From df396f9b75c7fe54cbde4d8e9f6f442461ecc7e2 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Thu, 25 Jun 2026 10:24:26 +0200 Subject: [PATCH 1/3] ci: Replace dtolnay/rust-toolchain with rustup command This remediates https://docs.zizmor.sh/audits/#superfluous-actions --- .github/workflows/build_interu.yml | 13 +++++++++---- run-pre-commit/action.yaml | 9 +++++---- run-prek/action.yaml | 9 +++++---- 3 files changed, 19 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build_interu.yml b/.github/workflows/build_interu.yml index 803608e..a7afdd7 100644 --- a/.github/workflows/build_interu.yml +++ b/.github/workflows/build_interu.yml @@ -27,10 +27,15 @@ jobs: with: persist-credentials: false - - uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 - with: - toolchain: ${{ env.RUST_VERSION }} - targets: ${{ inputs.target }} + - name: Setup Rust Toolchain + env: + RUST_TARGETS: ${{ inputs.target }} + shell: bash + # NOTE: target is a comma separated list of targets, which is fine here + # but further down it would break. Maybe we want to validate the target + # input is actually one target (and use the matrix for building multiple + # targets in parallel) + run: rustup toolchain install "${RUST_VERSION}" --target "${RUST_TARGETS}" - name: Build Binary env: diff --git a/run-pre-commit/action.yaml b/run-pre-commit/action.yaml index 386b762..4a07796 100644 --- a/run-pre-commit/action.yaml +++ b/run-pre-commit/action.yaml 
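Review bot: The new `rustup toolchain install` step only installs the toolchain; the replaced dtolnay/rust-toolchain action also made it the active default, so unless a `rust-toolchain.toml` pins the version, the later Build Binary step compiles with whatever toolchain the runner image defaults to rather than `RUST_VERSION`. Consider `run: rustup toolchain install "${RUST_VERSION}" --target "${RUST_TARGETS}" --profile minimal --no-self-update && rustup default "${RUST_VERSION}"` (the profile and self-update flags are what the removed action passed and keep the install small). The in-hunk NOTE about comma-separated targets is worth acting on now: I am not certain rustup accepts a comma list in a single `--target` value, whereas the old action split the list into repeated flags, so validating the input as one target is the safer fix. The Build Binary step and the enclosing job continue outside the hunk.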
@@ -96,11 +96,12 @@ runs: key: rust-toolchains-${{ inputs.rust }}-components-${{ steps.rust-toolchain-cache-key.outputs.RUST_COMPONENTS }} - name: Setup Rust Toolchain - uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 if: ${{ inputs.rust && steps.rust-toolchain-cache.outputs.cache-hit != 'true' }} - with: - toolchain: ${{ inputs.rust }} - components: ${{ inputs.rust-components }} + env: + RUST_TOOLCHAIN_VERSION: ${{ inputs.rust }} + RUST_COMPONENTS: ${{ inputs.rust-components }} + shell: bash + run: rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" --component "${RUST_COMPONENTS}" - name: Setup Rust Cache if: ${{ inputs.rust }} diff --git a/run-prek/action.yaml b/run-prek/action.yaml index 80fc30e..5a51ea8 100644 --- a/run-prek/action.yaml +++ b/run-prek/action.yaml @@ -79,11 +79,12 @@ runs: key: rust-toolchains-${{ inputs.rust }}-components-${{ steps.rust-toolchain-cache-key.outputs.RUST_COMPONENTS }} - name: Setup Rust Toolchain - uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 if: ${{ inputs.rust && steps.rust-toolchain-cache.outputs.cache-hit != 'true' }} - with: - toolchain: ${{ inputs.rust }} - components: ${{ inputs.rust-components }} + env: + RUST_TOOLCHAIN_VERSION: ${{ inputs.rust }} + RUST_COMPONENTS: ${{ inputs.rust-components }} + shell: bash + run: rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" --component "${RUST_COMPONENTS}" - name: Setup Rust Cache if: ${{ inputs.rust }} From d718b3dccc7ae4a569eff44be5d76539d5784a72 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Thu, 25 Jun 2026 10:46:20 +0200 Subject: [PATCH 2/3] ci: Replace softprops/action-gh-release with gh release create command This remediates https://docs.zizmor.sh/audits/#superfluous-actions --- .github/workflows/release_interu.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release_interu.yml b/.github/workflows/release_interu.yml index 908e14c..13a83c6 100644 
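Review bot: `--component "${RUST_COMPONENTS}"` is passed unconditionally, so when `inputs.rust-components` is empty rustup receives an empty component name and the step most likely fails instead of installing a bare toolchain; guard it with `${RUST_COMPONENTS:+--component "${RUST_COMPONENTS}"}`. The identical line in run-prek/action.yaml (hunk @@ -79) has the same issue. As in build_interu.yml, the removed action also set the installed toolchain as the default, which plain `rustup toolchain install` does not, and I am not certain rustup accepts a comma-separated list in one `--component` value (the replaced action split it into repeated flags) — a short run with two components would settle both. The cache steps before and after this one are outside the hunk.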
--- a/.github/workflows/release_interu.yml +++ b/.github/workflows/release_interu.yml @@ -34,6 +34,7 @@ jobs: path: artifacts - name: Upload Release Binary - uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0 - with: - files: artifacts/artifact/* + env: + TAG: ${{ github.ref_name }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: gh release create "$TAG" artifacts/artifact/* From 40cbd19538f763941e385f7b3637c311c3f7226e Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Thu, 25 Jun 2026 16:40:51 +0200 Subject: [PATCH 3/3] ci: Replace GITHUB_ENV usage with GITHUB_OUTPUT This remediates https://docs.zizmor.sh/audits/#github-env --- run-integration-test/action.yaml | 32 ++++++++++++++++---------- send-slack-notification/action.yaml | 35 ++++++++++++++++++----------- 2 files changed, 42 insertions(+), 25 deletions(-) diff --git a/run-integration-test/action.yaml b/run-integration-test/action.yaml index 8b38962..e272e6d 100644 --- a/run-integration-test/action.yaml +++ b/run-integration-test/action.yaml @@ -67,6 +67,7 @@ runs: run: "$GITHUB_ACTION_PATH/../.scripts/actions/install_interu.sh" - name: Extract Test and Instance Configuration + id: extract env: TEST_MODE_INPUT: ${{ inputs.test-mode-input }} TEST_SUITE: ${{ inputs.test-suite }} 
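Review bot: `gh release create "$TAG"` fails when a release for the tag already exists, which happens on a workflow re-run or when the tag was published through the Releases UI, whereas the replaced action uploaded into an existing release. A small guard makes the step idempotent; I would also pass `--generate-notes` (or `--notes`) so non-interactive runs do not depend on gh's defaults, and `--verify-tag` so a wrong ref can never create a new tag. If this job does not check out the repository, gh additionally needs `GH_REPO: ${{ github.repository }}` in `env` to resolve the target repo, and the job needs `contents: write` permission — neither is visible in the hunk. The job body continues outside the hunk.
```yaml
      - name: Upload Release Binary
        # … unchanged: env (TAG, GH_TOKEN) …
        run: |
          if gh release view "$TAG" >/dev/null 2>&1; then
            gh release upload "$TAG" artifacts/artifact/* --clobber
          else
            gh release create "$TAG" artifacts/artifact/* --verify-tag --generate-notes
          fi
```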
@@ -81,19 +82,19 @@ runs: [ -n "${RUNNER_DEBUG+set}" ] && set -x # Generate the cluster name - echo "KUBERNETES_CLUSTER_NAME=integration-test-${GITHUB_REPOSITORY}-${GITHUB_RUN_ID}" | tee -a "$GITHUB_ENV" + echo "KUBERNETES_CLUSTER_NAME=integration-test-${GITHUB_REPOSITORY}-${GITHUB_RUN_ID}" | tee -a "$GITHUB_OUTPUT" - # Run interu to expand parameters into GITHUB_ENV + # Run interu to expand parameters into GITHUB_OUTPUT for use as env vars in later steps. if [ "$TEST_MODE" == "profile" ]; then [ -n "${TEST_SUITE:-}" ] && echo "::warning::The test-suite input is ignored, because a profile is selected." [ -n "${TEST:-}" ] && echo "::warning::The test input is ignored, because a profile is selected." - interu --instances "$GITHUB_ACTION_PATH/instances.yaml" profile "$TEST_MODE_INPUT" --check-test-definitions --output "$GITHUB_ENV" + interu --instances "$GITHUB_ACTION_PATH/instances.yaml" profile "$TEST_MODE_INPUT" --check-test-definitions --output "$GITHUB_OUTPUT" else [ -n "${TEST_SUITE:-}" ] && ARGS+=" --test-suite $TEST_SUITE" [ -n "${TEST:-}" ] && ARGS+=" --test $TEST" - interu --instances "$GITHUB_ACTION_PATH/instances.yaml" custom "$TEST_MODE_INPUT" ${ARGS:-} --output "$GITHUB_ENV" + interu --instances "$GITHUB_ACTION_PATH/instances.yaml" custom "$TEST_MODE_INPUT" ${ARGS:-} --output "$GITHUB_OUTPUT" fi # Install all tools BEFORE creating the cluster, because if some of the tools fail to download 
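Review bot: Moving interu's output from `GITHUB_ENV` to `GITHUB_OUTPUT` changes who can see these values: previously every later step inherited `KUBERNETES_CLUSTER_NAME` and the `INTERU_*` variables from the environment, now only steps that explicitly map `steps.extract.outputs.<NAME>` into `env` receive them. The hunks at @@ -148, @@ -197 and @@ -232 remap the consumers visible in this diff, but any script under `.scripts/` or a cleanup/delete-cluster step that read them implicitly is outside it, so please grep for remaining bare `KUBERNETES_CLUSTER_NAME`, `INTERU_` and `BEKU_TEST_PARALLELISM` references. The swap also assumes interu writes plain `KEY=VALUE` lines, a format `GITHUB_OUTPUT` and `GITHUB_ENV` share, so the `--output` change itself looks fine. The step's `run` script starts before and continues after the hunk.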
@@ -148,19 +149,19 @@ runs: with: # See: https://github.com/replicatedhq/replicated-actions/tree/main/create-cluster#inputs api-token: ${{ inputs.replicated-api-token }} - cluster-name: ${{ env.KUBERNETES_CLUSTER_NAME }} - kubernetes-distribution: ${{ env.INTERU_KUBERNETES_DISTRIBUTION }} - kubernetes-version: ${{ env.INTERU_KUBERNETES_VERSION }} - ttl: ${{ env.INTERU_CLUSTER_TTL }} - node-groups: ${{ env.INTERU_NODE_GROUPS }} + cluster-name: ${{ steps.extract.outputs.KUBERNETES_CLUSTER_NAME }} + kubernetes-distribution: ${{ steps.extract.outputs.INTERU_KUBERNETES_DISTRIBUTION }} + kubernetes-version: ${{ steps.extract.outputs.INTERU_KUBERNETES_VERSION }} + ttl: ${{ steps.extract.outputs.INTERU_CLUSTER_TTL }} + node-groups: ${{ steps.extract.outputs.INTERU_NODE_GROUPS }} # FIXME (@Techassi): Add test-suite and test here tags: | - key: kubernetes-distribution - value: ${{ env.INTERU_KUBERNETES_DISTRIBUTION }} + value: ${{ steps.extract.outputs.INTERU_KUBERNETES_DISTRIBUTION }} - key: triggered-by value: ${{ github.triggering_actor }} - key: test-parallelism - value: "${{ env.BEKU_TEST_PARALLELISM }}" + value: "${{ steps.extract.outputs.BEKU_TEST_PARALLELISM }}" - name: Set Replicated kubeconfig env: @@ -173,6 +174,7 @@ runs: echo "$KUBECONFIG" > ~/.kube/config - name: Extract Operator Name + id: extract env: REPOSITORY: ${{ github.repository }} shell: bash @@ -180,7 +182,7 @@ runs: set -euo pipefail OPERATOR_NAME=$(echo "$REPOSITORY" | cut -d / -f 2 | sed 's/-operator//g') - echo "OPERATOR_NAME=$OPERATOR_NAME" | tee -a "$GITHUB_ENV" + echo "OPERATOR_NAME=$OPERATOR_NAME" | tee -a "$GITHUB_OUTPUT" - name: Install OpenTelemetry Operator shell: bash 
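Review bot: `id: extract` at @@ -173 collides with the `id: extract` given to the Extract Test and Instance Configuration step at @@ -67 in the same composite action; to my knowledge GitHub Actions requires step ids to be unique within a job or composite action and rejects the file, and even if it resolved, `steps.extract.outputs.KUBERNETES_CLUSTER_NAME` in the Apply OpenTelemetry Collectors step at @@ -197 would be ambiguous. Rename the second step, e.g. `id: extract-operator-name`, and point the consumer at @@ -232 to `OPERATOR_NAME: ${{ steps.extract-operator-name.outputs.OPERATOR_NAME }}`. The hunk at @@ -148 reads outputs of the first step and is consistent as written.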
@@ -197,6 +199,11 @@ runs: - name: Apply OpenTelemetry Collectors configurations shell: bash env: + # These are directly used in the script below, but then used by kustomize/replicated/kustomization.yaml + # (configMapGenerator which supplies env vars for the Otel collector config per patch in the same file) + KUBERNETES_CLUSTER_NAME: ${{ steps.extract.outputs.KUBERNETES_CLUSTER_NAME }} + INTERU_KUBERNETES_DISTRIBUTION: ${{ steps.extract.outputs.INTERU_KUBERNETES_DISTRIBUTION }} + INTERU_KUBERNETES_VERSION: ${{ steps.extract.outputs.INTERU_KUBERNETES_VERSION }} GITHUB_TRIGGERED_BY: ${{ github.triggering_actor }} run: | set -euo pipefail @@ -232,6 +239,7 @@ runs: env: REF_NAME: ${{ github.ref_name }} GH_TOKEN: ${{ github.token }} + OPERATOR_NAME: ${{ steps.extract.outputs.OPERATOR_NAME }} shell: bash run: | set -euo pipefail diff --git a/send-slack-notification/action.yaml b/send-slack-notification/action.yaml index 4535ebc..6e0a35e 100644 --- a/send-slack-notification/action.yaml +++ b/send-slack-notification/action.yaml @@ -31,6 +31,7 @@ runs: using: composite steps: - name: Validate Inputs + id: valid_inputs env: NOTIFICATION_TYPE: ${{ inputs.type }} 
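Review bot: The new `id: valid_inputs` uses snake_case while the existing step ids in these actions are kebab-case (`retrieve-slack-thread-id` here, `rust-toolchain-cache` and `rust-toolchain-cache-key` in the other actions); `id: template_variables` at @@ -77 has the same inconsistency. Because outputs are referenced as `steps.<id>.outputs.<NAME>` from several steps, settling on one convention now avoids a multi-step rename later, e.g. `id: validate-inputs` with `steps.validate-inputs.outputs.…` in the consumers. The step's env and script continue outside the hunk.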
@@ -52,22 +53,22 @@ runs: [ -z "${PUBLISH_MANIFESTS_RESULT:-}" ] && echo "The publish-manifests-result input must be provided" && exit 1 [ -z "${BUILD_RESULT:-}" ] && echo "The build-result input must be provided" && exit 1 - echo "PUBLISH_MANIFESTS_RESULT=$PUBLISH_MANIFESTS_RESULT" | tee -a "$GITHUB_ENV" - echo "PUBLISH_HELM_CHART_RESULT=$PUBLISH_HELM_CHART_RESULT" | tee -a "$GITHUB_ENV" - echo "BUILD_RESULT=$BUILD_RESULT" | tee -a "$GITHUB_ENV" + echo "PUBLISH_MANIFESTS_RESULT=$PUBLISH_MANIFESTS_RESULT" | tee -a "$GITHUB_OUTPUT" + echo "PUBLISH_HELM_CHART_RESULT=$PUBLISH_HELM_CHART_RESULT" | tee -a "$GITHUB_OUTPUT" + echo "BUILD_RESULT=$BUILD_RESULT" | tee -a "$GITHUB_OUTPUT" elif [ "$NOTIFICATION_TYPE" == "integration-test" ]; then [ -z "${TEST_RESULT:-}" ] && echo "The test-result input must be provided" && exit 1 [ -z "${TEST_HEALTH:-}" ] && echo "The test-health input must be provided" && exit 1 - echo "FAILED_TESTS=${FAILED_TESTS:-No failed tests}" | tee -a "$GITHUB_ENV" - echo "TEST_RESULT=$TEST_RESULT" | tee -a "$GITHUB_ENV" - echo "TEST_HEALTH=$TEST_HEALTH" | tee -a "$GITHUB_ENV" + echo "FAILED_TESTS=${FAILED_TESTS:-No failed tests}" | tee -a "$GITHUB_OUTPUT" + echo "TEST_RESULT=$TEST_RESULT" | tee -a "$GITHUB_OUTPUT" + echo "TEST_HEALTH=$TEST_HEALTH" | tee -a "$GITHUB_OUTPUT" else echo "Supported notification types are: 'container-image-build' and 'integration-test'" exit 1 fi - echo "NOTIFICATION_TYPE=$NOTIFICATION_TYPE" | tee -a "$GITHUB_ENV" + echo "NOTIFICATION_TYPE=$NOTIFICATION_TYPE" | tee -a "$GITHUB_OUTPUT" - name: Retrieve Slack Thread ID id: retrieve-slack-thread-id 
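Review bot: The `echo "KEY=$VALUE" | tee -a "$GITHUB_OUTPUT"` lines keep the single-line file-command form, so a value containing a newline — `FAILED_TESTS` is the likely candidate if it carries a list — would spill its remaining lines into the output file as extra, malformed entries, the same class of problem the linked zizmor audit describes for `GITHUB_ENV`. If any of these inputs can be multi-line, write them with the delimiter form, e.g. `printf 'FAILED_TESTS<<EOF\n%s\nEOF\n' "${FAILED_TESTS:-No failed tests}" >> "$GITHUB_OUTPUT"`, choosing a delimiter the value cannot contain. The `if`/`elif` on `NOTIFICATION_TYPE` starts before the hunk.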
@@ -77,20 +78,28 @@ runs: name: slack-thread-id-${{ github.run_id }} - name: Extract Slack Thread ID into Environment Variable + id: extract if: steps.retrieve-slack-thread-id.outcome == 'success' shell: bash run: | - echo "SLACK_THREAD_ID=$(cat slack-thread-id)" | tee -a "$GITHUB_ENV" + echo "SLACK_THREAD_ID=$(cat slack-thread-id)" | tee -a "$GITHUB_OUTPUT" - name: Provide message template variables + id: template_variables env: + PUBLISH_MANIFESTS_RESULT: ${{ steps.valid_inputs.outputs.PUBLISH_MANIFESTS_RESULT }} + PUBLISH_HELM_CHART_RESULT: ${{ steps.valid_inputs.outputs.PUBLISH_HELM_CHART_RESULT }} + BUILD_RESULT: ${{ steps.valid_inputs.outputs.BUILD_RESULT }} + FAILED_TESTS: ${{ steps.valid_inputs.outputs.FAILED_TESTS }} + TEST_HEALTH: ${{ steps.valid_inputs.outputs.TEST_HEALTH }} + NOTIFICATION_TYPE: ${{ steps.valid_inputs.outputs.NOTIFICATION_TYPE }} GITHUB_RUN_ATTEMPT: ${{ github.run_attempt }} GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_REPOSITORY: ${{ github.repository }} GITHUB_WORKFLOW: ${{ github.workflow }} GITHUB_RUN_ID: ${{ github.run_id }} SLACK_THREAD_YAML: | - ${{ steps.retrieve-slack-thread-id.outcome == 'success' && format('thread_ts: "{0}"', env.SLACK_THREAD_ID) || '' }} + ${{ steps.retrieve-slack-thread-id.outcome == 'success' && format('thread_ts: "{0}"', steps.extract.outputs.SLACK_THREAD_ID) || '' }} CHANNEL_ID: ${{ inputs.channel-id }} MESSAGE_SUBJECT: ${{ inputs.message-subject }} shell: bash @@ -114,7 +123,7 @@ runs: export MESSAGE_TEXT="*$MESSAGE_SUBJECT* $MESSAGE_VERB (attempt $GITHUB_RUN_ATTEMPT)" PAYLOAD=$(envsubst < "${GITHUB_ACTION_PATH}/templates/container-image-build/failure.tpl") - echo -e "PAYLOAD<
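Review bot: The new `env` of the template step maps six of the seven values the validation step writes but not `TEST_RESULT`, which `valid_inputs` emits in the integration-test branch at @@ -52; before this change it reached the step through `GITHUB_ENV`, so if the templates or script use `$TEST_RESULT` it is now empty — add `TEST_RESULT: ${{ steps.valid_inputs.outputs.TEST_RESULT }}` next to `TEST_HEALTH`. Mapping outputs this way also defines every variable as set-but-empty in the branch that does not produce it (e.g. `BUILD_RESULT` for integration-test) where they were previously unset, so any `${VAR+set}`-style checks in the script change meaning while `${VAR:-}` defaults do not. The step name `Extract Slack Thread ID into Environment Variable` is now a misnomer since the value is a step output. The template step's `run` script continues outside the hunk.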