CI: Fix potential template injection issues

Jack Grigg 2025-01-09 16:38:43 +00:00
parent df1aa4fe40
commit 81be26650e
4 changed files with 26 additions and 8 deletions


@ -20,7 +20,10 @@ runs:
shell: bash
run: echo "feature=test-dependencies" >> $GITHUB_OUTPUT
if: inputs.test-dependencies == 'true'
- name: Prepare feature flags
# `steps.test.outputs.feature` cannot expand into attacker-controllable code
# because the previous step only enables it to have one of two fixed values.
- name: Prepare feature flags # zizmor: ignore[template-injection]
id: prepare
shell: bash
run: >
@ -34,6 +37,8 @@ runs:
unstable
unstable-serialization
unstable-spanning-tree
${{ inputs.extra-features }}
${EXTRA_FEATURES}
${{ steps.test.outputs.feature }}
'" >> $GITHUB_OUTPUT
env:
EXTRA_FEATURES: ${{ inputs.extra-features }}
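Review bot: `${{ steps.test.outputs.feature }}`, on the line before `'" >> $GITHUB_OUTPUT`, is still expanded straight into the shell script, and its safety now rests on a comment plus a `zizmor: ignore[template-injection]` marker that a later edit to the `test` step can silently invalidate; only one of the "two fixed values" the comment relies on (`feature=test-dependencies`) is visible in this section, the other is set outside it. Routing the value through the environment the same way this hunk already does for `EXTRA_FEATURES` removes the need for the suppression: replace that line with `${FEATURE}` and add `FEATURE: ${{ steps.test.outputs.feature }}` under `env:`, after which the two-line justification comment and the ignore marker on the step name can be dropped. The `run: >` folded scalar this hunk edits begins in the previous hunk, outside this one.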


@ -18,7 +18,9 @@ jobs:
persist-credentials: false
- uses: dtolnay/rust-toolchain@stable
id: toolchain
- run: rustup override set ${{steps.toolchain.outputs.name}}
- run: rustup override set "${TOOLCHAIN}"
env:
TOOLCHAIN: ${{steps.toolchain.outputs.name}}
- run: cargo install cargo-vet --version ~0.10
- run: cargo vet --locked
@ -43,4 +45,6 @@ jobs:
steps:
- name: Determine whether all required-pass steps succeeded
run: |
echo '${{ toJSON(needs) }}' | jq -e '[ .[] | .result == "success" ] | all'
echo "${NEEDS}" | jq -e '[ .[] | .result == "success" ] | all'
env:
NEEDS: ${{ toJSON(needs) }}
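Review bot: The new `TOOLCHAIN: ${{steps.toolchain.outputs.name}}` value is written without the inner spaces that the rest of this file uses for expressions (`NEEDS: ${{ toJSON(needs) }}` in the second hunk), and since the commit is already rewriting these lines this is the moment to normalise them to `TOOLCHAIN: ${{ steps.toolchain.outputs.name }}`. The same unspaced spelling is introduced in the two files that follow (the `@nightly` and the `@stable`/`@beta` toolchain steps) and should get the same treatment. Moving the JSON into `NEEDS` is the right fix; a here-string, `jq -e '[ .[] | .result == "success" ] | all' <<< "${NEEDS}"`, would additionally avoid `echo` ever interpreting an option-like first token, though a `toJSON` object always starts with `{` so that is a style preference rather than a defect.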


@ -16,7 +16,9 @@ jobs:
uses: ./.github/actions/prepare
- uses: dtolnay/rust-toolchain@nightly
id: toolchain
- run: rustup override set ${{steps.toolchain.outputs.name}}
- run: rustup override set "${TOOLCHAIN}"
env:
TOOLCHAIN: ${{steps.toolchain.outputs.name}}
- name: Build latest rustdocs
run: >


@ -248,7 +248,10 @@ jobs:
key: ${{ runner.os }}-cargo-latest
- uses: dtolnay/rust-toolchain@stable
id: toolchain
- run: rustup override set ${{steps.toolchain.outputs.name}}
- run: rustup override set "${TOOLCHAIN}"
shell: sh
env:
TOOLCHAIN: ${{steps.toolchain.outputs.name}}
- name: Remove lockfile to build with latest dependencies
run: rm Cargo.lock
- name: Build crates
@ -383,7 +386,9 @@ jobs:
uses: ./.github/actions/prepare
- uses: dtolnay/rust-toolchain@beta
id: toolchain
- run: rustup override set ${{steps.toolchain.outputs.name}}
- run: rustup override set "${TOOLCHAIN}"
env:
TOOLCHAIN: ${{steps.toolchain.outputs.name}}
- name: Run Clippy (beta)
uses: actions-rs/clippy-check@v1
continue-on-error: true
@ -535,4 +540,6 @@ jobs:
steps:
- name: Determine whether all required-pass steps succeeded
run: |
echo '${{ toJSON(needs) }}' | jq -e '[ .[] | .result == "success" ] | all'
echo "${NEEDS}" | jq -e '[ .[] | .result == "success" ] | all'
env:
NEEDS: ${{ toJSON(needs) }}
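Review bot: `shell: sh` is added only to the first rewritten `rustup override set "${TOOLCHAIN}"` step (the `@stable` one after the `${{ runner.os }}-cargo-latest` cache key) and not to the otherwise identical `@beta` step in the second hunk, so the same command now runs under the runner default shell in one place and an explicit POSIX `sh` in the other. If that job's matrix includes a runner whose default shell is not POSIX (presumably a Windows entry — the job definition is outside this hunk, so confirm), the key is needed and deserves a one-line comment above it stating that reason; otherwise it should be dropped so both steps match. The `"${TOOLCHAIN}"` quoting is correct under either shell, so the change is consistency and documentation, not behaviour.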