ci: harden with zizmor

See https://woodruffw.github.io/zizmor/audits/
Donovan Glover 2025-03-31 00:15:28 -04:00
parent b2448aa62b
commit 5f55ae956e
No known key found for this signature in database
GPG Key ID: EA7408A77AE1BE65


@ -6,12 +6,16 @@ on:
pull_request: pull_request:
branches: [ master ] branches: [ master ]
permissions: {}
jobs: jobs:
build: build:
name: nix build packages/*.nix name: nix build packages/*.nix
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with:
persist-credentials: false
- uses: cachix/install-nix-action@v27 - uses: cachix/install-nix-action@v27
- run: basename -s .nix packages/* | sed 's/.*/.#&/' | xargs nix build - run: basename -s .nix packages/* | sed 's/.*/.#&/' | xargs nix build
test: test:
@ -19,6 +23,8 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with:
persist-credentials: false
- uses: cachix/install-nix-action@v27 - uses: cachix/install-nix-action@v27
with: with:
extra_nix_config: "extra-platforms = aarch64-linux" extra_nix_config: "extra-platforms = aarch64-linux"
@ -28,6 +34,8 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with:
persist-credentials: false
- uses: cachix/install-nix-action@v27 - uses: cachix/install-nix-action@v27
- run: nix fmt -- --check **/*.nix - run: nix fmt -- --check **/*.nix
example: example:
@ -35,6 +43,8 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with:
persist-credentials: false
- uses: cachix/install-nix-action@v27 - uses: cachix/install-nix-action@v27
- run: cp ./hosts/laptop/hardware-configuration.nix ./example/hardware-configuration.nix - run: cp ./hosts/laptop/hardware-configuration.nix ./example/hardware-configuration.nix
- run: git add . - run: git add .
@ -44,6 +54,8 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with:
persist-credentials: false
- uses: cachix/install-nix-action@v27 - uses: cachix/install-nix-action@v27
- run: nix run nixpkgs#statix check - run: nix run nixpkgs#statix check
nixd: nixd:
@ -51,5 +63,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with:
persist-credentials: false
- uses: cachix/install-nix-action@v27 - uses: cachix/install-nix-action@v27
- run: nix run .#nixf-tidy - run: nix run .#nixf-tidy
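Review bot: Every `uses:` line in the new side still references a mutable tag (`actions/checkout@v4` and `cachix/install-nix-action@v27` in all six jobs), so a retargeted tag in either upstream repository would run different code here with no change to this file; zizmor's `unpinned-uses` audit may still report at least the third-party one depending on the policy it is configured with. Pinning to a full commit SHA with the tag kept as a trailing comment closes that gap, e.g. `- uses: cachix/install-nix-action@<COMMIT_SHA_PLACEHOLDER>  # v27`, and the same form for `actions/checkout`. The workflow-level `permissions: {}` together with `persist-credentials: false` is the right shape for these read-only jobs; note that if the repository is private, checkout would then need `contents: read` granted at the job level, which cannot be determined from this diff. The `example` job's `git add .` only touches the local index, so dropping the persisted token does not affect it; that job's remaining steps lie outside the hunk.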