From 9202a617253d2c03a65f3c3cf4ff4f7d10256dd8 Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Wed, 25 Feb 2026 10:59:37 +0200
Subject: [PATCH 1/9] Run zizmor on GitHub Actions via prek
---
.github/workflows/lint.yml | 18 ++++++++++++++++++
.github/zizmor.yml | 7 +++++++
.pre-commit-config.yaml | 10 ++++++++++
3 files changed, 35 insertions(+)
create mode 100644 .github/workflows/lint.yml
create mode 100644 .github/zizmor.yml
create mode 100644 .pre-commit-config.yaml
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
new file mode 100644
index 0000000..efe6e27
--- /dev/null
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,18 @@
+name: Lint
+
+on: [push, pull_request, workflow_dispatch]
+
+permissions: {}
+
+env:
+ FORCE_COLOR: 1
+
+jobs:
+ lint:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
+ - uses: j178/prek-action@v1
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..76557a7
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,7 @@
+# Configuration for the zizmor static analysis tool, run via prek in CI
+# https://woodruffw.github.io/zizmor/configuration/
+rules:
+ unpinned-uses:
+ config:
+ policies:
+ "*": ref-pin
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..a7ce138
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,10 @@
+repos:
+ - repo: https://github.com/woodruffw/zizmor-pre-commit
+ rev: v1.22.0
+ hooks:
+ - id: zizmor
+
+ - repo: meta
+ hooks:
+ - id: check-hooks-apply
+ - id: check-useless-excludes
From b43976ac9a691db4cb41bedacb5e95c18f311ad0 Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Wed, 25 Feb 2026 11:11:36 +0200
Subject: [PATCH 2/9] Fix error[unsound-contains]: unsound contains condition
---
.github/workflows/release.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
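Review bot: The `"*": ref-pin` policy in the new `.github/zizmor.yml` accepts mutable tags, so `actions/checkout@v6` and `j178/prek-action@v1` in lint.yml (and the `docker/*` references at `@v3`/`@v6` in the build-and-push.yml and ci.yml hunks of PATCH 3 and PATCH 5) resolve to whatever those tags point at on the day the job runs. A `hash-pin` policy with a full commit SHA plus a `# vN` comment on each `uses:` is what zizmor applies by default to actions outside the `actions/` namespace, and if the `directory: "/"` entry in `.github/dependabot.yml` (PATCH 6) is the `github-actions` ecosystem — its `package-ecosystem` is not in that hunk — Dependabot would keep the SHAs current. The `rev: v1.22.0` tag in `.pre-commit-config.yaml`, and the tags added in PATCH 9, are the same kind of reference; `pre-commit autoupdate --freeze` rewrites them to commit SHAs. Separately, `on: [push, pull_request, workflow_dispatch]` runs the lint twice for a pull request opened from a branch of this repository, which restricting `push` to `branches: [main]` would avoid.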
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9018abb..78301f6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -18,7 +18,7 @@ run-name: "Release: ${{ inputs.container }}${{ inputs.container == 'devcontainer
 jobs:
 authorize:
 runs-on: ubuntu-latest
- if: contains('["brettcannon", "corona10", "erlend-aasland"]', github.actor)
+ if: contains(fromJSON('["brettcannon", "corona10", "erlend-aasland"]'), github.actor)
 steps:
 - run: echo "Authorized"
From ed9b825d80dbe1dc7b623d2111f3e4e0f33870ab Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Wed, 25 Feb 2026 11:15:43 +0200
Subject: [PATCH 3/9] Fix error[template-injection]: code injection via template expansion
---
.github/workflows/build-and-push.yml | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml
index 48b1e99..e22195b 100644
--- a/.github/workflows/build-and-push.yml
+++ b/.github/workflows/build-and-push.yml
@@ -17,6 +17,8 @@ jobs:
 permissions:
 contents: read
 packages: write
+ env:
+ CONTAINER: ${{ inputs.container }}
 steps:
 - name: Set Calver Date
 run: |
@@ -49,7 +51,7 @@ jobs:
 set -euo pipefail
 # Extract labels from the Dockerfile.
- DOCKERFILE=./${{ inputs.container }}/Dockerfile
+ DOCKERFILE="./${CONTAINER}/Dockerfile"
 # Function to extract a label value.
 extract_label() {
@@ -101,7 +103,7 @@ jobs:
 - name: Build and push
 uses: docker/build-push-action@v6
 with:
- context: ./${{ inputs.container }}
+ context: ./${{ env.CONTAINER }}
 platforms: linux/amd64,linux/arm64
 push: true
 tags: |
From 1cea91a0bac8528cb90604833826dae6905fa63f Mon Sep 17 00:00:00 2001
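Review bot: The `authorize` gate compares only `github.actor`, and GitHub documents that on a re-run `github.actor` stays the original dispatcher while `github.triggering_actor` is whoever started the re-run, so a re-run started by someone outside the list still passes this check. Requiring both contexts closes that gap: `if: contains(fromJSON('[...]'), github.actor) && contains(fromJSON('[...]'), github.triggering_actor)`, with the same three-name list in each call. The gate only protects jobs that declare `needs: authorize`; the publishing jobs are outside this hunk, so that dependency should be confirmed for each of them.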
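Review bot: Routing `inputs.container` through the job-level `CONTAINER` env removes the shell injection in `DOCKERFILE="./${CONTAINER}/Dockerfile"`, but the value still selects a filesystem path there and in `context: ./${{ env.CONTAINER }}`, and the input's declaration is outside this hunk. If `container` is a free-form `string` input rather than `type: choice`, a guard at the top of the script such as `case "$CONTAINER" in <known container dirs>) ;; *) echo "unexpected container: $CONTAINER" >&2; exit 1 ;; esac` fails fast on anything that is not one of the expected directories. If it already is a `choice` input, a one-line comment beside `CONTAINER: ${{ inputs.container }}` saying so tells the next reader why no validation follows.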
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Wed, 25 Feb 2026 11:18:14 +0200
Subject: [PATCH 4/9] Fix warning[excessive-permissions]: overly broad permissions
---
.github/workflows/ci.yml | 2 ++
.github/workflows/release.yml | 2 ++
2 files changed, 4 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index dd248ea..7b06309 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,6 +7,8 @@ on:
 pull_request:
 branches: [main]
+permissions: {}
+
 jobs:
 build_dev_container:
 name: Build and test (Dev container)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 78301f6..405ad83 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -15,6 +15,8 @@ on:
 run-name: "Release: ${{ inputs.container }}${{ inputs.container == 'devcontainer' && ' + wasicontainer' || '' }}"
+permissions: {}
+
 jobs:
 authorize:
 runs-on: ubuntu-latest
From 833d7b5b1d5458b43947093f46e3dd28d283bd29 Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Wed, 25 Feb 2026 11:19:41 +0200
Subject: [PATCH 5/9] Fix help[artipacked]: credential persistence through GitHub Actions artifacts
---
.github/workflows/build-and-push.yml | 2 ++
.github/workflows/ci.yml | 6 ++++++
2 files changed, 8 insertions(+)
diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml
index e22195b..bf57e67 100644
--- a/.github/workflows/build-and-push.yml
+++ b/.github/workflows/build-and-push.yml
@@ -27,6 +27,8 @@ jobs:
 id: version
 - name: Checkout
 uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v3
 - name: Set up Docker Buildx
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7b06309..94bbd49 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
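Review bot: `permissions: {}` at the top of release.yml removes the default `GITHUB_TOKEN` grant from every job in the file, and the jobs that build and push are outside this hunk. If they call build-and-push.yml as a reusable workflow, each calling job now has to grant at least the `contents: read` and `packages: write` that build-and-push.yml's job declares (visible in the context of PATCH 3), because a called workflow can only receive a subset of its caller's permissions; otherwise the push fails at run time rather than at lint time. The ci.yml jobs shown in later hunks only `load:` images locally, so the same change there should need no per-job grants, but the rest of both files should be read before this series merges.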
@@ -23,6 +23,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
 - name: Build Dockerfile
@@ -46,6 +48,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
 - name: Build Dockerfile
@@ -72,6 +76,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
 - name: Build Dockerfile
From 5623a04d6903844994bf365089fca0dd01af150e Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Wed, 25 Feb 2026 11:23:50 +0200
Subject: [PATCH 6/9] Fix warning[dependabot-cooldown]: insufficient cooldown in Dependabot updates
---
.github/dependabot.yml | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 54db000..febda00 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,4 +5,9 @@ updates:
 directory: "/"
 schedule:
 interval: monthly
+ cooldown:
+ # https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns
+ # Cooldowns protect against supply chain attacks by avoiding the
+ # highest-risk window immediately after new releases.
+ default-days: 14
 open-pull-requests-limit: 10
From 0095248b9243b624abe8583be52f572491015142 Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Wed, 25 Feb 2026 11:25:55 +0200
Subject: [PATCH 7/9] Fix help[template-injection]: code injection via template expansion
---
.github/workflows/build-and-push.yml | 6 ++++--
.github/workflows/ci.yml | 6 +++---
2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml
index bf57e67..1d5c6bf 100644
--- a/.github/workflows/build-and-push.yml
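Review bot: The `cooldown` block is attached to a single `updates` entry (the `directory: "/"` one; its `package-ecosystem` is outside the hunk), and Dependabot applies cooldowns per entry, so any other entry in `.github/dependabot.yml` needs its own block or zizmor will keep reporting it. A 14-day `default-days` also holds back every update for that ecosystem, including one you would want promptly; Dependabot's `cooldown` accepts `exclude` and the per-level `semver-major-days`/`semver-minor-days`/`semver-patch-days` keys if that granularity is wanted. As a point of style, the three-line rationale reads more naturally above `cooldown:` than between the key and its only child.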
+++ b/.github/workflows/build-and-push.yml
@@ -49,6 +49,8 @@ jobs:
 # https://specs.opencontainers.org/image-spec/annotations/#pre-defined-annotation-keys
 - name: Extract labels from Dockerfile
 id: labels
+ env:
+ CREATED: ${{ steps.version.outputs.created }}
 run: |
 set -euo pipefail
@@ -84,8 +86,8 @@ jobs:
 documentation=$(extract_label "documentation")
 # Get dynamic values from earlier steps.
- created="${{ steps.version.outputs.created }}"
- revision="${{ github.sha }}"
+ created="$CREATED"
+ revision="$GITHUB_SHA"
 # Build annotations string.
 annotations=""
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 94bbd49..183debb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -34,7 +34,7 @@ jobs:
 load: true
 tags: ${{ env.TAG }}
 - name: Test clang
- run: docker run --rm ${{ env.TAG }} clang --version
+ run: docker run --rm "$TAG" clang --version
 build_wasi_container:
 name: Build and test (WASI container)
@@ -59,9 +59,9 @@ jobs:
 load: true
 tags: ${{ env.TAG }}
 - name: Test WASI SDK
- run: docker run --rm ${{ env.TAG }} /opt/wasi-sdk/bin/clang --version
+ run: docker run --rm "$TAG" /opt/wasi-sdk/bin/clang --version
 - name: Test Wasmtime
- run: docker run --rm ${{ env.TAG }} wasmtime --version
+ run: docker run --rm "$TAG" wasmtime --version
 build_autoconf:
 name: Build and test (Autoconf)
From 8b6854cb7ea66be12e2dc323b235e96dd2fc9105 Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Wed, 25 Feb 2026 11:27:50 +0200
Subject: [PATCH 8/9] Ignore env.CONTAINER in 'with', cannot use shell variable here
---
.github/zizmor.yml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
index 76557a7..50a0673 100644
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -1,6 +1,9 @@
 # Configuration for the zizmor static analysis tool, run via prek in CI
 # https://woodruffw.github.io/zizmor/configuration/
 rules:
+ template-injection:
+ ignore:
+ - build-and-push.yml:108
 unpinned-uses:
 config:
 policies:
From 8a46abcb93d26e9b44921e93584e035570db8050 Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Wed, 25 Feb 2026 11:37:53 +0200
Subject: [PATCH 9/9] Add and fix more linting
---
.github/workflows/build-and-push.yml | 6 +++---
.github/workflows/ci.yml | 2 +-
.pre-commit-config.yaml | 22 ++++++++++++++++++++++
autoconf/ax_c_float_words_bigendian.diff | 12 ++++++------
autoconf/config.sub.patch | 11 +++++------
5 files changed, 37 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml
index 1d5c6bf..29ccb71 100644
--- a/.github/workflows/build-and-push.yml
+++ b/.github/workflows/build-and-push.yml
@@ -22,8 +22,8 @@ jobs:
 steps:
 - name: Set Calver Date
 run: |
- echo "builddate=$(date +'%Y.%m.%d')" >> $GITHUB_OUTPUT
- echo "created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
+ echo "builddate=$(date +'%Y.%m.%d')" >> "$GITHUB_OUTPUT"
+ echo "created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> "$GITHUB_OUTPUT"
 id: version
 - name: Checkout
 uses: actions/checkout@v6
@@ -103,7 +103,7 @@ jobs:
 add_annotation "revision" "$revision"
 # Output the complete annotations string.
- echo "annotations=$annotations" >> $GITHUB_OUTPUT
+ echo "annotations=$annotations" >> "$GITHUB_OUTPUT"
 - name: Build and push
 uses: docker/build-push-action@v6
 with:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 183debb..1fb7f6d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -88,4 +88,4 @@ jobs:
 load: true
 tags: ${{ env.TAG }}
 - name: Test
- run: docker run --rm $TAG autoconf --version | grep ${{ matrix.autoconf_version }}
+ run: docker run --rm "$TAG" autoconf --version | grep ${{ matrix.autoconf_version }}
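Review bot: `ignore:` / `- build-and-push.yml:108` ties the suppression to a line number, which silently stops matching — or starts hiding an unrelated finding — the next time anything above line 108 of that file changes; the hunk headers of PATCH 5 and PATCH 7 show that region shifting twice within this very series. zizmor also honours an inline `# zizmor: ignore[template-injection]` comment on the flagged line, so `context: ./${{ env.CONTAINER }}  # zizmor: ignore[template-injection]` keeps the suppression attached to the code it concerns. If the config form is kept, add a comment above the entry carrying the reason from this commit's subject, e.g. `# env.CONTAINER feeds an action input, not a shell; shell variables are unavailable in 'with'`.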
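Review bot: The `Test` step in the ci.yml hunk still expands `${{ matrix.autoconf_version }}` into the shell line and hands it to `grep` unquoted and as a regular expression, so (constructed example) a version `2.72` would also match `2x72`; the matrix is author-controlled, so this is consistency rather than injection, but the `$TAG`/`$CREATED` pattern adopted in PATCH 7 applies here too. Move it to a step `env:` and match literally: `env:` / `AUTOCONF_VERSION: ${{ matrix.autoconf_version }}` / `run: docker run --rm "$TAG" autoconf --version | grep -F "$AUTOCONF_VERSION"`. The `"$GITHUB_OUTPUT"` quoting in the build-and-push.yml hunks above is fine as written.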
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index a7ce138..e5e5921 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,4 +1,26 @@
 repos:
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v6.0.0
+ hooks:
+ - id: check-added-large-files
+ - id: check-case-conflict
+ - id: check-merge-conflict
+ - id: check-yaml
+ - id: end-of-file-fixer
+ - id: forbid-submodules
+ - id: trailing-whitespace
+
+ - repo: https://github.com/python-jsonschema/check-jsonschema
+ rev: 0.36.2
+ hooks:
+ - id: check-dependabot
+ - id: check-github-workflows
+
+ - repo: https://github.com/rhysd/actionlint
+ rev: v1.7.11
+ hooks:
+ - id: actionlint
+
 - repo: https://github.com/woodruffw/zizmor-pre-commit
 rev: v1.22.0
 hooks:
diff --git a/autoconf/ax_c_float_words_bigendian.diff b/autoconf/ax_c_float_words_bigendian.diff
index 409f1ee..b1f11fa 100644
--- a/autoconf/ax_c_float_words_bigendian.diff
+++ b/autoconf/ax_c_float_words_bigendian.diff
@@ -56,14 +56,14 @@ index 216b90d8..52036844 100644 # permitted in any medium without royalty provided the copyright notice # and this notice are preserved. This file is offered as-is, without any # warranty. - + -#serial 11 +#serial 14 - + AC_DEFUN([AX_C_FLOAT_WORDS_BIGENDIAN], [AC_CACHE_CHECK(whether float word ordering is bigendian, ax_cv_c_float_words_bigendian, [ - + ax_cv_c_float_words_bigendian=unknown -AC_COMPILE_IFELSE([AC_LANG_SOURCE([[ +AC_LINK_IFELSE([AC_LANG_SOURCE([[
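Review bot: `trailing-whitespace` and `end-of-file-fixer` are enabled for the whole tree, and the `autoconf/ax_c_float_words_bigendian.diff` and `autoconf/config.sub.patch` hunks in this same commit are the visible effect: the paired `- ` / `+` lines there are blank context lines of the vendored patches losing their leading space, and the final `-- ` signature line losing its trailing space. Those files are meant to be applied verbatim (how the Dockerfiles apply them is not visible here), and not every `patch` implementation accepts a hunk line with no leading marker, so either exclude them — `- id: trailing-whitespace` followed by `exclude: '\.(diff|patch)$'`, and the same for `end-of-file-fixer` — or confirm the image builds still apply them after this rewrite. A short comment on the exclusion saying the files are vendored patches would stop the next contributor from removing it.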
@@ -71,16 +71,16 @@ index 216b90d8..52036844 100644 +#include + +static double m[] = {9.090423496703681e+223, 0.0}; - + -double d = 90904234967036810337470478905505011476211692735615632014797120844053488865816695273723469097858056257517020191247487429516932130503560650002327564517570778480236724525140520121371739201496540132640109977779420565776568942592.0; +int main (int argc, char *argv[]) +{ + m[atoi (argv[1])] += atof (argv[2]); + return m[atoi (argv[3])] > 0.0; +} - + ]])], [ - + -if grep noonsees conftest.$ac_objext >/dev/null ; then +if grep noonsees conftest* > /dev/null ; then ax_cv_c_float_words_bigendian=yes diff --git a/autoconf/config.sub.patch b/autoconf/config.sub.patch index 3cbd448..cfea997 100644 --- a/autoconf/config.sub.patch +++ b/autoconf/config.sub.patch @@ -33,12 +33,12 @@ index 4aaae46..335706d 100755 --- a/config.sub +++ b/config.sub @@ -4,7 +4,7 @@ - + # shellcheck disable=SC2006,SC2268,SC2162 # see below for rationale - + -timestamp='2024-05-27' +timestamp='2025-01-06' - + # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -1194,7 +1194,7 @@ case $cpu-$vendor in @@ -49,7 +49,7 @@ index 4aaae46..335706d 100755 + arm64-* | aarch64le-* | arm64_32-*) cpu=aarch64 ;; - + @@ -2249,6 +2249,8 @@ case $kernel-$os-$obj in ;; *-eabi*- | *-gnueabi*-) @@ -59,6 +59,5 @@ index 4aaae46..335706d 100755 none--*) # None (no kernel, i.e. freestanding / bare metal), # can be paired with an machine code file format --- +-- 2.47.1 -