improve gh actions security using zizmor

https://github.com/woodruffw/zizmor Signed-off-by: strawberry <strawberry@puppygock.gay>
2024-12-14 21:00:33 -05:00 · 2024-12-14 21:00:33 -05:00 · c6bf8f5ea1
commit c6bf8f5ea1
parent e4489a5d20
3 changed files with 176 additions and 152 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -14,93 +14,101 @@ on:
        required: true
        type: string

-permissions:
-  contents: writes
+permissions: {}

 jobs:
-  build:
+  publish:
    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    env:
+      GH_EVENT_NAME: ${{ github.event_name }}
+      GH_EVENT_INPUTS_ACTION_ID: ${{ github.event.inputs.action_id }}
+      GH_EVENT_INPUTS_TAG: ${{ github.event.inputs.tag }}
+      GH_REPOSITORY: ${{ github.repository }}
+      GH_SHA: ${{ github.sha }}
+      GH_TAG: ${{ github.event.release.tag_name }}

    steps:
-    - name: get latest ci id
-      id: get_ci_id
-      env:
-        GH_TOKEN: ${{ github.token }}
-      run: |
-        if [ "${{ github.event_name }}" == "workflow_dispatch" ]
-        then
-          id="${{ github.event.inputs.action_id }}"
-          tag="${{ github.event.inputs.tag }}"
-        else
-          # get all runs of the ci workflow
-          json=$(gh api "repos/${{ github.repository }}/actions/workflows/ci.yml/runs")
+      - name: get latest ci id
+        id: get_ci_id
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          if [ "${GH_EVENT_NAME}" == "workflow_dispatch" ]; then
+            id="${GH_EVENT_INPUTS_ACTION_ID}"
+            tag="${GH_EVENT_INPUTS_TAG}"
+          else
+            # get all runs of the ci workflow
+            json=$(gh api "repos/${GH_REPOSITORY}/actions/workflows/ci.yml/runs")

-          # find first run that is github sha and status is completed
-          id=$(echo "$json" | jq ".workflow_runs[] | select(.head_sha == \"${{ github.sha }}\" and .status == \"completed\") | .id" | head -n 1)
-          if [ ! "$id" ]; then
-            echo "No completed runs found"
-            echo "ci_id=0" >> "$GITHUB_OUTPUT"
-            exit 0
+            # find first run that is github sha and status is completed
+            id=$(echo "$json" | jq ".workflow_runs[] | select(.head_sha == \"${GH_SHA}\" and .status == \"completed\") | .id" | head -n 1)
+
+            if [ ! "$id" ]; then
+              echo "No completed runs found"
+              echo "ci_id=0" >> "$GITHUB_OUTPUT"
+              exit 0
+            fi
+
+            tag="${GH_TAG}}"
          fi

-          tag="${{ github.event.release.tag_name }}"
-        fi
+          echo "ci_id=$id" >> "$GITHUB_OUTPUT"
+          echo "tag=$tag" >> "$GITHUB_OUTPUT"

-        echo "ci_id=$id" >> "$GITHUB_OUTPUT"
-        echo "tag=$tag" >> "$GITHUB_OUTPUT"
+      - name: get latest ci artifacts
+        if: steps.get_ci_id.outputs.ci_id != 0
+        uses: actions/download-artifact@v4
+        env:
+          GH_TOKEN: ${{ github.token }}
+        with:
+          merge-multiple: true
+          run-id: ${{ steps.get_ci_id.outputs.ci_id }}
+          github-token: ${{ github.token }}

-    - name: get latest ci artifacts
-      if: steps.get_ci_id.outputs.ci_id != 0
-      uses: actions/download-artifact@v4
-      env:
-        GH_TOKEN: ${{ github.token }}
-      with:
-        merge-multiple: true
-        run-id: ${{ steps.get_ci_id.outputs.ci_id }}
-        github-token: ${{ github.token }}
+      - run: |
+          ls

-    - run: |
-        ls
+      - name: upload release assets
+        if: steps.get_ci_id.outputs.ci_id != 0
+        env:
+          GH_TOKEN: ${{ github.token }}
+          TAG: ${{ steps.get_ci_id.outputs.tag }}
+        run: |
+          for file in $(find . -type f); do
+            echo "Uploading $file..."
+            gh release upload $TAG "$file" --clobber --repo="${GH_REPOSITORY}" || echo "Something went wrong, skipping."
+          done

-    - name: upload release assets
-      if: steps.get_ci_id.outputs.ci_id != 0
-      env:
-        GH_TOKEN: ${{ github.token }}
-        TAG: ${{ steps.get_ci_id.outputs.tag }}
-      run: |
-        for file in $(find . -type f); do
-          echo "Uploading $file..."
-          gh release upload $TAG "$file" --clobber --repo="${{github.repository}}" || echo "Something went wrong, skipping."
-        done
+      - name: upload release assets to website
+        if: steps.get_ci_id.outputs.ci_id != 0
+        env:
+          TAG: ${{ steps.get_ci_id.outputs.tag }}
+        run: |
+          mkdir -p -v ~/.ssh

-    - name: upload release assets to website
-      if: steps.get_ci_id.outputs.ci_id != 0
-      env:
-        TAG: ${{ steps.get_ci_id.outputs.tag }}
-      run: |
-        mkdir -p -v ~/.ssh
+          echo "${{ secrets.WEB_UPLOAD_SSH_KNOWN_HOSTS }}" >> ~/.ssh/known_hosts
+          echo "${{ secrets.WEB_UPLOAD_SSH_PRIVATE_KEY }}" >> ~/.ssh/id_ed25519

-        echo "${{ secrets.WEB_UPLOAD_SSH_KNOWN_HOSTS }}" >> ~/.ssh/known_hosts
-        echo "${{ secrets.WEB_UPLOAD_SSH_PRIVATE_KEY }}" >> ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519

-        chmod 600 ~/.ssh/id_ed25519
+          cat >>~/.ssh/config <<END
+          Host website
+            HostName ${{ secrets.WEB_UPLOAD_SSH_HOSTNAME }}
+            User ${{ secrets.WEB_UPLOAD_SSH_USERNAME }}
+            IdentityFile ~/.ssh/id_ed25519
+            StrictHostKeyChecking yes
+            AddKeysToAgent no
+            ForwardX11 no
+            BatchMode yes
+          END

-        cat >>~/.ssh/config <<END
-        Host website
-          HostName ${{ secrets.WEB_UPLOAD_SSH_HOSTNAME }}
-          User ${{ secrets.WEB_UPLOAD_SSH_USERNAME }}
-          IdentityFile ~/.ssh/id_ed25519
-          StrictHostKeyChecking yes
-          AddKeysToAgent no
-          ForwardX11 no
-          BatchMode yes
-        END
+          echo "Creating tag directory on web server"
+          ssh -q website "rm -rf /var/www/girlboss.ceo/~strawberry/conduwuit/releases/$TAG/"
+          ssh -q website "mkdir -v /var/www/girlboss.ceo/~strawberry/conduwuit/releases/$TAG/"

-        echo "Creating tag directory on web server"
-        ssh -q website "rm -rf /var/www/girlboss.ceo/~strawberry/conduwuit/releases/$TAG/"
-        ssh -q website "mkdir -v /var/www/girlboss.ceo/~strawberry/conduwuit/releases/$TAG/"
-
-        for file in $(find . -type f); do
-          echo "Uploading $file to website"
-          scp $file website:/var/www/girlboss.ceo/~strawberry/conduwuit/releases/$TAG/$file
-        done
+          for file in $(find . -type f); do
+            echo "Uploading $file to website"
+            scp $file website:/var/www/girlboss.ceo/~strawberry/conduwuit/releases/$TAG/$file
+          done