From 4bd3d412f6f35626cd99ad993c6a54b075438ebb Mon Sep 17 00:00:00 2001
From: Samuel Attard
Date: Wed, 8 Apr 2026 16:30:18 -0700
Subject: [PATCH 1/2] ci: use only first-party actions and bump to latest pinned SHAs

Replaces softprops/action-gh-release with the preinstalled gh CLI: matrix build jobs now upload via actions/upload-artifact, and a single release job downloads all artifacts and runs gh release create once, avoiding the create-race the matrix had.

Bumps actions/checkout to v6.0.2, actions/setup-go to v6.4.0, and adds actions/upload-artifact v7.0.0 and actions/download-artifact v8.0.1, all pinned to commit SHAs.
---
 .github/workflows/release.yml | 40 ++++++++++++++++++++++++++---------
 1 file changed, 30 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2fc825d..d88bf96 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -19,14 +19,17 @@ jobs:
             goarch: amd64
           - goos: windows
             goarch: arm64
+    env:
+      GOOS: ${{ matrix.goos }}
+      GOARCH: ${{ matrix.goarch }}
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           submodules: true
 
       - name: Set up Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version-file: vendor/build/siso/go.mod
           cache-dependency-path: vendor/build/siso/go.sum
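Review bot: Moving `GOOS`/`GOARCH` from the Build step up to job-level `env:` exposes the cross-compilation target to every step of the build job, including `script/apply-patches`, which previously ran with the runner's native target. If apply-patches runs any `go run` or `go generate` (the script is not visible here, so this is inferred), those helper tools will now be built for the matrix target and fail to execute on a foreign GOOS/GOARCH. If that turns out to be the case, keep the job-level env for the Checksum step's `${GOOS}`/`${GOARCH}` expansion and override it on the Apply patches step with `env:` / `GOOS: ""` / `GOARCH: ""`, which Go treats as the host default. The `build:` job header and its `matrix.include` list start above the hunk.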
@@ -35,18 +38,35 @@ jobs:
         run: script/apply-patches
 
       - name: Build
-        env:
-          GOOS: ${{ matrix.goos }}
-          GOARCH: ${{ matrix.goarch }}
         run: script/build
 
       - name: Checksum
         run: |
           cd out
-          sha256sum siso-${{ matrix.goos }}-${{ matrix.goarch }}* > siso-${{ matrix.goos }}-${{ matrix.goarch }}.sha256
+          sha256sum "siso-${GOOS}-${GOARCH}"* > "siso-${GOOS}-${GOARCH}.sha256"
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: siso-${{ matrix.goos }}-${{ matrix.goarch }}
+          path: out/siso-${{ matrix.goos }}-${{ matrix.goarch }}*
+          if-no-files-found: error
 
-      - name: Upload release assets
-        uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2.3.2
+  release:
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
-          files: |
-            out/siso-${{ matrix.goos }}-${{ matrix.goarch }}*
+          path: dist
+          merge-multiple: true
+
+      - name: Create release
+        env:
+          GH_TOKEN: ${{ github.token }}
+          GH_REPO: ${{ github.repository }}
+          TAG: ${{ github.ref_name }}
+        run: |
+          ls -la dist/
+          gh release create "$TAG" --verify-tag --title "$TAG" --generate-notes dist/*

From 3e8a63a536d061384456435dba36145b1878a739 Mon Sep 17 00:00:00 2001
From: Samuel Attard
Date: Wed, 8 Apr 2026 16:34:20 -0700
Subject: [PATCH 2/2] ci: fix zizmor findings

- Scope contents: write to the release job only; build job gets read
- Set persist-credentials: false on checkout
- Disable setup-go module caching on the release workflow
---
 .github/workflows/release.yml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d88bf96..8e4c8f2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
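Review bot: The Create release step publishes everything under `dist/` without checking the downloaded binaries against the `.sha256` files that travelled with them, so an artifact corrupted or swapped between the build and release jobs would be released together with a checksum that does not verify for users. Because the Checksum step writes bare file names relative to `out`, and `merge-multiple: true` flattens every artifact into `dist`, the verification is a single line before the create: `(cd dist && sha256sum -c -- *.sha256)`, which also fails loudly when no checksum files were downloaded at all. `ls -la dist/` is diagnostic only and succeeds on an empty directory; an unexpanded `dist/*` would still make `gh release create` fail, but the explicit check makes that failure mode obvious in the log. Note that re-running the workflow for a tag that already has a release will also fail at `gh release create`; that is the safe outcome, but a one-line comment on the step saying so would save the next maintainer a search.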
@@ -5,11 +5,12 @@ on:
     tags:
       - 'v*'
 
-permissions:
-  contents: write
+permissions: {}
 
 jobs:
   build:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
@@ -27,12 +28,13 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           submodules: true
+          persist-credentials: false
 
       - name: Set up Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version-file: vendor/build/siso/go.mod
-          cache-dependency-path: vendor/build/siso/go.sum
+          cache: false
 
       - name: Apply patches
         run: script/apply-patches
@@ -54,6 +56,8 @@ jobs:
 
   release:
     needs: build
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     steps:
      - name: Download artifacts
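Review bot: `persist-credentials: false` on the Checkout step removes the token from the checked-out tree once the step finishes, so any later `git` network operation in `script/apply-patches` or `script/build` (for example a `git submodule update` or `git fetch` against a private remote) will no longer authenticate; the submodules fetched by the Checkout step itself are unaffected because `submodules: true` runs while the token is still present. The scripts are not visible here, so this is worth confirming rather than assuming they only operate on the already-fetched tree. If one of them does need network access, the fix is to pass a scoped token to that step explicitly via `env:` rather than to re-enable credential persistence on the checkout. The build job's `steps:` list begins above this hunk.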