openssf scorecard suggested improvements

This commit is contained in:
Mick Grove 2026-03-20 08:41:37 -07:00
commit db97997521
5 changed files with 30 additions and 44 deletions


@ -1,4 +1,4 @@
FROM gcr.io/oss-fuzz-base/base-builder-rust
FROM gcr.io/oss-fuzz-base/base-builder-rust@sha256:c0f40c4bfbcdfff147e0b8b6f1b1026d5d5144865e514261ad05560b38e6270e
COPY . $SRC/kingfisher
COPY .clusterfuzzlite/build.sh $SRC/build.sh
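Review bot: The digest-only `FROM` line no longer tells a reader which upstream build it corresponds to, and the oss-fuzz base images are rebuilt regularly, so this pin will silently age unless something refreshes it; a comment above it such as `# pinned <YYYY-MM-DD>; digest kept current by Dependabot (docker ecosystem) or Renovate` plus a bot configuration covering this path would make the intent visible. The same applies to the `alpine:latest@sha256:…` line in the last file of this commit, where the `latest` tag is ignored once a digest is present and a versioned tag (`alpine:<version>@sha256:…`) would make that pin self-describing.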

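--- /dev/null
+++ b/.github/requirements/pypi-build.txt
@@ -0,0 +1,7 @@
+build==1.4.0 \
+--hash=sha256:6a07c1b8eb6f2b311b96fcbdbce5dab5fe637ffda0fd83c9cac622e927501596 \
+--hash=sha256:f1b91b925aa322be454f8330c6fb48b465da993d1e7e7e6fa35027ec49f3c936
+packaging==26.0 \
+--hash=sha256:b36f1fef9334a5588b4166f8bcd26a14e521f2b55e6b9de3aaa80d3ff7a37529
+pyproject_hooks==1.2.0 \
+--hash=sha256:9e5c6bfa8dcc30091c74b0cf803c81fdd29d94f01992a7707bc97babb1141913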


@ -1,13 +1,12 @@
name: pypi-wheels
on:
workflow_run:
workflows: ["Publish Docker image"]
types: [completed]
release:
types: [published]
workflow_dispatch:
inputs:
tag:
description: "Release tag to package (e.g., v1.2.3). Leave blank to use Cargo.toml."
description: "Release tag to package (e.g., v1.2.3). Leave blank to use the latest release."
required: false
type: string
@ -16,31 +15,26 @@ permissions: {}
jobs:
build-wheels:
name: Build PyPI wheels
if: >
github.event_name != 'workflow_run' ||
github.event.workflow_run.conclusion == 'success' ||
github.run_attempt > 1
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || github.sha }}
- name: Determine version/tag
id: version
shell: bash
env:
INPUT_TAG: ${{ github.event.inputs.tag || '' }}
RELEASE_TAG_NAME: ${{ github.event.release.tag_name || '' }}
GH_TOKEN: ${{ github.token }}
run: |
set -euo pipefail
if [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" && -n "${INPUT_TAG}" ]]; then
if [[ "${GITHUB_EVENT_NAME}" == "release" && -n "${RELEASE_TAG_NAME}" ]]; then
TAG="${RELEASE_TAG_NAME}"
elif [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" && -n "${INPUT_TAG}" ]]; then
TAG="${INPUT_TAG}"
else
VERSION=$(grep -m1 '^version\s*=' Cargo.toml | cut -d '"' -f2)
TAG="v${VERSION}"
TAG=$(gh release view --json tagName --jq .tagName)
fi
if [[ ! "${TAG}" =~ ^v[0-9A-Za-z._+-]+$ ]]; then
echo "Invalid tag format: ${TAG}" >&2
@ -50,6 +44,10 @@ jobs:
echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ steps.version.outputs.tag }}
- name: Download release assets
env:
GH_TOKEN: ${{ github.token }}
@ -89,7 +87,7 @@ jobs:
done
- name: Install build tooling
run: python -m pip install --upgrade build
run: python -m pip install --upgrade --require-hashes -r .github/requirements/pypi-build.txt
- name: Build wheels
shell: bash
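Review bot: The new else branch `TAG=$(gh release view --json tagName --jq .tagName)` now runs before any checkout (the checkout that used to precede this step was removed and re-added after it with the resolved tag), so gh has no local git remote to infer the repository from and will most likely fail unless the repository is given explicitly; adding `GH_REPO: ${{ github.repository }}` to the step's `env:` next to `GH_TOKEN` fixes that and mirrors how the sibling publish workflow passes `${{ github.repository }}` to its API call. Separately, `--require-hashes` on the new install line rejects any dependency absent from `.github/requirements/pypi-build.txt`, and `build` declares a `tomli` requirement for Python older than 3.11, so if the interpreter chosen outside this hunk is below 3.11 the install fails with a missing-hash error — worth pinning the Python version alongside the requirements or adding that entry. The `--upgrade` flag is redundant with exact `==` pins. The Determine version/tag step continues past the end of the hunk shown.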


@ -9,14 +9,7 @@ on:
release:
types: [published]
# 2⃣ Option 2: run every time the build-and-release workflow
# completes successfully on the main branch
workflow_run:
workflows: ["build-and-release"]
types: [completed]
branches: [main]
# 3⃣ Manual: “Run workflow” button or `gh workflow run`
# 2⃣ Manual: “Run workflow” button or `gh workflow run`
workflow_dispatch:
inputs:
tag:
@ -32,25 +25,9 @@ permissions:
###############################################################################
jobs:
build-and-push:
# Run if:
# - event is NOT workflow_run (release, workflow_dispatch)
# - OR workflow_run completed successfully
# - OR this is a re-run (run_attempt > 1) so we force it to run
if: >
github.event_name != 'workflow_run' ||
github.event.workflow_run.conclusion == 'success' ||
github.run_attempt > 1
runs-on: ubuntu-latest
steps:
# -----------------------------------------------------------------------
# Check out the exact commit that produced the artifacts (workflow_run),
# otherwise just use the SHA tied to the release / manual dispatch.
# -----------------------------------------------------------------------
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || github.sha }}
# -----------------------------------------------------------------------
# Decide which tag were going to publish
# -----------------------------------------------------------------------
@ -66,10 +43,10 @@ jobs:
set -euo pipefail
if [[ "${GITHUB_EVENT_NAME}" == "release" ]]; then
RAW_TAG="${RELEASE_TAG_NAME}"
elif [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" && -n "${MANUAL_TAG}" ]]; then
elif [[ -n "${MANUAL_TAG}" ]]; then
RAW_TAG="${MANUAL_TAG}"
else
# workflow_run (or manual w/o tag) → ask GitHub API for latest release tag
# manual w/o tag → ask GitHub API for latest release tag
RAW_TAG=$(curl -sSL -H "Authorization: Bearer ${GH_TOKEN}" \
"https://api.github.com/repos/${{ github.repository }}/releases/latest" \
| jq -r .tag_name)
@ -80,6 +57,10 @@ jobs:
echo "Selected tag: ${TAG}"
echo "tag=${TAG}" >> "${GITHUB_OUTPUT}"
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: v${{ steps.tag.outputs.tag }}
# -----------------------------------------------------------------------
# Build & push
# -----------------------------------------------------------------------
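Review bot: The new checkout `ref: v${{ steps.tag.outputs.tag }}` hard-codes a `v` prefix onto the step output, while the sibling pypi-wheels workflow checks out `${{ steps.version.outputs.tag }}` unprefixed; the RAW_TAG-to-TAG normalisation lives in lines outside this hunk, so if TAG ever retains its leading `v` the ref becomes `vv1.2.3` (constructed example) and the checkout fails. Either have the step emit the exact ref name and use `ref: ${{ steps.tag.outputs.tag }}`, or add a comment above the checkout such as `# steps.tag.outputs.tag is the bare version; the v prefix is re-added here to form the git tag` so the contract between the two steps is explicit. The tag-selection step begins before and ends after the hunk shown.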


@ -1,5 +1,5 @@
# syntax=docker/dockerfile:1
FROM alpine:latest
FROM alpine:latest@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659
RUN apk add --no-cache curl tar git