ci: eliminate template expansion in code contexts

Replace all template expansions in code contexts with environment
variable substitutions. Template expansion in code contexts can be a
source of code injection vulnerabilities; for more info, see:
https://docs.zizmor.sh/audits/#template-injection
This commit is contained in:
Daniel Hast
2026-03-07 12:03:52 -05:00
parent 755087f8ef
commit 3572bf7e16
7 changed files with 57 additions and 21 deletions


@@ -3,18 +3,22 @@ description: "This action caches neovim dependencies"
runs:
using: "composite"
steps:
- run: echo "CACHE_KEY=${{ github.workflow }}" >> $GITHUB_ENV
- run: echo "CACHE_KEY=${GITHUB_WORKFLOW}" >> $GITHUB_ENV
shell: bash
- run: echo "CACHE_KEY=${{ github.job }}" >> $GITHUB_ENV
- run: echo "CACHE_KEY=${GITHUB_JOB}" >> $GITHUB_ENV
shell: bash
- if: ${{ matrix }}
run: echo "CACHE_KEY=$CACHE_KEY-${{ join(matrix.*, '-') }}" >> $GITHUB_ENV
env:
MATRIX_JOIN: ${{ join(matrix.*, '-') }}
run: echo "CACHE_KEY=${CACHE_KEY}-${MATRIX_JOIN}" >> $GITHUB_ENV
shell: bash
- if: ${{ matrix.build }}
run: echo "CACHE_KEY=$CACHE_KEY-${{ join(matrix.build.*, '-') }}" >> $GITHUB_ENV
env:
MATRIX_JOIN: ${{ join(matrix.build.*, '-') }}
run: echo "CACHE_KEY=${CACHE_KEY}-${MATRIX_JOIN}" >> $GITHUB_ENV
shell: bash
- id: image
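Review bot: The four rewritten `echo "CACHE_KEY=…" >> $GITHUB_ENV` lines still leave the file path unquoted; the shell idiom is `>> "$GITHUB_ENV"` on each of them. The joined matrix value is written into the line-oriented `GITHUB_ENV` file as-is, which is fine here because `matrix` values come from the calling workflow, so this is hardening rather than a fix. The first two steps appear to overwrite rather than accumulate `CACHE_KEY` (`${GITHUB_WORKFLOW}` is replaced by `${GITHUB_JOB}` on the next step); if that is intended, a comment above the first step such as `# CACHE_KEY is rewritten by each step below; later steps append to it` would spare the next reader a double-take. The `id: image` step continues past the end of the hunk.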


@@ -22,7 +22,9 @@ runs:
shell: pwsh
- name: Install dependencies
run: ./.github/scripts/install_deps.sh ${{ inputs.install_flags }}
env:
INSTALL_FLAGS: ${{ inputs.install_flags }}
run: ./.github/scripts/install_deps.sh ${INSTALL_FLAGS}
shell: bash
- name: Cache
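Review bot: `${INSTALL_FLAGS}` in the `Install dependencies` step is left unquoted so that a value holding several flags is word-split, unlike the other substitutions this commit quotes; a comment above the line, `# INSTALL_FLAGS is intentionally unquoted: it may hold several space-separated flags`, would stop a future cleanup from quoting it and breaking multi-flag inputs. The same intentional pattern applies to `$BUILD_DEPS_FLAGS` and `$BUILD_FLAGS` in the test workflow's `Build third-party deps` and `Build` steps. The pwsh counterpart in the last file (`cmake --preset ci … $env:BUILD_FLAGS`) behaves differently: PowerShell passes a variable to a native command as a single argument, so a value carrying more than one flag would reach cmake as one quoted argument, whereas the old template expansion was spliced into the command text before parsing. If `inputs.build_flags` can hold several flags there, split it first, e.g. `$flags = $env:BUILD_FLAGS -split '\s+' | Where-Object { $_ }` followed by `cmake --preset ci -D CMAKE_BUILD_TYPE='RelWithDebInfo' $flags`.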


@@ -48,4 +48,6 @@ jobs:
if: ${{ steps.backport.outputs.was_successful == 'true' }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh pr merge --rebase --auto ${{ steps.backport.outputs.created_pull_numbers }}
CREATED_PULL_NUMBERS: ${{ steps.backport.outputs.created_pull_numbers }}
run: |
gh pr merge --rebase --auto "${CREATED_PULL_NUMBERS}"
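Review bot: Quoting `"${CREATED_PULL_NUMBERS}"` in the merge step changes behaviour when the backport step reports more than one pull request: the plural output name suggests a space-separated list, and the previously unquoted expansion split it into separate arguments, whereas the new line hands the whole list to `gh pr merge` as one argument. If more than one number is possible, loop over the value instead, `for n in ${CREATED_PULL_NUMBERS}; do gh pr merge --rebase --auto "$n"; done`. If the output is always exactly one number, a comment above the `run:` saying so would document why the quoting is safe.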


@@ -19,13 +19,15 @@ jobs:
ref: ${{ github.event.pull_request.head.sha }}
persist-credentials: false
- name: news.txt needs to be updated
env:
PULL_REQUEST_COMMITS: ${{ github.event.pull_request.commits }}
run: |
for commit in $(git rev-list HEAD~${{ github.event.pull_request.commits }}..HEAD); do
for commit in $(git rev-list "HEAD~${PULL_REQUEST_COMMITS}..HEAD"); do
message=$(git log -n1 --pretty=format:%s $commit)
type="$(echo "$message" | sed -E 's|([[:alpha:]]+)(\(.*\))?!?:.*|\1|')"
breaking="$(echo "$message" | sed -E 's|[[:alpha:]]+(\(.*\))?!:.*|breaking-change|')"
if [[ "$type" == "feat" ]] || [[ "$type" == "perf" ]] || [[ "$breaking" == "breaking-change" ]]; then
! git diff HEAD~${{ github.event.pull_request.commits }}..HEAD --quiet runtime/doc/news.txt runtime/doc/deprecated.txt ||
! git diff "HEAD~${PULL_REQUEST_COMMITS}..HEAD" --quiet runtime/doc/news.txt runtime/doc/deprecated.txt ||
{
echo "
Pull request includes a new feature, performance improvement
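Review bot: `PULL_REQUEST_COMMITS` is interpolated into two git range expressions (`HEAD~${PULL_REQUEST_COMMITS}..HEAD`) without checking that it is a number; `github.event.pull_request.commits` is an integer in the event payload, so the risk is low, but a one-line guard at the top of the script, `[[ "$PULL_REQUEST_COMMITS" =~ ^[0-9]+$ ]] || { echo "unexpected commit count: $PULL_REQUEST_COMMITS" >&2; exit 1; }`, turns an empty or malformed value into a clear failure instead of an obscure git error. The script body continues past the end of the hunk.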


@@ -65,10 +65,17 @@ jobs:
persist-credentials: false
- run: ./.github/scripts/install_deps.sh
- run: sudo apt-get install -y libfuse2
- run: echo "CMAKE_BUILD_TYPE=${{ needs.setup.outputs.build_type }}" >> $GITHUB_ENV
- run: echo "CMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}" >> $GITHUB_ENV
env:
CMAKE_BUILD_TYPE: ${{ needs.setup.outputs.build_type }}
- name: appimage
env:
APPIMAGE_TAG: ${{ needs.setup.outputs.appimage_tag }}
run: |
./scripts/genappimage.sh ${{ needs.setup.outputs.appimage_tag }}
./scripts/genappimage.sh "${APPIMAGE_TAG}"
- name: tar.gz
run: cpack --config build/CPackConfig.cmake -G TGZ
- uses: actions/upload-artifact@v7
@@ -103,6 +110,7 @@ jobs:
arch: arm64
runs-on: ${{ matrix.runner }}
env:
CMAKE_BUILD_TYPE: ${{ needs.setup.outputs.build_type }}
MACOSX_DEPLOYMENT_TARGET: 11.0
steps:
- uses: actions/checkout@v6
@@ -116,13 +124,13 @@ jobs:
- name: Build deps
run: |
cmake -S cmake.deps -B .deps -G Ninja \
-D CMAKE_BUILD_TYPE=${{ needs.setup.outputs.build_type }} \
-D CMAKE_BUILD_TYPE="${CMAKE_BUILD_TYPE}" \
-D CMAKE_FIND_FRAMEWORK=NEVER
cmake --build .deps
- name: Build neovim
run: |
cmake -B build -G Ninja \
-D CMAKE_BUILD_TYPE=${{ needs.setup.outputs.build_type }} \
-D CMAKE_BUILD_TYPE="${CMAKE_BUILD_TYPE}" \
-D ENABLE_LIBINTL=OFF \
-D CMAKE_FIND_FRAMEWORK=NEVER
cmake --build build
@@ -147,6 +155,8 @@ jobs:
arch: arm64
archive_name: nvim-win-arm64
runs-on: ${{ matrix.runner }}
env:
CMAKE_BUILD_TYPE: ${{ needs.setup.outputs.build_type }}
steps:
- uses: actions/checkout@v6
with:
@@ -162,12 +172,14 @@ jobs:
Expand-Archive -Path "wix314-binaries.zip" -DestinationPath "C:/wix"
echo "C:\wix" >> $env:GITHUB_PATH
- name: Build deps
shell: pwsh
run: |
cmake -S cmake.deps -B .deps -G Ninja -DCMAKE_BUILD_TYPE=${{ needs.setup.outputs.build_type }}
cmake -S cmake.deps -B .deps -G Ninja -DCMAKE_BUILD_TYPE="${env:CMAKE_BUILD_TYPE}"
cmake --build .deps
- name: Build package
shell: pwsh
run: |
cmake -B build -G Ninja -DCMAKE_BUILD_TYPE=${{ needs.setup.outputs.build_type }}
cmake -B build -G Ninja -DCMAKE_BUILD_TYPE="${env:CMAKE_BUILD_TYPE}"
cmake --build build --target package
- name: Upload artifact
uses: actions/upload-artifact@v7
@@ -199,25 +211,31 @@ jobs:
run: sudo apt-get update && sudo apt-get install -y gettext-base
- if: github.event_name == 'workflow_dispatch'
run: echo "TAG_NAME=${{ github.event.inputs.tag_name }}" >> $GITHUB_ENV
env:
TAG_NAME: ${{ github.event.inputs.tag_name }}
run: echo "TAG_NAME=${TAG_NAME}" >> $GITHUB_ENV
- if: github.event_name == 'schedule'
run: echo 'TAG_NAME=nightly' >> $GITHUB_ENV
- if: github.event_name == 'push'
run: |
TAG_NAME=${{ github.ref }}
echo "TAG_NAME=${TAG_NAME#refs/tags/}" >> $GITHUB_ENV
echo "TAG_NAME=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
- if: env.TAG_NAME == 'nightly'
run: |
(echo 'SUBJECT=Nvim development (prerelease) build';
echo 'PRERELEASE=--prerelease') >> $GITHUB_ENV
gh release delete nightly --yes || true
git push origin :nightly || true
- if: env.TAG_NAME != 'nightly'
run: |
(echo 'SUBJECT=Nvim release build';
echo 'PRERELEASE=') >> $GITHUB_ENV
gh release delete stable --yes || true
git push origin :stable || true
- name: Publish release
env:
NVIM_VERSION: ${{ needs.linux.outputs.version }}
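Review bot: In the `@@ -199,25 +211,31 @@` hunk, the `workflow_dispatch` step writes the user-supplied `TAG_NAME` input straight into `GITHUB_ENV`; the env-var move stops it from being parsed as shell, but `GITHUB_ENV` is line-oriented, so a value containing a newline could still define further variables, and `TAG_NAME` drives the `if: env.TAG_NAME …` conditions that follow. Whoever can dispatch the workflow is already trusted, so this is defence in depth, but validating before exporting, e.g. `[[ "$TAG_NAME" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "invalid tag_name" >&2; exit 1; }` ahead of the `echo`, closes the gap; quoting the file path as `>> "$GITHUB_ENV"` is the matching shell idiom, here and on the `CMAKE_BUILD_TYPE` line in the first hunk. The job-level `env: CMAKE_BUILD_TYPE` added to the macOS and Windows jobs reads cleanly; a short comment above each, `# consumed by the Build deps / Build steps below`, would help since the consumers sit several hunks away.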


@@ -62,7 +62,9 @@ jobs:
- if: "!cancelled()"
name: Determine if run should be aborted
id: abort_job
run: echo "status=${{ job.status }}" >> $GITHUB_OUTPUT
env:
JOB_STATUS: ${{ job.status }}
run: echo "status=${JOB_STATUS}" >> $GITHUB_OUTPUT
- if: success() || failure() && steps.abort_job.outputs.status == 'success'
name: stylua
@@ -175,13 +177,17 @@ jobs:
run: cmake -E rm -rf -- .git
- name: Build third-party deps
env:
BUILD_DEPS_FLAGS: ${{ matrix.build.deps_flags }}
run: |
cmake -S cmake.deps --preset ci -D CMAKE_BUILD_TYPE=Debug ${{ matrix.build.deps_flags }}
cmake -S cmake.deps --preset ci -D CMAKE_BUILD_TYPE=Debug $BUILD_DEPS_FLAGS
cmake --build .deps
- name: Build
env:
BUILD_FLAGS: ${{ matrix.build.flags }}
run: |
cmake --preset ci -D CMAKE_BUILD_TYPE=Debug -D CMAKE_INSTALL_PREFIX:PATH=$INSTALL_PREFIX ${{ matrix.build.flags }}
cmake --preset ci -D CMAKE_BUILD_TYPE=Debug -D CMAKE_INSTALL_PREFIX:PATH=$INSTALL_PREFIX $BUILD_FLAGS
cmake --build build
- if: ${{ matrix.test == 'unittest' }}


@@ -33,8 +33,10 @@ jobs:
cmake --build .deps
- name: Build
env:
BUILD_FLAGS: ${{ inputs.build_flags }}
run: |
cmake --preset ci -D CMAKE_BUILD_TYPE='RelWithDebInfo' ${{ inputs.build_flags }}
cmake --preset ci -D CMAKE_BUILD_TYPE='RelWithDebInfo' $env:BUILD_FLAGS
cmake --build build
- name: Install test deps