Unverified Commit 8e19f0f9 authored by Wolfgang Walther's avatar Wolfgang Walther Committed by GitHub

ci: add zizmor check and configuration (#396451)

parents a5b2da98 1a986716
+1 −0
@@ -40,6 +40,7 @@ jobs:
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          token: ${{ steps.app-token.outputs.token }}
          persist-credentials: false

      - name: Log current API rate limits
        env:
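Review bot: The `persist-credentials: false` line in this `with:` block carries no comment explaining why it matters here. This is the only checkout visible on this page that is handed an explicit `token` (from `steps.app-token`), and it checks out `github.event.pull_request.head.sha`. A one-line comment above the setting, such as `# do not leave the app token in .git/config of the PR-head checkout`, would keep a later cleanup from dropping it as redundant. The step's `uses:` line is outside the hunk, so the action it applies to is inferred from the `with:` keys.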
+1 −0
@@ -46,6 +46,7 @@ jobs:
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false
          sparse-checkout: .github/actions
      - name: Checkout the merge commit
        uses: ./.github/actions/checkout
+2 −0
@@ -34,6 +34,7 @@ jobs:
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false
          path: trusted
          sparse-checkout: |
            ci/github-script
@@ -73,6 +74,7 @@ jobs:
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false
          sparse-checkout: .github/actions
      - name: Checkout merge and target commits
        uses: ./.github/actions/checkout
+7 −1
@@ -34,6 +34,7 @@ jobs:
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false
          path: trusted
          sparse-checkout: |
            ci/supportedVersions.nix
@@ -41,6 +42,7 @@ jobs:
      - name: Check out the PR at the test merge commit
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false
          ref: ${{ inputs.mergedSha }}
          path: untrusted
          sparse-checkout: |
@@ -84,6 +86,7 @@ jobs:

      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false
          sparse-checkout: .github/actions
      - name: Check out the PR at merged and target commits
        uses: ./.github/actions/checkout
@@ -155,6 +158,7 @@ jobs:
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false
          sparse-checkout: .github/actions
      - name: Check out the PR at the target commit
        uses: ./.github/actions/checkout
@@ -181,8 +185,9 @@ jobs:
      - name: Compare against the target branch
        env:
          AUTHOR_ID: ${{ github.event.pull_request.user.id }}
          TARGET_SHA: ${{ inputs.mergedSha }}
        run: |
          git -C nixpkgs/trusted diff --name-only ${{ inputs.mergedSha }} \
          git -C nixpkgs/trusted diff --name-only "$TARGET_SHA" \
            | jq --raw-input --slurp 'split("\n")[:-1]' > touched-files.json

          # Use the target branch to get accurate maintainer info
@@ -318,6 +323,7 @@ jobs:
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false
          sparse-checkout: .github/actions
      - name: Checkout the merge commit
        uses: ./.github/actions/checkout
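Review bot: In the "Compare against the target branch" step, the new `TARGET_SHA` variable is bound to `inputs.mergedSha`, so the name says target while the value is the merge commit. `MERGED_SHA: ${{ inputs.mergedSha }}` with `"$MERGED_SHA"` in the script would keep name and value aligned. Moving the expression into `env:` and quoting it stops the shell from interpreting the value, but git would still parse a value beginning with `-` as an option. Whether the input is validated as a commit id upstream is not visible here; if it is not, `git -C nixpkgs/trusted diff --name-only --end-of-options "$TARGET_SHA" \` closes that gap as well. The step's script continues outside the hunk.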
+1 −0
@@ -46,6 +46,7 @@ jobs:
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false
          sparse-checkout: |
            ci/github-script
