aboutsummaryrefslogtreecommitdiffstats
path: root/.github/workflows/profile-checks.yml
Commit message (Collapse)AuthorAge
* ci: rename profile-checks.yml to check-profiles.ymlLibravatar Kelvin M. Klann2023-08-20
|
* ci: use path whitelists instead of blacklistsLibravatar Kelvin M. Klann2023-08-20
| | | | | | | | | | That is, replace `paths-ignore` with `paths`. This should reduce the number of unnecessary workflow executions and the frequency at which paths are changed. It also reduces the overall number of paths used. Also, add the missing ci/printenv.sh to the path whitelists.
* build(deps): bump step-security/harden-runner from 2.5.0 to 2.5.1Libravatar Varun Sharma2023-08-12
| | | | Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>
* build(deps): bump step-security/harden-runner from 2.4.1 to 2.5.0Libravatar dependabot[bot]2023-07-31
| | | | | | | | | | | | | | Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.4.1 to 2.5.0. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/55d479fb1c5bcad5a4f9099a5d9f37c8857b2845...cba0d00b1fc9a034e1e642ea0f1103c282990604) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump step-security/harden-runner from 2.4.0 to 2.4.1Libravatar dependabot[bot]2023-06-26
| | | | | | | | | | | | | | Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.4.0 to 2.4.1. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/128a63446a954579617e875aaab7d2978154e969...55d479fb1c5bcad5a4f9099a5d9f37c8857b2845) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump actions/checkout from 3.5.2 to 3.5.3Libravatar dependabot[bot]2023-06-19
| | | | | | | | | | | | | | | Bumps [actions/checkout](https://github.com/actions/checkout) from 3.5.2 to 3.5.3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/8e5e7e5ab8b370d6c329ec480221332ada57f0ab...c85c95e3d7251135ab7dc9ce3241c5835cc595a9) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump step-security/harden-runner from 2.3.1 to 2.4.0Libravatar dependabot[bot]2023-05-08
| | | | | | | | | | | | | | Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.3.1 to 2.4.0. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/6b3083af2869dc3314a0257a42f4af696cc79ba3...128a63446a954579617e875aaab7d2978154e969) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
* ci: run for every branch instead of just masterLibravatar Kelvin M. Klann2023-05-03
| | | | | | | | | Having CI always run on WIP branches without having to open a PR beforehand makes it easier to debug CI issues. GitHub currently does not have any apparent limit for CI runs and there are no project-specific secrets as far as I know, so it should be safe to remove these restrictions.
* ci: print env-related settings in each jobLibravatar Kelvin M. Klann2023-04-28
| | | | | | | To make debugging easier. Use a separate shell script instead of just a make target to ensure that it can safely run before ./configure and without having make installed.
* ci: print some program versionsLibravatar Kelvin M. Klann2023-04-28
| | | | To make debugging easier.
* ci: line-wrap and split/join some commandsLibravatar Kelvin M. Klann2023-04-24
| | | | | | | | | | | For increased readability. Note: `>` basically turns each newline into a space while `|` keeps newlines as is. Both remove leading indentation. Note2: On jobs using `apt-get install`, this commit moves package names to their own line, to make it easier to compare which packages are being installed across such jobs.
* build(deps): bump step-security/harden-runner from 2.3.0 to 2.3.1Libravatar dependabot[bot]2023-04-25
| | | | | | | | | | | | | | Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.3.0 to 2.3.1. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/03bee3930647ebbf994244c21ddbc0d4933aab4f...6b3083af2869dc3314a0257a42f4af696cc79ba3) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump actions/checkout from 3.5.0 to 3.5.2Libravatar dependabot[bot]2023-04-17
| | | | | | | | | | | | | | | Bumps [actions/checkout](https://github.com/actions/checkout) from 3.5.0 to 3.5.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/8f4b7f84864484a7bf31766abe9204da3cbe65b3...8e5e7e5ab8b370d6c329ec480221332ada57f0ab) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump step-security/harden-runner from 2.2.1 to 2.3.0Libravatar dependabot[bot]2023-04-10
| | | | | | | | | | | | | | Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.2.1 to 2.3.0. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/1f99358870fe1c846a3ccba386cc2b2246836776...03bee3930647ebbf994244c21ddbc0d4933aab4f) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump actions/checkout from 3.4.0 to 3.5.0Libravatar dependabot[bot]2023-03-27
| | | | | | | | | | | | | | | Bumps [actions/checkout](https://github.com/actions/checkout) from 3.4.0 to 3.5.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/24cb9080177205b6e8c946b17badbe402adc938f...8f4b7f84864484a7bf31766abe9204da3cbe65b3) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump actions/checkout from 3.3.0 to 3.4.0Libravatar dependabot[bot]2023-03-20
| | | | | | | | | | | | | | | Bumps [actions/checkout](https://github.com/actions/checkout) from 3.3.0 to 3.4.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/ac593985615ec2ede58e132d2e21d2b1cbd6127c...24cb9080177205b6e8c946b17badbe402adc938f) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump step-security/harden-runner from 2.2.0 to 2.2.1Libravatar dependabot[bot]2023-03-13
| | | | | | | | | | | | | | Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.2.0 to 2.2.1. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/c8454efe5d0bdefd25384362fe217428ca277d57...1f99358870fe1c846a3ccba386cc2b2246836776) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump step-security/harden-runner from 2.1.0 to 2.2.0Libravatar dependabot[bot]2023-02-27
| | | | | | | | | | | | | | Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.1.0 to 2.2.0. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/18bf8ad2ca49c14cbb28b91346d626ccfb00c518...c8454efe5d0bdefd25384362fe217428ca277d57) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
* merges, disable sort.py in profile checks temporarely, two more private-etc ↵Libravatar netblue302023-02-14
| | | | profiles
* ci: profile-checks: comment private-etc-always-required.shLibravatar Kelvin M. Klann2023-01-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | This check was broken by commit 34d004892 ("private-etc: corss-distro test for curl, gimp, inkscape, firefox, warzone2100", 2023-01-28). private-etc is currently being reworked and the files in question may no longer be required. Output of running the check: $ ./ci/check/profiles/private-etc-always-required.sh etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile etc/profile-a-l/curl.profile misses alternatives etc/profile-a-l/curl.profile misses ld.so.cache etc/profile-a-l/curl.profile misses ld.so.preload etc/profile-a-l/firefox-common.profile misses alternatives etc/profile-a-l/firefox-common.profile misses ld.so.cache etc/profile-a-l/firefox-common.profile misses ld.so.preload etc/profile-a-l/gimp.profile misses alternatives etc/profile-a-l/gimp.profile misses ld.so.cache etc/profile-a-l/gimp.profile misses ld.so.preload etc/profile-a-l/inkscape.profile misses alternatives etc/profile-a-l/inkscape.profile misses ld.so.cache etc/profile-a-l/inkscape.profile misses ld.so.preload etc/profile-m-z/warzone2100.profile misses alternatives etc/profile-m-z/warzone2100.profile misses ld.so.cache etc/profile-m-z/warzone2100.profile misses ld.so.preload Relates to #4643 #5610.
* build(deps): bump step-security/harden-runner from 2.0.0 to 2.1.0Libravatar dependabot[bot]2023-01-17
| | | | | | | | | | | | | | Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.0.0 to 2.1.0. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5...18bf8ad2ca49c14cbb28b91346d626ccfb00c518) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump actions/checkout from 3.2.0 to 3.3.0Libravatar dependabot[bot]2023-01-09
| | | | | | | | | | | | | | | Bumps [actions/checkout](https://github.com/actions/checkout) from 3.2.0 to 3.3.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/755da8c3cf115ac066823e79a1e1788f8940201b...ac593985615ec2ede58e132d2e21d2b1cbd6127c) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump actions/checkout from 3.1.0 to 3.2.0Libravatar dependabot[bot]2022-12-19
| | | | | | | | | | | | | | | Bumps [actions/checkout](https://github.com/actions/checkout) from 3.1.0 to 3.2.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8...755da8c3cf115ac066823e79a1e1788f8940201b) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
* profile-checks.yml: sort paths-ignoreLibravatar Kelvin M. Klann2022-11-27
| | | | | See commit 9bf5e453c ("ci: sort items on paths-ignore lists", 2022-07-12) / PR #5481 for details.
* Run profile-ckeck on workflow editsLibravatar rusty-snake2022-11-27
|
* Workflows: Change egress-policy to block (#5485)Libravatar rusty-snake2022-11-27
|
* Workflows: Change egress-policy to blockLibravatar rusty-snake2022-11-26
|
* ci: sort items on paths-ignore listsLibravatar Kelvin M. Klann2022-11-24
| | | | | | | | | | | | | Leave quotes only on paths with wildcards so that they are sorted before normal paths, then sort everything. Note that in the current workflow files, ignored directories always use wildcards, so this also ensures that ignored directories (along with all other paths with wildcards) are always listed before ignored files (similarly to `--group-directories-first` in GNU `ls`). This order is similar to the one on .github/workflows/profile-checks.yml.
* build(deps): bump step-security/harden-runner from 1.5.0 to 2.0.0dependabot/github_actions/step-security/harden-runner-2.0.0Libravatar dependabot[bot]2022-11-14
| | | | | | | | | | | | | | Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 1.5.0 to 2.0.0. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/2e205a28d0e1da00c5f53b161f4067b052c61f34...ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
* [StepSecurity] ci: Harden GitHub ActionsLibravatar StepSecurity Bot2022-10-31
| | | Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
* build(deps): bump actions/checkout from 3.0.2 to 3.1.0Libravatar dependabot[bot]2022-10-10
| | | | | | | | | | | | | | | Bumps [actions/checkout](https://github.com/actions/checkout) from 3.0.2 to 3.1.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/2541b1294d2704b0964813337f33b291d3f8596b...93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
* CI: bump ubuntu to 22.04 and use newer compilers / analyzersLibravatar Reiner Herrmann2022-07-30
|
* build(deps): bump actions/checkout from 3.0.1 to 3.0.2Libravatar dependabot[bot]2022-04-25
| | | | | | | | | | | | | | | Bumps [actions/checkout](https://github.com/actions/checkout) from 3.0.1 to 3.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/dcd71f646680f2efd8db4afa5ad64fdcba30e748...2541b1294d2704b0964813337f33b291d3f8596b) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump actions/checkout from 3.0.0 to 3.0.1Libravatar dependabot[bot]2022-04-18
| | | | | | | | | | | | | | | Bumps [actions/checkout](https://github.com/actions/checkout) from 3.0.0 to 3.0.1. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/a12a3943b4bdde767164f792f33f40b04645d846...dcd71f646680f2efd8db4afa5ad64fdcba30e748) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
* Bump actions/checkout from 2.4.0 to 3Libravatar dependabot[bot]2022-03-08
| | | | | | | | | | | | | | | Bumps [actions/checkout](https://github.com/actions/checkout) from 2.4.0 to 3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/ec3a7ce113134d7a93b817d10a8272cb61118579...a12a3943b4bdde767164f792f33f40b04645d846) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
* CI: pin GitHub actions to SHAsLibravatar Topi Miettinen2021-12-26
| | | | | | Pinning actions to SHAs instead of versions improves the supply chain security: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
* Add Profile ChecksLibravatar rusty-snake2021-10-29
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-07-20 04:24:57 +0000