CI: Fixes from zizmor

> A static analysis tool for Github Actions
https://github.com/woodruffw/zizmor

This mostly means adding `persist-credentials: false` to every `actions/checkout` step and replacing `${{ env.VARNAME }}` in `run:` steps with shell substitution (`$VARNAME`), so that workflow expressions are no longer expanded into shell scripts.
This commit is contained in:
Krystine Sherwin 2024-12-12 15:59:16 +13:00
parent e32e199ca8
commit e609a59325
10 changed files with 31 additions and 13 deletions


@ -16,7 +16,9 @@ jobs:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v4 uses: actions/checkout@v4
with: with:
submodules: true submodules: true
persist-credentials: false
- name: Initialize CodeQL - name: Initialize CodeQL
uses: github/codeql-action/init@v3 uses: github/codeql-action/init@v3
with: with:


@ -25,7 +25,8 @@ jobs:
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
submodules: true submodules: true
persist-credentials: false
- name: Build - name: Build
run: make vcxsrc YOSYS_VER=latest run: make vcxsrc YOSYS_VER=latest
- uses: actions/upload-artifact@v4 - uses: actions/upload-artifact@v4
@ -59,7 +60,8 @@ jobs:
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
submodules: true submodules: true
persist-credentials: false
- name: Build - name: Build
run: | run: |
WASI_SDK=wasi-sdk-19.0 WASI_SDK=wasi-sdk-19.0
@ -95,6 +97,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
submodules: true submodules: true
persist-credentials: false
- uses: cachix/install-nix-action@v26 - uses: cachix/install-nix-action@v26
with: with:
install_url: https://releases.nixos.org/nix/nix-2.18.1/install install_url: https://releases.nixos.org/nix/nix-2.18.1/install


@ -20,7 +20,7 @@ jobs:
# only run on push *or* pull_request, not both # only run on push *or* pull_request, not both
concurrent_skipping: ${{ env.docs_export && 'never' || 'same_content_newer'}} concurrent_skipping: ${{ env.docs_export && 'never' || 'same_content_newer'}}
- id: docs_var - id: docs_var
run: echo "docs_export=${{ env.docs_export }}" >> $GITHUB_OUTPUT run: echo "docs_export=${docs_export}" >> $GITHUB_OUTPUT
prepare-docs: prepare-docs:
# docs builds are needed for anything on main, any tagged versions, and any tag # docs builds are needed for anything on main, any tagged versions, and any tag
@ -47,12 +47,12 @@ jobs:
echo "ENABLE_VERIFIC_LIBERTY := 1" >> Makefile.conf echo "ENABLE_VERIFIC_LIBERTY := 1" >> Makefile.conf
echo "ENABLE_VERIFIC_YOSYSHQ_EXTENSIONS := 1" >> Makefile.conf echo "ENABLE_VERIFIC_YOSYSHQ_EXTENSIONS := 1" >> Makefile.conf
echo "ENABLE_CCACHE := 1" >> Makefile.conf echo "ENABLE_CCACHE := 1" >> Makefile.conf
make -j${{ env.procs }} ENABLE_LTO=1 make -j$procs ENABLE_LTO=1
- name: Prepare docs - name: Prepare docs
shell: bash shell: bash
run: run:
make docs/prep -j${{ env.procs }} TARGETS= EXTRA_TARGETS= make docs/prep -j$procs TARGETS= EXTRA_TARGETS=
- name: Upload artifact - name: Upload artifact
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@v4
@ -72,7 +72,7 @@ jobs:
- name: Test build docs - name: Test build docs
shell: bash shell: bash
run: | run: |
make -C docs html -j${{ env.procs }} TARGETS= EXTRA_TARGETS= make -C docs html -j$procs TARGETS= EXTRA_TARGETS=
- name: Trigger RTDs build - name: Trigger RTDs build
if: ${{ needs.check_docs_rebuild.outputs.docs_export == 'true' }} if: ${{ needs.check_docs_rebuild.outputs.docs_export == 'true' }}
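Review bot: The `Prepare docs` step uses a bare `run:` with its command on the following line, which YAML parses as a plain multi-line scalar; that works for this single line but any added line or a `#` would be silently folded or dropped, and the neighbouring `Build` and `Test build docs` steps already use `run: |`. Change it to `run: |` with `make docs/prep -j$procs TARGETS= EXTRA_TARGETS=` indented beneath it. In the `docs_var` step the redirection target is unquoted; `>> "$GITHUB_OUTPUT"` is the shellcheck-clean form. Both `docs_export` and `procs` are presumably defined in a workflow- or job-level `env:` block outside these hunks — that is what makes the new `$procs`/`${docs_export}` forms reach the shell, so verify they are not only step-level.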


@ -10,6 +10,7 @@ jobs:
uses: actions/checkout@v4 uses: actions/checkout@v4
with: with:
submodules: 'recursive' submodules: 'recursive'
persist-credentials: false
- name: Create clean tarball - name: Create clean tarball
run: | run: |


@ -46,6 +46,7 @@ jobs:
uses: actions/checkout@v4 uses: actions/checkout@v4
with: with:
submodules: true submodules: true
persist-credentials: false
- name: Setup environment - name: Setup environment
uses: ./.github/actions/setup-build-env uses: ./.github/actions/setup-build-env
@ -89,6 +90,8 @@ jobs:
steps: steps:
- name: Checkout Yosys - name: Checkout Yosys
uses: actions/checkout@v4 uses: actions/checkout@v4
with:
persist-credentials: false
- name: Setup environment - name: Setup environment
uses: ./.github/actions/setup-build-env uses: ./.github/actions/setup-build-env
@ -115,7 +118,7 @@ jobs:
uses: actions/cache@v4 uses: actions/cache@v4
with: with:
path: .local/ path: .local/
key: ${{ matrix.os }}-${{ env.IVERILOG_GIT }} key: ${{ matrix.os }}-${IVERILOG_GIT}
- name: Build iverilog - name: Build iverilog
if: steps.cache-iverilog.outputs.cache-hit != 'true' if: steps.cache-iverilog.outputs.cache-hit != 'true'
@ -167,6 +170,8 @@ jobs:
steps: steps:
- name: Checkout Yosys - name: Checkout Yosys
uses: actions/checkout@v4 uses: actions/checkout@v4
with:
persist-credentials: false
- name: Setup environment - name: Setup environment
uses: ./.github/actions/setup-build-env uses: ./.github/actions/setup-build-env
@ -188,7 +193,7 @@ jobs:
- name: Run tests - name: Run tests
shell: bash shell: bash
run: | run: |
make -C docs test -j${{ env.procs }} make -C docs test -j$procs
test-docs-build: test-docs-build:
name: Try build docs name: Try build docs
@ -204,6 +209,7 @@ jobs:
uses: actions/checkout@v4 uses: actions/checkout@v4
with: with:
submodules: true submodules: true
persist-credentials: false
- name: Runtime environment - name: Runtime environment
run: | run: |
@ -213,7 +219,7 @@ jobs:
run: | run: |
make config-clang make config-clang
echo "ENABLE_CCACHE := 1" >> Makefile.conf echo "ENABLE_CCACHE := 1" >> Makefile.conf
make -j${{ env.procs }} make -j$procs
- name: Install doc prereqs - name: Install doc prereqs
shell: bash shell: bash
@ -223,7 +229,7 @@ jobs:
- name: Build docs - name: Build docs
shell: bash shell: bash
run: | run: |
make docs DOC_TARGET=${{ matrix.docs-target }} -j${{ env.procs }} make docs DOC_TARGET=${{ matrix.docs-target }} -j$procs
- name: Store docs build artifact - name: Store docs build artifact
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@v4
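Review bot: The `actions/cache` key now contains the literal text `${IVERILOG_GIT}`, because `with:` inputs are passed to the action as strings and never go through a shell — only `run:` steps get shell substitution. The key therefore stops changing when `IVERILOG_GIT` is bumped, so a stale iverilog build will be restored and the `cache-hit != 'true'` guard on the `Build iverilog` step will skip rebuilding it. Restore the expression here: `key: ${{ matrix.os }}-${{ env.IVERILOG_GIT }}`; an `env` value inside a `with:` input is not interpolated into a script, so it is not a template-injection sink and zizmor's rule for `run:` steps does not apply (this assumes `IVERILOG_GIT` is set in an `env:` block outside the hunk). The `${{ matrix.docs-target }}` left in the `make docs` line is matrix-defined rather than event-controlled, so it is acceptable as is, though routing it through `env:` would match the rest of the change.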


@ -48,6 +48,7 @@ jobs:
uses: actions/checkout@v4 uses: actions/checkout@v4
with: with:
submodules: true submodules: true
persist-credentials: false
- name: Setup environment - name: Setup environment
uses: ./.github/actions/setup-build-env uses: ./.github/actions/setup-build-env


@ -40,7 +40,7 @@ jobs:
echo "ENABLE_VERIFIC_YOSYSHQ_EXTENSIONS := 1" >> Makefile.conf echo "ENABLE_VERIFIC_YOSYSHQ_EXTENSIONS := 1" >> Makefile.conf
echo "ENABLE_CCACHE := 1" >> Makefile.conf echo "ENABLE_CCACHE := 1" >> Makefile.conf
echo "ENABLE_FUNCTIONAL_TESTS := 1" >> Makefile.conf echo "ENABLE_FUNCTIONAL_TESTS := 1" >> Makefile.conf
make -j${{ env.procs }} ENABLE_LTO=1 make -j$procs ENABLE_LTO=1
- name: Install Yosys - name: Install Yosys
run: | run: |
@ -51,6 +51,7 @@ jobs:
with: with:
repository: 'YosysHQ/sby' repository: 'YosysHQ/sby'
path: 'sby' path: 'sby'
persist-credentials: false
- name: Build SBY - name: Build SBY
run: | run: |
@ -58,7 +59,7 @@ jobs:
- name: Run Yosys tests - name: Run Yosys tests
run: | run: |
make -j${{ env.procs }} test make -j$procs test
- name: Run Verific specific Yosys tests - name: Run Verific specific Yosys tests
run: | run: |


@ -10,6 +10,8 @@ jobs:
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v4 uses: actions/checkout@v4
with:
persist-credentials: false
- name: Install Nix - name: Install Nix
uses: DeterminateSystems/nix-installer-action@main uses: DeterminateSystems/nix-installer-action@main
- name: Update flake.lock - name: Update flake.lock
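Review bot: The `Install Nix` step still references `DeterminateSystems/nix-installer-action@main`, a mutable branch ref, so this job executes whatever that branch holds at run time even though the checkout above it now drops its credentials. In a workflow that goes on to update `flake.lock` (the next step, whose body is outside the hunk) that is the more significant supply-chain exposure, and zizmor's `unpinned-uses` audit would most likely flag it as well. Pin it to a full-length commit SHA of a released version with the version recorded as a trailing comment, e.g. `uses: DeterminateSystems/nix-installer-action@<full-commit-sha> # vX.Y.Z`, and let Dependabot or Renovate bump the SHA. The other workflows in this commit pin to version tags (`@v4`, `@v3`), which is weaker than a SHA but at least not a moving branch.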


@ -14,6 +14,7 @@ jobs:
with: with:
fetch-depth: 0 fetch-depth: 0
submodules: true submodules: true
persist-credentials: false
- name: Take last commit - name: Take last commit
id: log id: log
run: echo "message=$(git log --no-merges -1 --oneline)" >> $GITHUB_OUTPUT run: echo "message=$(git log --no-merges -1 --oneline)" >> $GITHUB_OUTPUT
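Review bot: The `Take last commit` step writes the latest commit subject into a step output (`message=…`), and commit subjects are author-controlled text; if a later step in this workflow consumes it as `${{ steps.log.outputs.message }}` inside a `run:` script, that is the same expression-injection pattern this commit is removing elsewhere. The consumers are outside the hunk, so this is a point to verify rather than a confirmed defect: any use in a `run:` should go through an `env:` mapping (`env: { MSG: "${{ steps.log.outputs.message }}" }` then `"$MSG"` in the script). `--oneline` keeps the value to a single line, so it cannot smuggle extra `key=value` pairs into `$GITHUB_OUTPUT`; quoting the redirection as `>> "$GITHUB_OUTPUT"` is still the cleaner form.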


@ -53,6 +53,7 @@ jobs:
with: with:
fetch-depth: 0 fetch-depth: 0
submodules: true submodules: true
persist-credentials: false
- if: ${{ matrix.os.family == 'linux' }} - if: ${{ matrix.os.family == 'linux' }}
name: "[Linux] Set up QEMU" name: "[Linux] Set up QEMU"
uses: docker/setup-qemu-action@v3 uses: docker/setup-qemu-action@v3