
Commit 60e5a63

Run Zizmor on workflows
1 parent 34daa0c commit 60e5a63

4 files changed

Lines changed: 69 additions & 25 deletions


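--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -36,13 +36,18 @@ on:
 required: false
 default: '19'
 
+permissions:
+contents: read
+
 jobs:
 benchmark:
 runs-on: ubuntu-latest
 
 steps:
 - name: Checkout memory tracker
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+with:
+persist-credentials: false
 
 - name: Set up Python
 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
@@ -51,9 +56,11 @@ jobs:
 
 - name: Clone CPython repository
 run: |
-git clone ${{ github.event.inputs.cpython_repo }} cpython
+git clone ${GITHUB_EVENT_INPUTS_CPYTHON_REPO} cpython
 cd cpython
 git fetch --depth=200
+env:
+GITHUB_EVENT_INPUTS_CPYTHON_REPO: ${{ github.event.inputs.cpython_repo }}
 
 - name: Install memory tracker worker
 run: |
@@ -67,8 +74,8 @@ jobs:
 sudo .github/workflows/posix-deps-apt.sh
 
 # Install JIT dependencies
-if [ "${{ inputs.binary_id }}" = "jit" ]; then
-sudo bash -c "$(wget -O - https://apt.llvm.org/llvm.sh)" ./llvm.sh ${{ inputs.llvm }}
+if [ "${INPUTS_BINARY_ID}" = "jit" ]; then
+sudo bash -c "$(wget -O - https://apt.llvm.org/llvm.sh)" ./llvm.sh ${INPUTS_LLVM}
 fi
 
 # Install Memray dependencies
@@ -77,33 +84,44 @@ jobs:
 libdebuginfod-dev \
 libunwind-dev \
 liblz4-dev
+env:
+INPUTS_BINARY_ID: ${{ inputs.binary_id }}
+INPUTS_LLVM: ${{ inputs.llvm }}
 
 - name: Run memory benchmarks
 env:
 MEMORY_TRACKER_TOKEN: ${{ secrets.MEMORY_TRACKER_TOKEN }}
+INPUTS_BINARY_ID: ${{ inputs.binary_id }}
+INPUTS_LLVM: ${{ inputs.llvm }}
+GITHUB_EVENT_INPUTS_COMMIT_RANGE: ${{ github.event.inputs.commit_range }}
+GITHUB_EVENT_INPUTS_BINARY_ID: ${{ github.event.inputs.binary_id }}
+GITHUB_EVENT_INPUTS_ENVIRONMENT_ID: ${{ github.event.inputs.environment_id }}
+GITHUB_EVENT_INPUTS_SERVER_URL: ${{ github.event.inputs.server_url }}
+GITHUB_EVENT_INPUTS_CONFIGURE_FLAGS: ${{ github.event.inputs.configure_flags }}
+GITHUB_EVENT_INPUTS_MAKE_FLAGS: ${{ github.event.inputs.make_flags }}
 run: |
-if [ "${{ inputs.binary_id }}" = "jit" ]; then
-export PATH="$(llvm-config-${{ inputs.llvm }} --bindir):$PATH"
+if [ "${INPUTS_BINARY_ID}" = "jit" ]; then
+export PATH="$(llvm-config-${INPUTS_LLVM} --bindir):$PATH"
 fi
 
 # Build command with conditional flags
-CMD="memory-tracker benchmark '${{ github.event.inputs.commit_range }}'"
+CMD="memory-tracker benchmark '${GITHUB_EVENT_INPUTS_COMMIT_RANGE}'"
 CMD="$CMD --repo-path ./cpython"
-CMD="$CMD --binary-id '${{ github.event.inputs.binary_id }}'"
-CMD="$CMD --environment-id '${{ github.event.inputs.environment_id }}'"
-CMD="$CMD --api-base '${{ github.event.inputs.server_url }}'"
+CMD="$CMD --binary-id '${GITHUB_EVENT_INPUTS_BINARY_ID}'"
+CMD="$CMD --environment-id '${GITHUB_EVENT_INPUTS_ENVIRONMENT_ID}'"
+CMD="$CMD --api-base '${GITHUB_EVENT_INPUTS_SERVER_URL}'"
 CMD="$CMD --output-dir ./benchmark_results"
 CMD="$CMD --force"
 CMD="$CMD -vv"
 
 # Add configure flags if provided
-if [ -n "${{ github.event.inputs.configure_flags }}" ]; then
-CMD="$CMD --configure-flags='${{ github.event.inputs.configure_flags }}'"
+if [ -n "${GITHUB_EVENT_INPUTS_CONFIGURE_FLAGS}" ]; then
+CMD="$CMD --configure-flags='${GITHUB_EVENT_INPUTS_CONFIGURE_FLAGS}'"
 fi
 
 # Add make flags if provided
-if [ -n "${{ github.event.inputs.make_flags }}" ]; then
-CMD="$CMD --make-flags='${{ github.event.inputs.make_flags }}'"
+if [ -n "${GITHUB_EVENT_INPUTS_MAKE_FLAGS}" ]; then
+CMD="$CMD --make-flags='${GITHUB_EVENT_INPUTS_MAKE_FLAGS}'"
 fi
 
 echo "Running: $CMD"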
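Review bot: The `CMD` string assembled in the last hunk still splices each input into the command text between single quotes (`CMD="memory-tracker benchmark '${GITHUB_EVENT_INPUTS_COMMIT_RANGE}'"` and the lines that follow), so moving the values into `env:` removes template-time injection but leaves the shell to re-parse them when `$CMD` is executed after the hunk ends — presumably via `eval` — and an input containing a `'` would still terminate the quoted argument. Building the command as a bash array and running it as `"${CMD[@]}"` passes every value verbatim as a single argument, and `echo "Running: ${CMD[*]}"` keeps the log line. The two unquoted expansions `git clone ${GITHUB_EVENT_INPUTS_CPYTHON_REPO} cpython` and `./llvm.sh ${INPUTS_LLVM}` in the earlier hunks are exposed to word splitting for the same reason; daily-benchmark.yml already double-quotes both. The `run:` block continues past the end of this hunk, so the line that finally executes the command is not visible here and would need to change to the array form as well.

```yaml
      run: |
        # … unchanged: PATH setup for the jit binary …

        # Build the command as an array: each value is passed as exactly one
        # argument and is never re-parsed by the shell, whatever it contains.
        CMD=(memory-tracker benchmark "${GITHUB_EVENT_INPUTS_COMMIT_RANGE}"
             --repo-path ./cpython
             --binary-id "${GITHUB_EVENT_INPUTS_BINARY_ID}"
             --environment-id "${GITHUB_EVENT_INPUTS_ENVIRONMENT_ID}"
             --api-base "${GITHUB_EVENT_INPUTS_SERVER_URL}"
             --output-dir ./benchmark_results --force -vv)

        # Add configure flags if provided
        if [ -n "${GITHUB_EVENT_INPUTS_CONFIGURE_FLAGS}" ]; then
          CMD+=(--configure-flags="${GITHUB_EVENT_INPUTS_CONFIGURE_FLAGS}")
        fi

        # Add make flags if provided
        if [ -n "${GITHUB_EVENT_INPUTS_MAKE_FLAGS}" ]; then
          CMD+=(--make-flags="${GITHUB_EVENT_INPUTS_MAKE_FLAGS}")
        fi

        echo "Running: ${CMD[*]}"
        # … remainder of the step is outside this hunk …
```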

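--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,6 +5,9 @@ on:
 branches: [main]
 pull_request:
 
+permissions:
+contents: read
+
 jobs:
 check-lockfile:
 name: Check backend lockfile is up to date
@@ -14,6 +17,7 @@ jobs:
 - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 fetch-depth: 0
+persist-credentials: false
 - name: Ensure lockfiles are updated when .in files change
 run: |
 BASE=${{ github.event.pull_request.base.sha }}
@@ -48,6 +52,7 @@ jobs:
 - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 fetch-depth: 0
+persist-credentials: false
 - name: Check for backend changes
 id: changes
 run: |
@@ -88,6 +93,8 @@ jobs:
 working-directory: frontend
 steps:
 - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+with:
+persist-credentials: false
 - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 node-version: 20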
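Review bot: The new workflow-level `permissions: contents: read` in the first hunk carries no comment saying that it is the default GITHUB_TOKEN scope for every job and that a job needing more must widen it locally; a one-line `# Least-privilege default for GITHUB_TOKEN; widen per job only where a step needs it` above it would stop the next editor from re-adding broad permissions at workflow level. The same block is added to benchmark.yml and daily-benchmark.yml and would benefit from the same comment. For consistency with the env-indirection pattern this commit applies elsewhere, `BASE=${{ github.event.pull_request.base.sha }}` in the check-lockfile step is the one expression left inline in a `run:` block; a commit SHA is not attacker-shaped text, so this is style rather than a defect, but an `env: BASE_SHA: ${{ github.event.pull_request.base.sha }}` entry would keep every workflow uniform. That step's `run:` block continues past the end of its hunk.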

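--- a/.github/workflows/daily-benchmark.yml
+++ b/.github/workflows/daily-benchmark.yml
@@ -27,6 +27,9 @@ on:
 required: false
 default: '19'
 
+permissions:
+contents: read
+
 jobs:
 benchmark-builds:
 runs-on: ubuntu-latest
@@ -58,6 +61,8 @@ jobs:
 steps:
 - name: Checkout memory tracker
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+with:
+persist-credentials: false
 
 - name: Set up Python
 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
@@ -66,13 +71,13 @@ jobs:
 
 - name: Clone CPython repository and get commits
 run: |
-git clone ${{ github.event.inputs.cpython_repo || 'https://github.com/python/cpython.git' }} cpython
+git clone "${GITHUB_EVENT_INPUTS_CPYTHON_REPO}" cpython
 cd cpython
 git fetch --all
 
 # Determine target date
-if [ -n "${{ github.event.inputs.target_date }}" ]; then
-TARGET_DATE="${{ github.event.inputs.target_date }}"
+if [ -n "${GITHUB_EVENT_INPUTS_TARGET_DATE}" ]; then
+TARGET_DATE="${GITHUB_EVENT_INPUTS_TARGET_DATE}"
 else
 TARGET_DATE=$(date -u +%Y-%m-%d)
 fi
@@ -92,6 +97,9 @@ jobs:
 
 echo "Commit to benchmark: $LAST_COMMIT"
 fi
+env:
+GITHUB_EVENT_INPUTS_TARGET_DATE: ${{ github.event.inputs.target_date }}
+GITHUB_EVENT_INPUTS_CPYTHON_REPO: ${{ github.event.inputs.cpython_repo || 'https://github.com/python/cpython.git' }}
 
 - name: Print environment variables
 run: |
@@ -110,14 +118,16 @@ jobs:
 pip install -e .
 
 - name: Install build dependencies
+env:
+LLVM_VERSION: ${{ github.event.inputs.llvm || '19' }}
 run: |
 # Install CPython dependencies using their script
 cd cpython
 sudo .github/workflows/posix-deps-apt.sh
 
 # Install JIT dependencies if needed
 if [ "${{ matrix.build_config.install_deps }}" = "jit" ]; then
-sudo bash -c "$(wget -O - https://apt.llvm.org/llvm.sh)" ./llvm.sh ${{ github.event.inputs.llvm || '19' }}
+sudo bash -c "$(wget -O - https://apt.llvm.org/llvm.sh)" ./llvm.sh "${LLVM_VERSION}"
 fi
 
 # Install Memray dependencies
@@ -130,20 +140,22 @@ jobs:
 - name: Run memory benchmark for commit range - ${{ matrix.build_config.description }}
 env:
 MEMORY_TRACKER_TOKEN: ${{ secrets.MEMORY_TRACKER_TOKEN }}
+LLVM_VERSION: ${{ github.event.inputs.llvm || '19' }}
+ENVIRONMENT_ID: ${{ github.event.inputs.environment_id || 'gh_actions' }}
+SERVER_URL: ${{ github.event.inputs.server_url || 'https://memory.python.org' }}
 run: |
 if [ "${{ matrix.build_config.install_deps }}" = "jit" ]; then
-export PATH="$(llvm-config-${{ github.event.inputs.llvm || '19' }} --bindir):$PATH"
-export LLVM_VERSION="${{ github.event.inputs.llvm || '19' }}"
-echo "LLVM Path: $(llvm-config-${{ github.event.inputs.llvm || '19' }} --bindir)"
-echo "Clang version: $(clang-${{ github.event.inputs.llvm || '19' }} --version || echo 'clang-${{ github.event.inputs.llvm || '19' }} not found')"
+export PATH="$(llvm-config-${LLVM_VERSION} --bindir):$PATH"
+echo "LLVM Path: $(llvm-config-${LLVM_VERSION} --bindir)"
+echo "Clang version: $(clang-${LLVM_VERSION} --version || echo "clang-${LLVM_VERSION} not found")"
 fi
 
 # Build command for commit range
 memory-tracker benchmark "$COMMIT_RANGE" \
 --repo-path ./cpython \
 --binary-id "${{ matrix.build_config.binary_id }}" \
---environment-id "${{ github.event.inputs.environment_id || 'gh_actions' }}" \
---api-base "${{ github.event.inputs.server_url || 'https://memory.python.org' }}" \
+--environment-id "${ENVIRONMENT_ID}" \
+--api-base "${SERVER_URL}" \
 --output-dir ./benchmark_results \
 --configure-flags="${{ matrix.build_config.configure_flags }}" \
 --force \
@@ -176,5 +188,7 @@ jobs:
 - name: Print summary
 run: |
 echo "Daily benchmark run completed"
-echo "Benchmark jobs completed with status: ${{ needs.benchmark-builds.result }}"
-echo "Binary types benchmarked: default, debug, jit, lto-pgo, nogil"
+echo "Benchmark jobs completed with status: ${NEEDS_BENCHMARK_BUILDS_RESULT}"
+echo "Binary types benchmarked: default, debug, jit, lto-pgo, nogil"
+env:
+NEEDS_BENCHMARK_BUILDS_RESULT: ${{ needs.benchmark-builds.result }}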
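Review bot: `LLVM_VERSION` silently changes scope in the "Run memory benchmark" hunk: the removed `export LLVM_VERSION="${{ github.event.inputs.llvm || '19' }}"` only set it inside the `jit` branch, whereas the new step-level `env:` entry exports it to `memory-tracker` for every matrix entry, so any downstream consumer that keys on the variable being present now sees it for the non-JIT builds too; worth confirming that is intended and recording it in a comment such as `# LLVM_VERSION is now set for every build config, not only jit`. The same `${{ github.event.inputs.llvm || '19' }}` default is now spelled out twice (install step and benchmark step), so the two copies can drift; if the wider scope is acceptable, a single job-level `env:` holding `LLVM_VERSION`, `ENVIRONMENT_ID` and `SERVER_URL` writes each default once. The benchmark step's `run:` block continues past the end of that hunk.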

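--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,5 @@
+rules:
+secrets-outside-env:
+ignore:
+- benchmark.yml
+- daily-benchmark.yml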
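Review bot: The file-wide `ignore` entries for `secrets-outside-env` suppress that audit for every current and future finding in benchmark.yml and daily-benchmark.yml without recording why; the only uses of `secrets.MEMORY_TRACKER_TOKEN` visible in this commit already sit under `env:`, so the reason for the exemption cannot be inferred from the change. A comment above each entry, e.g. `# <why the env-only rule cannot be met here>`, would preserve that reasoning, and narrowing each entry to the offending line (zizmor's config accepts line-pinned patterns of the form `file.yml:<line>`) would keep later findings in those workflows visible rather than silenced by default.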
