mirror of https://github.com/YosysHQ/yosys.git
CI: Fixes from zizmor
> A static analysis tool for GitHub Actions https://github.com/woodruffw/zizmor Mostly means adding `persist-credentials: false` to checkouts and replacing `${{ env.VARNAME }}` with shell substitution.
parent
e32e199ca8
commit
e609a59325
|
@ -16,7 +16,9 @@ jobs:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
submodules: true
|
submodules: true
|
||||||
|
persist-credentials: false
|
||||||
|
|
||||||
- name: Initialize CodeQL
|
- name: Initialize CodeQL
|
||||||
uses: github/codeql-action/init@v3
|
uses: github/codeql-action/init@v3
|
||||||
with:
|
with:
|
||||||
|
|
|
@ -25,7 +25,8 @@ jobs:
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
submodules: true
|
submodules: true
|
||||||
|
persist-credentials: false
|
||||||
- name: Build
|
- name: Build
|
||||||
run: make vcxsrc YOSYS_VER=latest
|
run: make vcxsrc YOSYS_VER=latest
|
||||||
- uses: actions/upload-artifact@v4
|
- uses: actions/upload-artifact@v4
|
||||||
|
@ -59,7 +60,8 @@ jobs:
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
submodules: true
|
submodules: true
|
||||||
|
persist-credentials: false
|
||||||
- name: Build
|
- name: Build
|
||||||
run: |
|
run: |
|
||||||
WASI_SDK=wasi-sdk-19.0
|
WASI_SDK=wasi-sdk-19.0
|
||||||
|
@ -95,6 +97,7 @@ jobs:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
submodules: true
|
submodules: true
|
||||||
|
persist-credentials: false
|
||||||
- uses: cachix/install-nix-action@v26
|
- uses: cachix/install-nix-action@v26
|
||||||
with:
|
with:
|
||||||
install_url: https://releases.nixos.org/nix/nix-2.18.1/install
|
install_url: https://releases.nixos.org/nix/nix-2.18.1/install
|
||||||
|
|
|
@ -20,7 +20,7 @@ jobs:
|
||||||
# only run on push *or* pull_request, not both
|
# only run on push *or* pull_request, not both
|
||||||
concurrent_skipping: ${{ env.docs_export && 'never' || 'same_content_newer'}}
|
concurrent_skipping: ${{ env.docs_export && 'never' || 'same_content_newer'}}
|
||||||
- id: docs_var
|
- id: docs_var
|
||||||
run: echo "docs_export=${{ env.docs_export }}" >> $GITHUB_OUTPUT
|
run: echo "docs_export=${docs_export}" >> $GITHUB_OUTPUT
|
||||||
|
|
||||||
prepare-docs:
|
prepare-docs:
|
||||||
# docs builds are needed for anything on main, any tagged versions, and any tag
|
# docs builds are needed for anything on main, any tagged versions, and any tag
|
||||||
|
@ -47,12 +47,12 @@ jobs:
|
||||||
echo "ENABLE_VERIFIC_LIBERTY := 1" >> Makefile.conf
|
echo "ENABLE_VERIFIC_LIBERTY := 1" >> Makefile.conf
|
||||||
echo "ENABLE_VERIFIC_YOSYSHQ_EXTENSIONS := 1" >> Makefile.conf
|
echo "ENABLE_VERIFIC_YOSYSHQ_EXTENSIONS := 1" >> Makefile.conf
|
||||||
echo "ENABLE_CCACHE := 1" >> Makefile.conf
|
echo "ENABLE_CCACHE := 1" >> Makefile.conf
|
||||||
make -j${{ env.procs }} ENABLE_LTO=1
|
make -j$procs ENABLE_LTO=1
|
||||||
|
|
||||||
- name: Prepare docs
|
- name: Prepare docs
|
||||||
shell: bash
|
shell: bash
|
||||||
run:
|
run:
|
||||||
make docs/prep -j${{ env.procs }} TARGETS= EXTRA_TARGETS=
|
make docs/prep -j$procs TARGETS= EXTRA_TARGETS=
|
||||||
|
|
||||||
- name: Upload artifact
|
- name: Upload artifact
|
||||||
uses: actions/upload-artifact@v4
|
uses: actions/upload-artifact@v4
|
||||||
|
@ -72,7 +72,7 @@ jobs:
|
||||||
- name: Test build docs
|
- name: Test build docs
|
||||||
shell: bash
|
shell: bash
|
||||||
run: |
|
run: |
|
||||||
make -C docs html -j${{ env.procs }} TARGETS= EXTRA_TARGETS=
|
make -C docs html -j$procs TARGETS= EXTRA_TARGETS=
|
||||||
|
|
||||||
- name: Trigger RTDs build
|
- name: Trigger RTDs build
|
||||||
if: ${{ needs.check_docs_rebuild.outputs.docs_export == 'true' }}
|
if: ${{ needs.check_docs_rebuild.outputs.docs_export == 'true' }}
|
||||||
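Review bot: The new `-j$procs` arguments (hunks @ -47 and @ -72 here, and the same replacement in the other workflow files of this commit) silently degrade to a bare `-j` if `procs` is ever missing from the step's environment, and GNU make treats a bare `-j` as unlimited parallel jobs. Where `procs` is set is outside these hunks, so this is a hardening point rather than a confirmed break. Failing loudly is cheap: `make -j"${procs:?procs is not set}" ENABLE_LTO=1`. The same quoting would also suit the redirect target in the `docs_var` step, `>> "$GITHUB_OUTPUT"`.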
|
|
|
@ -10,6 +10,7 @@ jobs:
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
submodules: 'recursive'
|
submodules: 'recursive'
|
||||||
|
persist-credentials: false
|
||||||
|
|
||||||
- name: Create clean tarball
|
- name: Create clean tarball
|
||||||
run: |
|
run: |
|
||||||
|
|
|
@ -46,6 +46,7 @@ jobs:
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
submodules: true
|
submodules: true
|
||||||
|
persist-credentials: false
|
||||||
|
|
||||||
- name: Setup environment
|
- name: Setup environment
|
||||||
uses: ./.github/actions/setup-build-env
|
uses: ./.github/actions/setup-build-env
|
||||||
|
@ -89,6 +90,8 @@ jobs:
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout Yosys
|
- name: Checkout Yosys
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
|
with:
|
||||||
|
persist-credentials: false
|
||||||
|
|
||||||
- name: Setup environment
|
- name: Setup environment
|
||||||
uses: ./.github/actions/setup-build-env
|
uses: ./.github/actions/setup-build-env
|
||||||
|
@ -115,7 +118,7 @@ jobs:
|
||||||
uses: actions/cache@v4
|
uses: actions/cache@v4
|
||||||
with:
|
with:
|
||||||
path: .local/
|
path: .local/
|
||||||
key: ${{ matrix.os }}-${{ env.IVERILOG_GIT }}
|
key: ${{ matrix.os }}-${IVERILOG_GIT}
|
||||||
|
|
||||||
- name: Build iverilog
|
- name: Build iverilog
|
||||||
if: steps.cache-iverilog.outputs.cache-hit != 'true'
|
if: steps.cache-iverilog.outputs.cache-hit != 'true'
|
||||||
|
@ -167,6 +170,8 @@ jobs:
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout Yosys
|
- name: Checkout Yosys
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
|
with:
|
||||||
|
persist-credentials: false
|
||||||
|
|
||||||
- name: Setup environment
|
- name: Setup environment
|
||||||
uses: ./.github/actions/setup-build-env
|
uses: ./.github/actions/setup-build-env
|
||||||
|
@ -188,7 +193,7 @@ jobs:
|
||||||
- name: Run tests
|
- name: Run tests
|
||||||
shell: bash
|
shell: bash
|
||||||
run: |
|
run: |
|
||||||
make -C docs test -j${{ env.procs }}
|
make -C docs test -j$procs
|
||||||
|
|
||||||
test-docs-build:
|
test-docs-build:
|
||||||
name: Try build docs
|
name: Try build docs
|
||||||
|
@ -204,6 +209,7 @@ jobs:
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
submodules: true
|
submodules: true
|
||||||
|
persist-credentials: false
|
||||||
|
|
||||||
- name: Runtime environment
|
- name: Runtime environment
|
||||||
run: |
|
run: |
|
||||||
|
@ -213,7 +219,7 @@ jobs:
|
||||||
run: |
|
run: |
|
||||||
make config-clang
|
make config-clang
|
||||||
echo "ENABLE_CCACHE := 1" >> Makefile.conf
|
echo "ENABLE_CCACHE := 1" >> Makefile.conf
|
||||||
make -j${{ env.procs }}
|
make -j$procs
|
||||||
|
|
||||||
- name: Install doc prereqs
|
- name: Install doc prereqs
|
||||||
shell: bash
|
shell: bash
|
||||||
|
@ -223,7 +229,7 @@ jobs:
|
||||||
- name: Build docs
|
- name: Build docs
|
||||||
shell: bash
|
shell: bash
|
||||||
run: |
|
run: |
|
||||||
make docs DOC_TARGET=${{ matrix.docs-target }} -j${{ env.procs }}
|
make docs DOC_TARGET=${{ matrix.docs-target }} -j$procs
|
||||||
|
|
||||||
- name: Store docs build artifact
|
- name: Store docs build artifact
|
||||||
uses: actions/upload-artifact@v4
|
uses: actions/upload-artifact@v4
|
||||||
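Review bot: In the `actions/cache@v4` step (hunk @ -115) the new `key: ${{ matrix.os }}-${IVERILOG_GIT}` is a `with:` input, not a `run:` script, so no shell ever expands `${IVERILOG_GIT}` and the key ends in that literal text. The key then stops varying with `IVERILOG_GIT` (presumably the pinned iverilog revision), so an entry cached for an older revision keeps matching and 'Build iverilog' is skipped on `cache-hit`. Shell substitution only applies inside `run:` blocks; for an action input the expression has to stay: `key: ${{ matrix.os }}-${{ env.IVERILOG_GIT }}`. The step's `id:` and the rest of the job are outside the hunk.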
|
|
|
@ -48,6 +48,7 @@ jobs:
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
submodules: true
|
submodules: true
|
||||||
|
persist-credentials: false
|
||||||
|
|
||||||
- name: Setup environment
|
- name: Setup environment
|
||||||
uses: ./.github/actions/setup-build-env
|
uses: ./.github/actions/setup-build-env
|
||||||
|
|
|
@ -40,7 +40,7 @@ jobs:
|
||||||
echo "ENABLE_VERIFIC_YOSYSHQ_EXTENSIONS := 1" >> Makefile.conf
|
echo "ENABLE_VERIFIC_YOSYSHQ_EXTENSIONS := 1" >> Makefile.conf
|
||||||
echo "ENABLE_CCACHE := 1" >> Makefile.conf
|
echo "ENABLE_CCACHE := 1" >> Makefile.conf
|
||||||
echo "ENABLE_FUNCTIONAL_TESTS := 1" >> Makefile.conf
|
echo "ENABLE_FUNCTIONAL_TESTS := 1" >> Makefile.conf
|
||||||
make -j${{ env.procs }} ENABLE_LTO=1
|
make -j$procs ENABLE_LTO=1
|
||||||
|
|
||||||
- name: Install Yosys
|
- name: Install Yosys
|
||||||
run: |
|
run: |
|
||||||
|
@ -51,6 +51,7 @@ jobs:
|
||||||
with:
|
with:
|
||||||
repository: 'YosysHQ/sby'
|
repository: 'YosysHQ/sby'
|
||||||
path: 'sby'
|
path: 'sby'
|
||||||
|
persist-credentials: false
|
||||||
|
|
||||||
- name: Build SBY
|
- name: Build SBY
|
||||||
run: |
|
run: |
|
||||||
|
@ -58,7 +59,7 @@ jobs:
|
||||||
|
|
||||||
- name: Run Yosys tests
|
- name: Run Yosys tests
|
||||||
run: |
|
run: |
|
||||||
make -j${{ env.procs }} test
|
make -j$procs test
|
||||||
|
|
||||||
- name: Run Verific specific Yosys tests
|
- name: Run Verific specific Yosys tests
|
||||||
run: |
|
run: |
|
||||||
|
|
|
@ -10,6 +10,8 @@ jobs:
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
|
with:
|
||||||
|
persist-credentials: false
|
||||||
- name: Install Nix
|
- name: Install Nix
|
||||||
uses: DeterminateSystems/nix-installer-action@main
|
uses: DeterminateSystems/nix-installer-action@main
|
||||||
- name: Update flake.lock
|
- name: Update flake.lock
|
||||||
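Review bot: `uses: DeterminateSystems/nix-installer-action@main` tracks a mutable branch, so whatever is pushed there next runs inside this job; the commit hardens the checkout just above it but leaves this reference unchanged. Pinning to a full commit SHA with the release noted in a comment closes that gap: `uses: DeterminateSystems/nix-installer-action@<full-commit-sha> # <release tag>`. The 'Update flake.lock' step is cut off at the end of the hunk, so which token and permissions it runs with cannot be checked from here.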
|
|
|
@ -14,6 +14,7 @@ jobs:
|
||||||
with:
|
with:
|
||||||
fetch-depth: 0
|
fetch-depth: 0
|
||||||
submodules: true
|
submodules: true
|
||||||
|
persist-credentials: false
|
||||||
- name: Take last commit
|
- name: Take last commit
|
||||||
id: log
|
id: log
|
||||||
run: echo "message=$(git log --no-merges -1 --oneline)" >> $GITHUB_OUTPUT
|
run: echo "message=$(git log --no-merges -1 --oneline)" >> $GITHUB_OUTPUT
|
||||||
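Review bot: With `persist-credentials: false` on this checkout, a later step that pushes using the token `actions/checkout` would otherwise leave in the local git config will no longer authenticate. The steps after 'Take last commit' are outside the hunk, but `fetch-depth: 0` together with the `git log` lookup suggests a job that may commit back to the repository, so this needs confirming before merge. If it does push, keep this setting and hand the token to the pushing step explicitly, and record that next to the checkout: `# credentials are not persisted; the push step must supply its own token`.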
|
|
|
@ -53,6 +53,7 @@ jobs:
|
||||||
with:
|
with:
|
||||||
fetch-depth: 0
|
fetch-depth: 0
|
||||||
submodules: true
|
submodules: true
|
||||||
|
persist-credentials: false
|
||||||
- if: ${{ matrix.os.family == 'linux' }}
|
- if: ${{ matrix.os.family == 'linux' }}
|
||||||
name: "[Linux] Set up QEMU"
|
name: "[Linux] Set up QEMU"
|
||||||
uses: docker/setup-qemu-action@v3
|
uses: docker/setup-qemu-action@v3
|
||||||
|
|