Skip to content

Commit c823f2c

Browse files
woodruffwwoodruffw
authored
Hash-check zizmor Docker images (#68)
1 parent 706c51b commit c823f2c

5 files changed

Lines changed: 141 additions & 1 deletion

File tree

.github/workflows/selftest.yml

Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -40,6 +40,30 @@ jobs:
4040
advanced-security: true
4141
version: "1.6.0"
4242

43+
selftest-version-nonexistent-xfail:
44+
name: "TEST: nonexistent version of zizmor (expected to fail)"
45+
runs-on: ubuntu-latest
46+
steps:
47+
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
48+
with:
49+
persist-credentials: false
50+
51+
- uses: ./
52+
id: zizmor
53+
continue-on-error: true
54+
with:
55+
advanced-security: true
56+
version: "9999.0.0"
57+
58+
- name: assert failure
59+
env:
60+
XFAIL: ${{ steps.zizmor.outcome == 'failure' }}
61+
JOB_NAME: ${{ github.job }}
62+
run: |
63+
echo "xfail ${JOB_NAME}: ${XFAIL}"
64+
65+
[[ "${XFAIL}" == "true" ]] || { >&2 echo "expected step to fail"; exit 1; }
66+
4367
selftest-plain:
4468
name: "TEST: emits plan format when 'advanced-security: false'"
4569
runs-on: ubuntu-latest

.github/workflows/sync-zizmor-versions.yml

Lines changed: 39 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,39 @@
1+
on:
2+
schedule:
3+
# every hour
4+
- cron: "0 * * * *"
5+
workflow_dispatch:
6+
7+
name: Sync zizmor versions
8+
9+
env:
10+
BRANCH_NAME: sync-zizmor-versions
11+
12+
jobs:
13+
sync-versions:
14+
name: Sync zizmor versions
15+
runs-on: ubuntu-latest
16+
permissions:
17+
contents: write # to create PR branches
18+
pull-requests: write # to create PRs
19+
steps:
20+
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
21+
with:
22+
persist-credentials: false
23+
24+
- name: Install dependencies
25+
run: apt install -y skopeo jq
26+
27+
- name: Sync zizmor versions
28+
run: ./support/sync-zizmor-versions.sh > ./support/zizmor-versions
29+
30+
- name: Create or update pull request
31+
uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
32+
with:
33+
branch: ${{ env.BRANCH_NAME }}
34+
delete-branch: true
35+
commit-message: Sync zizmor versions
36+
title: Sync zizmor versions
37+
body: This PR was created automatically to sync the zizmor versions used in workflows and other places.
38+
assignees: woodruffw
39+
draft: true

action.sh

Lines changed: 19 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -33,6 +33,14 @@ installed docker || die "Cannot run this action without Docker"
3333

3434
[[ "${RUNNER_OS}" != "Linux" ]] && warn "Unsupported runner OS: ${RUNNER_OS}"
3535

36+
# Load an associative array of versions from `./support/versions`.
37+
# Each line is of the form `version digest`.
38+
declare -A versions
39+
parent_dir=$(dirname "${GITHUB_ACTION_PATH}")
40+
while IFS=' ' read -r version digest; do
41+
versions["${version}"]="${digest}"
42+
done < "${parent_dir}/support/versions"
43+
3644
output="${RUNNER_TEMP}/zizmor"
3745

3846
version_regex='^v?[0-9]+\.[0-9]+\.[0-9]+$'
@@ -64,7 +72,17 @@ if [[ -n "${GHA_ZIZMOR_CONFIG:-}" ]]; then
6472
arguments+=("--config=${GHA_ZIZMOR_CONFIG}")
6573
fi
6674

67-
image="ghcr.io/zizmorcore/zizmor:${GHA_ZIZMOR_VERSION#v}"
75+
normalized_version="${GHA_ZIZMOR_VERSION#v}"
76+
digest="${versions[${normalized_version}]:-}"
77+
78+
# We only proceed if we have a digest for the requested version; a lookup
79+
# failure indicates an unknown version (i.e. either nonsense or a version
80+
# that was released after this action's last release).
81+
if [[ -z "${digest}" ]]; then
82+
die "Unknown version: ${GHA_ZIZMOR_VERSION}"
83+
fi
84+
85+
image="ghcr.io/zizmorcore/zizmor:${normalized_version}@${digest}"
6886

6987
# Notes:
7088
# - We run the container with ${GITHUB_WORKSPACE} mounted as /workspace

support/sync-zizmor-versions.sh

Lines changed: 35 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,35 @@
1+
#!/usr/bin/env bash
2+
3+
# sync-zizmor-versions.sh: fetch and store all tagged versions of
4+
# zizmorcore/zizmor on GHCR
5+
6+
set -eu
7+
8+
CI=${CI:-false}
9+
IMAGE="ghcr.io/zizmorcore/zizmor"
10+
11+
err() {
12+
[[ "${CI}" = "true" ]] && echo "::error::${*}" || echo "ERROR: ${*}" >&2
13+
}
14+
15+
die() {
16+
err "${*}"
17+
exit 1
18+
}
19+
20+
installed() {
21+
command -v "${1}" >/dev/null 2>&1
22+
}
23+
24+
installed skopeo || die "'skopeo' is required to continue"
25+
installed jq || die "'jq' is required to continue"
26+
27+
tags=$(skopeo list-tags "docker://${IMAGE}" | jq -r '.Tags[]')
28+
29+
# For each tag, get the corresponding image's digest with `skopeo inspect`
30+
# and emit it as a line in the format:
31+
# <tag> <digest>
32+
for tag in ${tags}; do
33+
digest=$(skopeo --override-os=linux --override-arch=amd64 inspect "docker://${IMAGE}:${tag}" | jq -r '.Digest')
34+
echo "${tag} ${digest}"
35+
done

support/versions

Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,24 @@
1+
latest sha256:4a574a15fc2bfb6c3b30db75410f1faeb7a94b5355d46dcbd32309047dd6d097
2+
1.6.0 sha256:c92dceb026c6858fd51814baf6b9bdc4328c0a36abf42dfa1bdc59f69a1deb77
3+
1.8.0 sha256:4d3128ae1370da9507bdd42a62d72b8304d4d0f290147aaac3eb0ebf51d70890
4+
1.9.0 sha256:ecb5e81e47bdb9e61ffa26b3def736ef4a6842d25e106986fd9dc579da0c9a68
5+
1.5.2 sha256:2eec97e326025cebb147a380011ff40402866275cbb9e85968a471ca592c00a3
6+
1.10.0 sha256:bd82c50b391b70cbf985c46da12c336510b48296e8d8e9bb80f63fe17ca90b6e
7+
1.11.0 sha256:732696b82d9010ea395085f1b620d834ab87c26e6696f46227755bf4bc1ad3f7
8+
1.12.0 sha256:0600e0f4b6ae25bf51fff1325882dc20a61e487e34618de7381322387661211c
9+
1.12.1 sha256:863597f69a59c70538efa2a6589cf3162734d17a818c0f00bbc36fe98133283c
10+
1.13.0 sha256:89ccca3a97b41ab335e30c716b9cd7129baab377f8cf0cb1a19d593820d6b0d0
11+
1.14.0 sha256:4044c6283a7baef51942b7126fb39a6a618a75f18883c1aa93edbc2151e2c85d
12+
1.14.1 sha256:7f035f1304ea7a86e2320b230996fb04ded8721322b1be935523be5ab75f1c28
13+
1.14.2 sha256:d18a6c1e37733db34fbb516e1f168687db53f2e6601ca44d061700757a38ad95
14+
1.15.0 sha256:f036bd8202dd27d56a9a8a727b165678a73bc7520f3003d297b278cc919784e6
15+
1.15.1 sha256:71ea8306dc59248fb0fa9d9c0ba0c67dd655a7ffee69ab29a3d2669ca53babf2
16+
1.15.2 sha256:a8fcfb013f9074e7569c904a38d070009ee40d61cf14bfa70de3bd36d6acaab2
17+
1.16.0 sha256:a6460f1b6fe3dc08e588d314e73563bdd218ee30c995a4be5e9ee5bd300391ce
18+
1.16.1 sha256:f4ec2276a32656a82f97cf2d79b02ee7b0e5b2423d0eba167c9ffc4c5e49956a
19+
1.16.2 sha256:f49ba23d190f90cb837e7e117803cbf96f5632bc65417d7e2fdb04f606e19c17
20+
1.16.3 sha256:f09cee55087d54e7a162fc255ffe82ef942f68e683f967c8a6471ffe35e7ec64
21+
1.17.0 sha256:145f66ca2e40864153e7f2f0174777755976252182a08e72e62364b7f0a44979
22+
1.18.0 sha256:c5bbdb28b75702f181695d7a878e562ccb5c0a01847db87edda7476908d73dd6
23+
1.19.0 sha256:6f31a7b49f7c969f7f8e0b50283bf6570f300d923aaf7b7abefad94f50e3842b
24+
1.20.0 sha256:4a574a15fc2bfb6c3b30db75410f1faeb7a94b5355d46dcbd32309047dd6d097

0 commit comments

Comments
 (0)