

run repo against zizmor (#373)

authored by

marshmallow and committed by
GitHub
eef772da e4b28d4c

+53 -22
+5 -3
.github/actions/setup-nix/action.yml
··· 10 10 runs: 11 11 using: "composite" 12 12 steps: 13 - - uses: wimpysworld/nothing-but-nix@main 13 + - uses: wimpysworld/nothing-but-nix@10c936d9e46521bf923f75458e0cbd4fa309300d 14 14 with: 15 15 hatchet-protocol: "carve" 16 16 - name: Generate nix.conf ··· 21 21 echo 'config<<EOF' 22 22 echo "system-features = nixos-test benchmark big-parallel kvm" 23 23 24 - if [ "${{ inputs.withQEMU }}" = "true" ]; then 24 + if [ "${INPUTS_WITHQEMU}" = "true" ]; then 25 25 echo "extra-platforms = aarch64-linux i686-linux" 26 26 fi 27 27 ··· 30 30 31 31 echo EOF 32 32 } >> "$GITHUB_OUTPUT" 33 - - uses: cachix/install-nix-action@v31 33 + env: 34 + INPUTS_WITHQEMU: ${{ inputs.withQEMU }} 35 + - uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 34 36 with: 35 37 nix_path: nixpkgs=channel:nixos-unstable 36 38 extra_nix_config: ${{ steps.config.outputs.config }}
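Review bot: The two new SHA pins on the `uses:` lines carry no version comment, so a reader cannot tell which release each hash corresponds to, and Dependabot/Renovate only keep that annotation in sync when it is present. The removed line shows the previous tag, so the second pin can be annotated as `- uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31`; the first was pinned from `@main`, so its annotation needs the release or branch the hash was taken from (`# <release or branch>`). The same applies to every SHA pin added in autofix.yml, follow-nixpkgs.yml, pages.yml, pr-preview.yml and test.yml.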
+7 -3
.github/workflows/autofix.yml
··· 14 14 outputs: 15 15 docs-pnpm: ${{ steps.filter.outputs.docs-pnpm }} 16 16 steps: 17 - - uses: actions/checkout@v6 18 - - uses: dorny/paths-filter@v3 17 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 18 + with: 19 + persist-credentials: false 20 + - uses: dorny/paths-filter@668c092af3649c4b664c54e4b704aa46782f6f7c 19 21 id: filter 20 22 with: 21 23 filters: | ··· 25 27 runs-on: ubuntu-latest 26 28 needs: check-changes 27 29 steps: 28 - - uses: actions/checkout@v6 30 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 31 + with: 32 + persist-credentials: false 29 33 - uses: ./.github/actions/setup-nix 30 34 - name: Cache Cargo 31 35 uses: actions/cache@v5
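Review bot: `actions/cache@v5` on the last context line of the second hunk is still pinned to a mutable tag while every other third-party action in this file now uses a commit SHA, so the pinning is incomplete and zizmor's unpinned-uses check will presumably still report it. Pin it the same way, `uses: actions/cache@<commit-sha> # v5`, taking the hash from the v5 release. The `Cache Cargo` step continues outside the hunk.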
+10 -4
.github/workflows/follow-nixpkgs.yml
··· 8 8 pre-job: 9 9 continue-on-error: true 10 10 runs-on: ubuntu-latest 11 + permissions: {} 11 12 outputs: 12 13 number: ${{ steps.skip_check.outputs.number }} 13 14 steps: 14 - - uses: actions/checkout@v6 15 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 16 + with: 17 + persist-credentials: false 15 18 - id: skip_check 16 19 run: | 17 20 echo "number=$(gh pr list --label flake-lock-update --state open --json id | jq 'length')" >> "$GITHUB_OUTPUT" ··· 19 22 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 20 23 update: 21 24 runs-on: ubuntu-latest 25 + permissions: {} 22 26 needs: pre-job 23 27 if: needs.pre-job.outputs.number == '0' 24 28 steps: 25 - - uses: actions/checkout@v6 29 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 26 30 with: 27 31 ssh-key: ${{ secrets.FOLLOW_NIXPKGS_PRIVATE_KEY }} 28 32 ref: main 33 + persist-credentials: false 29 34 - uses: ./.github/actions/setup-nix 30 35 - run: | 31 36 git config user.name 'github-actions[bot]' ··· 36 41 run: echo "date=$(date +'%Y-%m-%d')" >> "$GITHUB_OUTPUT" 37 42 - name: Create Pull Request 38 43 id: cpr 39 - uses: peter-evans/create-pull-request@v8 44 + uses: peter-evans/create-pull-request@0979079bc20c05bbbb590a56c21c4e2b1d1f1bbe 40 45 with: 41 46 title: Update flake.lock ${{ steps.date.outputs.date }} 42 47 labels: flake-lock-update 43 48 branch: ci/flake-update 44 49 - name: Enable automerge 45 50 if: steps.cpr.outputs.pull-request-number 46 - run: gh pr merge --squash --auto "${{ steps.cpr.outputs.pull-request-number }}" 51 + run: gh pr merge --squash --auto "${STEPS_CPR_OUTPUTS_PULL_REQUEST_NUMBER}" 47 52 env: 48 53 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 54 + STEPS_CPR_OUTPUTS_PULL_REQUEST_NUMBER: ${{ steps.cpr.outputs.pull-request-number }}
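Review bot: In the `update` job, `permissions: {}` combined with `persist-credentials: false` on a checkout that supplies `ssh-key:` likely breaks the job: actions/checkout only writes the SSH key into the local git config when credentials are persisted, so the push done by create-pull-request probably has nothing to authenticate with, and the default `github.token` used by create-pull-request (no `token:` input is visible) and by `gh pr merge` now carries no scopes. If the deploy key is the intended push path, keep `persist-credentials` at its default for that checkout, and give the job an explicit `permissions:` block with `contents: write` and `pull-requests: write` (or pass a dedicated token to both steps). The `pre-job` `gh pr list` call runs under the same empty permissions; on a public repository that read likely still works, but it is worth confirming in an actual run.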
+1 -1
.github/workflows/labeler.yml
··· 1 1 name: "Pull Request Labeler" 2 2 on: 3 - - pull_request_target 3 + - pull_request 4 4 5 5 jobs: 6 6 labeler:
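Review bot: Switching the trigger from `pull_request_target` to `pull_request` changes which PRs can be labeled: on `pull_request` runs from forks the GITHUB_TOKEN is read-only, so a labeler step (the `labeler:` job body is outside the hunk) cannot add labels to fork PRs and will fail for external contributors. If that trade-off is intended it should be recorded above `on:`, e.g. `# pull_request rather than pull_request_target: fork PRs are not labeled (zizmor dangerous-triggers)`; otherwise the safe form of the original trigger is `pull_request_target` with `permissions: pull-requests: write` and no checkout or execution of the PR head. Either way the job should declare its permissions explicitly.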
+7 -3
.github/workflows/pages.yml
··· 10 10 pre-job: 11 11 continue-on-error: true 12 12 runs-on: ubuntu-latest 13 + permissions: {} 13 14 outputs: 14 15 should_skip: ${{ steps.skip_check.outputs.should_skip }} 15 16 steps: 16 17 - id: skip_check 17 - uses: fkirc/skip-duplicate-actions@v5 18 + uses: fkirc/skip-duplicate-actions@04a1aebece824b56e6ad6a401d015479cd1c50b3 18 19 deploy: 19 20 runs-on: ubuntu-latest 21 + permissions: {} 20 22 environment: 21 23 name: production 22 24 url: https://wire.althaea.zone/ 23 25 if: github.actor != 'dependabot[bot]' && needs.pre-job.outputs.should_skip != 'true' 24 26 steps: 25 - - uses: actions/checkout@v6 27 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 28 + with: 29 + persist-credentials: false 26 30 - uses: ./.github/actions/setup-nix 27 31 - run: nix build .#docs 28 32 if: github.ref == 'refs/heads/stable' ··· 30 34 if: github.ref != 'refs/heads/stable' 31 35 - name: Deploy to Cloudflare Pages 32 36 id: deployment 33 - uses: cloudflare/wrangler-action@v3 37 + uses: cloudflare/wrangler-action@707f63750981584eb6abc365a50d441516fb04b8 34 38 with: 35 39 apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }} 36 40 accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
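Review bot: `permissions: {}` on `pre-job` removes the `actions: read` scope that fkirc/skip-duplicate-actions uses to list previous workflow runs via the default token, and because the job has `continue-on-error: true` a failure there would be silent: `should_skip` stays empty and `deploy` always runs. If the repository is public the run listing may still be readable without scopes, but an explicit `permissions:` with `actions: read` on that job is the safer pin; the same pattern is added to `pre-job` in test.yml. The `deploy` job's `permissions: {}` looks fine, since its steps authenticate to Cloudflare with repository secrets rather than `github.token`.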
+17 -6
.github/workflows/pr-preview.yml
··· 7 7 runs-on: ubuntu-latest 8 8 outputs: 9 9 number: ${{ steps.find-pr.outputs.number }} 10 + permissions: {} 10 11 if: ${{ github.actor != 'dependabot[bot]' }} 11 12 steps: 12 - - uses: jwalton/gh-find-current-pr@master 13 + - uses: jwalton/gh-find-current-pr@89ee5799558265a1e0e31fab792ebb4ee91c016b 13 14 id: find-pr 14 15 with: 15 16 state: all 16 17 base-ref: 17 18 runs-on: ubuntu-latest 19 + permissions: {} 18 20 needs: get-pr 19 21 outputs: 20 22 base-ref: ${{ steps.base-ref.outputs.base-ref }} ··· 24 26 - name: Locate Base Ref 25 27 id: base-ref 26 28 run: | 27 - echo "base-ref=$(gh api /repos/${{ github.repository }}/pulls/${{ needs.get-pr.outputs.number }} | jq -r '.base.ref')" >> "$GITHUB_OUTPUT" 29 + echo "base-ref=$(gh api /repos/${{ github.repository }}/pulls/${NEEDS_GET_PR_OUTPUTS_NUMBER} | jq -r '.base.ref')" >> "$GITHUB_OUTPUT" 28 30 env: 29 31 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} 32 + NEEDS_GET_PR_OUTPUTS_NUMBER: ${{ needs.get-pr.outputs.number }} 30 33 eval-base: 31 34 runs-on: ubuntu-latest 35 + permissions: {} 32 36 needs: base-ref 33 37 outputs: 34 38 drv: ${{ steps.drv.outputs.drv }} 35 39 steps: 36 - - uses: actions/checkout@v6 40 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 37 41 with: 38 42 ref: ${{ needs.base-ref.outputs.base-ref }} 43 + persist-credentials: false 39 44 - uses: ./.github/actions/setup-nix 40 45 - id: drv 41 46 run: echo "drv=$(nix eval .#docs --json)" >> "$GITHUB_OUTPUT" 42 47 eval-head: 43 48 runs-on: ubuntu-latest 49 + permissions: {} 44 50 needs: get-pr 45 51 outputs: 46 52 drv: ${{ steps.drv.outputs.drv }} 47 53 if: ${{ needs.get-pr.outputs.number != '' }} 48 54 steps: 49 - - uses: actions/checkout@v6 55 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 56 + with: 57 + persist-credentials: false 50 58 - uses: ./.github/actions/setup-nix 51 59 - id: drv 52 60 run: echo "drv=$(nix eval .#docs --json)" >> "$GITHUB_OUTPUT" 53 61 deploy: 54 62 runs-on: ubuntu-latest 63 + 
permissions: {} 55 64 needs: 56 65 - eval-head 57 66 - eval-base ··· 62 71 # skip if nothing changed in the docs package 63 72 if: needs.eval-head.outputs.drv != needs.eval-base.outputs.drv 64 73 steps: 65 - - uses: actions/checkout@v6 74 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 75 + with: 76 + persist-credentials: false 66 77 - uses: ./.github/actions/setup-nix 67 78 - run: nix build .#docs 68 79 - name: Deploy to Cloudflare Pages 69 80 id: deployment 70 - uses: cloudflare/wrangler-action@v3 81 + uses: cloudflare/wrangler-action@707f63750981584eb6abc365a50d441516fb04b8 71 82 with: 72 83 apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }} 73 84 accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
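Review bot: The rewritten `gh api` line in `base-ref` still interpolates `${{ github.repository }}` inside `run:`; that context is repository-controlled and not an injection vector, but the env-var pattern the commit adopts for the PR number applies equally and the runner already exports the value, so `echo "base-ref=$(gh api "/repos/${GITHUB_REPOSITORY}/pulls/${NEEDS_GET_PR_OUTPUTS_NUMBER}" | jq -r '.base.ref')" >> "$GITHUB_OUTPUT"` leaves the script free of expressions and quotes the path argument. Like the other jobs, `base-ref` now calls `gh api` with `GITHUB_TOKEN` under `permissions: {}`; confirm the read still succeeds for this repository's visibility.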
+5 -2
.github/workflows/test.yml
··· 7 7 pre-job: 8 8 continue-on-error: true 9 9 runs-on: ubuntu-latest 10 + permissions: {} 10 11 outputs: 11 12 should_skip: ${{ steps.skip_check.outputs.should_skip }} 12 13 steps: 13 14 - id: skip_check 14 - uses: fkirc/skip-duplicate-actions@v5 15 + uses: fkirc/skip-duplicate-actions@04a1aebece824b56e6ad6a401d015479cd1c50b3 15 16 with: 16 17 concurrent_skipping: "same_content_newer" 17 18 cancel_others: "true" ··· 22 23 contents: read 23 24 if: needs.pre-job.outputs.should_skip != 'true' 24 25 steps: 25 - - uses: actions/checkout@v6 26 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 27 + with: 28 + persist-credentials: false 26 29 - uses: ./.github/actions/setup-nix 27 30 - name: Build Tests 28 31 run: nix build .#cargo-tests -L -vv
+1
nix/hooks.nix
··· 15 15 enable = true; 16 16 settings.edit = true; 17 17 }; 18 + zizmor.enable = true; 18 19 clippy = { 19 20 enable = true; 20 21 settings.extraArgs = "--tests";
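Review bot: `zizmor.enable = true;` would benefit from a comment saying what it gates, since the neighbouring hooks are Rust-oriented and a reader will not guess that this one lints `.github/` workflows: `# zizmor: static analysis of GitHub Actions workflows under .github/`. As a pre-commit hook it only runs for contributors who have the hooks installed; whether this file is also evaluated by `nix flake check` or CI is not visible here, so confirm the workflows are checked in CI as well.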