
Commit 6b8d507

committed
feat(ci): add setup-and-install workflow, replace pip with native zizmor
Add a setup-and-install reusable workflow and replace pip-based zizmor with a native binary download.

setup-and-install.yml provides a complete CI environment in one line:
- pnpm v10.33.0 (native binary, checksum-verified)
- Node.js 25.9.0 (via actions/setup-node)
- sfw-free (Socket firewall with shims for npm, yarn, pnpm, pip, uv, cargo)
- pnpm install

audit-gha-workflows.yml now downloads zizmor v1.23.1 as a native binary instead of pip install. No Python dependency needed.

All binary downloads are SHA-256 checksum-verified. Handles Linux, macOS, and Windows (sha256sum/shasum fallback, backslash stripping, pnpm.exe copy, MSYS path conversion).
1 parent 2976cfb commit 6b8d507


2 files changed

+176
-2
lines changed


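--- a/.github/workflows/audit-gha-workflows.yml
+++ b/.github/workflows/audit-gha-workflows.yml
@@ -16,10 +16,46 @@ jobs:
         with:
           persist-credentials: false
       - name: Install zizmor
-        run: pip install zizmor==1.23.1
+        shell: bash
+        run: | # zizmor: ignore[github-env]
+          ZIZMOR_VERSION="1.23.1"
+          ZIZMOR_DIR="${RUNNER_TEMP:-/tmp}/zizmor-bin"
+          KERNEL="$(uname -s | cut -d- -f1)"
+          ARCH="$(uname -m)"
+          case "${KERNEL}-${ARCH}" in
+            Linux-x86_64) ASSET="zizmor-x86_64-unknown-linux-gnu.tar.gz" ; EXPECTED_SHA256="67a8df0a14352dd81882e14876653d097b99b0f4f6b6fe798edc0320cff27aff" ;;
+            Linux-aarch64) ASSET="zizmor-aarch64-unknown-linux-gnu.tar.gz" ; EXPECTED_SHA256="3725d7cd7102e4d70827186389f7d5930b6878232930d0a3eb058d7e5b47e658" ;;
+            Darwin-x86_64) ASSET="zizmor-x86_64-apple-darwin.tar.gz" ; EXPECTED_SHA256="89d5ed42081dd9d0433a10b7545fac42b35f1f030885c278b9712b32c66f2597" ;;
+            Darwin-arm64) ASSET="zizmor-aarch64-apple-darwin.tar.gz" ; EXPECTED_SHA256="2632561b974c69f952258c1ab4b7432d5c7f92e555704155c3ac28a2910bd717" ;;
+            MINGW64_NT-x86_64|MSYS_NT-x86_64) ASSET="zizmor-x86_64-pc-windows-msvc.zip" ; EXPECTED_SHA256="33c2293ff02834720dd7cd8b47348aafb2e95a19bdc993c0ecaca9c804ade92a" ;;
+            *) echo "Unsupported platform: ${KERNEL}-${ARCH}" >&2; exit 1 ;;
+          esac
+          ZIZMOR_BIN="$ZIZMOR_DIR/zizmor"
+          [[ "$ASSET" == *.zip ]] && ZIZMOR_BIN="$ZIZMOR_DIR/zizmor.exe"
+          if [ ! -x "$ZIZMOR_BIN" ]; then
+            mkdir -p "$ZIZMOR_DIR"
+            DOWNLOAD_URL="https://github.com/woodruffw/zizmor/releases/download/v${ZIZMOR_VERSION}/${ASSET}"
+            DOWNLOAD_FILE="${ZIZMOR_DIR}/${ASSET}"
+            curl -fsSL -o "$DOWNLOAD_FILE" "$DOWNLOAD_URL"
+            ACTUAL_SHA256="$( (sha256sum "$DOWNLOAD_FILE" 2>/dev/null || shasum -a 256 "$DOWNLOAD_FILE") | cut -d' ' -f1 | tr -d '\\')"
+            if [ "$ACTUAL_SHA256" != "$EXPECTED_SHA256" ]; then
+              echo "Checksum mismatch for ${ASSET}!" >&2
+              echo " Expected: ${EXPECTED_SHA256}" >&2
+              echo " Actual: ${ACTUAL_SHA256}" >&2
+              exit 1
+            fi
+            if [[ "$ASSET" == *.zip ]]; then
+              unzip -qo "$DOWNLOAD_FILE" -d "$ZIZMOR_DIR"
+            else
+              tar xzf "$DOWNLOAD_FILE" -C "$ZIZMOR_DIR"
+            fi
+            rm -f "$DOWNLOAD_FILE"
+            chmod +x "$ZIZMOR_BIN"
+          fi
+          echo "$ZIZMOR_DIR" >> "${GITHUB_PATH:-/dev/null}"
       - name: Run zizmor
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ github.token }}
         run: |
           if [ -d .github ]; then
             zizmor .github --gh-token "${GITHUB_TOKEN}" --min-severity medium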
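Review bot: The `if [ ! -x "$ZIZMOR_BIN" ]` guard at new line 35 reuses any executable already sitting under `$ZIZMOR_DIR` without checking it, so the SHA-256 verification only covers the fresh-download path; on a runner where `RUNNER_TEMP` (or the `/tmp` fallback) survives between jobs, a stale or planted `zizmor` would run unverified. Nothing in this workflow seeds that directory, and the extracted binary cannot be re-checked against `EXPECTED_SHA256` (that is the archive hash), so the simplest fix is to drop the reuse branch and always download-and-verify. The `/tmp` fallback also lands in a shared, world-writable directory; since Actions always sets `RUNNER_TEMP`, fail fast instead: `ZIZMOR_DIR="${RUNNER_TEMP:?RUNNER_TEMP is not set}/zizmor-bin"`. A comment next to `ZIZMOR_VERSION` such as `# Per-platform hashes below are for this exact version; bump both together` would keep the pin and the hashes from drifting apart.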
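--- /dev/null
+++ b/.github/workflows/setup-and-install.yml
@@ -0,0 +1,138 @@
+name: Setup and Install
+on:
+  workflow_call:
+    inputs:
+      node-version:
+        description: 'Node.js version'
+        required: false
+        type: string
+        default: '25.9.0'
+      working-directory:
+        description: 'Working directory for pnpm install'
+        required: false
+        type: string
+        default: '.'
+jobs:
+  setup-and-install:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Install pnpm
+        shell: bash
+        run: | # zizmor: ignore[github-env]
+          PNPM_VERSION="10.33.0"
+          PNPM_DIR="${RUNNER_TEMP:-/tmp}/pnpm-bin"
+          KERNEL="$(uname -s | cut -d- -f1)"
+          ARCH="$(uname -m)"
+          case "${KERNEL}-${ARCH}" in
+            Linux-x86_64) ASSET="pnpm-linux-x64" ; EXPECTED_SHA256="8d4e8f7d778e8ac482022e2577011706a872542f6f6f233e795a4d9f978ea8b5" ;;
+            Linux-aarch64) ASSET="pnpm-linux-arm64" ; EXPECTED_SHA256="06755ad2817548b84317d857d5c8003dc6e9e28416a3ea7467256c49ab400d48" ;;
+            Darwin-x86_64) ASSET="pnpm-macos-x64" ; EXPECTED_SHA256="c31e29554b0e3f4e03f4617195c949595e4dca36085922003de4896c3ca4057d" ;;
+            Darwin-arm64) ASSET="pnpm-macos-arm64" ; EXPECTED_SHA256="ed8a1f140f4de457b01ebe0be3ae28e9a7e28863315dcd53d22ff1e5a32d63ae" ;;
+            MINGW64_NT-x86_64|MSYS_NT-x86_64) ASSET="pnpm-win-x64.exe" ; EXPECTED_SHA256="afc96009dc39fe23a835d65192049e6a995f342496b175585dc2beda7d42d33f" ;;
+            *) echo "Unsupported platform: ${KERNEL}-${ARCH}" >&2; exit 1 ;;
+          esac
+          PNPM_BIN="$PNPM_DIR/$ASSET"
+          if [ ! -x "$PNPM_BIN" ]; then
+            mkdir -p "$PNPM_DIR"
+            curl -fsSL -o "$PNPM_BIN" "https://github.com/pnpm/pnpm/releases/download/v${PNPM_VERSION}/${ASSET}"
+            ACTUAL_SHA256="$( (sha256sum "$PNPM_BIN" 2>/dev/null || shasum -a 256 "$PNPM_BIN") | cut -d' ' -f1 | tr -d '\\')"
+            if [ "$ACTUAL_SHA256" != "$EXPECTED_SHA256" ]; then
+              echo "Checksum mismatch for ${ASSET}!" >&2
+              echo " Expected: ${EXPECTED_SHA256}" >&2
+              echo " Actual: ${ACTUAL_SHA256}" >&2
+              rm -f "$PNPM_BIN"
+              exit 1
+            fi
+            chmod +x "$PNPM_BIN"
+            # Create pnpm alias. Windows needs a .exe copy; Unix uses a symlink.
+            if [[ "$ASSET" == *.exe ]]; then
+              cp "$PNPM_BIN" "$PNPM_DIR/pnpm.exe"
+            else
+              ln -sf "$PNPM_BIN" "$PNPM_DIR/pnpm"
+            fi
+          fi
+          echo "$PNPM_DIR" >> "${GITHUB_PATH:-/dev/null}"
+
+      - name: Setup Node.js
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        with:
+          node-version: ${{ inputs.node-version }}
+
+      - name: Download sfw-free
+        shell: bash
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: | # zizmor: ignore[github-env]
+          SFW_DIR="${RUNNER_TEMP:-/tmp}/sfw-bin"
+          KERNEL="$(uname -s | cut -d- -f1)"
+          ARCH="$(uname -m)"
+          case "${KERNEL}-${ARCH}" in
+            Linux-x86_64) ASSET="sfw-free-linux-x86_64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="4a1e8b65e90fce7d5fd066cf0af6c93d512065fa4222a475c8d959a6bc14b9ff" ;;
+            Linux-aarch64) ASSET="sfw-free-linux-arm64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="df2eedb2daf2572eee047adb8bfd81c9069edcb200fc7d3710fca98ec3ca81a1" ;;
+            Darwin-x86_64) ASSET="sfw-free-macos-x86_64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="724ccea19d847b79db8cc8e38f5f18ce2dd32336007f42b11bed7d2e5f4a2566" ;;
+            Darwin-arm64) ASSET="sfw-free-macos-arm64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="bf1616fc44ac49f1cb2067fedfa127a3ae65d6ec6d634efbb3098cfa355e5555" ;;
+            MINGW64_NT-x86_64|MSYS_NT-x86_64) ASSET="sfw-free-windows-x86_64.exe" ; SFW_BIN="$SFW_DIR/sfw.exe" ; EXPECTED_SHA256="c953e62ad7928d4d8f2302f5737884ea1a757babc26bed6a42b9b6b68a5d54af" ;;
+            *) echo "Unsupported platform: ${KERNEL}-${ARCH}" >&2; exit 1 ;;
+          esac
+          if [ ! -x "$SFW_BIN" ]; then
+            mkdir -p "$SFW_DIR"
+            DOWNLOAD_URL="$(gh api repos/SocketDev/sfw-free/releases/latest \
+              --jq ".assets[] | select(.name == \"$ASSET\") | .browser_download_url")"
+            curl -fsSL -o "$SFW_BIN" "$DOWNLOAD_URL"
+            ACTUAL_SHA256="$( (sha256sum "$SFW_BIN" 2>/dev/null || shasum -a 256 "$SFW_BIN") | cut -d' ' -f1 | tr -d '\\')"
+            if [ "$ACTUAL_SHA256" != "$EXPECTED_SHA256" ]; then
+              echo "Checksum mismatch for ${ASSET}!" >&2
+              echo " Expected: ${EXPECTED_SHA256}" >&2
+              echo " Actual: ${ACTUAL_SHA256}" >&2
+              rm -f "$SFW_BIN"
+              exit 1
+            fi
+            chmod +x "$SFW_BIN"
+          fi
+          echo "SFW_BIN=$SFW_BIN" >> "${GITHUB_ENV:-/dev/null}"
+
+      - name: Create sfw shims
+        shell: bash
+        run: | # zizmor: ignore[github-env]
+          SHIM_DIR="${RUNNER_TEMP:-/tmp}/sfw-shim"
+          rm -rf "$SHIM_DIR"
+          mkdir -p "$SHIM_DIR"
+          IS_WINDOWS=false
+          [[ "$OSTYPE" == msys* || "$OSTYPE" == cygwin* ]] && IS_WINDOWS=true
+          msys_to_win_path() {
+            if $IS_WINDOWS && [[ "$1" =~ ^/([a-zA-Z])/(.*) ]]; then
+              echo "${BASH_REMATCH[1]^^}:\\${BASH_REMATCH[2]//\//\\}"
+            else
+              echo "$1"
+            fi
+          }
+          strip_shim_dir() { echo "$PATH" | tr ':' '\n' | grep -vxF "$SHIM_DIR" | paste -sd: -; }
+          CLEAN_PATH="$(strip_shim_dir)"
+          # https://docs.socket.dev/docs/socket-firewall-free#what-ecosystems-and-package-managers-are-supported
+          for CMD in npm yarn pnpm pip uv cargo; do
+            REAL="$(PATH="$CLEAN_PATH" command -v "$CMD" 2>/dev/null || true)"
+            [ -z "$REAL" ] && continue
+            REAL="$(msys_to_win_path "$REAL")"
+            printf '%s\n' \
+              '#!/bin/bash' \
+              "export PATH=\"\$(echo \"\$PATH\" | tr ':' '\n' | grep -vxF '${SHIM_DIR}' | paste -sd: -)\"" \
+              'export GIT_SSL_NO_VERIFY=true # Workaround: sfw-free does not yet set GIT_SSL_CAINFO.' \
+              "exec \"${SFW_BIN}\" \"${REAL}\" \"\$@\"" \
+              > "$SHIM_DIR/$CMD"
+            chmod +x "$SHIM_DIR/$CMD"
+            if $IS_WINDOWS; then
+              printf '@echo off\r\nset "PATH=;%%PATH%%;"\r\nset "PATH=%%PATH:;%s;=;%%"\r\nset "PATH=%%PATH:~1,-1%%"\r\n"%s" "%s" %%*\r\n' \
+                "$SHIM_DIR" "$SFW_BIN" "$REAL" > "$SHIM_DIR/$CMD.cmd"
+            fi
+          done
+          echo "$SHIM_DIR" >> "${GITHUB_PATH:-/dev/null}"
+          echo "SFW_SHIM_DIR=$SHIM_DIR" >> "${GITHUB_ENV:-/dev/null}"
+
+      - name: Install dependencies
+        shell: bash
+        working-directory: ${{ inputs.working-directory }}
+        run: pnpm install --loglevel error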
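Review bot: The shim written at new line 123 exports `GIT_SSL_NO_VERIFY=true` for every invocation of npm, yarn, pnpm, pip, uv and cargo, which switches off TLS certificate verification for all git traffic those tools spawn — git-sourced dependencies (`git+https://…` in package.json, requirements, Cargo.toml) become interceptable, including any that never pass through the firewall. If sfw-free exposes the CA it intercepts with, point `GIT_SSL_CAINFO` at that bundle instead (whether it does is not visible in this diff); if the workaround has to stay, the inline comment should state the consequence and the exit condition, e.g. `# TODO(security): disables git TLS verification for all git deps; remove once sfw-free sets GIT_SSL_CAINFO`. Separately, lines 83–84 resolve `releases/latest` for sfw-free while lines 74–78 pin per-platform hashes, so the next upstream release will make the checksum check fail on every run and invite someone to loosen it — pin the tag the hashes were computed from (`gh api repos/SocketDev/sfw-free/releases/tags/<TAG>`) and bump tag and hashes together. Finally, `runs-on: ubuntu-latest` is hard-coded at line 17, so the Darwin and Windows branches and the `.cmd` shims in this file never execute from this workflow; either expose a `runs-on` input or add a comment noting those branches are untested here.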
