Skip to content

chore(ci): address lint findings in release workflow #15167

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(ci): address lint findings in release workflow #15167

wants to merge 1 commit into from
+32 −14

Conversation

woodruffw
Copy link
Member

Summary

This should be the last of the main linting changes; with this, there will be no more non-pedantic zizmor findings.

Test Plan

See what happens in CI. I'll also and manually dispatch a dry-run.

@woodruffw woodruffw requested review from zanieb and konstin August 8, 2025 14:36
@woodruffw woodruffw added the internal A refactor or improvement that is not user-facing label Aug 8, 2025
@woodruffw
Copy link
Member Author

Oh hm. I guess I need to update cargo-dist itself for this?

@woodruffw woodruffw temporarily deployed to uv-test-registries August 8, 2025 14:37 — with GitHub Actions Inactive
@zanieb
Copy link
Member

zanieb commented Aug 8, 2025

cc @Gankra

konstin
konstin reviewed Aug 8, 2025
View reviewed changes
.github/workflows/release.yml
@@ -15,8 +15,7 @@
# title/body based on your changelogs.

name: Release
permissions:
"contents": "write"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

iirc those are actually used, we're pushing a tag and creating a release

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

iirc those are actually used, we're pushing a tag and creating a release

Oh hmm, I thought each job had its permissions explicitly set already but I see I missed announce. I'll fix this.

@konstin
Copy link
Member

konstin commented Aug 8, 2025

The cargo-dist workflow is generated from https://github.com/astral-sh/cargo-dist/blob/622170f09a1521bc0782332317076e4805737cef/cargo-dist/templates/ci/github/release.yml.j2, where we can update it.

@woodruffw
Copy link
Member Author

The cargo-dist workflow is generated from astral-sh/cargo-dist@622170f/cargo-dist/templates/ci/github/release.yml.j2, where we can update it.

Ah, this looks like it's architecturally non-trivial to fix: looks like cargo-dist favors reusable workflows and doesn't have a view of which exact secrets a given reusable workflow needs, so it shares all of them with secrets: inherit:

https://github.com/astral-sh/cargo-dist/blob/622170f09a1521bc0782332317076e4805737cef/cargo-dist/templates/ci/github/release.yml.j2#L478

This makes sense as a constraint there, but it also means that I can't remediate these directly. I'm inclined to WONTFIX them for now, since handling secret inheritance with full generality in cargo-dist seems complicated 🙂

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@konstin konstin konstin left review comments

@zanieb zanieb Awaiting requested review from zanieb

Assignees
No one assigned
Labels
internal A refactor or improvement that is not user-facing
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@woodruffw @zanieb @konstin