Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 4 additions & 1 deletion .github/workflows/_reusable_run_tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,10 @@ on:
required: true
OP_SERVICE_ACCOUNT_TOKEN:
required: true
WIRE_IOS_CI_WEBHOOK:
required: false
WIRE_IOS_NIGHTLY_WEBHOOK:
required: false

env: # https://docs.fastlane.tools/getting-started/ios/setup/
LC_ALL: en_US.UTF-8
Expand Down Expand Up @@ -450,4 +454,3 @@ jobs:
uses: ./.github/actions/upload-datadog-junit
with:
api_key: ${{ secrets.DD_API_KEY }}

54 changes: 52 additions & 2 deletions .github/workflows/test_pr_changes.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,26 +6,64 @@
merge_group:
types: [checks_requested]

permissions:
contents: read # required for workflows that need repository checkout access

Check warning on line 10 in .github/workflows/test_pr_changes.yml

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Move this read permission from workflow level to job level.

See more on https://sonarcloud.io/project/issues?id=wireapp_wire-ios&issues=AZ5KXW1FX4tegLrCrws6&open=AZ5KXW1FX4tegLrCrws6&pullRequest=4750

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

question: should this be fixed?

actions: read # required for reading workflow/action metadata

Check warning on line 11 in .github/workflows/test_pr_changes.yml

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Move this read permission from workflow level to job level.

See more on https://sonarcloud.io/project/issues?id=wireapp_wire-ios&issues=AZ5KXW1FX4tegLrCrws7&open=AZ5KXW1FX4tegLrCrws7&pullRequest=4750

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

question: should this be fixed?


# This is what will cancel the workflow
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
workflow-security:
name: Workflow security analysis
runs-on: ubuntu-24.04
permissions:
contents: read # required for actions/checkout to read workflow sources
actions: read # required for zizmor online audits in private repositories
security-events: write # required for SARIF upload
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
Comment on lines +27 to +30

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

question: Does this need to run on separate job? Why not run zizmor step within the detect-changes so we don't pay twice the checkout and job costs?


- name: Run zizmor
id: zizmor
uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
with:
inputs: .github/workflows/test_pr_changes.yml
version: 1.25.2
persona: pedantic
min-severity: informational
min-confidence: low
config: .github/zizmor.yml

- name: Fail if zizmor reported findings
env:
sarifFilePath: ${{ steps.zizmor.outputs.output-file }}
run: |
findingsCount="$(jq '[.runs[].results[]] | length' "$sarifFilePath")"
echo "zizmor findings: $findingsCount"
test "$findingsCount" -eq 0

# This job will tell us which frameworks have source code changes.
# We'll use the results to run tests only for changed frameworks.
detect-changes:
name: Detect PR Changes
needs: [workflow-security]
if: ${{ github.event.pull_request.draft != true }}
runs-on: ubuntu-24.04
# Set job outputs to values from filter step
outputs:
folders: ${{ steps.filter.outputs.changes }}

steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
if: ${{ github.event_name == 'merge_group' }} # on PR, paths-filter can access list of changed files from event payload
with:
persist-credentials: false
lfs: 'false' # as long as we use lfs only for snapshotTesting it should not be useful here
- uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
id: filter
Expand Down Expand Up @@ -139,20 +177,32 @@
needs: [detect-changes, decide-strategy]
name: PR Tests
if: ${{ needs.decide-strategy.outputs.use_parallel != 'true' }}
permissions:
contents: read # required for called workflow repository checkout
pull-requests: write # required for called workflow test result publication
checks: write # required for called workflow check annotations
uses: ./.github/workflows/_reusable_run_tests.yml
with:
folders: ${{ join(fromJson(needs.detect-changes.outputs.folders), ',') }}
notify_secret: WIRE_IOS_CI_WEBHOOK
test_dependencies: ${{ github.event_name != 'pull_request' || startsWith(github.base_ref, 'release/cycle') }}
run_critical_flows: false # separate workflow
notify: failure
secrets: inherit
secrets:
ZENKINS_USERNAME: ${{ secrets.ZENKINS_USERNAME }}
DD_API_KEY: ${{ secrets.DD_API_KEY }}
OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
WIRE_IOS_CI_WEBHOOK: ${{ secrets.WIRE_IOS_CI_WEBHOOK }}

# ── Parallel ────────────────────────────────────────────────────────────────
trigger_tests_pr_parallel:
needs: [detect-changes, decide-strategy]
name: PR Tests
if: ${{ needs.decide-strategy.outputs.use_parallel == 'true' }}
permissions:
contents: read # required for called workflow repository checkout
pull-requests: write # required for called workflow test result publication
checks: write # required for called workflow check annotations
uses: ./.github/workflows/_reusable_run_tests_parallel.yml
with:
folders: ${{ join(fromJson(needs.detect-changes.outputs.folders), ',') }}
Expand Down
12 changes: 12 additions & 0 deletions .github/zizmor.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
---
# All audits run with defaults; only configurable audits are overridden below.
# Persona, severity floor, and confidence floor are set in workflow files.
rules:
unpinned-uses:
config:
policies:
'*': hash-pin

secrets-outside-env:
config:
allow: []
Loading