
Commit 8e529b9

Fix template injection (#247)
* fix template injection * yaml cleanup
1 parent 5867741 commit 8e529b9

4 files changed

Lines changed: 97 additions & 30 deletions


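--- a/.github/workflows/create_automerge_pr.yml
+++ b/.github/workflows/create_automerge_pr.yml
@@ -74,13 +74,16 @@ jobs:
 fetch-depth: 0
 - name: Check if there are commits to merge
 id: create_merge_commit
+env:
+HEAD_BRANCH: ${{ inputs.head_branch }}
+BASE_BRANCH: ${{ inputs.base_branch }}
 run: |
 # Without this, we can't perform git operations in GitHub actions.
 git config --global --add safe.directory "$(realpath .)"
 git config --local user.name 'swift-ci'
 git config --local user.email 'swift-ci@users.noreply.github.com'
 
-if [[ "$(git rev-list --left-only --count origin/${{ inputs.head_branch }}...origin/${{ inputs.base_branch }})" == 0 ]]; then
+if [[ "$(git rev-list --left-only --count origin/${HEAD_BRANCH}...origin/${BASE_BRANCH})" == 0 ]]; then
 echo "Nothing to merge"
 echo "has_commits_to_merge=false" >> "$GITHUB_OUTPUT"
 exit
@@ -92,17 +95,20 @@ jobs:
 if: ${{ steps.create_merge_commit.outputs.has_commits_to_merge == 'true' }}
 env:
 GH_TOKEN: ${{ github.token }}
+HEAD_BRANCH: ${{ inputs.head_branch }}
+BASE_BRANCH: ${{ inputs.base_branch }}
+PR_MESSAGE: ${{ inputs.pr_message }}
 run: |
 # Create a branch for the PR instead of opening a PR that merges head_branch directly so that we have a fixed
 # target in the PR and don't modify the PR as new commits are put on the head branch.
 PR_BRANCH="automerge/merge-main-$(date +%Y-%m-%d_%H-%M)"
-git checkout ${{ inputs.head_branch }}
+git checkout "${HEAD_BRANCH}"
 git checkout -b "$PR_BRANCH"
 git push --set-upstream origin "$PR_BRANCH"
 
 gh pr create \
---base "${{ inputs.base_branch }}" \
+--base "${BASE_BRANCH}" \
 --head "$PR_BRANCH" \
---title 'Merge `${{ inputs.head_branch }}` into `${{ inputs.base_branch }}`' \
---body '${{ inputs.pr_message }}' \
+--title "Merge \`${HEAD_BRANCH}\` into \`${BASE_BRANCH}\`" \
+--body "${PR_MESSAGE}" \
 --draft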
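Review bot: In the first step the two branch variables are still expanded unquoted inside the command substitution (`origin/${HEAD_BRANCH}...origin/${BASE_BRANCH}`), so a value containing whitespace or glob characters is word-split into extra `git rev-list` arguments even though it no longer reaches the script text. Quoting the whole revision range, `"$(git rev-list --left-only --count "origin/${HEAD_BRANCH}...origin/${BASE_BRANCH}")"`, brings it in line with `git checkout "${HEAD_BRANCH}"` and `--base "${BASE_BRANCH}"` in the second step. A short comment above each new `env:` block, such as `# Pass inputs through env so they are never expanded into the script text`, would keep later edits from reintroducing `${{ }}` inside `run:`. Both steps start above the visible hunks, so anything earlier in them is not covered here.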

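--- a/.github/workflows/performance_test.yml
+++ b/.github/workflows/performance_test.yml
@@ -42,16 +42,26 @@ jobs:
 # https://github.com/actions/checkout/issues/766
 run: git config --global --add safe.directory ${GITHUB_WORKSPACE}
 - name: Measure PR performance
+env:
+PACKAGE_PATH: ${{ inputs.package_path }}
+HEAD_REF: ${{ github.head_ref }}
 run: |
-swift package --package-path ${{ inputs.package_path }} --allow-writing-to-directory ${{ inputs.package_path }}/.benchmarkBaselines/ benchmark baseline update "${{ github.head_ref }}"
+swift package --package-path "${PACKAGE_PATH}" --allow-writing-to-directory "${PACKAGE_PATH}/.benchmarkBaselines/" benchmark baseline update "${HEAD_REF}"
 - name: Measure base branch performance
+env:
+PACKAGE_PATH: ${{ inputs.package_path }}
+BASE_REF: ${{ github.base_ref }}
 run: |
-git checkout ${{ github.base_ref }}
-swift package --package-path ${{ inputs.package_path }} --allow-writing-to-directory ${{ inputs.package_path }}/.benchmarkBaselines/ benchmark baseline update "${{ github.base_ref }}"
+git checkout "${BASE_REF}"
+swift package --package-path "${PACKAGE_PATH}" --allow-writing-to-directory "${PACKAGE_PATH}/.benchmarkBaselines/" benchmark baseline update "${BASE_REF}"
 - name: Compare performance measurements
 id: compare_performance
+env:
+PACKAGE_PATH: ${{ inputs.package_path }}
+BASE_REF: ${{ github.base_ref }}
+HEAD_REF: ${{ github.head_ref }}
 run: |
-if ! swift package --package-path ${{ inputs.package_path }} benchmark baseline check "${{ github.base_ref }}" "${{ github.head_ref }}" --format markdown > /tmp/comparison.md 2>/tmp/comparison-stderr.txt; then
+if ! swift package --package-path "${PACKAGE_PATH}" benchmark baseline check "${BASE_REF}" "${HEAD_REF}" --format markdown > /tmp/comparison.md 2>/tmp/comparison-stderr.txt; then
 echo "has_significant_changes=true" >> "$GITHUB_OUTPUT"
 else
 echo "has_significant_changes=false" >> "$GITHUB_OUTPUT"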
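Review bot: Nothing on the new `env:` blocks records why `HEAD_REF` and `BASE_REF` are routed through the environment, although `github.head_ref` is a branch name chosen by the pull-request author and is the value most likely to be inlined again by a later edit. A comment on the first block, for example `# github.head_ref is contributor-controlled: pass it via env, never expand it inside run:`, would make the constraint explicit for all three steps. The same value is also handed to `benchmark baseline update` as the baseline name; if the tool uses that name as a path component under `.benchmarkBaselines/` (not visible from this hunk), the step should reject names containing `..` before calling it. The last step continues past the end of the hunk.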

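--- a/.github/workflows/soundness.yml
+++ b/.github/workflows/soundness.yml
@@ -132,21 +132,25 @@ jobs:
 run: git config --global --add safe.directory ${GITHUB_WORKSPACE}
 - name: Pre-build
 if: ${{ inputs.linux_pre_build_command }}
+# zizmor: ignore[template-injection]
 run: ${{ inputs.linux_pre_build_command }}
 - name: Run API breakage check
 shell: bash
+env:
+API_BREAKAGE_CHECK_BASELINE: ${{ inputs.api_breakage_check_baseline }}
+API_BREAKAGE_CHECK_ALLOWLIST_PATH: ${{ inputs.api_breakage_check_allowlist_path }}
 run: |
-if [[ -z '${{ inputs.api_breakage_check_baseline }}' ]]; then
+if [[ -z "${API_BREAKAGE_CHECK_BASELINE}" ]]; then
 git fetch ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY} ${GITHUB_BASE_REF}:pull-base-ref
 BASELINE_REF='pull-base-ref'
 else
-BASELINE_REF='${{ inputs.api_breakage_check_baseline }}'
+BASELINE_REF="${API_BREAKAGE_CHECK_BASELINE}"
 fi
 echo "Using baseline: $BASELINE_REF"
-if [[ -z '${{ inputs.api_breakage_check_allowlist_path }}' ]]; then
+if [[ -z "${API_BREAKAGE_CHECK_ALLOWLIST_PATH}" ]]; then
 swift package diagnose-api-breaking-changes "$BASELINE_REF"
 else
-swift package diagnose-api-breaking-changes "$BASELINE_REF" --breakage-allowlist-path '${{ inputs.api_breakage_check_allowlist_path }}'
+swift package diagnose-api-breaking-changes "$BASELINE_REF" --breakage-allowlist-path "${API_BREAKAGE_CHECK_ALLOWLIST_PATH}"
 fi
 
 docs-check:
@@ -178,11 +182,13 @@ jobs:
 fi
 - name: Pre-build
 if: ${{ inputs.linux_pre_build_command }}
+# zizmor: ignore[template-injection]
 run: ${{ inputs.linux_pre_build_command }}
 - name: Run documentation check
 env:
 ADDITIONAL_DOCC_ARGUMENTS: ${{ inputs.docs_check_additional_arguments }}
-run: ${{ steps.script_path.outputs.root }}/.github/workflows/scripts/check-docs.sh
+SCRIPT_ROOT: ${{ steps.script_path.outputs.root }}
+run: ${SCRIPT_ROOT}/.github/workflows/scripts/check-docs.sh
 
 docs-check-macos:
 name: Documentation check (macOS)
@@ -210,15 +216,18 @@ jobs:
 echo "root=$GITHUB_WORKSPACE/github-workflows" >> $GITHUB_OUTPUT
 fi
 - name: Select Xcode
-run: echo "DEVELOPER_DIR=/Applications/Xcode_${{ inputs.docs_check_macos_xcode_version }}.app" >> $GITHUB_ENV
+env:
+XCODE_VERSION: ${{ inputs.docs_check_macos_xcode_version }}
+run: echo "DEVELOPER_DIR=/Applications/Xcode_${XCODE_VERSION}.app" >> $GITHUB_ENV
 - name: Swift version
 run: xcrun swift --version
 - name: Clang version
 run: xcrun clang --version
 - name: Run documentation check
 env:
 ADDITIONAL_DOCC_ARGUMENTS: ${{ inputs.docs_check_macos_additional_arguments }}
-run: ${{ steps.script_path.outputs.root }}/.github/workflows/scripts/check-docs.sh
+SCRIPT_ROOT: ${{ steps.script_path.outputs.root }}
+run: ${SCRIPT_ROOT}/.github/workflows/scripts/check-docs.sh
 
 unacceptable-language-check:
 name: Unacceptable language check
@@ -248,7 +257,8 @@ jobs:
 - name: Run unacceptable language check
 env:
 UNACCEPTABLE_WORD_LIST: ${{ inputs.unacceptable_language_check_word_list}}
-run: ${{ steps.script_path.outputs.root }}/.github/workflows/scripts/check-unacceptable-language.sh
+SCRIPT_ROOT: ${{ steps.script_path.outputs.root }}
+run: ${SCRIPT_ROOT}/.github/workflows/scripts/check-unacceptable-language.sh
 
 license-header-check:
 name: License headers check
@@ -278,7 +288,8 @@ jobs:
 - name: Run license header check
 env:
 PROJECT_NAME: ${{ inputs.license_header_check_project_name }}
-run: ${{ steps.script_path.outputs.root }}/.github/workflows/scripts/check-license-header.sh
+SCRIPT_ROOT: ${{ steps.script_path.outputs.root }}
+run: ${SCRIPT_ROOT}/.github/workflows/scripts/check-license-header.sh
 
 broken-symlink-check:
 name: Broken symlinks check
@@ -306,7 +317,9 @@ jobs:
 echo "root=$GITHUB_WORKSPACE/github-workflows" >> $GITHUB_OUTPUT
 fi
 - name: Run broken symlinks check
-run: ${{ steps.script_path.outputs.root }}/.github/workflows/scripts/check-broken-symlinks.sh
+env:
+SCRIPT_ROOT: ${{ steps.script_path.outputs.root }}
+run: ${SCRIPT_ROOT}/.github/workflows/scripts/check-broken-symlinks.sh
 
 format-check:
 name: Format check
@@ -339,7 +352,9 @@ jobs:
 # https://github.com/actions/checkout/issues/766
 run: git config --global --add safe.directory ${GITHUB_WORKSPACE}
 - name: Run format check
-run: ${{ steps.script_path.outputs.root }}/.github/workflows/scripts/check-swift-format.sh
+env:
+SCRIPT_ROOT: ${{ steps.script_path.outputs.root }}
+run: ${SCRIPT_ROOT}/.github/workflows/scripts/check-swift-format.sh
 
 shell-check:
 name: Shell check
@@ -390,12 +405,14 @@ jobs:
 echo "root=$GITHUB_WORKSPACE/github-workflows" >> $GITHUB_OUTPUT
 fi
 - name: Run yamllint
+env:
+SCRIPT_ROOT: ${{ steps.script_path.outputs.root }}
 run: |
 which yamllint || (apt -q update && apt install -yq yamllint)
 cd ${GITHUB_WORKSPACE}
 if [ ! -f ".yamllint.yml" ]; then
 echo "Downloading default yamllint config file"
-cat ${{ steps.script_path.outputs.root }}/.github/workflows/configs/yamllint.yml > .yamllint.yml
+cat "${SCRIPT_ROOT}/.github/workflows/configs/yamllint.yml" > .yamllint.yml
 fi
 yamllint --strict --config-file .yamllint.yml .
 
@@ -425,11 +442,13 @@ jobs:
 echo "root=$GITHUB_WORKSPACE/github-workflows" >> $GITHUB_OUTPUT
 fi
 - name: Run flake8
+env:
+SCRIPT_ROOT: ${{ steps.script_path.outputs.root }}
 run: |
 pip3 install flake8 flake8-import-order
 cd ${GITHUB_WORKSPACE}
 if [ ! -f ".flake8" ]; then
 echo "Downloading default flake8 config file"
-cat ${{ steps.script_path.outputs.root }}/.github/workflows/configs/.flake8 > .flake8
+cat "${SCRIPT_ROOT}/.github/workflows/configs/.flake8" > .flake8
 fi
 flake8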
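Review bot: The Select Xcode step still appends `XCODE_VERSION` to `$GITHUB_ENV` without validating it, so a value containing a line break would define additional variables for every later step of the job; moving the input into `env:` removes the script-text expansion but not this. A guard ahead of the `echo`, e.g. `[[ "${XCODE_VERSION}" =~ ^[0-9A-Za-z._-]+$ ]] || { echo "invalid Xcode version" >&2; exit 1; }`, closes it, and the redirect target should be quoted as `>> "$GITHUB_ENV"`. The new single-line `run: ${SCRIPT_ROOT}/.github/workflows/scripts/…` entries leave the expansion unquoted while the yamllint and flake8 hunks quote it; because YAML strips outer double quotes, the consistent form is `run: '"${SCRIPT_ROOT}/.github/workflows/scripts/check-docs.sh"'` or a `run: |` block. The two `# zizmor: ignore[template-injection]` lines on the Pre-build steps would benefit from a neighbouring comment saying the input is a caller-supplied command that is executed by design.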

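--- a/.github/workflows/swift_package_test.yml
+++ b/.github/workflows/swift_package_test.yml
@@ -261,8 +261,10 @@ jobs:
 echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV
 - name: Set environment variables
 if: ${{ inputs.macos_env_vars }}
+env:
+ENV_VARS: ${{ inputs.macos_env_vars }}
 run: |
-for i in "${{ inputs.macos_env_vars }}"
+for i in "${ENV_VARS}"
 do
 printf "%s\n" $i >> $GITHUB_ENV
 done
@@ -273,8 +275,10 @@ jobs:
 - name: Clang version
 run: xcrun clang --version
 - name: Pre-build
+# zizmor: ignore[template-injection]
 run: ${{ inputs.macos_pre_build_command }}
 - name: Build / Test
+# zizmor: ignore[template-injection]
 run: ${{ inputs.macos_build_command }} ${{ (contains(matrix.swift_version, 'nightly') && inputs.swift_nightly_flags) || inputs.swift_flags }}
 timeout-minutes: ${{ inputs.macos_build_timeout }}
 
@@ -299,8 +303,10 @@ jobs:
 echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV
 - name: Set environment variables
 if: ${{ inputs.ios_host_env_vars }}
+env:
+ENV_VARS: ${{ inputs.ios_host_env_vars }}
 run: |
-for i in "${{ inputs.ios_host_env_vars }}"
+for i in "${ENV_VARS}"
 do
 printf "%s\n" $i >> $GITHUB_ENV
 done
@@ -310,8 +316,10 @@ jobs:
 run: |
 "$(xcrun -f swift)" --version
 - name: Pre-build
+# zizmor: ignore[template-injection]
 run: ${{ inputs.ios_pre_build_command }}
 - name: Build
+# zizmor: ignore[template-injection]
 run: ${{ inputs.ios_build_command }} ${{ (contains(matrix.swift_version, 'nightly') && inputs.swift_nightly_flags) || inputs.swift_flags }}
 timeout-minutes: ${{ inputs.ios_build_timeout }}
 
@@ -385,14 +393,18 @@ jobs:
 swift /tmp/cross-pr-checkout.swift "${{ github.repository }}" "${{ github.event.number }}"
 - name: Set environment variables
 if: ${{ inputs.linux_env_vars }}
+env:
+ENV_VARS: ${{ inputs.linux_env_vars }}
 run: |
-for i in "${{ inputs.linux_env_vars }}"
+for i in "${ENV_VARS}"
 do
 printf "%s\n" $i >> $GITHUB_ENV
 done
 - name: Pre-build
+# zizmor: ignore[template-injection]
 run: ${{ inputs.linux_pre_build_command }}
 - name: Build / Test
+# zizmor: ignore[template-injection]
 run: ${{ inputs.linux_build_command }} ${{ (contains(matrix.swift_version, 'nightly') && inputs.swift_nightly_flags) || inputs.swift_flags }}
 
 linux-static-sdk-build:
@@ -460,16 +472,20 @@ jobs:
 echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV
 - name: Set environment variables
 if: ${{ inputs.linux_env_vars }}
+env:
+ENV_VARS: ${{ inputs.linux_env_vars }}
 run: |
-for i in "${{ inputs.linux_env_vars }}"
+for i in "${ENV_VARS}"
 do
 printf "%s\n" $i >> $GITHUB_ENV
 done
 - name: Pre-build
+# zizmor: ignore[template-injection]
 run: ${{ inputs.linux_pre_build_command }}
 - name: Install Static Linux Swift SDK and build
 env:
 BUILD_FLAGS: ${{ (contains(matrix.swift_version, 'nightly') && inputs.swift_nightly_flags) || inputs.swift_flags }}
+# zizmor: ignore[template-injection]
 run: |
 ${{ inputs.linux_static_sdk_pre_build_command }}
 ${{ steps.script_path.outputs.root }}/.github/workflows/scripts/install-and-build-with-sdk.sh --static --flags="$BUILD_FLAGS" --build-command="${{ inputs.linux_static_sdk_build_command }}" ${{ matrix.swift_version }}
@@ -525,16 +541,20 @@ jobs:
 echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV
 - name: Set environment variables
 if: ${{ inputs.linux_env_vars }}
+env:
+ENV_VARS: ${{ inputs.linux_env_vars }}
 run: |
-for i in "${{ inputs.linux_env_vars }}"
+for i in "${ENV_VARS}"
 do
 printf "%s\n" $i >> $GITHUB_ENV
 done
 - name: Pre-build
+# zizmor: ignore[template-injection]
 run: ${{ inputs.linux_pre_build_command }}
 - name: Install Swift SDK for Wasm and build
 env:
 BUILD_FLAGS: ${{ (contains(matrix.swift_version, 'nightly') && inputs.swift_nightly_flags) || inputs.swift_flags }}
+# zizmor: ignore[template-injection]
 run: |
 ${{ inputs.wasm_sdk_pre_build_command }}
 ${{ steps.script_path.outputs.root }}/.github/workflows/scripts/install-and-build-with-sdk.sh --wasm --flags="$BUILD_FLAGS" --build-command="${{ inputs.wasm_sdk_build_command }}" ${{ matrix.swift_version }}
@@ -590,16 +610,20 @@ jobs:
 echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV
 - name: Set environment variables
 if: ${{ inputs.linux_env_vars }}
+env:
+ENV_VARS: ${{ inputs.linux_env_vars }}
 run: |
-for i in "${{ inputs.linux_env_vars }}"
+for i in "${ENV_VARS}"
 do
 printf "%s\n" $i >> $GITHUB_ENV
 done
 - name: Pre-build
+# zizmor: ignore[template-injection]
 run: ${{ inputs.linux_pre_build_command }}
 - name: Install Swift SDK for Wasm and build
 env:
 BUILD_FLAGS: ${{ (contains(matrix.swift_version, 'nightly') && inputs.swift_nightly_flags) || inputs.swift_flags }}
+# zizmor: ignore[template-injection]
 run: |
 ${{ inputs.wasm_sdk_pre_build_command }}
 ${{ steps.script_path.outputs.root }}/.github/workflows/scripts/install-and-build-with-sdk.sh --embedded-wasm --flags="$BUILD_FLAGS" ${{ matrix.swift_version }}
@@ -641,17 +665,21 @@ jobs:
 echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV
 - name: Set environment variables
 if: ${{ inputs.linux_env_vars }}
+env:
+ENV_VARS: ${{ inputs.linux_env_vars }}
 run: |
-for i in "${{ inputs.linux_env_vars }}"
+for i in "${ENV_VARS}"
 do
 printf "%s\n" $i >> $GITHUB_ENV
 done
 - name: Pre-build
+# zizmor: ignore[template-injection]
 run: ${{ inputs.linux_pre_build_command }}
 - name: Install Swift SDK for Android and build
 env:
 BUILD_FLAGS: ${{ inputs.enable_android_sdk_checks && '--build-tests' || '' }} ${{ (contains(matrix.swift_version, 'nightly') && inputs.swift_nightly_flags) || inputs.swift_flags }}
 shell: bash
+# zizmor: ignore[template-injection]
 run: |
 ${{ inputs.android_sdk_pre_build_command }}
 ${{ steps.script_path.outputs.root }}/.github/workflows/scripts/install-and-build-with-sdk.sh --android --flags="$BUILD_FLAGS" --build-command="${{ inputs.android_sdk_build_command }}" --android-sdk-triple=${{ join(fromJson(inputs.android_sdk_triples), ' --android-sdk-triple=') }} --android-ndk-version="${{ matrix.ndk_version }}" ${{ matrix.swift_version }}
@@ -670,6 +698,7 @@ jobs:
 - name: Install Android Emulator and run tests
 if: ${{ inputs.enable_android_sdk_checks }}
 shell: bash
+# zizmor: ignore[template-injection]
 run: |
 ${{ inputs.android_sdk_pre_build_command }}
 ${{ steps.script_path.outputs.root }}/.github/workflows/scripts/android/android-emulator-tests.sh --android-sdk-triple=${{ join(fromJson(inputs.android_sdk_triples), ' --android-sdk-triple=') }}
@@ -714,8 +743,10 @@ jobs:
 echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf8 -Append
 - name: Set environment variables
 if: ${{ inputs.windows_env_vars }}
+env:
+WINDOWS_ENV_VARS: ${{ inputs.windows_env_vars }}
 run: |
-$lines = "${{ inputs.windows_env_vars }}" -split "`r`n"
+$lines = $env:WINDOWS_ENV_VARS -split "`r`n"
 foreach ($line in $lines) {
 echo $line | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf8 -Append
 }
@@ -749,6 +780,7 @@ jobs:
 if: ${{ !inputs.enable_windows_docker }}
 run: . ${{ steps.script_path.outputs.root }}/.github/workflows/scripts/windows/swift/install-swift-${{ matrix.swift_version }}.ps1
 - name: Create test script
+# zizmor: ignore[template-injection]
 run: |
 mkdir $env:TEMP\test-script
 echo @'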
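Review bot: The `# zizmor: ignore[template-injection]` lines added on the SDK build and emulator steps appear to silence the whole `run:` block, yet only the `*_pre_build_command` and `*_build_command` inputs are meant to be executed as written; `${{ steps.script_path.outputs.root }}`, `${{ matrix.swift_version }}`, `${{ matrix.ndk_version }}` and the `join(fromJson(inputs.android_sdk_triples), …)` expression stay inlined in the same scripts and are now hidden from the linter. Those can go through `env:` the way soundness.yml does in this commit, e.g. `SCRIPT_ROOT: ${{ steps.script_path.outputs.root }}` and `SWIFT_VERSION: ${{ matrix.swift_version }}`, then `"${SCRIPT_ROOT}/.github/workflows/scripts/install-and-build-with-sdk.sh" … "${SWIFT_VERSION}"`. Each suppression should also carry a comment stating why it is acceptable, such as `# Caller-supplied command from the workflow input; executed by design`. Separately, `printf "%s\n" $i` in the Set environment variables steps leaves `$i` unquoted, so glob characters in a value are expanded against the working directory before the line reaches `$GITHUB_ENV`; wrapping the loop in `set -f` would keep the word splitting but stop the globbing.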
