ci,tools: Update config and script

taiki-e · taiki-e · commit f5a4a72ec757 · 2026-05-24T21:54:22.000+09:00
diff --git a/.editorconfig b/.editorconfig
@@ -11,7 +11,7 @@ indent_style = space
 insert_final_newline = true
 trim_trailing_whitespace = true
 
-[*.{css,html,json,md,rb,sh,yml,yaml}]
+[*.{css,html,json,md,rb,ps1,sh,yml,yaml}]
 indent_size = 2
 
 [*.{js,yml,yaml}]
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -18,7 +18,3 @@ updates:
     commit-message:
       prefix: ''
     labels: []
-    groups:
-      github-actions:
-        patterns:
-          - '*'
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -32,22 +32,22 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  miri:
-    uses: taiki-e/github-actions/.github/workflows/miri.yml@5f549ff6b21e9a853f5f613784d5db27746fd2bc # main
-  msrv:
-    uses: taiki-e/github-actions/.github/workflows/msrv.yml@5f549ff6b21e9a853f5f613784d5db27746fd2bc # main
-  release-dry-run:
-    uses: taiki-e/github-actions/.github/workflows/release-dry-run.yml@5f549ff6b21e9a853f5f613784d5db27746fd2bc # main
   tidy:
-    uses: taiki-e/github-actions/.github/workflows/tidy.yml@5f549ff6b21e9a853f5f613784d5db27746fd2bc # main
+    uses: taiki-e/github-actions/.github/workflows/tidy.yml@3637cc7cf76d2ce698edc313bcd39bad8a92caa8 # main
     permissions:
-      contents: write # for creating branch for pr
-      pull-requests: write # unused (used in `codegen-automerge: true` case)
       security-events: write # for github/codeql-action/*
-    secrets:
-      PR_TOKEN_APP_PRIVATE_KEY: ${{ secrets.PR_TOKEN_APP_PRIVATE_KEY }}
+  miri:
+    needs: tidy
+    uses: taiki-e/github-actions/.github/workflows/rust-miri.yml@3637cc7cf76d2ce698edc313bcd39bad8a92caa8 # main
+  msrv:
+    needs: tidy
+    uses: taiki-e/github-actions/.github/workflows/rust-msrv.yml@3637cc7cf76d2ce698edc313bcd39bad8a92caa8 # main
+  release-dry-run:
+    needs: tidy
+    uses: taiki-e/github-actions/.github/workflows/rust-release-dry-run.yml@3637cc7cf76d2ce698edc313bcd39bad8a92caa8 # main
 
   test:
+    needs: tidy
     strategy:
       fail-fast: false
       matrix:
@@ -63,9 +63,10 @@ jobs:
     timeout-minutes: 60
     steps:
       - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2
-      - uses: taiki-e/github-actions/install-rust@5f549ff6b21e9a853f5f613784d5db27746fd2bc # main # zizmor: ignore[stale-action-refs]
+      - uses: taiki-e/install-action@ec28e287910af896fd98e04056d31fa68607e7ad # v2.77.4
         with:
-          toolchain: ${{ matrix.rust }}
+          tool: rust@${{ matrix.rust }}
+          fallback: none
       - run: cargo test --workspace --all-features
       - run: |
           cargo install --path . --debug
@@ -76,7 +77,7 @@ jobs:
           rustup toolchain remove 1.63 1.64 1.65
           cargo hack check --rust-version --workspace --locked
           cargo uninstall cargo-hack
-      - uses: taiki-e/install-action@58e862542551f667fa44c8a2a4a1d64ad477c96a # v2.75.17
+      - uses: taiki-e/install-action@ec28e287910af896fd98e04056d31fa68607e7ad # v2.77.4
         with:
           tool: cargo-hack,cargo-minimal-versions
           fallback: none
@@ -86,6 +87,7 @@ jobs:
 
   test-compat:
     name: test (1.${{ matrix.rust }})
+    needs: tidy
     strategy:
       fail-fast: false
       matrix:
@@ -102,9 +104,10 @@ jobs:
     timeout-minutes: 60
     steps:
       - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2
-      - uses: taiki-e/github-actions/install-rust@5f549ff6b21e9a853f5f613784d5db27746fd2bc # main # zizmor: ignore[stale-action-refs]
+      - uses: taiki-e/install-action@ec28e287910af896fd98e04056d31fa68607e7ad # v2.77.4
         with:
-          toolchain: nightly
+          tool: rust@nightly
+          fallback: none
       - run: cargo test --workspace --all-features
         env:
           CARGO_HACK_TEST_TOOLCHAIN: ${{ matrix.rust }}
@@ -116,6 +119,7 @@ jobs:
 
   test-no-rustup:
     name: test (no rustup)
+    needs: tidy
     runs-on: ubuntu-24.04
     timeout-minutes: 60
     container: alpine
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -14,18 +14,14 @@ on:
           - minor
           - major
 
-defaults:
-  run:
-    shell: bash --noprofile --norc -CeEuxo pipefail {0}
-
 concurrency:
   group: ${{ github.workflow }}
   cancel-in-progress: false
 
 jobs:
   release:
     if: github.repository_owner == 'taiki-e'
-    uses: taiki-e/github-actions/.github/workflows/rust-release.yml@5f549ff6b21e9a853f5f613784d5db27746fd2bc # main
+    uses: taiki-e/github-actions/.github/workflows/rust-release.yml@3637cc7cf76d2ce698edc313bcd39bad8a92caa8 # main
     permissions:
       contents: write # for taiki-e/create-gh-release-action / taiki-e/upload-rust-binary-action
       id-token: write # for rust-lang/crates-io-auth-action / actions/attest
diff --git a/tools/tidy.sh b/tools/tidy.sh
@@ -9,13 +9,22 @@ cd -- "$(dirname -- "$0")"/..
 #    GITHUB_TOKEN=$(gh auth token) ./tools/tidy.sh
 #
 # Note: This script requires the following tools:
-# - docker
+# - docker or podman (or compatible CLI specified by TIDY_DOCKER_PATH. when both available and TIDY_DOCKER_PATH is not set, docker is preferred)
 #
 # This script is shared by projects under github.com/taiki-e, so there may also
 # be checks for files not included in this repository, but they will be skipped
 # if the corresponding files do not exist.
 # It is not intended for manual editing.
 
+bail() {
+  if [[ -n "${GITHUB_ACTIONS:-}" ]]; then
+    printf '::error::%s\n' "$*"
+  else
+    printf >&2 'error: %s\n' "$*"
+  fi
+  exit 1
+}
+
 if [[ $# -gt 0 ]]; then
   cat <<EOF
 USAGE:
@@ -24,13 +33,14 @@ EOF
   exit 1
 fi
 
+image='ghcr.io/taiki-e/tidy'
 if [[ -n "${TIDY_DEV:-}" ]]; then
-  image="ghcr.io/taiki-e/tidy:latest"
+  image+=':latest'
 else
-  image="ghcr.io/taiki-e/tidy@sha256:c78ba09aa420feddc57ca76fca38b1d4c998a0ede37f76378f12df15a826cf59"
+  image+='@sha256:151cd5c4f7c88bd21322c7dab255d60e699ffe4d4903e4e712429952537df6cf'
 fi
 user="$(id -u):$(id -g)"
-workdir=$(pwd)
+workdir="${PWD}"
 tmp=$(mktemp -d)
 trap -- 'rm -rf -- "${tmp:?}"' EXIT
 mkdir -p -- "${tmp}"/{pwsh-cache,pwsh-local,zizmor-cache,dummy-dir,tmp}
@@ -40,8 +50,12 @@ color=''
 if [[ -t 1 ]] || [[ -n "${GITHUB_ACTIONS:-}" ]]; then
   color=1
 fi
+# Refs:
+# - https://docs.docker.com/reference/cli/docker/container/run/
+# - https://docs.podman.io/en/latest/markdown/podman-run.1.html
+# - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
 common_args=(
-  run --rm --init -i --user "${user}"
+  run --rm --init
   --cap-drop=all
   --security-opt=no-new-privileges
   --read-only
@@ -59,6 +73,30 @@ common_args=(
   --env TIDY_EXPECTED_SHELL_FILE_COUNT
   --env TIDY_EXPECTED_DOCKER_FILE_COUNT
 )
+if [[ -n "${TIDY_DOCKER_PATH:-}" ]]; then
+  docker="${TIDY_DOCKER_PATH}"
+elif type -P docker >/dev/null; then
+  docker='docker'
+elif type -P podman >/dev/null; then
+  docker='podman'
+else
+  bail 'this script requires docker or podman'
+fi
+rootless=''
+if [[ "$("${docker}" --version)" == *'podman'* ]]; then
+  if [[ "$("${docker}" info)" == *'rootless: true'* ]]; then
+    rootless=1
+  fi
+elif [[ "$("${docker}" info -f '{{println .SecurityOptions}}')" == *'rootless'* ]]; then
+  rootless=1
+fi
+if [[ -n "${rootless}" ]]; then
+  printf 'docker path: %s\n' "${docker} (rootless)"
+else
+  printf 'docker path: %s\n' "${docker}"
+  common_args+=(--user "${user}")
+fi
+
 # Map ignored files (e.g., .env) to dummy files.
 while IFS= read -r path; do
   if [[ -d "${path}" ]]; then
@@ -73,36 +111,33 @@ while IFS= read -r path; do
 done < <(git status --porcelain --ignored | grep -E '^!!' | cut -d' ' -f2)
 
 docker_run() {
-  docker "${common_args[@]}" "$@"
+  local script="$1"
+  shift
+  "${docker}" "${common_args[@]}" "$@" "${image}" /checks/"${script}"
   code2="$?"
   if [[ ${code} -eq 0 ]] && [[ ${code2} -ne 0 ]]; then
     code="${code2}"
   fi
 }
 
 set +e
-docker_run \
+docker_run offline.sh \
   --mount "type=bind,source=${workdir},target=${workdir}" --workdir "${workdir}" \
+  --mount "type=bind,source=${workdir}/.git,target=${workdir}/.git,readonly" \
   --mount "type=bind,source=${tmp}/tmp,target=/tmp/tidy" \
   --mount "type=bind,source=${tmp}/pwsh-cache,target=/.cache/powershell" \
   --mount "type=bind,source=${tmp}/pwsh-local,target=/.local/share/powershell" \
-  --network=none \
-  "${image}" \
-  /checks/offline.sh
+  --network=none
 # Some good audits requires access to GitHub API.
-docker_run \
+docker_run zizmor.sh \
   --mount "type=bind,source=${workdir},target=${workdir},readonly" --workdir "${workdir}" \
   --mount "type=bind,source=${tmp}/zizmor-cache,target=/.cache/zizmor" \
-  --env GH_TOKEN --env GITHUB_TOKEN --env ZIZMOR_GITHUB_TOKEN \
-  "${image}" \
-  /checks/zizmor.sh
+  --env GH_TOKEN --env GITHUB_TOKEN --env ZIZMOR_GITHUB_TOKEN
 # We use remote dictionary.
-docker_run \
+docker_run cspell.sh \
   --mount "type=bind,source=${workdir},target=${workdir},readonly" --workdir "${workdir}" \
   --mount "type=bind,source=${workdir}/.github/.cspell/project-dictionary.txt,target=${workdir}/.github/.cspell/project-dictionary.txt" \
   --mount "type=bind,source=${workdir}/.github/.cspell/rust-dependencies.txt,target=${workdir}/.github/.cspell/rust-dependencies.txt" \
-  --mount "type=bind,source=${tmp}/tmp,target=/tmp/tidy" \
-  "${image}" \
-  /checks/cspell.sh
+  --mount "type=bind,source=${tmp}/tmp,target=/tmp/tidy"
 
 exit "${code}"
