diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 90e05c40d..35467f421 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -9,3 +9,5 @@ updates: directory: "/" # Location of package manifests schedule: interval: "weekly" + cooldown: + default-days: 7 diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml index 186768441..49cc1fdbb 100644 --- a/.github/workflows/actionlint.yml +++ b/.github/workflows/actionlint.yml @@ -1,11 +1,15 @@ name: Lint GitHub Actions workflows on: [push, pull_request] +permissions: {} + jobs: actionlint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Check workflow files run: | echo "::add-matcher::.github/actionlint-matcher.json" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e7e9f3899..0142db7b3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -10,6 +10,8 @@ on: branches: - 'master' +permissions: {} + concurrency: group: build-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true @@ -18,9 +20,10 @@ jobs: checkinstall: runs-on: ubuntu-slim steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 2 + persist-credentials: false - name: Install APT Dependencies run: | sudo apt-get update && sudo apt-get install -y --no-install-recommends ninja-build @@ -33,9 +36,10 @@ jobs: formatting: runs-on: ubuntu-slim steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 2 + persist-credentials: false - name: Install pcre2grep run: sudo apt-get update && sudo apt-get install -y --no-install-recommends pcre2-utils # Check for trailing whitespace 
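Review bot: The `cooldown` stanza is added under an `updates` entry whose `package-ecosystem` line sits outside the hunk, and nothing else in this commit adds a `package-ecosystem: github-actions` entry. Because the workflow files in the same commit now pin every action to a commit SHA, those pins are only refreshed if Dependabot watches the github-actions ecosystem; if the file has no such entry, add one beside this one: `- package-ecosystem: "github-actions"`, `directory: "/"`, `schedule: {interval: "weekly"}`. The same `cooldown` block would then apply to it as well.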
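Review bot: The version comment on the pinned checkout step reads `# v6`, while the identical SHA `de0fac2e…` in the new zizmor.yml is tagged `# v6.0.2`; the two should agree, and the full tag is the more useful form for anyone auditing the pin or for Dependabot rewriting the comment on update. The same `# v6` form appears on every checkout pin in ci.yml, cmake.yml, codeql-analysis.yml, deploy.yml, gcc-snapshot.yml and ossar-analysis.yml, so whichever form is chosen should be applied file-wide. Suggested line: `- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`.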
@@ -126,9 +130,10 @@ jobs: CXXFLAGS: -Wall -Wextra -Werror ${{ matrix.isax }} INTEL_TARGET: ${{ matrix.target }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: submodules: recursive + persist-credentials: false - name: CPU Information run: cat /proc/cpuinfo - name: Install APT Dependencies @@ -143,7 +148,7 @@ jobs: sudo ln -s /usr/bin/g++-15 /usr/bin/g++ pipx install meson==1.3.2 - name: ccache - uses: hendrikmuhs/ccache-action@v1.2 + uses: hendrikmuhs/ccache-action@5ebbd400eff9e74630f759d94ddd7b6c26299639 # v1.2 with: key: ${{ github.job }}-${{ matrix.isax }} verbose: 2 @@ -171,9 +176,10 @@ jobs: CFLAGS: -Wall -Wextra -Werror -march=bdver2 CXXFLAGS: -Wall -Wextra -Werror -march=bdver2 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: submodules: recursive + persist-credentials: false - name: CPU Information run: cat /proc/cpuinfo - name: Install APT Dependencies @@ -188,7 +194,7 @@ jobs: sudo ln -s /usr/bin/g++-15 /usr/bin/g++ pipx install meson==1.3.2 - name: ccache - uses: hendrikmuhs/ccache-action@v1.2 + uses: hendrikmuhs/ccache-action@5ebbd400eff9e74630f759d94ddd7b6c26299639 # v1.2 with: key: ${{ github.job }} verbose: 2 @@ -213,16 +219,17 @@ jobs: - "32-relaxed" - "64-relaxed" steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: submodules: recursive + persist-credentials: false - name: Install APT Dependencies run: | sudo add-apt-repository ppa:stephanosio/ccache sudo apt-get install -y --no-install-recommends ninja-build pipx ccache pipx install meson==1.3.2 - name: ccache - uses: hendrikmuhs/ccache-action@v1.2 + uses: hendrikmuhs/ccache-action@5ebbd400eff9e74630f759d94ddd7b6c26299639 # v1.2 with: key: ${{ github.job }} verbose: 2 
@@ -254,9 +261,10 @@ jobs: CFLAGS: -DSIMDE_ENABLE_NATIVE_ALIASES -DSIMDE_NATIVE_ALIASES_TESTING -Wall -Wextra -Werror -pedantic CXXFLAGS: -DSIMDE_ENABLE_NATIVE_ALIASES -DSIMDE_NATIVE_ALIASES_TESTING -Wall -Wextra -Werror -pedantic steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: submodules: recursive + persist-credentials: false - id: cpu name: CPU Information run: cat /proc/cpuinfo @@ -272,7 +280,7 @@ jobs: sudo ln -s /usr/bin/g++-15 /usr/bin/g++ pipx install meson==1.3.2 - name: ccache - uses: hendrikmuhs/ccache-action@v1.2 + uses: hendrikmuhs/ccache-action@5ebbd400eff9e74630f759d94ddd7b6c26299639 # v1.2 with: key: ${{ github.job }} verbose: 2 @@ -294,9 +302,10 @@ jobs: CFLAGS: -march=native -Wall -Wextra -Werror CXXFLAGS: -march=native -Wall -Wextra -Werror steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: submodules: recursive + persist-credentials: false - id: cpu name: CPU Information run: | @@ -313,7 +322,7 @@ jobs: sudo ln -s /usr/bin/g++-15 /usr/bin/g++ pipx install meson==1.3.2 - name: ccache - uses: hendrikmuhs/ccache-action@v1.2 + uses: hendrikmuhs/ccache-action@5ebbd400eff9e74630f759d94ddd7b6c26299639 # v1.2 with: key: ${{ github.job }} verbose: 2 @@ -415,9 +424,10 @@ jobs: format('{0}-g++-{1}', matrix.gcc, matrix.version) ) }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: submodules: recursive + persist-credentials: false - id: cpu name: CPU Information run: | @@ -440,7 +450,7 @@ jobs: - if: ${{ matrix.version == '15' }} run: sudo apt-get satisfy -y 'binutils (>= 2.45)' - name: ccache - uses: hendrikmuhs/ccache-action@v1.2 + uses: hendrikmuhs/ccache-action@5ebbd400eff9e74630f759d94ddd7b6c26299639 # v1.2 with: key: ${{ github.job }}-${{ matrix.version }}-${{ matrix.distro }}-${{ matrix.arch_flags }} verbose: 2 
@@ -503,9 +513,10 @@ jobs: # distro: ubuntu-24.04 runs-on: ${{ matrix.distro }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: submodules: recursive + persist-credentials: false - name: CPU Information run: cat /proc/cpuinfo - if: ${{ matrix.distro == 'ubuntu-24.04' && ( matrix.version == '15' )}} @@ -521,7 +532,7 @@ jobs: qemu-user-static pipx libc6-${{ matrix.arch_deb }}-cross libstdc++-${{ matrix.version }}-dev-${{ matrix.arch_deb }}-cross pipx install meson==1.3.2 - name: ccache - uses: hendrikmuhs/ccache-action@v1.2 + uses: hendrikmuhs/ccache-action@5ebbd400eff9e74630f759d94ddd7b6c26299639 # v1.2 with: key: ${{ github.job }}-${{ matrix.version}}${{ matrix.extra }}-${{ matrix.distro }}-${{ matrix.cross }} verbose: 2 @@ -559,9 +570,10 @@ jobs: distro: ubuntu-24.04 runs-on: ${{ matrix.distro }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: submodules: recursive + persist-credentials: false - name: CPU Information run: cat /proc/cpuinfo - name: Install APT Dependencies @@ -575,7 +587,7 @@ jobs: libstdc++-12-dev-${{ matrix.arch_deb }}-cross \ binutils-${{ matrix.arch_gnu }}-linux-gnu - name: ccache - uses: hendrikmuhs/ccache-action@v1.2 + uses: hendrikmuhs/ccache-action@5ebbd400eff9e74630f759d94ddd7b6c26299639 # v1.2 with: key: ${{ github.job }}-${{ matrix.distro }}-${{ matrix.cross }} verbose: 2 @@ -615,9 +627,10 @@ jobs: distro: ubuntu-24.04 runs-on: ${{ matrix.distro }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: submodules: recursive + persist-credentials: false - name: CPU Information run: cat /proc/cpuinfo - name: Install APT Dependencies 
@@ -629,7 +642,7 @@ jobs: libstdc++-12-dev-${{ matrix.arch_deb }}-cross \ binutils-${{ matrix.arch_gnu }}-linux-gnu ccache - name: ccache - uses: hendrikmuhs/ccache-action@v1.2 + uses: hendrikmuhs/ccache-action@5ebbd400eff9e74630f759d94ddd7b6c26299639 # v1.2 with: key: ${{ github.job }}-${{ matrix.distro }}-${{ matrix.cross }} verbose: 2 @@ -686,9 +699,10 @@ jobs: distro: ubuntu-24.04 runs-on: ${{ matrix.distro }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: submodules: recursive + persist-credentials: false - name: CPU Information run: cat /proc/cpuinfo - name: Install APT Dependencies @@ -703,7 +717,7 @@ jobs: binutils-${{ matrix.arch_gnu }}-linux-gnu${{ matrix.arch_gnu_abi }} pipx install meson - name: ccache - uses: hendrikmuhs/ccache-action@v1.2 + uses: hendrikmuhs/ccache-action@5ebbd400eff9e74630f759d94ddd7b6c26299639 # v1.2 with: key: ${{ github.job }}-${{ matrix.version }}-${{ matrix.cross }} verbose: 2 @@ -901,9 +915,10 @@ jobs: matrix.plain == true, '-Wall -Weverything -Werror', '-march=native -Wall -Weverything -Werror') }} -fno-lax-vector-conversions steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: submodules: recursive + persist-credentials: false - id: cpu name: CPU Information run: | @@ -937,7 +952,7 @@ jobs: sudo ln -s "$(command -v clang-${{ matrix.version }})" /usr/bin/cc sudo ln -s "$(command -v clang-${{ matrix.version }})" /usr/bin/c++ - name: ccache - uses: hendrikmuhs/ccache-action@v1.2 + uses: hendrikmuhs/ccache-action@5ebbd400eff9e74630f759d94ddd7b6c26299639 # v1.2 with: key: ${{ github.job }}-${{ matrix.version }}-${{ matrix.distro }}-${{ matrix.arch_flags }}${{ matrix.plain }} verbose: 2 
@@ -992,15 +1007,16 @@ jobs: CFLAGS: ${{ matrix.arch_flags }} -Wall -Weverything -Werror -Wno-complex-component-init CXXFLAGS: ${{ matrix.arch_flags }} -Wall -Weverything -Werror -Wno-complex-component-init steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: submodules: recursive + persist-credentials: false # - name: System Information # run: system_profiler - name: Compiler version run: cc --version - name: ccache - uses: hendrikmuhs/ccache-action@v1.2 + uses: hendrikmuhs/ccache-action@5ebbd400eff9e74630f759d94ddd7b6c26299639 # v1.2 with: key: ${{ github.job }}-${{ matrix.os }}-${{ matrix.xcode }} verbose: 2 @@ -1027,7 +1043,9 @@ jobs: CFLAGS: -Wall -Werror -march=native -fp-model precise CXXFLAGS: -Wall -Werror -march=native -fp-model precise steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: CPU Information run: cat /proc/cpuinfo - name: Install APT Dependencies diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml index 24604bc6e..a6b577689 100644 --- a/.github/workflows/cmake.yml +++ b/.github/workflows/cmake.yml @@ -10,6 +10,8 @@ on: branches: - 'master' +permissions: {} + concurrency: group: cmake-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true @@ -24,9 +26,11 @@ jobs: os: [macos-latest, ubuntu-latest, ubuntu-24.04-arm, windows-latest, windows-11-arm] steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - - uses: ilammy/msvc-dev-cmd@v1 + - uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1 - name: Configure SIMDe run: cmake -G Ninja -S . -B build diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 87e08a67c..b695905d3 100644 --- a/.github/workflows/codeql-analysis.yml 
+++ b/.github/workflows/codeql-analysis.yml @@ -14,6 +14,9 @@ jobs: name: Analyze runs-on: ubuntu-latest + permissions: + security-events: write + strategy: fail-fast: false matrix: @@ -25,11 +28,13 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 with: languages: ${{ matrix.language }} trap-caching: false @@ -40,4 +45,4 @@ jobs: "$HOME/.local/bin/meson" setup build - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 3e2d73b60..b04c00625 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -4,15 +4,17 @@ on: push: branches: [ master ] +permissions: {} + jobs: no-tests: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false fetch-depth: 0 - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 - name: Filter Repository run: | pip install git-filter-repo @@ -20,7 +22,7 @@ jobs: git-filter-repo --path-rename '.no-test/':'simde/' && \ git-filter-repo --subdirectory-filter simde - name: GitHub Push - uses: ad-m/github-push-action@v1.1.0 + uses: ad-m/github-push-action@4cc74773234f74829a8c21bc4d69dd4be9cfa599 # v1.1.0 with: github_token: ${{ secrets.PUSH_TO_NO_TESTS_TOKEN }} repository: simd-everywhere/simde-no-tests 
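Review bot: The new job-level `permissions` block grants only `security-events: write`, which resets every other scope for the job, including `contents: read` and `actions: read`, to none. On a public repository the checkout still appears to work, but the CodeQL starter workflow declares all three scopes and `actions: read` is, as far as I recall, documented as required for the analyze step on private repositories; listing them explicitly keeps the job self-documenting and keeps it working if repository visibility changes: `actions: read`, `contents: read`, `security-events: write`. The same `security-events: write`-only blocks appear in ossar-analysis.yml and zizmor.yml in this commit.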
@@ -28,21 +30,22 @@ jobs: status: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false fetch-depth: 0 - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 repository: simd-everywhere/implementation-status token: ${{ secrets.PUSH_IMPLEMENTATION_STATUS_TOKEN }} path: implementation-status + persist-credentials: false - name: Install APT Dependencies run: sudo apt-get update && sudo apt-get install -y python3-lxml - name: Update run: ./implementation-status/scripts/update.sh . - - uses: EndBug/add-and-commit@v10 + - uses: EndBug/add-and-commit@290ea2c423ad77ca9c62ae0f5b224379612c0321 # v10 with: cwd: implementation-status message: Sync with latest SIMDe. diff --git a/.github/workflows/gcc-snapshot.yml b/.github/workflows/gcc-snapshot.yml index baf4d0a01..ac76b2746 100644 --- a/.github/workflows/gcc-snapshot.yml +++ b/.github/workflows/gcc-snapshot.yml @@ -12,6 +12,8 @@ concurrency: group: gcc-snapshot-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true +permissions: {} + jobs: x86: runs-on: ubuntu-24.04 @@ -37,16 +39,18 @@ jobs: CXXFLAGS: -Wall -Wextra -Werror ${{ matrix.isax }} INTEL_TARGET: ${{ matrix.target }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 if: ${{ github.event_name != 'repository_dispatch' }} with: submodules: recursive - - uses: actions/checkout@v6 + persist-credentials: false + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 if: ${{ github.event_name == 'repository_dispatch' }} with: submodules: recursive repository: ${{ github.event.client_payload.repository }} ref: ${{ github.event.client_payload.ref }} + persist-credentials: false - name: CPU Information run: cat /proc/cpuinfo - name: Install APT Dependencies 
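Review bot: Adding `persist-credentials: false` to the second checkout, the one that passes `token: ${{ secrets.PUSH_IMPLEMENTATION_STATUS_TOKEN }}`, removes that token from `implementation-status/.git/config`, and the later `EndBug/add-and-commit` step, which as far as I know pushes with whatever credentials the checkout left behind, would then no longer be able to push to simd-everywhere/implementation-status. Passing the PAT to that checkout only makes sense if it is persisted, so either leave credentials persisted on this one checkout or configure the push credentials explicitly in the commit step. Whichever is chosen, a short comment on the checkout such as `# credentials must persist here: add-and-commit pushes with them` would stop the next hardening pass from repeating this.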
@@ -54,11 +58,13 @@ jobs: sudo add-apt-repository ppa:misterc/gcc-snapshot-latest-lts # sudo add-apt-repository ppa:stephanosio/ccache sudo apt-get install -y --no-install-recommends ninja-build pipx - sudo apt-get install -y ${{ github.event.client_payload.extra }} gcc-16 g++-16 # ccache + sudo apt-get install -y "${GITHUB_EVENT_CLIENT_PAYLOAD_EXTRA}" gcc-16 g++-16 # ccache sudo apt-get purge -y gcc g++ sudo ln -s /usr/bin/gcc-16 /usr/bin/gcc sudo ln -s /usr/bin/g++-16 /usr/bin/g++ pipx install meson==1.3.2 + env: + GITHUB_EVENT_CLIENT_PAYLOAD_EXTRA: ${{ github.event.client_payload.extra }} # - name: ccache # uses: hendrikmuhs/ccache-action@v1.2 # with: @@ -88,16 +94,18 @@ jobs: CFLAGS: -Wall -Wextra -Werror -march=bdver2 CXXFLAGS: -Wall -Wextra -Werror -march=bdver2 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 if: ${{ github.event_name != 'repository_dispatch' }} with: submodules: recursive - - uses: actions/checkout@v6 + persist-credentials: false + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 if: ${{ github.event_name == 'repository_dispatch' }} with: submodules: recursive repository: ${{ github.event.client_payload.repository }} ref: ${{ github.event.client_payload.ref }} + persist-credentials: false - name: CPU Information run: cat /proc/cpuinfo - name: Install APT Dependencies 
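Review bot: Moving `client_payload.extra` into an environment variable removes the template injection, but the replacement `"${GITHUB_EVENT_CLIENT_PAYLOAD_EXTRA}"` is double-quoted, which changes what apt-get receives: on push and pull_request runs the payload is empty, so apt-get gets a literal empty package name, and a dispatch payload listing several packages arrives as a single argument. The previous inline expansion was word-split, so the replacement has to be as well while still keeping the value out of the template, e.g. `read -ra EXTRA_PKGS <<< "${GITHUB_EVENT_CLIENT_PAYLOAD_EXTRA}"` followed by `sudo apt-get install -y "${EXTRA_PKGS[@]}" gcc-16 g++-16`. The hunks at `@@ -106`, `@@ -153`, `@@ -235` and `@@ -301` carry the same quoting. Those last two also name the variable `EXTRA` and put `env:` before `run:`, whereas the first three use `GITHUB_EVENT_CLIENT_PAYLOAD_EXTRA` and put `env:` after `run:`; one name and one placement across the file would be cleaner.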
@@ -106,11 +114,13 @@ jobs: # sudo add-apt-repository ppa:stephanosio/ccache sudo apt-get install -y --no-install-recommends ninja-build pipx \ qemu-user-static # ccache - sudo apt-get install -y ${{ github.event.client_payload.extra }} gcc-16 g++-16 + sudo apt-get install -y "${GITHUB_EVENT_CLIENT_PAYLOAD_EXTRA}" gcc-16 g++-16 sudo apt-get purge -y gcc g++ sudo ln -s /usr/bin/gcc-16 /usr/bin/gcc sudo ln -s /usr/bin/g++-16 /usr/bin/g++ pipx install meson==1.3.2 + env: + GITHUB_EVENT_CLIENT_PAYLOAD_EXTRA: ${{ github.event.client_payload.extra }} # - name: ccache # uses: hendrikmuhs/ccache-action@v1.2 # with: @@ -133,16 +143,18 @@ jobs: CFLAGS: -march=native -Wall -Wextra -Werror CXXFLAGS: -march=native -Wall -Wextra -Werror steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 if: ${{ github.event_name != 'repository_dispatch' }} with: submodules: recursive - - uses: actions/checkout@v6 + persist-credentials: false + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 if: ${{ github.event_name == 'repository_dispatch' }} with: submodules: recursive repository: ${{ github.event.client_payload.repository }} ref: ${{ github.event.client_payload.ref }} + persist-credentials: false - id: cpu name: CPU Information run: | @@ -153,11 +165,13 @@ jobs: # sudo add-apt-repository ppa:stephanosio/ccache sudo apt-get install -y --no-install-recommends ninja-build pipx \ libsleef-dev # ccache - sudo apt-get install -y ${{ github.event.client_payload.extra }} gcc-16 g++-16 + sudo apt-get install -y "${GITHUB_EVENT_CLIENT_PAYLOAD_EXTRA}" gcc-16 g++-16 sudo apt-get purge -y gcc g++ sudo ln -s /usr/bin/gcc-16 /usr/bin/gcc sudo ln -s /usr/bin/g++-16 /usr/bin/g++ pipx install meson==1.3.2 + env: + GITHUB_EVENT_CLIENT_PAYLOAD_EXTRA: ${{ github.event.client_payload.extra }} # - name: ccache # uses: hendrikmuhs/ccache-action@v1.2 # with: 
@@ -217,16 +231,18 @@ jobs: ) }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 if: ${{ github.event_name != 'repository_dispatch' }} with: submodules: recursive - - uses: actions/checkout@v6 + persist-credentials: false + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 if: ${{ github.event_name == 'repository_dispatch' }} with: submodules: recursive repository: ${{ github.event.client_payload.repository }} ref: ${{ github.event.client_payload.ref }} + persist-credentials: false - id: cpu name: CPU Information run: | @@ -235,12 +251,14 @@ jobs: if: ${{ matrix.gcc == 'arm-linux-gnueabihf' }} run: sudo dpkg --add-architecture armhf && sudo apt-get update && sudo apt-get install -y libstdc++6:armhf - name: Install APT Dependencies + env: + EXTRA: ${{ github.event.client_payload.extra }} run: | sudo add-apt-repository ppa:misterc/gcc-snapshot-latest-lts # sudo add-apt-repository ppa:stephanosio/ccache sudo apt-get -y install --no-install-recommends pipx ninja-build \ # ccache - sudo apt-get install -y ${{ github.event.client_payload.extra }} \ + sudo apt-get install -y "${EXTRA}" \ gcc-${{ case(matrix.gcc == '', '16', format('16-{0}', matrix.gcc)) }} \ g++-${{ case(matrix.gcc == '', '16', format('16-{0}', matrix.gcc)) }} sudo apt-get -y purge g++ gcc 
@@ -301,24 +319,28 @@ jobs: distro: ubuntu-24.04 runs-on: ${{ matrix.distro }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 if: ${{ github.event_name != 'repository_dispatch' }} with: submodules: recursive - - uses: actions/checkout@v6 + persist-credentials: false + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 if: ${{ github.event_name == 'repository_dispatch' }} with: submodules: recursive repository: ${{ github.event.client_payload.repository }} ref: ${{ github.event.client_payload.ref }} + persist-credentials: false - name: CPU Information run: cat /proc/cpuinfo - name: Install APT Dependencies + env: + EXTRA: ${{ github.event.client_payload.extra }} run: | sudo add-apt-repository ppa:misterc/gcc-snapshot-latest-lts sudo apt-get -y --no-install-recommends install ccache ninja-build \ binfmt-support qemu-user-static pipx libc6-${{ matrix.arch_deb }}-cross - sudo apt-get install -y ${{ github.event.client_payload.extra }} \ + sudo apt-get install -y "${EXTRA}" \ gcc-${{ matrix.version }}-${{ matrix.arch_gnu }}-linux-gnu \ g++-${{ matrix.version }}-${{ matrix.arch_gnu }}-linux-gnu \ libstdc++-${{ matrix.version }}-dev-${{ matrix.arch_deb }}-cross diff --git a/.github/workflows/ossar-analysis.yml b/.github/workflows/ossar-analysis.yml index 17b5e20b8..ebb1ba039 100644 --- a/.github/workflows/ossar-analysis.yml +++ b/.github/workflows/ossar-analysis.yml @@ -3,6 +3,9 @@ # https://github.com/github/ossar-action name: OSSAR +permissions: + security-events: write + on: push: branches: [master] 
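Review bot: The `permissions: security-events: write` block is placed at workflow level here, whereas codeql-analysis.yml and zizmor.yml in the same commit set `permissions: {}` at workflow level and grant `security-events: write` on the job. Moving it to the job keeps the three files consistent and keeps the workflow default locked down if another job is ever added. Either way the block resets `contents: read` and `actions: read` to none; `upload-sarif` is, as far as I recall, documented to need `actions: read` on private repositories, so spelling out `actions: read`, `contents: read`, `security-events: write` is worth considering.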
@@ -16,11 +19,12 @@ jobs: steps: # Checkout your code repository to scan - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: # We must fetch at least the immediate parents so that if this is # a pull request then we can checkout the head. fetch-depth: 2 + persist-credentials: false # If this run was triggered by a pull request event, then checkout # the head of the pull request instead of the merge commit. @@ -29,17 +33,17 @@ jobs: # Install dotnet, used by OSSAR - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5 with: dotnet-version: '6.0.x' # Run open source static analysis tools - name: Run OSSAR - uses: github/ossar-action@v1 + uses: github/ossar-action@786a16a90ba92b4ae6228fe7382fb16ef5c51000 # v1 id: ossar # Upload results to the Security tab - name: Upload OSSAR results - uses: github/codeql-action/upload-sarif@v4 + uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 with: sarif_file: ${{ steps.ossar.outputs.sarifFile }} diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 000000000..aa8259dca --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,24 @@ +name: GitHub Actions Security Analysis with zizmor 🌈 + +on: + push: + branches: ["main"] + pull_request: + branches: ["**"] + +permissions: {} + +jobs: + zizmor: + name: Run zizmor 🌈 + runs-on: ubuntu-latest + permissions: + security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files. + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor 🌈 + uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
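Review bot: The `push` trigger's `branches: ["main"]` will never fire in this repository, because every other workflow in the commit (ci.yml, deploy.yml, ossar-analysis.yml) keys on `master`; only the `pull_request` trigger will run zizmor, so commits landing directly on the default branch go unscanned. Change it to `branches: ["master"]` or drop the branch filter on `push`. The job-level `permissions` also grants `security-events: write` alone, which zeroes `contents: read` and `actions: read`; the zizmor-action documentation, as far as I recall, recommends granting all three, so the inline comment on that line could note why only one is set if that is deliberate.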