Add Zizmor to checks

.github/workflows/check.yml

@@ -60,6 +60,14 @@ jobs:
         pip --version
         bin/check/install_prerequisites.sh
 
+    - name: Zizmor
+      env:
+        GITHUB_TOKEN: ${{ secrets.HURL_BOT_TOKEN }}
+      if: always()
+      run: |
+        pip install zizmor
+        bin/check/zizmor.sh --github-token ${GITHUB_TOKEN} .github/workflows/*.yml
+
     - name: Check Rust version
       if: always()
       run: |

.github/workflows/release.yml

@@ -13,8 +13,10 @@ concurrency: release
 jobs:
   set-context:
     env:
+      GITHUB_REF: ${{ github.ref_name }}
       GITHUB_CONTEXT: ${{ toJson(github) }}
       GITHUB_TOKEN: ${{ secrets.HURL_BOT_TOKEN }}
+      SET_RELEASE_VERSION: ${{ github.event.inputs.set-release-version }}
     outputs:
       release_version: ${{ steps.set-release-version.outputs.release_version }}
       release_branch: ${{ steps.set-release-branch.outputs.release_branch }}
@@ -23,25 +25,25 @@ jobs:
     steps:
       - name: Check trigger branch
         run: |
-          if [ $(echo "${{ github.ref_name }}" | grep -Ec "^master$|^release/") -eq 1 ] ; then
-            echo "  - ✅ The branch triggering this workflow is ${{ github.ref_name }}."
+          if [ $(echo "${GITHUB_REF}" | grep -Ec "^master$|^release/") -eq 1 ] ; then
+            echo "  - ✅ The branch triggering this workflow is ${GITHUB_REF}."
           else
-            echo "  - ❌ The branch triggering this workflow is ${{ github.ref_name }} instead of master or release/[0-9].[0-9].[0-9]."
+            echo "  - ❌ The branch triggering this workflow is ${GITHUB_REF} instead of master or release/[0-9].[0-9].[0-9]."
             exit 1
           fi
 
       - name: Set release version
         id: set-release-version
         run: |
-          echo "release_version=${{ github.event.inputs.set-release-version }}" | tee -a $GITHUB_OUTPUT
+          echo "release_version=${SET_RELEASE_VERSION}" | tee -a $GITHUB_OUTPUT
 
       - name: Set release branch
         id: set-release-branch
         run: |
-          if [ $(echo "${{ github.ref_name }}" | grep -c "^release/") -eq 1 ] ; then
-            echo "release_branch=${{ github.ref_name }}" | tee -a $GITHUB_OUTPUT
+          if [ $(echo "${GITHUB_REF}" | grep -c "^release/") -eq 1 ] ; then
+            echo "release_branch=${GITHUB_REF}" | tee -a $GITHUB_OUTPUT
           else
-            echo "release_branch=release/${{ github.event.inputs.set-release-version }}" | tee -a $GITHUB_OUTPUT
+            echo "release_branch=release/${SET_RELEASE_VERSION}" | tee -a $GITHUB_OUTPUT
           fi
 
   clean-release:
@@ -279,9 +281,12 @@ jobs:
 
   deliver-github-release:
     env:
+      GITHUB_REF: ${{ github.ref_name }}
+      GITHUB_OWNER: ${{ github.repository_owner }}
+      GITHUB_REPO_NAME: ${{ github.event.repository.name }}
       GITHUB_CONTEXT: ${{ toJson(github) }}
       GITHUB_TOKEN: ${{ secrets.HURL_BOT_TOKEN }}
-      REPO: ${{ github.repository }}
+      RELEASE_VERSION: ${{ needs.set-context.outputs.release_version }}
     needs:
       - set-context
       - clean-release
@@ -311,29 +316,29 @@ jobs:
 
       - name: Push tag
         run: |
-          git tag -a ${{ needs.set-context.outputs.release_version }} -m "Release ${{ needs.set-context.outputs.release_version }}"
+          git tag -a "${RELEASE_VERSION}" -m "Release ${RELEASE_VERSION}"
           git tag -n
           git push --tags && git_exit_code=0 || git_exit_code=$?
           if [ ${git_exit_code} -eq 0 ] ; then
-            echo "  - ✅ ${{ needs.set-context.outputs.release_version }} tag created."
+            echo "  - ✅ ${RELEASE_VERSION} tag created."
             git fetch
           else
-            echo "  - ❌ A problem occurs when attempting to create ${{ needs.set-context.outputs.release_version }} tag."
+            echo "  - ❌ A problem occurs when attempting to create ${RELEASE_VERSION} tag."
             exit 1
           fi
 
       - name: Create sha256sums
         run: |
             bin/release/sha256sum.sh --write \
-            artifacts/release-deb-x64-artifacts/hurl_"${{ needs.set-context.outputs.release_version }}"_amd64.deb \
-            artifacts/release-generic-linux-x64-artifacts/hurl-"${{ needs.set-context.outputs.release_version }}"-x86_64-unknown-linux-gnu.tar.gz \
-            artifacts/release-generic-linux-aarch64-artifacts/hurl-"${{ needs.set-context.outputs.release_version }}"-aarch64-unknown-linux-gnu.tar.gz \
-            artifacts/release-macos-x64-artifacts/hurl-"${{ needs.set-context.outputs.release_version }}"-x86_64-apple-darwin.tar.gz \
-            artifacts/release-macos-aarch64-artifacts/hurl-"${{ needs.set-context.outputs.release_version }}"-aarch64-apple-darwin.tar.gz \
-            artifacts/release-windows-x64-artifacts/hurl-"${{ needs.set-context.outputs.release_version }}"-x86_64-pc-windows-msvc-installer.exe \
-            artifacts/release-windows-x64-artifacts/hurl-"${{ needs.set-context.outputs.release_version }}"-x86_64-pc-windows-msvc.zip
-            echo "file,sha256" > release-${{ needs.set-context.outputs.release_version }}.sha256.csv
-            find ./artifacts -name "*sha256" | xargs -I FILE sh -c 'echo "https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/${{ needs.set-context.outputs.release_version }}/$(basename FILE),$(cat FILE)"' >> release-${{ needs.set-context.outputs.release_version }}.sha256.csv
+            artifacts/release-deb-x64-artifacts/hurl_"${RELEASE_VERSION}"_amd64.deb \
+            artifacts/release-generic-linux-x64-artifacts/hurl-"${RELEASE_VERSION}"-x86_64-unknown-linux-gnu.tar.gz \
+            artifacts/release-generic-linux-aarch64-artifacts/hurl-"${RELEASE_VERSION}"-aarch64-unknown-linux-gnu.tar.gz \
+            artifacts/release-macos-x64-artifacts/hurl-"${RELEASE_VERSION}"-x86_64-apple-darwin.tar.gz \
+            artifacts/release-macos-aarch64-artifacts/hurl-"${RELEASE_VERSION}"-aarch64-apple-darwin.tar.gz \
+            artifacts/release-windows-x64-artifacts/hurl-"${RELEASE_VERSION}"-x86_64-pc-windows-msvc-installer.exe \
+            artifacts/release-windows-x64-artifacts/hurl-"${RELEASE_VERSION}"-x86_64-pc-windows-msvc.zip
+            echo "file,sha256" > release-"${RELEASE_VERSION}".sha256.csv
+            find ./artifacts -name "*sha256" | xargs -I FILE sh -c 'echo "https://github.com/${GITHUB_OWNER}/${GITHUB_REPO_NAME}/releases/download/${RELEASE_VERSION}/$(basename FILE),$(cat FILE)"' >> release-"${RELEASE_VERSION}".sha256.csv
 
       - name: Archive sha256 artifacts
         uses: actions/[email protected]
@@ -396,13 +401,12 @@ jobs:
 
       - name: Create new pull request
         run: |
-          GITHUB_TOKEN=${{ secrets.HURL_BOT_TOKEN }}
           {
           echo "⚠ This is a GitHub releasing PR."
           echo "- Please use \`/accept\` as usual then run the \`update-branch-version\` github workflow if you want to automatically update master branch to next SNAPSHOT version"
           } > file-body.txt
           gh pr create \
-            --title "Merge GitHub ${{ needs.set-context.outputs.release_branch }} into ${{ github.ref_name }}" \
+            --title "Merge GitHub ${{ needs.set-context.outputs.release_branch }} into ${GITHUB_REF}" \
             --body-file file-body.txt \
             --base master \
             --label bot && gh_exit_code=0 || gh_exit_code=$?

.github/workflows/update-branch-version.yml

@@ -38,6 +38,7 @@ concurrency: update-branch-version
 jobs:
   update-branch-version:
     env:
+      GITHUB_REF: ${{ github.ref }}
       GITHUB_CONTEXT: ${{ toJson(github) }}
       GITHUB_TOKEN: ${{ secrets.HURL_BOT_TOKEN }}
       REPO: ${{ github.repository }}
@@ -53,7 +54,7 @@ jobs:
 
       - name: Init bot branch name
         run: |
-          base=$(echo "${{ github.ref }}" | sed "s#refs/heads/##g" | tr '/' '-')
+          base=$(echo "${GITHUB_REF}" | sed "s#refs/heads/##g" | tr '/' '-')
           echo "BOT_UPDATE_VERSION_BRANCH_NAME=bot/update-branch-version-${base}" | tee -a $GITHUB_ENV
 
       - name: Update version
@@ -115,9 +116,8 @@ jobs:
       - name: Create new version PR
         id: create-new-version-pr
         run: |
-          GITHUB_TOKEN=${{ secrets.HURL_BOT_TOKEN }}
           git fetch
-          base=$(echo "${{ github.ref }}" | sed "s#refs/heads/##g")
+          base=$(echo "${GITHUB_REF}" | sed "s#refs/heads/##g")
           gh pr create --fill --label bot --base "${base}"  --head "${BOT_UPDATE_VERSION_BRANCH_NAME}" && gh_exit_code=0 || gh_exit_code=$?
           if [ ${gh_exit_code} -eq 0 ] ; then
             NEW_PR_NUMBER=$(gh pr list --repo "${REPO}" --head "${BOT_UPDATE_VERSION_BRANCH_NAME}" --state "open" --json number --jq .[].number)
@@ -127,3 +127,4 @@ jobs:
             echo "  - ❌ A problem occurs when attempting to create new pull request."
             exit 1
           fi
+

bin/check/zizmor.sh

@@ -0,0 +1,91 @@
+#!/bin/bash
+set -Eeuo pipefail
+
+# functions
+function init_terminal_colors(){
+    color_red=$(echo -ne "\033[1;31m")
+    color_green=$(echo -ne "\033[1;32m")
+    color_reset=$(echo -ne "\033[0m")
+}
+
+function usage(){
+    echo
+    echo "Usage: $(basename "$0") [Options]... file1 file2..."
+    echo
+    echo "Options: #mandatory #optional"
+    echo
+    echo "  --help #optional"
+    echo "      This help text"
+    echo
+    echo "  --github-token <github token access> #mandatory"
+    echo "      specify github user token"
+    echo "        : example: --github-token ghp_kJvDuaalZidk3nB1uYtgsqMrkQ5Hkh76jh2o"
+}
+
+function consume_args(){
+    github_token=
+    files_count=0
+    while [[ $# -gt 0 ]] ; do
+        case "$1" in
+        --help)
+            usage
+            exit 0
+            ;;
+        --github-token)
+            if [[ -n ${2:-} ]] ; then
+                github_token="$2"
+                shift
+                shift
+            else
+                echo "${color_red}Error${color_reset} - Option $1 can not be null."
+                usage >&2
+                return 1
+            fi
+            ;;
+        *)
+            if [[ -f ${1} ]] ; then
+                files+=("$1")
+                files_count=$((files_count+1))
+                shift
+            else
+                echo "${color_red}Error${color_reset} - $1 is not a file or is not readable"
+                usage >&2
+                return 1
+            fi
+            ;;
+        esac
+    done
+    if [[ -z "${github_token}" ]] ; then
+        echo "${color_red}Error${color_reset} - Option --github_token is mandatory."
+        usage >&2
+        return 1
+    fi
+    if [[ $files_count == 0 ]] ; then
+        echo "${color_red}Error${color_reset} - You must provide at least one file for analysis."
+        usage >&2
+        return 1
+    fi
+    if ! (command -v zizmor >/dev/null 2>&1) ; then
+        echo "${color_red}Error${color_reset} - Zizmor has to be installed on your system (https://woodruffw.github.io/zizmor/installation)."
+        return 1
+    fi
+}
+
+# main
+init_terminal_colors
+consume_args "$@"
+zizmor --version
+error_count=0
+for file in  "${files[@]}" ; do
+    zizmor \
+        --min-severity low \
+        --min-confidence medium \
+        --gh-token "${github_token}" \
+        "${file}" || error_count=$((error_count+1))
+done
+if [[ $error_count -gt 0 ]] ; then
+    echo "${color_red}There are problems with github workflows${color_reset}"
+    exit 1
+else
+    echo "${color_green}No problem with github workflows${color_reset}"
+fi