diff --git a/.github/workflows/create_automerge_pr.yml b/.github/workflows/create_automerge_pr.yml index ca2e0922..d3e7b96c 100644 --- a/.github/workflows/create_automerge_pr.yml +++ b/.github/workflows/create_automerge_pr.yml @@ -74,13 +74,16 @@ jobs: fetch-depth: 0 - name: Check if there are commits to merge id: create_merge_commit + env: + HEAD_BRANCH: ${{ inputs.head_branch }} + BASE_BRANCH: ${{ inputs.base_branch }} run: | # Without this, we can't perform git operations in GitHub actions. git config --global --add safe.directory "$(realpath .)" git config --local user.name 'swift-ci' git config --local user.email 'swift-ci@users.noreply.github.com' - if [[ "$(git rev-list --left-only --count origin/${{ inputs.head_branch }}...origin/${{ inputs.base_branch }})" == 0 ]]; then + if [[ "$(git rev-list --left-only --count origin/${HEAD_BRANCH}...origin/${BASE_BRANCH})" == 0 ]]; then echo "Nothing to merge" echo "has_commits_to_merge=false" >> "$GITHUB_OUTPUT" exit @@ -92,17 +95,20 @@ jobs: if: ${{ steps.create_merge_commit.outputs.has_commits_to_merge == 'true' }} env: GH_TOKEN: ${{ github.token }} + HEAD_BRANCH: ${{ inputs.head_branch }} + BASE_BRANCH: ${{ inputs.base_branch }} + PR_MESSAGE: ${{ inputs.pr_message }} run: | # Create a branch for the PR instead of opening a PR that merges head_branch directly so that we have a fixed # target in the PR and don't modify the PR as new commits are put on the head branch. PR_BRANCH="automerge/merge-main-$(date +%Y-%m-%d_%H-%M)" - git checkout ${{ inputs.head_branch }} + git checkout "${HEAD_BRANCH}" git checkout -b "$PR_BRANCH" git push --set-upstream origin "$PR_BRANCH" gh pr create \ - --base "${{ inputs.base_branch }}" \ + --base "${BASE_BRANCH}" \ --head "$PR_BRANCH" \ - --title 'Merge `${{ inputs.head_branch }}` into `${{ inputs.base_branch }}`' \ - --body '${{ inputs.pr_message }}' \ + --title "Merge \`${HEAD_BRANCH}\` into \`${BASE_BRANCH}\`" \ + --body "${PR_MESSAGE}" \ --draft 
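Review bot: The two variables in the `git rev-list` range are still expanded unquoted inside the command substitution, so a `head_branch` or `base_branch` value containing whitespace would be word-split into extra arguments to git. The env indirection removes the script-text injection, but quoting the range closes the argument-splitting case as well: `"$(git rev-list --left-only --count "origin/${HEAD_BRANCH}...origin/${BASE_BRANCH}")"`. The step's `run:` body continues past the end of this hunk.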
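Review bot: `git checkout "${HEAD_BRANCH}"` is no longer open to shell interpolation, but a value beginning with `-` would still be read by git as an option rather than a branch name. If the caller's inputs are not fully trusted, validate them before first use, for example `git check-ref-format --branch "${HEAD_BRANCH}" >/dev/null` (and the same for `BASE_BRANCH`), which rejects a leading dash. The rewritten `--title` escapes its backticks, and `--body "${PR_MESSAGE}"` passes the message as a single argument, so those two lines need no further change.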
diff --git a/.github/workflows/performance_test.yml b/.github/workflows/performance_test.yml
index dcec8325..52b813cb 100644
--- a/.github/workflows/performance_test.yml
+++ b/.github/workflows/performance_test.yml
@@ -42,16 +42,26 @@ jobs: # https://github.com/actions/checkout/issues/766 run: git config --global --add safe.directory ${GITHUB_WORKSPACE} - name: Measure PR performance + env: + PACKAGE_PATH: ${{ inputs.package_path }} + HEAD_REF: ${{ github.head_ref }} run: | - swift package --package-path ${{ inputs.package_path }} --allow-writing-to-directory ${{ inputs.package_path }}/.benchmarkBaselines/ benchmark baseline update "${{ github.head_ref }}" + swift package --package-path "${PACKAGE_PATH}" --allow-writing-to-directory "${PACKAGE_PATH}/.benchmarkBaselines/" benchmark baseline update "${HEAD_REF}" - name: Measure base branch performance + env: + PACKAGE_PATH: ${{ inputs.package_path }} + BASE_REF: ${{ github.base_ref }} run: | - git checkout ${{ github.base_ref }} - swift package --package-path ${{ inputs.package_path }} --allow-writing-to-directory ${{ inputs.package_path }}/.benchmarkBaselines/ benchmark baseline update "${{ github.base_ref }}" + git checkout "${BASE_REF}" + swift package --package-path "${PACKAGE_PATH}" --allow-writing-to-directory "${PACKAGE_PATH}/.benchmarkBaselines/" benchmark baseline update "${BASE_REF}" - name: Compare performance measurements id: compare_performance + env: + PACKAGE_PATH: ${{ inputs.package_path }} + BASE_REF: ${{ github.base_ref }} + HEAD_REF: ${{ github.head_ref }} run: | - if ! swift package --package-path ${{ inputs.package_path }} benchmark baseline check "${{ github.base_ref }}" "${{ github.head_ref }}" --format markdown > /tmp/comparison.md 2>/tmp/comparison-stderr.txt; then + if ! swift package --package-path "${PACKAGE_PATH}" benchmark baseline check "${BASE_REF}" "${HEAD_REF}" --format markdown > /tmp/comparison.md 2>/tmp/comparison-stderr.txt; then echo "has_significant_changes=true" >> "$GITHUB_OUTPUT" else echo "has_significant_changes=false" >> "$GITHUB_OUTPUT" diff --git a/.github/workflows/soundness.yml b/.github/workflows/soundness.yml index c1b7b59a..134748e7 100644 
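Review bot: The same `PACKAGE_PATH`, `BASE_REF` and `HEAD_REF` mappings are declared separately on all three steps, and nothing records why the scripts no longer use the expressions directly. `github.head_ref` is chosen by the pull-request author, so a later edit that puts `${{ github.head_ref }}` back into a `run:` body would reintroduce the injection. A comment above the first `env:` such as `# Expressions are passed via env so PR-controlled values never become script text.` makes that intent explicit. Declaring the three variables once in a job-level `env:` would also remove the duplication, though the job header is outside this hunk.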
--- a/.github/workflows/soundness.yml +++ b/.github/workflows/soundness.yml @@ -132,21 +132,25 @@ jobs: run: git config --global --add safe.directory ${GITHUB_WORKSPACE} - name: Pre-build if: ${{ inputs.linux_pre_build_command }} + # zizmor: ignore[template-injection] run: ${{ inputs.linux_pre_build_command }} - name: Run API breakage check shell: bash + env: + API_BREAKAGE_CHECK_BASELINE: ${{ inputs.api_breakage_check_baseline }} + API_BREAKAGE_CHECK_ALLOWLIST_PATH: ${{ inputs.api_breakage_check_allowlist_path }} run: | - if [[ -z '${{ inputs.api_breakage_check_baseline }}' ]]; then + if [[ -z "${API_BREAKAGE_CHECK_BASELINE}" ]]; then git fetch ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY} ${GITHUB_BASE_REF}:pull-base-ref BASELINE_REF='pull-base-ref' else - BASELINE_REF='${{ inputs.api_breakage_check_baseline }}' + BASELINE_REF="${API_BREAKAGE_CHECK_BASELINE}" fi echo "Using baseline: $BASELINE_REF" - if [[ -z '${{ inputs.api_breakage_check_allowlist_path }}' ]]; then + if [[ -z "${API_BREAKAGE_CHECK_ALLOWLIST_PATH}" ]]; then swift package diagnose-api-breaking-changes "$BASELINE_REF" else - swift package diagnose-api-breaking-changes "$BASELINE_REF" --breakage-allowlist-path '${{ inputs.api_breakage_check_allowlist_path }}' + swift package diagnose-api-breaking-changes "$BASELINE_REF" --breakage-allowlist-path "${API_BREAKAGE_CHECK_ALLOWLIST_PATH}" fi docs-check: @@ -178,11 +182,13 @@ jobs: fi - name: Pre-build if: ${{ inputs.linux_pre_build_command }} + # zizmor: ignore[template-injection] run: ${{ inputs.linux_pre_build_command }} - name: Run documentation check env: ADDITIONAL_DOCC_ARGUMENTS: ${{ inputs.docs_check_additional_arguments }} - run: ${{ steps.script_path.outputs.root }}/.github/workflows/scripts/check-docs.sh + SCRIPT_ROOT: ${{ steps.script_path.outputs.root }} + run: ${SCRIPT_ROOT}/.github/workflows/scripts/check-docs.sh docs-check-macos: name: Documentation check (macOS) 
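Review bot: The `# zizmor: ignore[template-injection]` above `run: ${{ inputs.linux_pre_build_command }}` silences the finding without recording why it is acceptable. The step executes a caller-supplied command by design, so the residual risk lies entirely in what callers pass. I would add a line above the suppression such as `# Caller-supplied command by design; callers must not derive it from PR-controlled data.`. The same bare suppression is added in the docs-check hunk of this file and on the pre-build and build steps throughout swift_package_test.yml.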
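Review bot: `run: ${SCRIPT_ROOT}/.github/workflows/scripts/check-docs.sh` expands the variable unquoted, so a root path containing whitespace would be word-split, and it is inconsistent with the yamllint and flake8 steps later in this file, which use `"${SCRIPT_ROOT}/..."`. Writing `run: "${SCRIPT_ROOT}/..."` would not help, because YAML consumes those quotes. A block scalar keeps them for the shell: `run: |` followed by `"${SCRIPT_ROOT}/.github/workflows/scripts/check-docs.sh"`. The root visible in context is derived from `$GITHUB_WORKSPACE`, so this is a robustness point rather than an exploitable one. It applies equally to the script-invoking `run:` lines in the later soundness.yml hunks (macOS docs check, unacceptable language, license header, broken symlinks, format check).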
@@ -210,7 +216,9 @@ jobs: echo "root=$GITHUB_WORKSPACE/github-workflows" >> $GITHUB_OUTPUT fi - name: Select Xcode - run: echo "DEVELOPER_DIR=/Applications/Xcode_${{ inputs.docs_check_macos_xcode_version }}.app" >> $GITHUB_ENV + env: + XCODE_VERSION: ${{ inputs.docs_check_macos_xcode_version }} + run: echo "DEVELOPER_DIR=/Applications/Xcode_${XCODE_VERSION}.app" >> $GITHUB_ENV - name: Swift version run: xcrun swift --version - name: Clang version @@ -218,7 +226,8 @@ jobs: - name: Run documentation check env: ADDITIONAL_DOCC_ARGUMENTS: ${{ inputs.docs_check_macos_additional_arguments }} - run: ${{ steps.script_path.outputs.root }}/.github/workflows/scripts/check-docs.sh + SCRIPT_ROOT: ${{ steps.script_path.outputs.root }} + run: ${SCRIPT_ROOT}/.github/workflows/scripts/check-docs.sh unacceptable-language-check: name: Unacceptable language check @@ -248,7 +257,8 @@ jobs: - name: Run unacceptable language check env: UNACCEPTABLE_WORD_LIST: ${{ inputs.unacceptable_language_check_word_list}} - run: ${{ steps.script_path.outputs.root }}/.github/workflows/scripts/check-unacceptable-language.sh + SCRIPT_ROOT: ${{ steps.script_path.outputs.root }} + run: ${SCRIPT_ROOT}/.github/workflows/scripts/check-unacceptable-language.sh license-header-check: name: License headers check @@ -278,7 +288,8 @@ jobs: - name: Run license header check env: PROJECT_NAME: ${{ inputs.license_header_check_project_name }} - run: ${{ steps.script_path.outputs.root }}/.github/workflows/scripts/check-license-header.sh + SCRIPT_ROOT: ${{ steps.script_path.outputs.root }} + run: ${SCRIPT_ROOT}/.github/workflows/scripts/check-license-header.sh broken-symlink-check: name: Broken symlinks check 
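Review bot: In the Select Xcode step the value of `XCODE_VERSION` is still written verbatim into `$GITHUB_ENV`, so a value containing a newline would add further variables to the environment of every later step. Moving the expression to `env:` stops shell interpolation but not this env-file injection. If the input is expected to be a plain version string, reject anything else before the `echo`, for example `case "${XCODE_VERSION}" in *$'\n'*) exit 1;; esac`, and quote the target as `>> "$GITHUB_ENV"`.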
@@ -306,7 +317,9 @@ jobs: echo "root=$GITHUB_WORKSPACE/github-workflows" >> $GITHUB_OUTPUT fi - name: Run broken symlinks check - run: ${{ steps.script_path.outputs.root }}/.github/workflows/scripts/check-broken-symlinks.sh + env: + SCRIPT_ROOT: ${{ steps.script_path.outputs.root }} + run: ${SCRIPT_ROOT}/.github/workflows/scripts/check-broken-symlinks.sh format-check: name: Format check @@ -339,7 +352,9 @@ jobs: # https://github.com/actions/checkout/issues/766 run: git config --global --add safe.directory ${GITHUB_WORKSPACE} - name: Run format check - run: ${{ steps.script_path.outputs.root }}/.github/workflows/scripts/check-swift-format.sh + env: + SCRIPT_ROOT: ${{ steps.script_path.outputs.root }} + run: ${SCRIPT_ROOT}/.github/workflows/scripts/check-swift-format.sh shell-check: name: Shell check @@ -390,12 +405,14 @@ jobs: echo "root=$GITHUB_WORKSPACE/github-workflows" >> $GITHUB_OUTPUT fi - name: Run yamllint + env: + SCRIPT_ROOT: ${{ steps.script_path.outputs.root }} run: | which yamllint || (apt -q update && apt install -yq yamllint) cd ${GITHUB_WORKSPACE} if [ ! -f ".yamllint.yml" ]; then echo "Downloading default yamllint config file" - cat ${{ steps.script_path.outputs.root }}/.github/workflows/configs/yamllint.yml > .yamllint.yml + cat "${SCRIPT_ROOT}/.github/workflows/configs/yamllint.yml" > .yamllint.yml fi yamllint --strict --config-file .yamllint.yml . @@ -425,11 +442,13 @@ jobs: echo "root=$GITHUB_WORKSPACE/github-workflows" >> $GITHUB_OUTPUT fi - name: Run flake8 + env: + SCRIPT_ROOT: ${{ steps.script_path.outputs.root }} run: | pip3 install flake8 flake8-import-order cd ${GITHUB_WORKSPACE} if [ ! -f ".flake8" ]; then echo "Downloading default flake8 config file" - cat ${{ steps.script_path.outputs.root }}/.github/workflows/configs/.flake8 > .flake8 + cat "${SCRIPT_ROOT}/.github/workflows/configs/.flake8" > .flake8 fi flake8 
diff --git a/.github/workflows/swift_package_test.yml b/.github/workflows/swift_package_test.yml index e1eb1c32..fe0ab84b 100644 --- a/.github/workflows/swift_package_test.yml +++ b/.github/workflows/swift_package_test.yml @@ -261,8 +261,10 @@ jobs: echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV - name: Set environment variables if: ${{ inputs.macos_env_vars }} + env: + ENV_VARS: ${{ inputs.macos_env_vars }} run: | - for i in "${{ inputs.macos_env_vars }}" + for i in "${ENV_VARS}" do printf "%s\n" $i >> $GITHUB_ENV done @@ -273,8 +275,10 @@ jobs: - name: Clang version run: xcrun clang --version - name: Pre-build + # zizmor: ignore[template-injection] run: ${{ inputs.macos_pre_build_command }} - name: Build / Test + # zizmor: ignore[template-injection] run: ${{ inputs.macos_build_command }} ${{ (contains(matrix.swift_version, 'nightly') && inputs.swift_nightly_flags) || inputs.swift_flags }} timeout-minutes: ${{ inputs.macos_build_timeout }} @@ -299,8 +303,10 @@ jobs: echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV - name: Set environment variables if: ${{ inputs.ios_host_env_vars }} + env: + ENV_VARS: ${{ inputs.ios_host_env_vars }} run: | - for i in "${{ inputs.ios_host_env_vars }}" + for i in "${ENV_VARS}" do printf "%s\n" $i >> $GITHUB_ENV done @@ -310,8 +316,10 @@ jobs: run: | "$(xcrun -f swift)" --version - name: Pre-build + # zizmor: ignore[template-injection] run: ${{ inputs.ios_pre_build_command }} - name: Build + # zizmor: ignore[template-injection] run: ${{ inputs.ios_build_command }} ${{ (contains(matrix.swift_version, 'nightly') && inputs.swift_nightly_flags) || inputs.swift_flags }} timeout-minutes: ${{ inputs.ios_build_timeout }} 
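Review bot: In the Set environment variables step, `for i in "${ENV_VARS}"` runs exactly once and the real splitting happens in the unquoted `$i` passed to `printf`, which also applies pathname expansion, so an entry containing `*` or `?` can be replaced by matching file names before it reaches `$GITHUB_ENV`. Assuming whitespace-separated `NAME=value` pairs are the intended format, adding `set -f` before the loop keeps the splitting and disables the globbing; quoting the target as `>> "$GITHUB_ENV"` is also worth doing. Because the whole input lands in the env file, these inputs should be documented as trusted-caller configuration only. The identical loop is changed in the `ios_host_env_vars` hunk of this file and in every `linux_env_vars` hunk below.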
@@ -385,14 +393,18 @@ jobs: swift /tmp/cross-pr-checkout.swift "${{ github.repository }}" "${{ github.event.number }}" - name: Set environment variables if: ${{ inputs.linux_env_vars }} + env: + ENV_VARS: ${{ inputs.linux_env_vars }} run: | - for i in "${{ inputs.linux_env_vars }}" + for i in "${ENV_VARS}" do printf "%s\n" $i >> $GITHUB_ENV done - name: Pre-build + # zizmor: ignore[template-injection] run: ${{ inputs.linux_pre_build_command }} - name: Build / Test + # zizmor: ignore[template-injection] run: ${{ inputs.linux_build_command }} ${{ (contains(matrix.swift_version, 'nightly') && inputs.swift_nightly_flags) || inputs.swift_flags }} linux-static-sdk-build: @@ -460,16 +472,20 @@ jobs: echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV - name: Set environment variables if: ${{ inputs.linux_env_vars }} + env: + ENV_VARS: ${{ inputs.linux_env_vars }} run: | - for i in "${{ inputs.linux_env_vars }}" + for i in "${ENV_VARS}" do printf "%s\n" $i >> $GITHUB_ENV done - name: Pre-build + # zizmor: ignore[template-injection] run: ${{ inputs.linux_pre_build_command }} - name: Install Static Linux Swift SDK and build env: BUILD_FLAGS: ${{ (contains(matrix.swift_version, 'nightly') && inputs.swift_nightly_flags) || inputs.swift_flags }} + # zizmor: ignore[template-injection] run: | ${{ inputs.linux_static_sdk_pre_build_command }} ${{ steps.script_path.outputs.root }}/.github/workflows/scripts/install-and-build-with-sdk.sh --static --flags="$BUILD_FLAGS" --build-command="${{ inputs.linux_static_sdk_build_command }}" ${{ matrix.swift_version }} 
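Review bot: The suppression added above `run: |` in the Install Static Linux Swift SDK and build step appears to cover the whole script, including `--build-command="${{ inputs.linux_static_sdk_build_command }}"`, `${{ steps.script_path.outputs.root }}` and `${{ matrix.swift_version }}`, none of which need to be expanded into the script text. Only the `${{ inputs.linux_static_sdk_pre_build_command }}` line is a command by design; the build command is an argument value and can follow the existing `BUILD_FLAGS` pattern: add `BUILD_COMMAND: ${{ inputs.linux_static_sdk_build_command }}` under `env:` and pass `--build-command="${BUILD_COMMAND}"`. That also stops a double quote in the input from ending the argument early. The Wasm and Android SDK steps in the following hunks have the same shape.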
@@ -525,16 +541,20 @@ jobs: echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV - name: Set environment variables if: ${{ inputs.linux_env_vars }} + env: + ENV_VARS: ${{ inputs.linux_env_vars }} run: | - for i in "${{ inputs.linux_env_vars }}" + for i in "${ENV_VARS}" do printf "%s\n" $i >> $GITHUB_ENV done - name: Pre-build + # zizmor: ignore[template-injection] run: ${{ inputs.linux_pre_build_command }} - name: Install Swift SDK for Wasm and build env: BUILD_FLAGS: ${{ (contains(matrix.swift_version, 'nightly') && inputs.swift_nightly_flags) || inputs.swift_flags }} + # zizmor: ignore[template-injection] run: | ${{ inputs.wasm_sdk_pre_build_command }} ${{ steps.script_path.outputs.root }}/.github/workflows/scripts/install-and-build-with-sdk.sh --wasm --flags="$BUILD_FLAGS" --build-command="${{ inputs.wasm_sdk_build_command }}" ${{ matrix.swift_version }} @@ -590,16 +610,20 @@ jobs: echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV - name: Set environment variables if: ${{ inputs.linux_env_vars }} + env: + ENV_VARS: ${{ inputs.linux_env_vars }} run: | - for i in "${{ inputs.linux_env_vars }}" + for i in "${ENV_VARS}" do printf "%s\n" $i >> $GITHUB_ENV done - name: Pre-build + # zizmor: ignore[template-injection] run: ${{ inputs.linux_pre_build_command }} - name: Install Swift SDK for Wasm and build env: BUILD_FLAGS: ${{ (contains(matrix.swift_version, 'nightly') && inputs.swift_nightly_flags) || inputs.swift_flags }} + # zizmor: ignore[template-injection] run: | ${{ inputs.wasm_sdk_pre_build_command }} ${{ steps.script_path.outputs.root }}/.github/workflows/scripts/install-and-build-with-sdk.sh --embedded-wasm --flags="$BUILD_FLAGS" ${{ matrix.swift_version }} 
@@ -641,17 +665,21 @@ jobs: echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV - name: Set environment variables if: ${{ inputs.linux_env_vars }} + env: + ENV_VARS: ${{ inputs.linux_env_vars }} run: | - for i in "${{ inputs.linux_env_vars }}" + for i in "${ENV_VARS}" do printf "%s\n" $i >> $GITHUB_ENV done - name: Pre-build + # zizmor: ignore[template-injection] run: ${{ inputs.linux_pre_build_command }} - name: Install Swift SDK for Android and build env: BUILD_FLAGS: ${{ inputs.enable_android_sdk_checks && '--build-tests' || '' }} ${{ (contains(matrix.swift_version, 'nightly') && inputs.swift_nightly_flags) || inputs.swift_flags }} shell: bash + # zizmor: ignore[template-injection] run: | ${{ inputs.android_sdk_pre_build_command }} ${{ steps.script_path.outputs.root }}/.github/workflows/scripts/install-and-build-with-sdk.sh --android --flags="$BUILD_FLAGS" --build-command="${{ inputs.android_sdk_build_command }}" --android-sdk-triple=${{ join(fromJson(inputs.android_sdk_triples), ' --android-sdk-triple=') }} --android-ndk-version="${{ matrix.ndk_version }}" ${{ matrix.swift_version }} @@ -670,6 +698,7 @@ jobs: - name: Install Android Emulator and run tests if: ${{ inputs.enable_android_sdk_checks }} shell: bash + # zizmor: ignore[template-injection] run: | ${{ inputs.android_sdk_pre_build_command }} ${{ steps.script_path.outputs.root }}/.github/workflows/scripts/android/android-emulator-tests.sh --android-sdk-triple=${{ join(fromJson(inputs.android_sdk_triples), ' --android-sdk-triple=') }} 
@@ -714,8 +743,10 @@ jobs: echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf8 -Append - name: Set environment variables if: ${{ inputs.windows_env_vars }} + env: + WINDOWS_ENV_VARS: ${{ inputs.windows_env_vars }} run: | - $lines = "${{ inputs.windows_env_vars }}" -split "`r`n" + $lines = $env:WINDOWS_ENV_VARS -split "`r`n" foreach ($line in $lines) { echo $line | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf8 -Append } @@ -749,6 +780,7 @@ jobs: if: ${{ !inputs.enable_windows_docker }} run: . ${{ steps.script_path.outputs.root }}/.github/workflows/scripts/windows/swift/install-swift-${{ matrix.swift_version }}.ps1 - name: Create test script + # zizmor: ignore[template-injection] run: | mkdir $env:TEMP\test-script echo @'