* NOTE: the release workflows' new handling of secrets may be a breaking change for forks that are using any secrets other than GPG_SIGNING_KEY or ARCHIVE_REPO_TOKEN. Previously, the release workflow would try to resolve a token secret name based on the `target` or `source` input, e.g. NIGHTLY_ARCHIVE_REPO_TOKEN or CUSTOM_ARCHIVE_REPO_TOKEN, and then fall back to using the ARCHIVE_REPO_TOKEN secret if the resolved token secret name was not found in the repository. This behavior has been replaced by the release workflow always using the ARCHIVE_REPO_TOKEN secret as the token for publishing releases to any external archive repository. * Add zizmor CI job for auditing workflows * Pin all actions to commit hashes instead of symbolic references * Explicitly set GITHUB_TOKEN permissions at the job level * Use actions/checkout with `persist-credentials: false` whenever possible * Remove/replace template expansions in workflow scripts * Remove all usage of actions/cache from build/release workflows * Remove the cache-warmer.yml workflow * Remove the unused download.yml workflow * Set concurrency limits for any workflows that are triggered by PRs * Avoid loading the entire secrets context * Replace usage of `secrets: inherit` with explicit `secrets:` blocks * Pin all external docker images that are used by the build workflow to hashes * Explicitly set `shell: bash` for some steps to avoid pwsh or to set pipefail * Ensure any pwsh steps will fail on non-zero exit codes Authored by: bashonly
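# Lints and tests the repository's own CI plumbing: actionlint for the
# workflow files, shellcheck for the Docker build scripts, pytest for the
# devscripts that CI depends on, and zizmor for auditing workflow security.
name: Test and lint workflows
on:
  push:
    branches: [master]
    paths:
      - .github/*.yml
      - .github/workflows/*
      - bundle/docker/linux/*.sh
      - devscripts/setup_variables.py
      - devscripts/setup_variables_tests.py
      - devscripts/utils.py
  pull_request:
    branches: [master]
    paths:
      - .github/*.yml
      - .github/workflows/*
      - bundle/docker/linux/*.sh
      - devscripts/setup_variables.py
      - devscripts/setup_variables_tests.py
      - devscripts/utils.py

# GITHUB_TOKEN gets no permissions by default; each job grants only what
# it needs below.
permissions: {}

concurrency:
  # One in-flight run per pull request (keyed by PR number) or per ref for
  # pushes; only PR runs are cancelled when superseded.
  group: test-workflows-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

env:
  # actionlint is downloaded as a release tarball and its SHA-256 checked
  # before the binary is extracted. Bump the version and the checksum together.
  ACTIONLINT_VERSION: "1.7.9"
  ACTIONLINT_SHA256SUM: "233b280d05e100837f4af1433c7b40a5dcb306e3aa68fb4f17f8a7f45a7df7b4"
  ACTIONLINT_REPO: https://github.com/rhysd/actionlint

jobs:
  check:
    name: Check workflows
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: "3.10" # Keep this in sync with release.yml's prepare job
      - name: Install requirements
        env:
          # The tarball name is computed here so the shell script below only
          # reads environment variables and contains no ${{ }} expansions.
          ACTIONLINT_TARBALL: ${{ format('actionlint_{0}_linux_amd64.tar.gz', env.ACTIONLINT_VERSION) }}
        shell: bash
        run: |
          python -m devscripts.install_deps --omit-default --include-extra test
          sudo apt -y install shellcheck
          python -m pip install -U pyflakes
          # -f (--fail): exit non-zero on an HTTP error instead of writing the
          # error body to disk as the tarball, so a bad URL or missing asset
          # fails here with a clear curl error rather than at the checksum step.
          curl -fLO "${ACTIONLINT_REPO}/releases/download/v${ACTIONLINT_VERSION}/${ACTIONLINT_TARBALL}"
          # Verify the download against the pinned checksum before extracting.
          printf '%s %s' "${ACTIONLINT_SHA256SUM}" "${ACTIONLINT_TARBALL}" | sha256sum -c -
          # Extract only the actionlint binary from the archive.
          tar xvzf "${ACTIONLINT_TARBALL}" actionlint
          chmod +x actionlint
      - name: Run actionlint
        run: |
          ./actionlint -color
      - name: Check Docker shell scripts
        run: |
          shellcheck bundle/docker/linux/*.sh
      - name: Test GHA devscripts
        run: |
          pytest -Werror --tb=short --color=yes devscripts/setup_variables_tests.py

  zizmor:
    name: Run zizmor
    permissions:
      contents: read
      actions: read # Needed by zizmorcore/zizmor-action if repository is private
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
      - name: Run zizmor
        uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0
        with:
          # Do not upload results through the Advanced Security / code-scanning
          # integration; findings are reported in the job output instead.
          advanced-security: false
          # Strictest zizmor persona: report every finding, including low-confidence ones.
          persona: pedantic
          # Pin the zizmor release the action installs, independent of the action's own pin.
          version: v1.19.0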