Add zizmor to pre-commit and fix most findings (#127749)

Co-authored-by: Alex Waygood <Alex.Waygood@Gmail.com>
This commit is contained in:
Hugo van Kemenade
2024-12-10 12:51:12 +02:00
committed by GitHub
parent 8dbdbad6e0
commit ae31df354d
18 changed files with 89 additions and 28 deletions


@@ -58,6 +58,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
fetch-depth: 1 fetch-depth: 1
persist-credentials: false
- name: Runner image version - name: Runner image version
run: echo "IMAGE_VERSION=${ImageVersion}" >> "$GITHUB_ENV" run: echo "IMAGE_VERSION=${ImageVersion}" >> "$GITHUB_ENV"
- name: Check Autoconf and aclocal versions - name: Check Autoconf and aclocal versions
@@ -94,6 +95,8 @@ jobs:
if: needs.check_source.outputs.run_tests == 'true' if: needs.check_source.outputs.run_tests == 'true'
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/setup-python@v5 - uses: actions/setup-python@v5
with: with:
python-version: '3.x' python-version: '3.x'
@@ -268,6 +271,8 @@ jobs:
LD_LIBRARY_PATH: ${{ github.workspace }}/multissl/openssl/${{ matrix.openssl_ver }}/lib LD_LIBRARY_PATH: ${{ github.workspace }}/multissl/openssl/${{ matrix.openssl_ver }}/lib
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with:
persist-credentials: false
- name: Runner image version - name: Runner image version
run: echo "IMAGE_VERSION=${ImageVersion}" >> "$GITHUB_ENV" run: echo "IMAGE_VERSION=${ImageVersion}" >> "$GITHUB_ENV"
- name: Restore config.cache - name: Restore config.cache
@@ -328,6 +333,8 @@ jobs:
PYTHONSTRICTEXTENSIONBUILD: 1 PYTHONSTRICTEXTENSIONBUILD: 1
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with:
persist-credentials: false
- name: Register gcc problem matcher - name: Register gcc problem matcher
run: echo "::add-matcher::.github/problem-matchers/gcc.json" run: echo "::add-matcher::.github/problem-matchers/gcc.json"
- name: Install Dependencies - name: Install Dependencies
@@ -411,7 +418,7 @@ jobs:
# #
# (GH-104097) test_sysconfig is skipped because it has tests that are # (GH-104097) test_sysconfig is skipped because it has tests that are
# failing when executed from inside a virtual environment. # failing when executed from inside a virtual environment.
${{ env.VENV_PYTHON }} -m test \ "${VENV_PYTHON}" -m test \
-W \ -W \
-o \ -o \
-j4 \ -j4 \
@@ -446,6 +453,8 @@ jobs:
ASAN_OPTIONS: detect_leaks=0:allocator_may_return_null=1:handle_segv=0 ASAN_OPTIONS: detect_leaks=0:allocator_may_return_null=1:handle_segv=0
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with:
persist-credentials: false
- name: Runner image version - name: Runner image version
run: echo "IMAGE_VERSION=${ImageVersion}" >> "$GITHUB_ENV" run: echo "IMAGE_VERSION=${ImageVersion}" >> "$GITHUB_ENV"
- name: Restore config.cache - name: Restore config.cache
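Review bot: The checkout steps in this section still resolve `actions/checkout@v4` (and `actions/setup-python@v5` below it) by mutable tag, so the exposure that `persist-credentials: false` narrows is only partly closed: the action still receives the job token as its `token` input, and whoever can move the tag controls the code that handles it. Pinning each `uses:` to a full commit SHA with the tag kept in a trailing comment, `uses: actions/checkout@<sha>  # v4`, removes that dependency on tag immutability, and Dependabot's `github-actions` ecosystem will keep SHA pins and the version comment in sync if the repo already uses it. The jobs these hunks cut into start and end outside the hunks.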


@@ -10,9 +10,6 @@ on:
- 'Doc/**' - 'Doc/**'
- '.github/workflows/doc.yml' - '.github/workflows/doc.yml'
permissions:
pull-requests: write
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true cancel-in-progress: true
@@ -20,6 +17,9 @@ concurrency:
jobs: jobs:
documentation-links: documentation-links:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
pull-requests: write
steps: steps:
- uses: readthedocs/actions/preview@v1 - uses: readthedocs/actions/preview@v1
with: with:
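Review bot: Moving `pull-requests: write` down to the `documentation-links` job is the right scoping, but nothing in the file records why the trigger that makes zizmor's dangerous-triggers audit fire (the new `.github/zizmor.yml` excludes this workflow from it) is acceptable, and that trigger is not visible in this hunk. The property that matters is visible: the job runs only `readthedocs/actions/preview@v1` and never checks out or executes the PR head, so, if the trigger is indeed `pull_request_target`, fork-supplied code never runs with the write token. I'd pin that down with a comment above `steps:`, `# No checkout of PR code here: this job only posts a preview link, which is why the dangerous-triggers finding is ignored in .github/zizmor.yml`, so that anyone adding a checkout later is prompted to re-evaluate. The `on:` block and the rest of the job lie outside the hunk.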


@@ -32,6 +32,8 @@ jobs:
timeout-minutes: 90 timeout-minutes: 90
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with:
persist-credentials: false
- name: Build tier two interpreter - name: Build tier two interpreter
run: | run: |
./configure --enable-experimental-jit=interpreter --with-pydebug ./configure --enable-experimental-jit=interpreter --with-pydebug
@@ -85,6 +87,8 @@ jobs:
runner: ${{ github.repository_owner == 'python' && 'ubuntu-24.04-aarch64' || 'ubuntu-24.04' }} runner: ${{ github.repository_owner == 'python' && 'ubuntu-24.04-aarch64' || 'ubuntu-24.04' }}
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/setup-python@v5 - uses: actions/setup-python@v5
with: with:
python-version: '3.11' python-version: '3.11'
@@ -138,6 +142,8 @@ jobs:
- 19 - 19
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/setup-python@v5 - uses: actions/setup-python@v5
with: with:
python-version: '3.11' python-version: '3.11'


@@ -20,6 +20,8 @@ jobs:
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/setup-python@v5 - uses: actions/setup-python@v5
with: with:
python-version: "3.x" python-version: "3.x"


@@ -51,6 +51,8 @@ jobs:
timeout-minutes: 10 timeout-minutes: 10
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/setup-python@v5 - uses: actions/setup-python@v5
with: with:
python-version: "3.13" python-version: "3.13"


@@ -4,15 +4,14 @@ on:
pull_request: pull_request:
types: [opened, reopened, labeled, unlabeled, synchronize] types: [opened, reopened, labeled, unlabeled, synchronize]
permissions:
issues: write
pull-requests: write
jobs: jobs:
label-dnm: label-dnm:
name: DO-NOT-MERGE name: DO-NOT-MERGE
if: github.repository_owner == 'python' if: github.repository_owner == 'python'
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
issues: write
pull-requests: write
timeout-minutes: 10 timeout-minutes: 10
steps: steps:
@@ -28,6 +27,9 @@ jobs:
name: Unresolved review name: Unresolved review
if: github.repository_owner == 'python' if: github.repository_owner == 'python'
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
issues: write
pull-requests: write
timeout-minutes: 10 timeout-minutes: 10
steps: steps:


@@ -61,6 +61,8 @@ jobs:
- run: >- - run: >-
echo '${{ github.event_name }}' echo '${{ github.event_name }}'
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with:
persist-credentials: false
- name: Check for source changes - name: Check for source changes
id: check id: check
run: | run: |
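Review bot: The `echo '${{ github.event_name }}'` step just above the checkout keeps an expression expansion inside a `run:` script, which is the pattern the rest of this commit is removing. `github.event_name` comes from a fixed vocabulary of event names, so this one is not injectable, but the runner already exports the same value as `GITHUB_EVENT_NAME`, so `run: echo "${GITHUB_EVENT_NAME}"` is both consistent with the new style and needs no expression at all. The step's `id`/`name` lines and the job header are outside the hunk.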


@@ -22,12 +22,14 @@ jobs:
env: env:
branch_base: 'origin/${{ github.event.pull_request.base.ref }}' branch_base: 'origin/${{ github.event.pull_request.base.ref }}'
branch_pr: 'origin/${{ github.event.pull_request.head.ref }}' branch_pr: 'origin/${{ github.event.pull_request.head.ref }}'
commits: ${{ github.event.pull_request.commits }}
refspec_base: '+${{ github.event.pull_request.base.sha }}:remotes/origin/${{ github.event.pull_request.base.ref }}' refspec_base: '+${{ github.event.pull_request.base.sha }}:remotes/origin/${{ github.event.pull_request.base.ref }}'
refspec_pr: '+${{ github.event.pull_request.head.sha }}:remotes/origin/${{ github.event.pull_request.head.ref }}' refspec_pr: '+${{ github.event.pull_request.head.sha }}:remotes/origin/${{ github.event.pull_request.head.ref }}'
steps: steps:
- name: 'Check out latest PR branch commit' - name: 'Check out latest PR branch commit'
uses: actions/checkout@v4 uses: actions/checkout@v4
with: with:
persist-credentials: false
ref: >- ref: >-
${{ ${{
github.event_name == 'pull_request' github.event_name == 'pull_request'
@@ -39,15 +41,15 @@ jobs:
if: github.event_name == 'pull_request' if: github.event_name == 'pull_request'
run: | run: |
# Fetch enough history to find a common ancestor commit (aka merge-base): # Fetch enough history to find a common ancestor commit (aka merge-base):
git fetch origin ${{ env.refspec_pr }} --depth=$(( ${{ github.event.pull_request.commits }} + 1 )) \ git fetch origin "${refspec_pr}" --depth=$(( commits + 1 )) \
--no-tags --prune --no-recurse-submodules --no-tags --prune --no-recurse-submodules
# This should get the oldest commit in the local fetched history (which may not be the commit the PR branched from): # This should get the oldest commit in the local fetched history (which may not be the commit the PR branched from):
COMMON_ANCESTOR=$( git rev-list --first-parent --max-parents=0 --max-count=1 ${{ env.branch_pr }} ) COMMON_ANCESTOR=$( git rev-list --first-parent --max-parents=0 --max-count=1 "${branch_pr}" )
DATE=$( git log --date=iso8601 --format=%cd "${COMMON_ANCESTOR}" ) DATE=$( git log --date=iso8601 --format=%cd "${COMMON_ANCESTOR}" )
# Get all commits since that commit date from the base branch (eg: master or main): # Get all commits since that commit date from the base branch (eg: master or main):
git fetch origin ${{ env.refspec_base }} --shallow-since="${DATE}" \ git fetch origin "${refspec_base}" --shallow-since="${DATE}" \
--no-tags --prune --no-recurse-submodules --no-tags --prune --no-recurse-submodules
- name: 'Set up Python' - name: 'Set up Python'
uses: actions/setup-python@v5 uses: actions/setup-python@v5
@@ -69,7 +71,7 @@ jobs:
if: github.event_name == 'pull_request' if: github.event_name == 'pull_request'
run: | run: |
python Doc/tools/check-warnings.py \ python Doc/tools/check-warnings.py \
--annotate-diff '${{ env.branch_base }}' '${{ env.branch_pr }}' \ --annotate-diff "${branch_base}" "${branch_pr}" \
--fail-if-regression \ --fail-if-regression \
--fail-if-improved \ --fail-if-improved \
--fail-if-new-news-nit --fail-if-new-news-nit
@@ -81,6 +83,8 @@ jobs:
timeout-minutes: 60 timeout-minutes: 60
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with:
persist-credentials: false
- name: 'Set up Python' - name: 'Set up Python'
uses: actions/setup-python@v5 uses: actions/setup-python@v5
with: with:
@@ -99,6 +103,8 @@ jobs:
timeout-minutes: 60 timeout-minutes: 60
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/cache@v4 - uses: actions/cache@v4
with: with:
path: ~/.cache/pip path: ~/.cache/pip


@@ -29,6 +29,8 @@ jobs:
runs-on: ${{ inputs.os }} runs-on: ${{ inputs.os }}
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with:
persist-credentials: false
- name: Runner image version - name: Runner image version
run: echo "IMAGE_VERSION=${ImageVersion}" >> "$GITHUB_ENV" run: echo "IMAGE_VERSION=${ImageVersion}" >> "$GITHUB_ENV"
- name: Restore config.cache - name: Restore config.cache


@@ -23,8 +23,13 @@ jobs:
name: 'Thread sanitizer' name: 'Thread sanitizer'
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
timeout-minutes: 60 timeout-minutes: 60
env:
OPTIONS: ${{ inputs.options }}
SUPPRESSIONS_PATH: ${{ inputs.suppressions_path }}
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with:
persist-credentials: false
- name: Runner image version - name: Runner image version
run: echo "IMAGE_VERSION=${ImageVersion}" >> "$GITHUB_ENV" run: echo "IMAGE_VERSION=${ImageVersion}" >> "$GITHUB_ENV"
- name: Restore config.cache - name: Restore config.cache
@@ -47,7 +52,7 @@ jobs:
sudo sysctl -w vm.mmap_rnd_bits=28 sudo sysctl -w vm.mmap_rnd_bits=28
- name: TSAN Option Setup - name: TSAN Option Setup
run: | run: |
echo "TSAN_OPTIONS=log_path=${GITHUB_WORKSPACE}/tsan_log suppressions=${GITHUB_WORKSPACE}/${{ inputs.suppressions_path }} handle_segv=0" >> "$GITHUB_ENV" echo "TSAN_OPTIONS=log_path=${GITHUB_WORKSPACE}/tsan_log suppressions=${GITHUB_WORKSPACE}/${SUPPRESSIONS_PATH} handle_segv=0" >> "$GITHUB_ENV"
echo "CC=clang" >> "$GITHUB_ENV" echo "CC=clang" >> "$GITHUB_ENV"
echo "CXX=clang++" >> "$GITHUB_ENV" echo "CXX=clang++" >> "$GITHUB_ENV"
- name: Add ccache to PATH - name: Add ccache to PATH
@@ -59,7 +64,7 @@ jobs:
save: ${{ github.event_name == 'push' }} save: ${{ github.event_name == 'push' }}
max-size: "200M" max-size: "200M"
- name: Configure CPython - name: Configure CPython
run: ${{ inputs.options }} run: "${OPTIONS}"
- name: Build CPython - name: Build CPython
run: make -j4 run: make -j4
- name: Display build info - name: Display build info
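Review bot: `run: "${OPTIONS}"` in the Configure CPython step is not equivalent to the old `run: ${{ inputs.options }}`: the double quotes suppress word splitting, so bash looks for one executable whose name is the entire `inputs.options` string and, if that input is a command line (presumably something like `./configure --with-thread-sanitizer ...`, given the step name), fails with "command not found" instead of configuring. If `options` is a command line, the expansion has to stay unquoted, `run: ${OPTIONS}`; that still closes the template-injection hole, because the shell does not re-parse metacharacters in an expanded variable, only field-splits and globs it (add `set -f` first if the options may ever contain `*`). A clearer shape, if callers always pass configure flags, is a fixed `./configure ${OPTIONS}` with only the flags in the input. The `inputs.options` declaration and the job-level `env:` that binds `OPTIONS` are outside this hunk.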


@@ -28,6 +28,8 @@ jobs:
TERM: linux TERM: linux
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with:
persist-credentials: false
- name: Register gcc problem matcher - name: Register gcc problem matcher
run: echo "::add-matcher::.github/problem-matchers/gcc.json" run: echo "::add-matcher::.github/problem-matchers/gcc.json"
- name: Install dependencies - name: Install dependencies
@@ -94,7 +96,7 @@ jobs:
if: ${{ !inputs.free-threading }} if: ${{ !inputs.free-threading }}
run: >- run: >-
python Tools/build/check_warnings.py python Tools/build/check_warnings.py
--compiler-output-file-path=${{ env.CPYTHON_BUILDDIR }}/compiler_output_ubuntu.txt --compiler-output-file-path="${CPYTHON_BUILDDIR}/compiler_output_ubuntu.txt"
--warning-ignore-file-path "${GITHUB_WORKSPACE}/Tools/build/.warningignore_ubuntu" --warning-ignore-file-path "${GITHUB_WORKSPACE}/Tools/build/.warningignore_ubuntu"
--compiler-output-type=gcc --compiler-output-type=gcc
--fail-on-regression --fail-on-regression


@@ -20,6 +20,8 @@ jobs:
CROSS_BUILD_WASI: cross-build/wasm32-wasip1 CROSS_BUILD_WASI: cross-build/wasm32-wasip1
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with:
persist-credentials: false
# No problem resolver registered as one doesn't currently exist for Clang. # No problem resolver registered as one doesn't currently exist for Clang.
- name: "Install wasmtime" - name: "Install wasmtime"
uses: bytecodealliance/actions/wasmtime/setup@v1 uses: bytecodealliance/actions/wasmtime/setup@v1
@@ -34,9 +36,9 @@ jobs:
- name: "Install WASI SDK" # Hard-coded to x64. - name: "Install WASI SDK" # Hard-coded to x64.
if: steps.cache-wasi-sdk.outputs.cache-hit != 'true' if: steps.cache-wasi-sdk.outputs.cache-hit != 'true'
run: | run: |
mkdir ${{ env.WASI_SDK_PATH }} && \ mkdir "${WASI_SDK_PATH}" && \
curl -s -S --location https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-${{ env.WASI_SDK_VERSION }}/wasi-sdk-${{ env.WASI_SDK_VERSION }}.0-x86_64-linux.tar.gz | \ curl -s -S --location "https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-${WASI_SDK_VERSION}/wasi-sdk-${WASI_SDK_VERSION}.0-x86_64-linux.tar.gz" | \
tar --strip-components 1 --directory ${{ env.WASI_SDK_PATH }} --extract --gunzip tar --strip-components 1 --directory "${WASI_SDK_PATH}" --extract --gunzip
- name: "Configure ccache action" - name: "Configure ccache action"
uses: hendrikmuhs/ccache-action@v1.2 uses: hendrikmuhs/ccache-action@v1.2
with: with:
@@ -72,6 +74,6 @@ jobs:
- name: "Make host" - name: "Make host"
run: python3 Tools/wasm/wasi.py make-host run: python3 Tools/wasm/wasi.py make-host
- name: "Display build info" - name: "Display build info"
run: make --directory ${{ env.CROSS_BUILD_WASI }} pythoninfo run: make --directory "${CROSS_BUILD_WASI}" pythoninfo
- name: "Test" - name: "Test"
run: make --directory ${{ env.CROSS_BUILD_WASI }} test run: make --directory "${CROSS_BUILD_WASI}" test


@@ -17,8 +17,11 @@ jobs:
runs-on: windows-latest runs-on: windows-latest
timeout-minutes: 60 timeout-minutes: 60
env: env:
ARCH: ${{ inputs.arch }}
IncludeFreethreaded: true IncludeFreethreaded: true
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with:
persist-credentials: false
- name: Build CPython installer - name: Build CPython installer
run: .\Tools\msi\build.bat --doc -${{ inputs.arch }} run: .\Tools\msi\build.bat --doc -"${ARCH}"
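Review bot: The Build CPython installer step runs on `windows-latest` with no `shell:` key in this hunk, so unless the workflow sets `defaults.run.shell` outside the hunk it executes under PowerShell, where `"${ARCH}"` is a PowerShell variable reference (not the environment variable, which is `$env:ARCH`) and expands to an empty string, leaving build.bat with a bare `-`. The sibling reusable-windows workflow in this same commit adds `shell: bash` to its steps for exactly this reason; either add `shell: bash` here as well, or keep pwsh and write `run: .\Tools\msi\build.bat --doc -$env:ARCH`. The `inputs.arch` declaration feeding `ARCH` is outside the hunk.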


@@ -26,8 +26,12 @@ jobs:
name: 'build and test (${{ inputs.arch }})' name: 'build and test (${{ inputs.arch }})'
runs-on: ${{ inputs.os }} runs-on: ${{ inputs.os }}
timeout-minutes: 60 timeout-minutes: 60
env:
ARCH: ${{ inputs.arch }}
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with:
persist-credentials: false
- name: Register MSVC problem matcher - name: Register MSVC problem matcher
if: inputs.arch != 'Win32' if: inputs.arch != 'Win32'
run: echo "::add-matcher::.github/problem-matchers/msvc.json" run: echo "::add-matcher::.github/problem-matchers/msvc.json"
@@ -35,8 +39,9 @@ jobs:
run: >- run: >-
.\\PCbuild\\build.bat .\\PCbuild\\build.bat
-e -d -v -e -d -v
-p ${{ inputs.arch }} -p "${ARCH}"
${{ fromJSON(inputs.free-threading) && '--disable-gil' || '' }} ${{ fromJSON(inputs.free-threading) && '--disable-gil' || '' }}
shell: bash
- name: Display build info # FIXME(diegorusso): remove the `if` - name: Display build info # FIXME(diegorusso): remove the `if`
if: inputs.arch != 'arm64' if: inputs.arch != 'arm64'
run: .\\python.bat -m test.pythoninfo run: .\\python.bat -m test.pythoninfo
@@ -44,6 +49,7 @@ jobs:
if: inputs.arch != 'arm64' if: inputs.arch != 'arm64'
run: >- run: >-
.\\PCbuild\\rt.bat .\\PCbuild\\rt.bat
-p ${{ inputs.arch }} -p "${ARCH}"
-d -q --fast-ci -d -q --fast-ci
${{ fromJSON(inputs.free-threading) && '--disable-gil' || '' }} ${{ fromJSON(inputs.free-threading) && '--disable-gil' || '' }}
shell: bash


@@ -4,14 +4,13 @@ on:
schedule: schedule:
- cron: "0 */6 * * *" - cron: "0 */6 * * *"
permissions:
pull-requests: write
jobs: jobs:
stale: stale:
if: github.repository_owner == 'python' if: github.repository_owner == 'python'
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
pull-requests: write
timeout-minutes: 10 timeout-minutes: 10
steps: steps:


@@ -26,6 +26,8 @@ jobs:
timeout-minutes: 10 timeout-minutes: 10
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/setup-python@v5 - uses: actions/setup-python@v5
with: with:
python-version: '3' python-version: '3'

.github/zizmor.yml vendored Normal file

@@ -0,0 +1,6 @@
# Configuration for the zizmor static analysis tool, run via pre-commit in CI
# https://woodruffw.github.io/zizmor/configuration/
rules:
dangerous-triggers:
ignore:
- documentation-links.yml
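Review bot: The `dangerous-triggers` ignore for `documentation-links.yml` is file-wide and carries no rationale, so the next person to add a checkout or `run:` step to that workflow gets no prompt to re-evaluate the suppression. A comment directly above the entry keeps the reason next to it: `# documentation-links.yml only posts a Read the Docs preview link and never checks out or runs PR code, so its write-scoped trigger is accepted`. As far as I recall, zizmor also accepts `file.yml:line` and `file.yml:line:col` suffixes on ignore entries, which would narrow this to the single finding rather than the whole file.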


@@ -1,6 +1,6 @@
repos: repos:
- repo: https://github.com/astral-sh/ruff-pre-commit - repo: https://github.com/astral-sh/ruff-pre-commit
rev: v0.7.1 rev: v0.8.2
hooks: hooks:
- id: ruff - id: ruff
name: Run Ruff (lint) on Doc/ name: Run Ruff (lint) on Doc/
@@ -51,7 +51,7 @@ repos:
types_or: [c, inc, python, rst] types_or: [c, inc, python, rst]
- repo: https://github.com/python-jsonschema/check-jsonschema - repo: https://github.com/python-jsonschema/check-jsonschema
rev: 0.29.4 rev: 0.30.0
hooks: hooks:
- id: check-dependabot - id: check-dependabot
- id: check-github-workflows - id: check-github-workflows
@@ -61,6 +61,11 @@ repos:
hooks: hooks:
- id: actionlint - id: actionlint
- repo: https://github.com/woodruffw/zizmor-pre-commit
rev: v0.8.0
hooks:
- id: zizmor
- repo: https://github.com/sphinx-contrib/sphinx-lint - repo: https://github.com/sphinx-contrib/sphinx-lint
rev: v1.0.0 rev: v1.0.0
hooks: hooks:
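Review bot: Running zizmor only through pre-commit means it runs without a GitHub token, and as far as I recall zizmor skips its online audits (`known-vulnerable-actions`, `impostor-commit`) in that situation, so the new hook covers the offline findings only. A scheduled or push-time CI job that runs `zizmor .github/workflows` with `GH_TOKEN` set would close that gap and catch an action pin that later acquires an advisory. The `rev: v0.8.0` tag is consistent with how the rest of this file pins hooks, so I would not change it here.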