From 1184949f42d77acf1129cbce8f83e2ce951d883e Mon Sep 17 00:00:00 2001 From: Taiki Endo Date: Mon, 1 Dec 2025 00:24:40 +0900 Subject: [PATCH] Apply zizmor and update scripts --- .github/.cspell/project-dictionary.txt | 1 + .github/zizmor.yml | 16 ++++++++++++++++ .shellcheckrc | 3 +++ tools/tidy.sh | 25 ++++++++++++++++++++++++- 4 files changed, 44 insertions(+), 1 deletion(-) create mode 100644 .github/zizmor.yml
diff --git a/.github/.cspell/project-dictionary.txt b/.github/.cspell/project-dictionary.txt
index 554cca21..b03b573a 100644
--- a/.github/.cspell/project-dictionary.txt
+++ b/.github/.cspell/project-dictionary.txt
@@ -24,6 +24,7 @@ pluginconf ppcle quickinstall rclone
+rdme rootfs sccache syft
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 00000000..789f8c87
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,16 @@
+# zizmor configuration
+# https://docs.zizmor.sh/configuration/
+
+rules:
+ dependabot-cooldown: { disable: true } # Useless unless unpinned-uses is enabled.
+ ref-confusion: { disable: true } # TODO: Old GHA didn't work without this pattern in some cases, but does it seem to be fixed?
+ secrets-inherit: { disable: true }
+ unpinned-uses:
+ config:
+ policies:
+ taiki-e/*: any
+ '*': ref-pin
+ obfuscation:
+ ignore:
+ # We use `shell: cmd` to test compatibility
+ - ci.yml
diff --git a/.shellcheckrc b/.shellcheckrc
index 339847ea..54bdb7bf 100644
--- a/.shellcheckrc
+++ b/.shellcheckrc
@@ -5,6 +5,9 @@ # https://github.com/koalaman/shellcheck/wiki/Optional # https://google.github.io/styleguide/shellguide.html
+# https://github.com/koalaman/shellcheck/wiki/Directive#external-sources
+external-sources=true
+ # https://github.com/koalaman/shellcheck/wiki/SC2249 # enable=add-default-case
diff --git a/tools/tidy.sh b/tools/tidy.sh
index 0b54a699..a877974e 100755
--- a/tools/tidy.sh
+++ b/tools/tidy.sh
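Review bot: In the new .github/zizmor.yml, `secrets-inherit: { disable: true }` is the only disabled rule without a comment, so a reader cannot tell whether a reusable-workflow call here really needs `secrets: inherit` or the audit was simply noisy; suggest `secrets-inherit: { disable: true } # <which workflow passes secrets: inherit and why that is intended>`. The `ref-confusion` rule is disabled on an open question ("does it seem to be fixed?"); that audit is what flags a `uses:` ref that could resolve to either a branch or a tag, so the TODO is worth resolving now rather than carrying in the config. Separately, the `'*': ref-pin` policy accepts mutable tag refs for third-party actions, and `hash-pin` is the stricter value if the project wants immutable pins; if tag pins are a deliberate choice, a one-line comment saying so would help.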
@@ -8,7 +8,7 @@ trap -- 'printf >&2 "%s\n" "${0##*/}: trapped SIGINT"; exit 1' SIGINT cd -- "$(dirname -- "$0")"/.. # USAGE:
-# ./tools/tidy.sh
+# GH_TOKEN=$(gh auth token) ./tools/tidy.sh # # Note: This script requires the following tools: # - git 1.8+
@@ -17,6 +17,7 @@ cd -- "$(dirname -- "$0")"/.. # - python 3.6+ and pipx # - shfmt # - shellcheck
+# - zizmor # - cargo, rustfmt (if Rust code exists) # - clang-format (if C/C++/Protobuf code exists) # - parse-dockerfile (if Dockerfile exists)
@@ -905,6 +906,18 @@ EOF fi fi fi
+zizmor_targets=(${workflows[@]+"${workflows[@]}"} ${actions[@]+"${actions[@]}"})
+if [[ -e .github/dependabot.yml ]]; then
+ zizmor_targets+=(.github/dependabot.yml)
+fi
+if [[ ${#zizmor_targets[@]} -gt 0 ]]; then
+ if check_install zizmor; then
+ IFS=' '
+ info "running \`zizmor ${zizmor_targets[*]}\`"
+ IFS=$'\n\t'
+ zizmor "${zizmor_targets[@]}"
+ fi
+fi printf '\n' check_alt '.sh extension' '*.bash extension' "$(ls_files '*.bash')"
@@ -981,6 +994,7 @@ if [[ -f .cspell.json ]]; then dependencies_words=$(npx -y cspell stdin --no-progress --no-summary --words-only --unique <<<"${dependencies}" || true) fi all_words=$(ls_files | { grep -Fv "${project_dictionary}" || true; } | npx -y cspell --file-list stdin --no-progress --no-summary --words-only --unique || true)
+ all_words+=$'\n'$(ls_files | npx -y cspell stdin --no-progress --no-summary --words-only --unique || true) printf '%s\n' "${config_old}" >|.cspell.json trap -- 'printf >&2 "%s\n" "${0##*/}: trapped SIGINT"; exit 1' SIGINT cat >|.github/.cspell/rust-dependencies.txt <
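Review bot: The new usage line `# GH_TOKEN=$(gh auth token) ./tools/tidy.sh` hands a GitHub token to the whole script without saying which step consumes it or whether it can be omitted; presumably it is for zizmor's online audits, added in the same commit, but the comment should say so. Because it is an environment variable, every tool the script launches inherits it, including the `npx -y cspell` invocations visible in the last hunk, which is wider exposure than a single consumer needs. Suggest extending the comment, e.g. `# GH_TOKEN is optional; it is only read by zizmor's online audits (confirm). Note it is inherited by every tool this script runs.`, and, if only zizmor needs it, consider supplying the token to that one invocation instead of the whole process environment.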
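Review bot: In the zizmor block, the restore line `IFS=$'\n\t'` hard-codes the script's global separator instead of restoring whatever was in effect, so this block silently diverges if the prologue value ever changes (the prologue is outside the hunk), and the temporary `IFS=' '` also stays in force while `info` runs. Since the join is only for the log message, a command substitution keeps the change local and removes both assignments: `info "running \`zizmor $(IFS=' '; printf '%s' "${zizmor_targets[*]}")\`"`. The surrounding `if` nesting closed by `fi fi fi` begins outside the hunk.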