diff --git a/.github/dependabot.yml b/.github/dependabot.yml index d67f7cead..f0227f389 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -8,3 +8,5 @@ updates: schedule: # Check for updates to GitHub Actions every day interval: "daily" + cooldown: + default-days: 7 diff --git a/.github/workflows/code_checks.yaml b/.github/workflows/code_checks.yaml index db062c737..37f0c243a 100644 --- a/.github/workflows/code_checks.yaml +++ b/.github/workflows/code_checks.yaml @@ -8,12 +8,17 @@ on: env: PY_COLORS: "1" +permissions: + contents: read + jobs: tests: runs-on: ubuntu-latest steps: - name: Check out repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up python id: setup-python uses: actions/setup-python@v6 diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 600c645e0..c61b8b5d2 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -29,6 +29,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v6 + with: + persist-credentials: false # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml index 85d1e9367..ecaa419f1 100644 --- a/.github/workflows/nightly.yaml +++ b/.github/workflows/nightly.yaml @@ -5,6 +5,9 @@ on: - cron: '15 23 * * *' workflow_dispatch: +permissions: + contents: read + jobs: nightly_job: if: github.repository_owner == 'IntersectMBO' || github.event_name != 'schedule' @@ -13,7 +16,6 @@ jobs: with: env-path: runner/env_nightly secrets: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} CI_FAIL_MAILS: ${{ secrets.NIGHTLY_FAIL_MAILS }} GMAIL_USERNAME: ${{ secrets.GMAIL_USERNAME }} GMAIL_PASSWORD: ${{ secrets.GMAIL_PASSWORD }} diff --git a/.github/workflows/nightly_cli.yaml b/.github/workflows/nightly_cli.yaml index 652a7cbf6..6cd42e75c 100644 --- a/.github/workflows/nightly_cli.yaml +++ b/.github/workflows/nightly_cli.yaml 
@@ -5,6 +5,9 @@ on: - cron: '15 03 * * *' workflow_dispatch: +permissions: + contents: read + jobs: nightly_job: if: github.repository_owner == 'IntersectMBO' || github.event_name != 'schedule' @@ -13,7 +16,6 @@ jobs: with: env-path: runner/env_nightly_cli secrets: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} CI_FAIL_MAILS: ${{ secrets.NIGHTLY_FAIL_MAILS }} GMAIL_USERNAME: ${{ secrets.GMAIL_USERNAME }} GMAIL_PASSWORD: ${{ secrets.GMAIL_PASSWORD }} diff --git a/.github/workflows/nightly_dbsync.yaml b/.github/workflows/nightly_dbsync.yaml index 6a589064c..c3ceb0484 100644 --- a/.github/workflows/nightly_dbsync.yaml +++ b/.github/workflows/nightly_dbsync.yaml @@ -5,6 +5,9 @@ on: - cron: '15 01 * * *' workflow_dispatch: +permissions: + contents: read + jobs: nightly_job: if: github.repository_owner == 'IntersectMBO' || github.event_name != 'schedule' @@ -13,7 +16,6 @@ jobs: with: env-path: runner/env_nightly_dbsync secrets: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} CI_FAIL_MAILS: ${{ secrets.NIGHTLY_FAIL_MAILS }} GMAIL_USERNAME: ${{ secrets.GMAIL_USERNAME }} GMAIL_PASSWORD: ${{ secrets.GMAIL_PASSWORD }} diff --git a/.github/workflows/nightly_pv11.yaml b/.github/workflows/nightly_pv11.yaml index 0b4aaec37..b0440275c 100644 --- a/.github/workflows/nightly_pv11.yaml +++ b/.github/workflows/nightly_pv11.yaml @@ -5,6 +5,9 @@ on: - cron: '15 02 * * *' workflow_dispatch: +permissions: + contents: read + jobs: nightly_job: if: github.repository_owner == 'IntersectMBO' || github.event_name != 'schedule' @@ -13,7 +16,6 @@ jobs: with: env-path: runner/env_nightly_pv11 secrets: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} CI_FAIL_MAILS: ${{ secrets.NIGHTLY_FAIL_MAILS }} GMAIL_USERNAME: ${{ secrets.GMAIL_USERNAME }} GMAIL_PASSWORD: ${{ secrets.GMAIL_PASSWORD }} diff --git a/.github/workflows/nightly_upgrade.yaml b/.github/workflows/nightly_upgrade.yaml index 285241dc2..2b0a4fff7 100644 --- a/.github/workflows/nightly_upgrade.yaml +++ b/.github/workflows/nightly_upgrade.yaml 
@@ -5,6 +5,9 @@ on: - cron: '15 04 * * *' workflow_dispatch: +permissions: + contents: read + jobs: nightly_job: if: github.repository_owner == 'IntersectMBO' || github.event_name != 'schedule' @@ -13,7 +16,6 @@ jobs: with: env-path: runner/env_nightly_upgrade secrets: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} CI_FAIL_MAILS: ${{ secrets.NIGHTLY_FAIL_MAILS }} GMAIL_USERNAME: ${{ secrets.GMAIL_USERNAME }} GMAIL_PASSWORD: ${{ secrets.GMAIL_PASSWORD }} diff --git a/.github/workflows/nix_smoke.yaml b/.github/workflows/nix_smoke.yaml index bc1c016e2..f4f93c237 100644 --- a/.github/workflows/nix_smoke.yaml +++ b/.github/workflows/nix_smoke.yaml @@ -10,12 +10,17 @@ on: - '.github/workflows/nix_smoke.yaml' workflow_dispatch: +permissions: + contents: read + jobs: nix_smoke: runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v6 + with: + persist-credentials: false - name: Install Nix uses: cachix/install-nix-action@v31 with: diff --git a/.github/workflows/regression-dbsync.yaml b/.github/workflows/regression-dbsync.yaml index 3e10a330d..a9f9a205f 100644 --- a/.github/workflows/regression-dbsync.yaml +++ b/.github/workflows/regression-dbsync.yaml @@ -70,6 +70,9 @@ on: run-name: ${{ inputs.testrun_name && 'Run:' || ''}} ${{ inputs.testrun_name }} ${{ (inputs.testrun_name && inputs.skip_passed) && ':repeat:' || '' }} +permissions: + contents: read + jobs: regression_tests: # reusable workflow from local repo and same branch as this config @@ -88,7 +91,6 @@ jobs: skip_passed: ${{ inputs.skip_passed }} env-path: runner/env_regression_dbsync secrets: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} TCACHE_BASIC_AUTH: ${{ secrets.TCACHE_BASIC_AUTH }} TCACHE_URL: ${{ secrets.TCACHE_URL }} CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} diff --git a/.github/workflows/regression.yaml b/.github/workflows/regression.yaml index 1d50da6a3..120eedebb 100644 --- a/.github/workflows/regression.yaml +++ b/.github/workflows/regression.yaml 
@@ -62,6 +62,9 @@ on: run-name: ${{ inputs.testrun_name && 'Run:' || ''}} ${{ inputs.testrun_name }} ${{ (inputs.testrun_name && inputs.skip_passed) && ':repeat:' || '' }} +permissions: + contents: read + jobs: regression_tests: # reusable workflow from local repo and same branch as this config @@ -79,7 +82,6 @@ jobs: skip_passed: ${{ inputs.skip_passed }} env-path: runner/env_regression secrets: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} TCACHE_BASIC_AUTH: ${{ secrets.TCACHE_BASIC_AUTH }} TCACHE_URL: ${{ secrets.TCACHE_URL }} CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} diff --git a/.github/workflows/regression_reusable.yaml b/.github/workflows/regression_reusable.yaml index 96212852f..149d06382 100644 --- a/.github/workflows/regression_reusable.yaml +++ b/.github/workflows/regression_reusable.yaml @@ -52,8 +52,6 @@ on: type: boolean default: false secrets: - GH_TOKEN: - required: true TCACHE_BASIC_AUTH: required: false TCACHE_URL: 
@@ -68,56 +66,64 @@ on: required: false env: - CI_FAIL_MAILS: ${{ secrets.CI_FAIL_MAILS }} - CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} + PY_COLORS: "1" + NODE_REV: ${{ inputs.node_rev }} + CARDANO_CLI_REV: ${{ inputs.cli_rev }} + DBSYNC_REV: ${{ inputs.dbsync_rev }} + MARKEXPR: ${{ inputs.markexpr }} + UTXO_BACKEND: ${{ inputs.utxo_backend }} + ALLOW_UNSTABLE_ERROR_MESSAGES: ${{ inputs.allow_unstable_error_msgs }} + CI_CLUSTER_ERA: ${{ inputs.cluster_era }} + CI_CONSENSUS_MODE: ${{ inputs.consensus_mode }} + CI_BYRON_CLUSTER: ${{ inputs.byron_cluster }} + CI_TESTRUN_NAME: ${{ inputs.testrun_name }} + CI_SKIP_PASSED: ${{ inputs.skip_passed }} jobs: reusable_run: runs-on: ubuntu-latest + # The `secrets` context is not available in step-level `if:` expressions, + # so promote secret-presence checks to job-level booleans (allowed here) + # and gate the steps on `env.HAS_*` instead. + env: + HAS_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN != '' }} + HAS_CI_FAIL_MAILS: ${{ secrets.CI_FAIL_MAILS != '' }} steps: - name: Maximize build space uses: ublue-os/remove-unwanted-software@v9 - name: Checkout code uses: actions/checkout@v6 + with: + persist-credentials: false - name: Install Nix uses: cachix/install-nix-action@v31 with: extra_nix_config: | - access-tokens = github.com=${{ secrets.GH_TOKEN }} + access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ= iohk.cachix.org-1:DpRUyj7h7V830dp/i6Nti+NEO2/nhblbov/8MW7Rqoo= substituters = https://cache.nixos.org https://cache.iog.io https://iohk.cachix.org allow-import-from-derivation = true - - name: Collect env variables - run: | - : > .github_ci_env - echo "PY_COLORS=1" >> .github_ci_env - echo "NODE_REV=${{ inputs.node_rev }}" >> .github_ci_env - echo "CARDANO_CLI_REV=${{ inputs.cli_rev }}" >> .github_ci_env - echo "DBSYNC_REV=${{ inputs.dbsync_rev }}" >> 
.github_ci_env - echo "MARKEXPR=${{ inputs.markexpr }}" >> .github_ci_env - echo "UTXO_BACKEND=${{ inputs.utxo_backend }}" >> .github_ci_env - echo "ALLOW_UNSTABLE_ERROR_MESSAGES=${{ inputs.allow_unstable_error_msgs }}" >> .github_ci_env - echo "CI_CLUSTER_ERA=${{ inputs.cluster_era }}" >> .github_ci_env - echo "CI_CONSENSUS_MODE=${{ inputs.consensus_mode }}" >> .github_ci_env - echo "CI_BYRON_CLUSTER=${{ inputs.byron_cluster }}" >> .github_ci_env - echo "CI_TESTRUN_NAME=${{ inputs.testrun_name }}" >> .github_ci_env - echo "CI_SKIP_PASSED=${{ inputs.skip_passed }}" >> .github_ci_env - if [ -e "${{ inputs.env-path }}" ]; then cat "${{ inputs.env-path }}" >> .github_ci_env; fi - - name: Export env variables + - name: Load extra env from file + if: inputs.env-path + env: + ENV_PATH: ${{ inputs.env-path }} run: | - cat .github_ci_env - cat .github_ci_env >> $GITHUB_ENV - echo "GITHUB_TOKEN=${{ secrets.GH_TOKEN }}" >> $GITHUB_ENV + if [ -e "$ENV_PATH" ]; then cat "$ENV_PATH" >> "$GITHUB_ENV"; fi - name: Get previous test results if: inputs.testrun_name && inputs.skip_passed + env: + TCACHE_BASIC_AUTH: ${{ secrets.TCACHE_BASIC_AUTH }} + TCACHE_URL: ${{ secrets.TCACHE_URL }} run: | - if [ -n "${{ secrets.TCACHE_BASIC_AUTH }}" ] && [ -n "${{ secrets.TCACHE_URL }}" ]; then - testrun_name_strip="$(echo "${{ inputs.testrun_name }}" | sed 's/[^a-zA-Z0-9_-]//g')" - curl -s -u ${{ secrets.TCACHE_BASIC_AUTH }} "${{ secrets.TCACHE_URL }}/${testrun_name_strip}/pypassed" > deselected_tests.txt - echo "DESELECT_FROM_FILE=deselected_tests.txt" >> $GITHUB_ENV + if [ -n "$TCACHE_BASIC_AUTH" ] && [ -n "$TCACHE_URL" ]; then + testrun_name_strip="${CI_TESTRUN_NAME//[!a-zA-Z0-9_-]/}" + curl -s -u "$TCACHE_BASIC_AUTH" "$TCACHE_URL/${testrun_name_strip}/pypassed" > deselected_tests.txt + echo "DESELECT_FROM_FILE=deselected_tests.txt" >> "$GITHUB_ENV" fi - name: ▶️ Run Regression Tests id: testing-step + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | # env echo "::group::Script setup" 
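Review bot: In the `Get previous test results` step the GET still runs `curl -s ... > deselected_tests.txt` with no `--fail`, so a non-2xx reply (missing cache entry, bad credentials, wrong URL) writes the error body into the file and `DESELECT_FROM_FILE` is exported anyway, whereas the PUT later in this workflow uses `--fail-with-body`; `if curl -sf -u "$TCACHE_BASIC_AUTH" "$TCACHE_URL/${testrun_name_strip}/pypassed" > deselected_tests.txt; then echo "DESELECT_FROM_FILE=deselected_tests.txt" >> "$GITHUB_ENV"; fi` keeps a cache miss from becoming a bogus deselect list. Separately, moving the input values from `.github_ci_env` into the workflow-level `env:` changes how they interact with the `runner/env_*` file: before, inputs and file contents were appended to `$GITHUB_ENV` in one stream, now the inputs are workflow `env` and only the file goes through `$GITHUB_ENV`, so if any env file sets a key that also appears in the top-level `env:` (for example `MARKEXPR`), confirm the effective precedence is the intended one. The same applies to the equivalent hunk in upgrade_reusable.yaml. The `Run Regression Tests` step body continues outside the hunk.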
@@ -125,7 +131,7 @@ jobs: echo "::endgroup::" - name: Load failure-analysis prompt id: load-analysis-prompt - if: (success() || failure()) && steps.testing-step.outcome != 'success' && env.CLAUDE_CODE_OAUTH_TOKEN + if: (success() || failure()) && steps.testing-step.outcome != 'success' && env.HAS_OAUTH_TOKEN == 'true' run: | { echo 'ANALYSIS_PROMPT<<__EOF_PROMPT42__' @@ -134,7 +140,7 @@ jobs: } >> "$GITHUB_ENV" - name: 🤖 Analyze test failures with Claude id: analyze-failures - if: (success() || failure()) && steps.testing-step.outcome != 'success' && env.CLAUDE_CODE_OAUTH_TOKEN + if: (success() || failure()) && steps.testing-step.outcome != 'success' && env.HAS_OAUTH_TOKEN == 'true' continue-on-error: true uses: anthropics/claude-code-base-action@beta with: @@ -145,7 +151,7 @@ jobs: prompt: ${{ env.ANALYSIS_PROMPT }} - name: Read failure analysis into env id: read-analysis - if: (success() || failure()) && steps.testing-step.outcome != 'success' && env.CLAUDE_CODE_OAUTH_TOKEN + if: (success() || failure()) && steps.testing-step.outcome != 'success' && env.HAS_OAUTH_TOKEN == 'true' run: | if [ -s run_workdir/failure_analysis.md ]; then { 
@@ -169,10 +175,13 @@ jobs: fi - name: Report test results if: (success() || failure()) && inputs.testrun_name + env: + TCACHE_BASIC_AUTH: ${{ secrets.TCACHE_BASIC_AUTH }} + TCACHE_URL: ${{ secrets.TCACHE_URL }} run: | - if [ -n "${{ secrets.TCACHE_BASIC_AUTH }}" ] && [ -n "${{ secrets.TCACHE_URL }}" ] && [ -e run_workdir/testrun-report.xml ]; then - testrun_name_strip="$(echo "${{ inputs.testrun_name }}" | sed 's/[^a-zA-Z0-9_-]//g')" - curl -s -X PUT --fail-with-body -u ${{ secrets.TCACHE_BASIC_AUTH }} "${{ secrets.TCACHE_URL }}/${testrun_name_strip}/${{ github.run_number }}/import" -F "junitxml=@run_workdir/testrun-report.xml" + if [ -n "$TCACHE_BASIC_AUTH" ] && [ -n "$TCACHE_URL" ] && [ -e run_workdir/testrun-report.xml ]; then + testrun_name_strip="${CI_TESTRUN_NAME//[!a-zA-Z0-9_-]/}" + curl -s -X PUT --fail-with-body -u "$TCACHE_BASIC_AUTH" "$TCACHE_URL/${testrun_name_strip}/${{ github.run_number }}/import" -F "junitxml=@run_workdir/testrun-report.xml" fi - name: ↟ Upload testing artifacts on failure uses: actions/upload-artifact@v7 @@ -215,7 +224,7 @@ jobs: path: run_workdir/cli_coverage.json - name: ✉ Mail failure report uses: dawidd6/action-send-mail@v17 - if: (success() || failure()) && steps.testing-step.outcome != 'success' && env.CI_FAIL_MAILS && github.event_name == 'schedule' + if: (success() || failure()) && steps.testing-step.outcome != 'success' && env.HAS_CI_FAIL_MAILS == 'true' && github.event_name == 'schedule' with: server_address: smtp.gmail.com server_port: 465 diff --git a/.github/workflows/upgrade.yaml b/.github/workflows/upgrade.yaml index 42d057036..062831dfa 100644 --- a/.github/workflows/upgrade.yaml +++ b/.github/workflows/upgrade.yaml @@ -20,6 +20,9 @@ on: default: false description: "Start cluster in Byron era" +permissions: + contents: read + jobs: upgrade_tests: # reusable workflow from local repo and same branch as this config 
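Review bot: `${{ github.run_number }}` is still expanded directly into the shell command of `Report test results`, while every other value on that line was moved to `env:` in this commit; it is a GitHub-supplied integer, so there is no injection concern, but for consistency with the template-injection audit the commit enables, pass it the same way: `RUN_NUMBER: ${{ github.run_number }}` under the step's `env:` and `"$TCACHE_URL/${testrun_name_strip}/$RUN_NUMBER/import"` in the command. The strip also leaves `testrun_name_strip` empty when `inputs.testrun_name` contains no allowed characters, producing a `//` path segment in the URL; that predates this change but is worth a guard now that the step is being touched. The mail-report hunk below changes only the condition.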
@@ -31,5 +34,3 @@ jobs: upgrade_cli_rev: ${{ inputs.upgrade_cli_rev }} byron_cluster: ${{ inputs.byron_cluster }} env-path: runner/env_upgrade - secrets: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/upgrade_reusable.yaml b/.github/workflows/upgrade_reusable.yaml index 178d7d4f7..e9fa3a307 100644 --- a/.github/workflows/upgrade_reusable.yaml +++ b/.github/workflows/upgrade_reusable.yaml @@ -27,8 +27,6 @@ on: type: boolean default: false secrets: - GH_TOKEN: - required: true CI_FAIL_MAILS: required: false GMAIL_USERNAME: 
@@ -39,42 +37,47 @@ on: required: false env: - CI_FAIL_MAILS: ${{ secrets.CI_FAIL_MAILS }} - CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} + PY_COLORS: "1" + BASE_REVISION: ${{ inputs.base_rev }} + BASE_TAR_URL: ${{ inputs.base_tar_url }} + UPGRADE_REVISION: ${{ inputs.upgrade_rev }} + UPGRADE_CLI_REVISION: ${{ inputs.upgrade_cli_rev }} + CI_BYRON_CLUSTER: ${{ inputs.byron_cluster }} jobs: reusable_run: runs-on: ubuntu-latest + # The `secrets` context is not available in step-level `if:` expressions, + # so promote secret-presence checks to job-level booleans (allowed here) + # and gate the steps on `env.HAS_*` instead. + env: + HAS_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN != '' }} + HAS_CI_FAIL_MAILS: ${{ secrets.CI_FAIL_MAILS != '' }} steps: - name: Maximize build space uses: ublue-os/remove-unwanted-software@v9 - name: Checkout code uses: actions/checkout@v6 + with: + persist-credentials: false - name: Install Nix uses: cachix/install-nix-action@v31 with: extra_nix_config: | - access-tokens = github.com=${{ secrets.GH_TOKEN }} + access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ= iohk.cachix.org-1:DpRUyj7h7V830dp/i6Nti+NEO2/nhblbov/8MW7Rqoo= substituters = https://cache.nixos.org https://cache.iog.io https://iohk.cachix.org allow-import-from-derivation = true - - name: Collect env variables - run: | - : > .github_ci_env - echo "PY_COLORS=1" >> .github_ci_env - echo "BASE_REVISION=${{ inputs.base_rev }}" >> .github_ci_env - echo "BASE_TAR_URL=${{ inputs.base_tar_url }}" >> .github_ci_env - echo "UPGRADE_REVISION=${{ inputs.upgrade_rev }}" >> .github_ci_env - echo "UPGRADE_CLI_REVISION=${{ inputs.upgrade_cli_rev }}" >> .github_ci_env - echo "CI_BYRON_CLUSTER=${{ inputs.byron_cluster }}" >> .github_ci_env - if [ -e "${{ inputs.env-path }}" ]; then cat "${{ inputs.env-path }}" >> .github_ci_env; 
fi - - name: Export env variables + - name: Load extra env from file + if: inputs.env-path + env: + ENV_PATH: ${{ inputs.env-path }} run: | - cat .github_ci_env - cat .github_ci_env >> $GITHUB_ENV - echo "GITHUB_TOKEN=${{ secrets.GH_TOKEN }}" >> $GITHUB_ENV + if [ -e "$ENV_PATH" ]; then cat "$ENV_PATH" >> "$GITHUB_ENV"; fi - name: ▶️ Run Upgrade Tests id: testing-step + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | # env echo "::group::Script setup" @@ -82,7 +85,7 @@ jobs: echo "::endgroup::" - name: Load failure-analysis prompt id: load-analysis-prompt - if: (success() || failure()) && steps.testing-step.outcome != 'success' && env.CLAUDE_CODE_OAUTH_TOKEN + if: (success() || failure()) && steps.testing-step.outcome != 'success' && env.HAS_OAUTH_TOKEN == 'true' run: | { echo 'ANALYSIS_PROMPT<<__EOF_PROMPT42__' @@ -91,7 +94,7 @@ jobs: } >> "$GITHUB_ENV" - name: 🤖 Analyze test failures with Claude id: analyze-failures - if: (success() || failure()) && steps.testing-step.outcome != 'success' && env.CLAUDE_CODE_OAUTH_TOKEN + if: (success() || failure()) && steps.testing-step.outcome != 'success' && env.HAS_OAUTH_TOKEN == 'true' continue-on-error: true uses: anthropics/claude-code-base-action@beta with: @@ -102,7 +105,7 @@ jobs: prompt: ${{ env.ANALYSIS_PROMPT }} - name: Read failure analysis into env id: read-analysis - if: (success() || failure()) && steps.testing-step.outcome != 'success' && env.CLAUDE_CODE_OAUTH_TOKEN + if: (success() || failure()) && steps.testing-step.outcome != 'success' && env.HAS_OAUTH_TOKEN == 'true' run: | if [ -s run_workdir/failure_analysis.md ]; then { 
@@ -176,7 +179,7 @@ jobs: path: run_workdir/cli_coverage.json - name: ✉ Mail failure report uses: dawidd6/action-send-mail@v17 - if: (success() || failure()) && steps.testing-step.outcome != 'success' && env.CI_FAIL_MAILS && github.event_name == 'schedule' + if: (success() || failure()) && steps.testing-step.outcome != 'success' && env.HAS_CI_FAIL_MAILS == 'true' && github.event_name == 'schedule' with: server_address: smtp.gmail.com server_port: 465 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 038d95283..a381e5c18 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -32,6 +32,17 @@ repos: hooks: - id: rstcheck additional_dependencies: [sphinx, toml] +- repo: https://github.com/rhysd/actionlint + rev: v1.7.12 + hooks: + - id: actionlint + # Allow empty-string options in workflow_dispatch `type: choice` lists: + # we use "" to mean "leave the backend/era at its default". + args: ['-ignore', 'string should not be empty'] +- repo: https://github.com/zizmorcore/zizmor-pre-commit + rev: v1.25.2 + hooks: + - id: zizmor - repo: local hooks: - id: mypy diff --git a/cardano_node_tests/utils/blockers.py b/cardano_node_tests/utils/blockers.py index f7f14764f..fb823d691 100644 --- a/cardano_node_tests/utils/blockers.py +++ b/cardano_node_tests/utils/blockers.py @@ -13,8 +13,7 @@ LOGGER = logging.getLogger(__name__) -if os.environ.get("GITHUB_TOKEN"): - gh_issue.GHIssue.TOKEN = os.environ.get("GITHUB_TOKEN") +gh_issue.GHIssue.TOKEN = os.environ.get("GITHUB_TOKEN") class GH: diff --git a/zizmor.yml b/zizmor.yml new file mode 100644 index 000000000..4bb9d0126 --- /dev/null +++ b/zizmor.yml 
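Review bot: `gh_issue.GHIssue.TOKEN = os.environ.get("GITHUB_TOKEN")` now assigns `None` when the variable is unset, whereas the removed guard left the class attribute untouched; if `GHIssue.TOKEN` carries a non-None default elsewhere, this clobbers it, so `gh_issue.GHIssue.TOKEN = os.environ.get("GITHUB_TOKEN") or gh_issue.GHIssue.TOKEN` (or keeping the guard) preserves the previous behaviour. Note also that the token this reads is now the job's `GITHUB_TOKEN`, which after this commit is restricted to `contents: read` by the callers' `permissions:` blocks; if the issue lookups behind `GHIssue` need an authenticated issues read, confirm they still succeed, and add `issues: read` to the callers otherwise. The `GH` class that follows is outside the hunk.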
@@ -0,0 +1,8 @@ +# Deliberate: workflows pin third-party actions by major tag (e.g. @v6) and +# rely on Dependabot (.github/dependabot.yml) to bump them, with a 7-day +# cooldown to avoid churn from fresh point releases. SHA-pinning every +# action would force manual SHA bumps on every Dependabot PR with no +# additional protection over the Dependabot review flow. +rules: + unpinned-uses: + disable: true
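Review bot: The rationale for disabling `unpinned-uses` states that third-party actions are pinned to a major tag, but `anthropics/claude-code-base-action@beta` in regression_reusable.yaml and upgrade_reusable.yaml is pinned to a branch, which is mutable and is not covered by the Dependabot major-tag flow the comment relies on. Rather than disabling the audit repository-wide, pin that one action to a commit SHA (Dependabot keeps the version comment beside a SHA pin up to date) or, if the zizmor version in use supports per-pattern policies for `unpinned-uses`, scope the exemption to the `@vN`-tagged actions and keep the audit active for everything else. At minimum the comment should record the exception: `# NOTE: anthropics/claude-code-base-action@beta is a branch ref, not a tag; review it on every update.`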