93a3f428cc6 # v1.0.16
- name: Upload DevSkim scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
uses: github/codeql-action/upload-sarif@v3.29.5
with:
sarif_file: devskim-results.sarif

9
.github/workflows/check_semver.yml vendored
View File

@@ -4,12 +4,15 @@ on:
name: Check SemVer compliance
permissions:
contents: read
jobs:
prepare:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions-rs/toolchain@v1
- uses: actions/checkout@v4.2.2
- uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
with:
toolchain: nightly-2022-08-03
override: true
@@ -18,7 +21,7 @@ jobs:
semver:
runs-on: ubuntu-latest
steps:
- uses: actions-rs/cargo@v1
- uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
with:
command: install
args: --git https://github.com/rust-lang/rust-semverver

15
.github/workflows/ci.yml vendored
View File

@@ -10,13 +10,16 @@ env:
CROSS_VER: '0.2.5'
CARGO_NET_RETRY: 3
permissions:
contents: read
jobs:
fmt:
name: Rustfmt
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v4.2.2
- name: Run cargo fmt
env:
@@ -30,7 +33,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v4.2.2
- name: Check if `Step` enum is sorted
run: |
@@ -47,7 +50,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v4.2.2
- name: Check if `Step::run()`'s match is sorted
run: |
@@ -55,7 +58,7 @@ jobs:
awk '/[[:alpha:]] =>/{print $1}' $FILE > original.txt
sort original.txt > sorted.txt
diff original.txt sorted.txt
main:
needs: [ fmt, step-enum-sorted, step-match-sorted ]
name: ${{ matrix.target_name }} (check, clippy)
@@ -96,10 +99,10 @@ jobs:
os: windows-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v4.2.2
- name: Setup Rust Cache
uses: Swatinem/rust-cache@v2
uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
with:
prefix-key: ${{ matrix.target }}

27
.github/workflows/create_release_assets.yml vendored
View File

@@ -3,22 +3,25 @@ name: Publish release files for CD native and non-cd-native environments
on:
release:
types: [ created ]
# When a release failed, and there is something you need to fix in this
# When a release failed, and there is something you need to fix in this
# YML file, you can manually re-run the job via this event to re-do the
# release. (Simply re-run the job through GitHub UI won't work as it would use
# the old YML file, which needs a fix.)
workflow_dispatch:
inputs:
# The GitHub Action (softprops/action-gh-release) used in this pipeline
# The GitHub Action (softprops/action-gh-release) used in this pipeline
# needs a tag, you specify it through this parameter.
#
# In the case described above, it should be an existing tag. E.g., the
#
# In the case described above, it should be an existing tag. E.g., the
# release of v16.0.4 failed, you should specify "v16.0.4" here.
existing_tag:
existing_tag:
description: "The tag of the failed release that you wanna re-run and fix"
required: true
type: string
permissions:
contents: read
jobs:
# Publish release files for CD native environments
native_build:
@@ -38,7 +41,7 @@ jobs:
platform: [ ubuntu-22.04, macos-latest, macos-13, windows-latest ]
runs-on: ${{ matrix.platform }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v4.2.2
- name: Install needed components
run: |
@@ -121,13 +124,13 @@ jobs:
- name: Release
uses: softprops/action-gh-release@v2
uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2.3.2
with:
tag_name: ${{ steps.determine_tag_name.outputs.tag_name }}
files: assets/*
- name: Generate artifact attestations
uses: actions/attest-build-provenance@v2
uses: actions/attest-build-provenance@v2.4.0
with:
subject-path: assets/*
@@ -153,7 +156,7 @@ jobs:
]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v4.2.2
- name: Install needed components
run: |
@@ -179,7 +182,7 @@ jobs:
run: rustup target add ${{ matrix.target }}
- name: install cross
uses: taiki-e/install-action@v2
uses: taiki-e/install-action@aa2649f25ee7099207734772f5393fd30167cb73 # v2.58.0
with:
tool: cross@0.2.5
@@ -238,12 +241,12 @@ jobs:
- name: Release
uses: softprops/action-gh-release@v2
uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2.3.2
with:
tag_name: ${{ steps.determine_tag_name.outputs.tag_name }}
files: assets/*
- name: Generate artifact attestations
uses: actions/attest-build-provenance@v2
uses: actions/attest-build-provenance@v2.4.0
with:
subject-path: assets/*

22
.github/workflows/dependency-review.yml vendored Normal file
View File

@@ -0,0 +1,22 @@
# Dependency Review Action
#
# This Action will scan dependency manifest files that change as part of a Pull Request,
# surfacing known-vulnerable versions of the packages declared or updated in the PR.
# Once installed, if the workflow run is marked as required,
# PRs introducing known-vulnerable packages will be blocked from merging.
#
# Source repository: https://github.com/actions/dependency-review-action
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v4.2.2
- name: 'Dependency Review'
uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1

5
.github/workflows/release_to_aur.yml vendored
View File

@@ -1,7 +1,7 @@
name: Publish to AUR
on:
# Step "Publish binary AUR package" needs the binaries built by the following
# Step "Publish binary AUR package" needs the binaries built by the following
# workflow, so we wait for it to complete.
workflow_run:
workflows: ["Publish release files for CD native and non-cd-native environments"]
@@ -15,6 +15,9 @@ on:
required: false
type: string
permissions:
contents: read
jobs:
aur-publish:
runs-on: ubuntu-latest

9
.github/workflows/release_to_homebrew.yml vendored
View File

@@ -10,16 +10,19 @@ on:
tags:
- "v*"
permissions:
contents: read
jobs:
homebrew-publish:
runs-on: ubuntu-latest
steps:
- name: Set up Homebrew
id: set-up-homebrew
uses: Homebrew/actions/setup-homebrew@master
uses: Homebrew/actions/setup-homebrew@24a0b15df658487e137fcd20fba32757d41a9411 # master
- name: Cache Homebrew Bundler RubyGems
id: cache
uses: actions/cache@v4
uses: actions/cache@v4.2.3
with:
path: ${{ steps.set-up-homebrew.outputs.gems-path }}
key: ${{ runner.os }}-rubygems-${{ steps.set-up-homebrew.outputs.gems-hash }}
@@ -29,7 +32,7 @@ jobs:
if: steps.cache.outputs.cache-hit != 'true'
run: brew install-bundler-gems
- name: Bump formulae
uses: Homebrew/actions/bump-packages@master
uses: Homebrew/actions/bump-packages@24a0b15df658487e137fcd20fba32757d41a9411 # master
continue-on-error: true
with:
# Custom GitHub access token with only the 'public_repo' scope enabled

30
.github/workflows/release_to_pypi.yml vendored
View File

@@ -15,16 +15,16 @@ jobs:
matrix:
target: [x86_64, x86, aarch64]
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v4.2.2
- name: Build wheels
uses: PyO3/maturin-action@v1
uses: PyO3/maturin-action@e10f6c464b90acceb5f640d31beda6d586ba7b4a # v1.49.3
with:
target: ${{ matrix.target }}
args: --release --out dist
sccache: ${{ !startsWith(github.ref, 'refs/tags/') }}
manylinux: auto
- name: Upload wheels
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v4.6.2
with:
name: wheels-linux-${{ matrix.target }}
path: dist
@@ -35,15 +35,15 @@ jobs:
matrix:
target: [x64, x86]
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v4.2.2
- name: Build wheels
uses: PyO3/maturin-action@v1
uses: PyO3/maturin-action@e10f6c464b90acceb5f640d31beda6d586ba7b4a # v1.49.3
with:
target: ${{ matrix.target }}
args: --release --out dist
sccache: ${{ !startsWith(github.ref, 'refs/tags/') }}
- name: Upload wheels
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v4.6.2
with:
name: wheels-windows-${{ matrix.target }}
path: dist
@@ -54,15 +54,15 @@ jobs:
matrix:
target: [x86_64, aarch64]
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v4.2.2
- name: Build wheels
uses: PyO3/maturin-action@v1
uses: PyO3/maturin-action@e10f6c464b90acceb5f640d31beda6d586ba7b4a # v1.49.3
with:
target: ${{ matrix.target }}
args: --release --out dist
sccache: ${{ !startsWith(github.ref, 'refs/tags/') }}
- name: Upload wheels
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v4.6.2
with:
name: wheels-macos-${{ matrix.target }}
path: dist
@@ -70,14 +70,14 @@ jobs:
sdist:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v4.2.2
- name: Build sdist
uses: PyO3/maturin-action@v1
uses: PyO3/maturin-action@e10f6c464b90acceb5f640d31beda6d586ba7b4a # v1.49.3
with:
command: sdist
args: --out dist
- name: Upload sdist
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v4.6.2
with:
name: wheels-sdist
path: dist
@@ -94,15 +94,15 @@ jobs:
# Used to generate artifact attestation
attestations: write
steps:
- uses: actions/download-artifact@v4
- uses: actions/download-artifact@v4.3.0
- name: Generate artifact attestation
uses: actions/attest-build-provenance@v2
uses: actions/attest-build-provenance@v2.4.0
with:
subject-path: 'wheels-*/*'
- name: Publish to PyPI
uses: PyO3/maturin-action@v1
uses: PyO3/maturin-action@e10f6c464b90acceb5f640d31beda6d586ba7b4a # v1.49.3
env:
MATURIN_PYPI_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
with:

7
.github/workflows/release_to_winget.yml vendored
View File

@@ -4,12 +4,15 @@ on:
types: [released]
workflow_dispatch:
permissions:
contents: read
jobs:
publish:
runs-on: windows-latest
steps:
- uses: vedantmgoyal2009/winget-releaser@main
- uses: vedantmgoyal2009/winget-releaser@19e706d4c9121098010096f9c495a70a7518b30f # main
with:
identifier: topgrade-rs.topgrade
max-versions-to-keep: 5 # keep only latest 5 versions
token: ${{ secrets.WINGET_TOKEN }}
token: ${{ secrets.WINGET_TOKEN }}

76
.github/workflows/scorecards.yml vendored Normal file
View File

@@ -0,0 +1,76 @@
# This workflow uses actions that are not certified by GitHub. They are provided
# by a third-party and are governed by separate terms of service, privacy
# policy, and support documentation.
name: Scorecard supply-chain security
on:
# For Branch-Protection check. Only the default branch is supported. See
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
branch_protection_rule:
# To guarantee Maintained check is occasionally updated. See
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
schedule:
- cron: '20 7 * * 2'
push:
branches: ["main"]
# Declare default permissions as read only.
permissions: read-all
jobs:
analysis:
name: Scorecard analysis
runs-on: ubuntu-latest
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
# Needed to publish results and get a badge (see publish_results below).
id-token: write
contents: read
actions: read
# To allow GraphQL ListCommits to work
issues: read
pull-requests: read
# To detect SAST tools
checks: read
steps:
- name: "Checkout code"
uses: actions/checkout@v4.2.2
with:
persist-credentials: false
- name: "Run analysis"
uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
with:
results_file: results.sarif
results_format: sarif
# (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
# - you want to enable the Branch-Protection check on a *public* repository, or
# - you are installing Scorecards on a *private* repository
# To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
# repo_token: ${{ secrets.SCORECARD_TOKEN }}
# Public repositories:
# - Publish results to OpenSSF REST API for easy access by consumers
# - Allows the repository to include the Scorecard badge.
# - See https://github.com/ossf/scorecard-action#publishing-results.
# For private repositories:
# - `publish_results` will always be set to `false`, regardless
# of the value entered here.
publish_results: true
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@v4.6.2
with:
name: SARIF file
path: results.sarif
retention-days: 5
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@v3.29.5
with:
sarif_file: results.sarif