zizmor fixes
deansheather committed Aug 21, 2025
commit 41b81ac71ab4fd6034319c6d1ef235220980c021
4 changes: 2 additions & 2 deletions .github/actions/embedded-pg-cache/download/action.yml
Expand Up @@ -27,9 +27,9 @@ runs:
export DAY=$(date +'%d')
echo "year-month=$YEAR_MONTH" >> "$GITHUB_OUTPUT"
echo "prev-year-month=$PREV_YEAR_MONTH" >> "$GITHUB_OUTPUT"
echo "cache-key=${KEY_PREFIX}-${YEAR_MONTH}-${DAY}" >> "$GITHUB_OUTPUT"
echo "cache-key=${INPUTS_KEY_PREFIX}-${YEAR_MONTH}-${DAY}" >> "$GITHUB_OUTPUT"
env:
KEY_PREFIX: ${{ inputs.key-prefix }}
INPUTS_KEY_PREFIX: ${{ inputs.key-prefix }}

# By default, depot keeps caches for 14 days. This is plenty for embedded
# postgres, which changes infrequently.
4 changes: 3 additions & 1 deletion .github/actions/test-cache/download/action.yml
Expand Up @@ -29,7 +29,9 @@ runs:
export DAY=$(date +'%d')
echo "year-month=$YEAR_MONTH" >> "$GITHUB_OUTPUT"
echo "prev-year-month=$PREV_YEAR_MONTH" >> "$GITHUB_OUTPUT"
echo "cache-key=${{ inputs.key-prefix }}-${YEAR_MONTH}-${DAY}" >> "$GITHUB_OUTPUT"
echo "cache-key=${INPUTS_KEY_PREFIX}-${YEAR_MONTH}-${DAY}" >> "$GITHUB_OUTPUT"
env:
INPUTS_KEY_PREFIX: ${{ inputs.key-prefix }}

# TODO: As a cost optimization, we could remove caches that are older than
# a day or two. By default, depot keeps caches for 14 days, which isn't
28 changes: 14 additions & 14 deletions .github/actions/upload-datadog/action.yaml
Expand Up @@ -12,13 +12,12 @@ runs:
run: |
set -e

owner="${{ github.repository_owner }}"
echo "owner: $owner"
if [[ $owner != "coder" ]]; then
echo "owner: $REPO_OWNER"
if [[ "$REPO_OWNER" != "coder" ]]; then
echo "Not a pull request from the main repo, skipping..."
exit 0
fi
if [[ -z "${{ inputs.api-key }}" ]]; then
if [[ -z "${DATADOG_API_KEY}" ]]; then
# This can happen for dependabot.
echo "No API key provided, skipping..."
exit 0
Expand All @@ -31,37 +30,38 @@ runs:

TMP_DIR=$(mktemp -d)

if [[ "${{ runner.os }}" == "Windows" ]]; then
if [[ "${RUNNER_OS}" == "Windows" ]]; then
BINARY_PATH="${TMP_DIR}/datadog-ci.exe"
BINARY_URL="https://github.com/DataDog/datadog-ci/releases/download/${BINARY_VERSION}/datadog-ci_win-x64"
elif [[ "${{ runner.os }}" == "macOS" ]]; then
elif [[ "${RUNNER_OS}" == "macOS" ]]; then
BINARY_PATH="${TMP_DIR}/datadog-ci"
BINARY_URL="https://github.com/DataDog/datadog-ci/releases/download/${BINARY_VERSION}/datadog-ci_darwin-arm64"
elif [[ "${{ runner.os }}" == "Linux" ]]; then
elif [[ "${RUNNER_OS}" == "Linux" ]]; then
BINARY_PATH="${TMP_DIR}/datadog-ci"
BINARY_URL="https://github.com/DataDog/datadog-ci/releases/download/${BINARY_VERSION}/datadog-ci_linux-x64"
else
echo "Unsupported OS: ${{ runner.os }}"
echo "Unsupported OS: $RUNNER_OS"
exit 1
fi

echo "Downloading DataDog CI binary version ${BINARY_VERSION} for ${{ runner.os }}..."
echo "Downloading DataDog CI binary version ${BINARY_VERSION} for $RUNNER_OS..."
curl -sSL "$BINARY_URL" -o "$BINARY_PATH"

if [[ "${{ runner.os }}" == "Windows" ]]; then
if [[ "${RUNNER_OS}" == "Windows" ]]; then
echo "$BINARY_HASH_WINDOWS $BINARY_PATH" | sha256sum --check
elif [[ "${{ runner.os }}" == "macOS" ]]; then
elif [[ "${RUNNER_OS}" == "macOS" ]]; then
echo "$BINARY_HASH_MACOS $BINARY_PATH" | shasum -a 256 --check
elif [[ "${{ runner.os }}" == "Linux" ]]; then
elif [[ "${RUNNER_OS}" == "Linux" ]]; then
echo "$BINARY_HASH_LINUX $BINARY_PATH" | sha256sum --check
fi

# Make binary executable (not needed for Windows)
if [[ "${{ runner.os }}" != "Windows" ]]; then
if [[ "${RUNNER_OS}" != "Windows" ]]; then
chmod +x "$BINARY_PATH"
fi

"$BINARY_PATH" junit upload --service coder ./gotests.xml \
--tags os:${{runner.os}} --tags runner_name:${{runner.name}}
--tags "os:${RUNNER_OS}" --tags "runner_name:${RUNNER_NAME}"
env:
REPO_OWNER: ${{ github.repository_owner }}
DATADOG_API_KEY: ${{ inputs.api-key }}
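Review bot: The rewritten script mixes the braced form `"${RUNNER_OS}"` in every condition with bare `$RUNNER_OS` inside strings at `echo "Unsupported OS: $RUNNER_OS"` and the "Downloading DataDog CI binary" message; both are correct inside double quotes, but since this commit is already touching each of those lines, `echo "Unsupported OS: ${RUNNER_OS}"` and `... for ${RUNNER_OS}..."` would keep one convention. `RUNNER_OS` and `RUNNER_NAME` are not declared in the step's `env:` because they come from the runner's default environment, which is worth a one-line comment above the first use, `# RUNNER_OS / RUNNER_NAME are default runner env vars, not step inputs`, so nobody later assumes they are missing or adds them to `env:`. The 14-addition count suggests `DATADOG_API_KEY` was already exported before this change and only `REPO_OWNER` is new, but the `env:` block sits at the edge of the hunk so that is inferred.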
54 changes: 36 additions & 18 deletions .github/workflows/ci.yaml
Expand Up @@ -42,7 +42,7 @@ jobs:
uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
with:
fetch-depth: 1
# For pull requests it's not necessary to checkout the code
persist-credentials: false
- name: check changed files
uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
id: filter
Expand Down Expand Up @@ -111,7 +111,9 @@ jobs:

- id: debug
run: |
echo "${{ toJSON(steps.filter )}}"
echo "$FILTER_JSON"
env:
FILTER_JSON: ${{ toJSON(steps.filter.outputs) }}

# Disabled due to instability. See: https://github.com/coder/coder/issues/14553
# Re-enable once the flake hash calculation is stable.
Expand Down Expand Up @@ -162,6 +164,7 @@ jobs:
uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
with:
fetch-depth: 1
persist-credentials: false

- name: Setup Node
uses: ./.github/actions/setup-node
Expand Down Expand Up @@ -234,6 +237,7 @@ jobs:
uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
with:
fetch-depth: 1
persist-credentials: false

- name: Setup Node
uses: ./.github/actions/setup-node
Expand Down Expand Up @@ -289,6 +293,7 @@ jobs:
uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
with:
fetch-depth: 1
persist-credentials: false

- name: Setup Node
uses: ./.github/actions/setup-node
Expand Down Expand Up @@ -353,12 +358,13 @@ jobs:
# a separate repository to allow its use before actions/checkout.
- name: Setup RAM Disks
if: runner.os == 'Windows'
uses: coder/setup-ramdisk-action@e1100847ab2d7bcd9d14bcda8f2d1b0f07b36f1b
uses: coder/setup-ramdisk-action@e1100847ab2d7bcd9d14bcda8f2d1b0f07b36f1b # v0.1.0

- name: Checkout
uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
with:
fetch-depth: 1
persist-credentials: false

- name: Setup Go Paths
id: go-paths
Expand Down Expand Up @@ -421,34 +427,34 @@ jobs:
set -o errexit
set -o pipefail

if [ "${{ runner.os }}" == "Windows" ]; then
if [ "$RUNNER_OS" == "Windows" ]; then
# Create a temp dir on the R: ramdisk drive for Windows. The default
# C: drive is extremely slow: https://github.com/actions/runner-images/issues/8755
mkdir -p "R:/temp/embedded-pg"
go run scripts/embedded-pg/main.go -path "R:/temp/embedded-pg" -cache "${EMBEDDED_PG_CACHE_DIR}"
elif [ "${{ runner.os }}" == "macOS" ]; then
elif [ "$RUNNER_OS" == "macOS" ]; then
# Postgres runs faster on a ramdisk on macOS too
mkdir -p /tmp/tmpfs
sudo mount_tmpfs -o noowners -s 8g /tmp/tmpfs
go run scripts/embedded-pg/main.go -path /tmp/tmpfs/embedded-pg -cache "${EMBEDDED_PG_CACHE_DIR}"
elif [ "${{ runner.os }}" == "Linux" ]; then
elif [ "$RUNNER_OS" == "Linux" ]; then
make test-postgres-docker
fi

# if macOS, install google-chrome for scaletests
# As another concern, should we really have this kind of external dependency
# requirement on standard CI?
if [ "${{ matrix.os }}" == "macos-latest" ]; then
if [ "${RUNNER_OS}" == "macos-latest" ]; then
brew install google-chrome
fi

# macOS will output "The default interactive shell is now zsh"
# intermittently in CI...
if [ "${{ matrix.os }}" == "macos-latest" ]; then
if [ "${RUNNER_OS}" == "macos-latest" ]; then
touch ~/.bash_profile && echo "export BASH_SILENCE_DEPRECATION_WARNING=1" >> ~/.bash_profile
fi

if [ "${{ runner.os }}" == "Windows" ]; then
if [ "${RUNNER_OS}" == "Windows" ]; then
# Our Windows runners have 16 cores.
# On Windows Postgres chokes up when we have 16x16=256 tests
# running in parallel, and dbtestutil.NewDB starts to take more than
Expand All @@ -458,15 +464,15 @@ jobs:
NUM_PARALLEL_TESTS=16
# Only the CLI and Agent are officially supported on Windows and the rest are too flaky
PACKAGES="./cli/... ./enterprise/cli/... ./agent/..."
elif [ "${{ runner.os }}" == "macOS" ]; then
elif [ "${RUNNER_OS}" == "macOS" ]; then
# Our macOS runners have 8 cores. We set NUM_PARALLEL_TESTS to 16
# because the tests complete faster and Postgres doesn't choke. It seems
# that macOS's tmpfs is faster than the one on Windows.
NUM_PARALLEL_PACKAGES=8
NUM_PARALLEL_TESTS=16
# Only the CLI and Agent are officially supported on macOS and the rest are too flaky
PACKAGES="./cli/... ./enterprise/cli/... ./agent/..."
elif [ "${{ runner.os }}" == "Linux" ]; then
elif [ "${RUNNER_OS}" == "Linux" ]; then
# Our Linux runners have 8 cores.
NUM_PARALLEL_PACKAGES=8
NUM_PARALLEL_TESTS=8
Expand All @@ -475,7 +481,7 @@ jobs:

# by default, run tests with cache
TESTCOUNT=""
if [ "${{ github.ref }}" == "refs/heads/main" ]; then
if [ "${GITHUB_REF}" == "refs/heads/main" ]; then
# on main, run tests without cache
TESTCOUNT="-count=1"
fi
Expand Down Expand Up @@ -546,6 +552,7 @@ jobs:
uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
with:
fetch-depth: 1
persist-credentials: false

- name: Setup Go
uses: ./.github/actions/setup-go
Expand Down Expand Up @@ -594,6 +601,7 @@ jobs:
uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
with:
fetch-depth: 1
persist-credentials: false

- name: Setup Go
uses: ./.github/actions/setup-go
Expand Down Expand Up @@ -653,6 +661,7 @@ jobs:
uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
with:
fetch-depth: 1
persist-credentials: false

- name: Setup Go
uses: ./.github/actions/setup-go
Expand All @@ -679,6 +688,7 @@ jobs:
uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
with:
fetch-depth: 1
persist-credentials: false

- name: Setup Node
uses: ./.github/actions/setup-node
Expand Down Expand Up @@ -711,6 +721,7 @@ jobs:
uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
with:
fetch-depth: 1
persist-credentials: false

- name: Setup Node
uses: ./.github/actions/setup-node
Expand Down Expand Up @@ -785,6 +796,7 @@ jobs:
fetch-depth: 0
# 👇 Tells the checkout which commit hash to reference
ref: ${{ github.event.pull_request.head.ref }}
persist-credentials: false

- name: Setup Node
uses: ./.github/actions/setup-node
Expand Down Expand Up @@ -863,6 +875,7 @@ jobs:
with:
# 0 is required here for version.sh to work.
fetch-depth: 0
persist-credentials: false

- name: Setup Node
uses: ./.github/actions/setup-node
Expand Down Expand Up @@ -926,7 +939,7 @@ jobs:
egress-policy: audit

- name: Ensure required checks
run: |
run: | # zizmor: ignore[template-injection] We're just reading needs.x.result here, no risk of injection
echo "Checking required checks"
echo "- fmt: ${{ needs.fmt.result }}"
echo "- lint: ${{ needs.lint.result }}"
Expand Down Expand Up @@ -959,6 +972,7 @@ jobs:
uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
with:
fetch-depth: 0
persist-credentials: false

- name: Setup build tools
run: |
Expand Down Expand Up @@ -1059,6 +1073,7 @@ jobs:
uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
with:
fetch-depth: 0
persist-credentials: false

- name: GHCR Login
uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
Expand Down Expand Up @@ -1201,7 +1216,7 @@ jobs:
make build/coder_"$version"_linux_{amd64,arm64,armv7}.tag

# only push if we are on main branch
if [ "${{ github.ref }}" == "refs/heads/main" ]; then
if [ "${GITHUB_REF}" == "refs/heads/main" ]; then
# build and push multi-arch manifest, this depends on the other images
# being pushed so will automatically push them
# note: omitting the -j argument to avoid race conditions when pushing
Expand All @@ -1228,12 +1243,13 @@ jobs:
continue-on-error: true
env:
COSIGN_EXPERIMENTAL: 1
BUILD_TAG: ${{ steps.build-docker.outputs.tag }}
run: |
set -euxo pipefail

# Define image base and tags
IMAGE_BASE="ghcr.io/coder/coder-preview"
TAGS=("${{ steps.build-docker.outputs.tag }}" "main" "latest")
TAGS=("${BUILD_TAG}" "main" "latest")

# Generate and attest SBOM for each tag
for tag in "${TAGS[@]}"; do
Expand Down Expand Up @@ -1372,7 +1388,7 @@ jobs:
# Report attestation failures but don't fail the workflow
- name: Check attestation status
if: github.ref == 'refs/heads/main'
run: |
run: | # zizmor: ignore[template-injection] We're just reading steps.attest_x.outcome here, no risk of injection
if [[ "${{ steps.attest_main.outcome }}" == "failure" ]]; then
echo "::warning::GitHub attestation for main tag failed"
fi
Expand Down Expand Up @@ -1432,6 +1448,7 @@ jobs:
uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
with:
fetch-depth: 0
persist-credentials: false

- name: Authenticate to Google Cloud
uses: google-github-actions/auth@b7593ed2efd1c1617e1b0254da33b86225adb2a5 # v2.1.12
Expand Down Expand Up @@ -1496,6 +1513,7 @@ jobs:
uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
with:
fetch-depth: 0
persist-credentials: false

- name: Setup flyctl
uses: superfly/flyctl-actions/setup-flyctl@fc53c09e1bc3be6f54706524e3b82c4f462f77be # v1.5
Expand Down Expand Up @@ -1531,7 +1549,7 @@ jobs:
uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
with:
fetch-depth: 1
# We need golang to run the migration main.go
persist-credentials: false
- name: Setup Go
uses: ./.github/actions/setup-go

Expand All @@ -1550,7 +1568,7 @@ jobs:

steps:
- name: Send Slack notification
run: |
run: | # zizmor: ignore[template-injection] We're reading variables from github context into a json string, so replacing with envs is tricky
curl -X POST -H 'Content-type: application/json' \
--data '{
"blocks": [
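Review bot: The two macOS checks rewritten as `if [ "${RUNNER_OS}" == "macos-latest" ]; then` (the `brew install google-chrome` step and the `.bash_profile` deprecation-warning workaround) can no longer match: `RUNNER_OS` holds the OS name, which the same script compares against `"macOS"` a few lines above, whereas `macos-latest` was the `matrix.os` label the old `${{ matrix.os }}` expansion produced, so both branches become dead code on macOS runners. Either compare against the OS name like the sibling branches, `if [ "${RUNNER_OS}" == "macOS" ]; then`, or keep the matrix label by exporting it, `MATRIX_OS: ${{ matrix.os }}` in that step's `env:` and testing `"$MATRIX_OS"`. The step's `env:` block is outside the hunk, so I cannot tell whether a matrix variable is already exported. Separately, the Slack-notification `zizmor: ignore[template-injection]` at the end of the section leaves github-context values interpolated directly into the single-quoted JSON payload; the payload body is cut off here, but if any of those values are PR-controlled (title, branch name) they still deserve the env-variable treatment applied elsewhere in this commit, e.g. building the JSON with `jq --arg` from exported variables.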
1 change: 1 addition & 0 deletions .github/workflows/contrib.yaml
Expand Up @@ -3,6 +3,7 @@ name: contrib
on:
issue_comment:
types: [created, edited]
# zizmor: ignore[dangerous-triggers] We explicitly want to run on pull_request_target.
pull_request_target:
types:
- opened
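Review bot: The `# zizmor: ignore[dangerous-triggers]` justification states that the trigger is intentional but not why it is acceptable; `pull_request_target` runs with the base repository's token and secrets against fork PRs, so the finding is only safe to suppress if the jobs never check out or execute PR-head code. Suggest spelling that out so the next reader can verify it, e.g. `# zizmor: ignore[dangerous-triggers] <reason the base-repo token is needed>; jobs below must not check out or run PR-head code.` with the placeholder filled in from what the jobs actually do. The jobs themselves are outside this hunk, so I cannot confirm that invariant holds today.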