From df63be06f8e8cce99b25171632e80c507c018d97 Mon Sep 17 00:00:00 2001
From: Dominic Hamon
Date: Thu, 25 Jun 2026 09:33:41 +0100
Subject: [PATCH] Run an autofix pass on github workflows using zizmor

Zizmor is going to be automatically installed in this repo shortly. To avoid any churn, this is a pre-run to fix up any potential vulnerabilities identified by the tool.
---
.github/workflows/bazel.yml | 2 ++
.github/workflows/build-and-test-min-cmake.yml | 2 ++
.../workflows/build-and-test-perfcounters.yml | 2 ++
.github/workflows/build-and-test.yml | 18 +++++++++++++++---
.github/workflows/clang-format-lint.yml | 2 ++
.github/workflows/clang-tidy-lint.yml | 2 ++
.github/workflows/doxygen.yml | 2 ++
.github/workflows/ossf.yml | 4 +++-
.github/workflows/sanitizer.yml | 14 +++++++++-----
.github/workflows/test_bindings.yml | 2 ++
.github/workflows/wheels.yml | 4 ++++
11 files changed, 45 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/bazel.yml b/.github/workflows/bazel.yml
index d6a142942..d7846039c 100644
--- a/.github/workflows/bazel.yml
+++ b/.github/workflows/bazel.yml
@@ -20,6 +20,8 @@ jobs:
os: [ubuntu-latest, macos-latest, windows-latest]
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+ with:
+ persist-credentials: false
- name: mount bazel cache
uses: actions/cache@2c8a9bd7457de244a408f35966fab2fb45fda9c8 # v6.0.0
diff --git a/.github/workflows/build-and-test-min-cmake.yml b/.github/workflows/build-and-test-min-cmake.yml
index 35bd3245e..bd829eb5f 100644
--- a/.github/workflows/build-and-test-min-cmake.yml
+++ b/.github/workflows/build-and-test-min-cmake.yml
@@ -20,6 +20,8 @@ jobs:
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+ with:
+ persist-credentials: false
- uses: lukka/get-cmake@f5b8fbb4d77cec1acc5a5f9f0df4beffaf5d98d9 # latest
with:
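Review bot: The `# latest` comment on the SHA-pinned `lukka/get-cmake@f5b8fbb4…` line directly below the added `persist-credentials: false` records no version, so nothing documents which release the hash corresponds to and version-bump tooling has nothing to compare against; replace it with the resolved tag, `uses: lukka/get-cmake@f5b8fbb4d77cec1acc5a5f9f0df4beffaf5d98d9 # vX.Y.Z` (the value has to be looked up in that action's repository). The line is pre-existing context rather than part of this change, but every other pinned action in the patch carries a real version comment, so it stands out in a zizmor pass. The same line appears in build-and-test.yml and would want the same treatment. The enclosing job continues below the hunk.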
diff --git a/.github/workflows/build-and-test-perfcounters.yml b/.github/workflows/build-and-test-perfcounters.yml
index a270aca76..3a9a5cdb3 100644
--- a/.github/workflows/build-and-test-perfcounters.yml
+++ b/.github/workflows/build-and-test-perfcounters.yml
@@ -24,6 +24,8 @@ jobs:
build_type: ['Release', 'Debug']
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+ with:
+ persist-credentials: false
- name: install libpfm
run: |
diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
index 38d8e1f79..32b0060b9 100644
--- a/.github/workflows/build-and-test.yml
+++ b/.github/workflows/build-and-test.yml
@@ -31,6 +31,8 @@ jobs:
run: brew install ninja
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+ with:
+ persist-credentials: false
- name: build
uses: threeal/cmake-action@725d1314ccf9ea922805d7e3f9d9bcbca892b406 # v2.1.0
@@ -78,21 +80,29 @@ jobs:
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+ with:
+ persist-credentials: false
- uses: lukka/get-cmake@f5b8fbb4d77cec1acc5a5f9f0df4beffaf5d98d9 # latest
- name: configure cmake
run: >
- cmake -S . -B ${{ runner.workspace }}/_build/
+ cmake -S . -B $env:RUNNER_WORKSPACE/_build/
-G "${{ matrix.generator }}"
-DBENCHMARK_DOWNLOAD_DEPENDENCIES=ON
-DBUILD_SHARED_LIBS=${{ matrix.lib == 'shared' }}
+ env:
+ RUNNER_WORKSPACE: ${{ runner.workspace }}
- name: build
- run: cmake --build ${{ runner.workspace }}/_build/ --config ${{ matrix.build_type }}
+ run: cmake --build $env:RUNNER_WORKSPACE/_build/ --config ${{ matrix.build_type }}
+ env:
+ RUNNER_WORKSPACE: ${{ runner.workspace }}
- name: test
- run: ctest --test-dir ${{ runner.workspace }}/_build/ -C ${{ matrix.build_type }} -VV
+ run: ctest --test-dir $env:RUNNER_WORKSPACE/_build/ -C ${{ matrix.build_type }} -VV
+ env:
+ RUNNER_WORKSPACE: ${{ runner.workspace }}
msys2:
name: ${{ matrix.os }}.${{ matrix.build_type }}.${{ matrix.lib }}.${{ matrix.msys2.msystem }}
@@ -132,6 +142,8 @@ jobs:
ninja:p
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+ with:
+ persist-credentials: false
# NOTE: we can't use cmake actions here as we need to do everything in msys2 shell.
- name: configure cmake
diff --git a/.github/workflows/clang-format-lint.yml b/.github/workflows/clang-format-lint.yml
index acd1a574a..afc6a0e01 100644
--- a/.github/workflows/clang-format-lint.yml
+++ b/.github/workflows/clang-format-lint.yml
@@ -16,6 +16,8 @@ jobs:
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+ with:
+ persist-credentials: false
- uses: DoozyX/clang-format-lint-action@bcb4eb2cb0d707ee4f3e5cc3b456eb075f12cf73 # v0.20
with:
source: './include/benchmark ./src ./test ./bindings'
diff --git a/.github/workflows/clang-tidy-lint.yml b/.github/workflows/clang-tidy-lint.yml
index a2540813a..b2ea505ff 100644
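Review bot: The `$env:RUNNER_WORKSPACE` references in the three rewritten `run:` lines are PowerShell syntax, so they only expand if these steps run under the Windows default shell; under bash `$env` is empty and the build directory silently becomes `:RUNNER_WORKSPACE/_build/`. The job's `runs-on` and any job-level `shell:` are above the hunk, so please confirm the job is Windows-only, or pin it with `shell: pwsh` on these steps so a later matrix change cannot break them. The identical `env: RUNNER_WORKSPACE: ${{ runner.workspace }}` block is repeated on all three steps; hoisting it to the job's `env:` would state the intent once, and quoting the path, `-B "$env:RUNNER_WORKSPACE/_build/"`, would keep the command intact if the workspace path ever contained spaces. The remaining `${{ matrix.* }}` expansions are workflow-literal values as far as the hunk shows, which is presumably why the tool leaves them alone; that reasoning holds only while the matrix is not built from external data with `fromJSON`.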
--- a/.github/workflows/clang-tidy-lint.yml
+++ b/.github/workflows/clang-tidy-lint.yml
@@ -18,6 +18,8 @@ jobs:
fail-fast: false
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+ with:
+ persist-credentials: false
- name: install clang-tidy
run: sudo apt update && sudo apt -y install clang-tidy
diff --git a/.github/workflows/doxygen.yml b/.github/workflows/doxygen.yml
index c28d8750d..843ecc69d 100644
--- a/.github/workflows/doxygen.yml
+++ b/.github/workflows/doxygen.yml
@@ -19,6 +19,8 @@ jobs:
steps:
- name: Fetching sources
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+ with:
+ persist-credentials: false
- name: Installing build dependencies
run: |
diff --git a/.github/workflows/ossf.yml b/.github/workflows/ossf.yml
index a68b21b14..325ac9143 100644
--- a/.github/workflows/ossf.yml
+++ b/.github/workflows/ossf.yml
@@ -13,11 +13,13 @@ jobs:
# To write a badge
permissions:
id-token: write
-
+
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+ with:
+ persist-credentials: false
- name: Run analysis
uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
diff --git a/.github/workflows/sanitizer.yml b/.github/workflows/sanitizer.yml
index 5b78eab17..ab9358160 100644
--- a/.github/workflows/sanitizer.yml
+++ b/.github/workflows/sanitizer.yml
@@ -20,6 +20,8 @@ jobs:
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+ with:
+ persist-credentials: false
- name: configure msan env
if: matrix.sanitizer == 'msan'
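Review bot: `persist-credentials: false` on the doxygen checkout removes the token that any later `git push` in this job would otherwise inherit from `.git/config`, so if the generated docs are published by pushing to a branch (the rest of the job is outside the hunk), that step now needs an explicit credential; a deploy action typically takes `github_token: ${{ secrets.GITHUB_TOKEN }}` for this. If no step in the job pushes, the change is pure hardening and nothing else is needed. Either way a one-line comment above the new `with:`, such as `# no later step pushes with this checkout's token`, would record that the implication was checked rather than leaving the next reader to rediscover it.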
@@ -69,7 +71,9 @@ jobs:
echo "EXTRA_CXX_FLAGS=-stdlib=libc++ -L${GITHUB_WORKSPACE}/llvm-build/lib -lc++abi -I${GITHUB_WORKSPACE}/llvm-build/include/c++/v1 -Isystem${GITHUB_WORKSPACE}/llvm-build/include/c++/v1 -Wl,-rpath,${GITHUB_WORKSPACE}/llvm-build/lib" >> $GITHUB_ENV
- name: create build environment
- run: cmake -E make_directory ${{ runner.workspace }}/_build
+ run: cmake -E make_directory ${RUNNER_WORKSPACE}/_build
+ env:
+ RUNNER_WORKSPACE: ${{ runner.workspace }}
- name: configure cmake
shell: bash
@@ -80,10 +84,10 @@ jobs:
-DBENCHMARK_ENABLE_ASSEMBLY_TESTS=OFF
-DBENCHMARK_ENABLE_LIBPFM=OFF
-DBENCHMARK_DOWNLOAD_DEPENDENCIES=ON
- -DCMAKE_C_COMPILER=${{ env.CC }}
- -DCMAKE_CXX_COMPILER=${{ env.CXX }}
- -DCMAKE_C_FLAGS="${{ env.EXTRA_FLAGS }}"
- -DCMAKE_CXX_FLAGS="${{ env.EXTRA_FLAGS }} ${{ env.EXTRA_CXX_FLAGS }}"
+ -DCMAKE_C_COMPILER=${CC}
+ -DCMAKE_CXX_COMPILER=${CXX}
+ -DCMAKE_C_FLAGS="${EXTRA_FLAGS}"
+ -DCMAKE_CXX_FLAGS="${EXTRA_FLAGS} ${EXTRA_CXX_FLAGS}"
-DCMAKE_BUILD_TYPE=${{ matrix.build_type }}
- name: build
diff --git a/.github/workflows/test_bindings.yml b/.github/workflows/test_bindings.yml
index 36a8169f5..8459f9d0a 100644
--- a/.github/workflows/test_bindings.yml
+++ b/.github/workflows/test_bindings.yml
@@ -26,6 +26,7 @@ jobs:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0
+ persist-credentials: false
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
with:
@@ -46,6 +47,7 @@ jobs:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0
+ persist-credentials: false
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
- name: Install Ninja (macOS)
diff --git a/.github/workflows/wheels.yml b/.github/workflows/wheels.yml
index df3a8fe4f..0eabd73d4 100644
--- a/.github/workflows/wheels.yml
+++ b/.github/workflows/wheels.yml
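Review bot: The rewritten `-DCMAKE_C_COMPILER=${CC}` and `-DCMAKE_CXX_COMPILER=${CXX}` arguments are unquoted, so an empty or space-containing value now splits differently from the old template expansion; `-DCMAKE_C_COMPILER="${CC}"` and `-DCMAKE_CXX_COMPILER="${CXX}"` keep the argument intact, matching how the two `_FLAGS` lines are already quoted. Reading these from the shell environment instead of splicing them into the script is the right shape for values that earlier steps write to `$GITHUB_ENV`, and the configure step's `shell: bash` (visible in the first hunk) guarantees the `${…}` syntax is interpreted; the `make_directory` step above it shows no `shell:`, so `${RUNNER_WORKSPACE}` there relies on the runner's default shell being POSIX — fine for Linux runners, but `shell: bash` would make that explicit. Unrelated to the change, the context line that builds `EXTRA_CXX_FLAGS` passes `-Isystem${GITHUB_WORKSPACE}/...`, which looks like a typo for `-isystem`: as written it is a `-I` with a nonexistent `system…` path, so the libc++ headers are found only through the preceding `-I` and are not treated as system headers for warning purposes. Both steps' surrounding job is outside the hunk.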
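Review bot: `dtolnay/rust-toolchain@stable`, two lines below the added `persist-credentials: false`, is the one action in this patch still referenced by a mutable tag rather than a commit SHA, so a moved or force-pushed `stable` ref would run unreviewed code in this job with whatever the job's permissions allow; pin it like the others, `uses: dtolnay/rust-toolchain@<sha> # stable`, with the SHA resolved from that action's repository. The line is pre-existing context rather than new code, but since the commit is explicitly a zizmor pass it is worth settling now — zizmor's unpinned-uses audit would likely report it once the tool runs in CI, depending on the configured policy. The `fetch-depth: 0` full clone together with `persist-credentials: false` is consistent: history is fetched (presumably for versioning) but no token is left behind in the checkout.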
@@ -18,6 +18,7 @@ jobs:
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0
+ persist-credentials: false
- name: Install Python 3.12
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
with:
@@ -41,6 +42,7 @@ jobs:
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0
+ persist-credentials: false
- uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
name: Install Python 3.12
@@ -48,6 +50,8 @@ jobs:
python-version: "3.12"
- name: Install the latest version of uv
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
+ with:
+ enable-cache: false
- name: Build wheels on ${{ matrix.os }} using cibuildwheel
uses: pypa/cibuildwheel@294735312765b09d24a2fbec22660ce817587d55 # v4.1.0
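Review bot: The new `enable-cache: false` on `astral-sh/setup-uv` carries no comment saying why, and a maintainer chasing slow wheel builds is likely to flip it back; the reason is presumably zizmor's cache-poisoning finding — restoring a cache in a workflow that builds release artifacts lets anyone who can write a cache entry influence what gets built — so record it next to the setting: `# zizmor cache-poisoning: never restore a cache when building release wheels`. Whether and how this job's wheels are published is outside the hunk, so confirm the rationale before committing it to a comment. `actions/setup-python` in the same job does not appear to cache here (its `cache:` input is opt-in and the visible lines do not set it), so the job is consistent with this change as far as the hunk shows.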