miscellaneous maintenance (mostly GHA) (#214)

- add zizmor GHA linter job.
- add ruff to GHA linter job.
- set `persist-credentials: false`.
- drop permissions where missing.
- set GHA concurrency where missing.
- suppress zizmor warning for `cancel-in-progress: false`.
  Though perhaps it could be set to `true`?
- pages: replace hard-coded string with GitHub variable.
- sync action version numbers in comments.
- use full version numbers in newly added actions.
- page: scope extra permissions to the deploy job.
- silence zizmor warning about unpinned oss-fuzz action.
- avoid GitHub macros in shell code. Replace by envs.
- add name to each job to make them easier to read, and
  to silence pedantic zizmor.
- say why a job needs extra permissions. For zizmor.
- shell: add missing double quotes, drop unused variables, fix printf
  format string to be constant, fix other misc shellcheck warnings.
- move 'just_dependencies', 'PythonTests', 'Mainline' (2x) jobs from
  `ci` to a new `local` workflow, to not get triggered by curl/curl PR
  and master commits. These jobs either do not use the curl source repo,
  or use its master branch.
  To save 5 minutes CI time per curl/curl PR push.
- test_corpus_decoder.py: fix to indent consistently.
- fix issues reported by yamllint. (indent mostly)
- sync ruff configuration with other curl repos. Fix minor fallouts.
  Credits-to: Dan Fandrich

curl/curl@57cc523
- make sure to always use `pyproject.toml` to install pip packages.
  To have all of them pinned.
- move `pyproject.toml` default packages to group to avoid installing
  them when unused.
- merge two pip invocations by adding a pinned `pytest_playwright` to
the group.
- drop `pip` upgrades, use the version preinstalled on the host, for
  determinism.
- tidy-up python shebangs and exec attributes.
- tidy-up shell script shebangs and sets.
- delete copyright years.
- drop step name from well-known actions like checkout and python,
  to sync with other curl repos and making it more readily apparent
  what they are.
- pyproject.toml: use a single style to specify dependency versions.
- cmake: drop redundant `DEFINED ENV` checks.
- cmake: drop appending `CFLAGS`, `CXXFLAGS` envs manually. CMake uses
  these automatically.
  https://cmake.org/cmake/help/latest/envvar/CFLAGS.html
  https://cmake.org/cmake/help/latest/envvar/CXXFLAGS.html
- cmake: check if empty is non-empty, vs. just defined.
- cmake: fold long lines.
- whitespace.

Author: vszakats

.github/workflows/build.yml

@@ -0,0 +1,78 @@
+name: Build
+
+'on':
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  Mainline:
+    name: 'Mainline'
+    strategy:
+      matrix:
+        sanitizer:
+          - address
+          - memory
+
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Install Dependencies
+        run: |
+          sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list
+          sudo apt-get -o Dpkg::Use-Pty=0 update
+          sudo rm -f /var/lib/man-db/auto-update
+          sudo apt-get -o Dpkg::Use-Pty=0 install -y cmake clang ninja-build
+
+      - name: Compile mainline
+        env:
+          SANITIZER: '${{ matrix.sanitizer }}'  # test with different "sanitizers"
+        run: ./mainline.sh
+
+  just_dependencies:
+    name: 'Just dependencies'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Install Dependencies
+        run: |
+          sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list
+          sudo apt-get -o Dpkg::Use-Pty=0 update
+          sudo rm -f /var/lib/man-db/auto-update
+          sudo apt-get -o Dpkg::Use-Pty=0 install -y cmake clang ninja-build
+
+      - name: Compile deps target
+        run: ./scripts/compile_target.sh deps
+
+  PythonTests:
+    name: 'Python tests'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
+        with:
+          python-version: '3.12'
+
+      - name: Install test dependencies
+        run: pip --disable-pip-version-check --no-input --no-cache-dir install --progress-bar off --prefer-binary '.[python-tests]'
+
+      - name: Run TLV constants sync test
+        run: pytest tests/test_tlv_constants_sync.py

.github/workflows/checksrc.yml

@@ -0,0 +1,50 @@
+# Copyright (C) Daniel Stenberg, <[email protected]>, et al.
+#
+# SPDX-License-Identifier: curl
+
+name: 'Source'
+
+'on':
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  linters:
+    name: 'linters'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
+        with:
+          python-version: '3.12'
+
+      - name: 'install prereqs'
+        run: |
+          /home/linuxbrew/.linuxbrew/bin/brew install zizmor
+          pip --disable-pip-version-check --no-input --no-cache-dir install --progress-bar off --prefer-binary '.[ci-tests]'
+
+      - name: 'zizmor GHA'
+        env:
+          GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
+        run: |
+          eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
+          zizmor --pedantic .github/workflows/*.yml
+
+      - name: 'ruff'
+        run: |
+          ruff --version
+          # shellcheck disable=SC2046
+          ruff check $(git ls-files '*.py')

.github/workflows/ci.yml

@@ -1,4 +1,7 @@
+# Workflow used by curl/curl
+
 name: CI
+
 'on':
   push:
     branches:
@@ -20,14 +23,16 @@ permissions: {}
 
 jobs:
   DetermineMatrix:
+    name: 'Determine matrix'
     runs-on: ubuntu-latest
     outputs:
       matrix: ${{ steps.set-matrix.outputs.matrix }}
     steps:
-      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
+          persist-credentials: false
           repository: curl/curl-fuzzer
+
       - name: Set matrix
         id: set-matrix
         run: |
@@ -36,29 +41,31 @@ jobs:
           python3 -m generate_matrix | tee $GITHUB_OUTPUT
 
   BuildFuzzers:
+    name: 'Build fuzzers'
     runs-on: ubuntu-latest
     steps:
-    # Use the CIFuzz job to test the repository.
-    - name: Build Fuzzers
-      uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
-      with:
-        oss-fuzz-project-name: 'curl'
-        dry-run: false
-        keep-unaffected-fuzz-targets: true
+      # Use the CIFuzz job to test the repository.
+      - name: Build Fuzzers
+        uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master  # zizmor: ignore[unpinned-uses]
+        with:
+          oss-fuzz-project-name: 'curl'
+          dry-run: false
+          keep-unaffected-fuzz-targets: true
 
-    # Archive the fuzzer output (which maintains permissions)
-    - name: Create fuzz tar
-      run: tar cvf fuzz.tar build-out/
+      # Archive the fuzzer output (which maintains permissions)
+      - name: Create fuzz tar
+        run: tar cvf fuzz.tar build-out/
 
-    # Upload the fuzzer output
-    - name: Archive fuzz tar
-      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
-      with:
-        name: fuzz_tar
-        path: fuzz.tar
+      # Upload the fuzzer output
+      - name: Archive fuzz tar
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        with:
+          name: fuzz_tar
+          path: fuzz.tar
 
   RunFuzzers:
-    needs: [ BuildFuzzers, DetermineMatrix ]
+    name: 'Run fuzzers'
+    needs: [BuildFuzzers, DetermineMatrix]
     runs-on: ubuntu-latest
     strategy:
       matrix: ${{ fromJSON(needs.DetermineMatrix.outputs.matrix) }}
@@ -67,89 +74,33 @@ jobs:
         with:
           name: fuzz_tar
       - name: Unpack fuzzer ${{ matrix.fuzzer }}
-        run: tar xvf fuzz.tar build-out/${{ matrix.fuzzer }} build-out/${{ matrix.fuzzer }}_seed_corpus.zip
+        env:
+          MATRIX_FUZZER: '${{ matrix.fuzzer }}'
+        run: tar xvf fuzz.tar build-out/"${MATRIX_FUZZER}" build-out/"${MATRIX_FUZZER}"_seed_corpus.zip
       - name: Display extracted files
         run: ls -laR build-out/
       - name: Run Fuzzer ${{ matrix.fuzzer }}
-        uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
+        uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master  # zizmor: ignore[unpinned-uses]
         with:
           oss-fuzz-project-name: 'curl'
           fuzz-seconds: 120
           dry-run: false
       - name: Upload Crash
         uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
-        if: failure()
+        if: ${{ failure() }}
         with:
           name: artifacts
           path: ./out/artifacts
 
-  Mainline:
-    strategy:
-      matrix:
-        sanitizer:
-          - address
-          - memory
-
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          repository: curl/curl-fuzzer
-      - name: Install Dependencies
-        run: |
-          sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list
-          sudo apt-get -o Dpkg::Use-Pty=0 update
-          sudo rm -f /var/lib/man-db/auto-update
-          sudo apt-get -o Dpkg::Use-Pty=0 install -y cmake clang ninja-build
-      - name: Compile mainline
-        env:
-          # test with different "sanitizers"
-          SANITIZER: ${{ matrix.sanitizer }}
-        run: ./mainline.sh
-
-  just_dependencies:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          repository: curl/curl-fuzzer
-      - name: Install Dependencies
-        run: |
-          sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list
-          sudo apt-get -o Dpkg::Use-Pty=0 update
-          sudo rm -f /var/lib/man-db/auto-update
-          sudo apt-get -o Dpkg::Use-Pty=0 install -y cmake clang ninja-build
-      - name: Compile deps target
-        run: ./scripts/compile_target.sh deps
-
-  PythonTests:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          repository: curl/curl-fuzzer
-      - name: Set up Python
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
-        with:
-          python-version: '3.12'
-      - name: Install test dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install pytest
-      - name: Run TLV constants sync test
-        run: pytest tests/test_tlv_constants_sync.py
-
   # Ensure that the repository can be built for i386
   Testi386:
+    name: 'Test i386'
     runs-on: ubuntu-latest
     steps:
-    - name: Build Fuzzers
-      uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
-      with:
-        oss-fuzz-project-name: 'curl'
-        dry-run: false
-        keep-unaffected-fuzz-targets: true
-        architecture: 'i386'
+      - name: Build Fuzzers
+        uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master  # zizmor: ignore[unpinned-uses]
+        with:
+          oss-fuzz-project-name: 'curl'
+          dry-run: false
+          keep-unaffected-fuzz-targets: true
+          architecture: 'i386'

.github/workflows/codeql.yml

@@ -11,7 +11,8 @@ name: 'CodeQL'
     - cron: '0 0 * * 4'
 
 concurrency:
-  group: ${{ github.workflow }}
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
 
 permissions: {}
 

.github/workflows/pages-ci.yml

@@ -1,36 +1,42 @@
 name: Playwright browser test for corpus decoder
 
-on:
+'on':
   push:
-    branches: [master]
+    branches:
+      - master
   pull_request:
-    branches: [master]
+    branches:
+      - master
   workflow_dispatch:
 
-permissions:
-  contents: read
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
+
+permissions: {}
 
 jobs:
   test:
+    name: 'Test pages'
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
-      - name: Set up Python
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
+      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
         with:
-          python-version: "3.12"
+          python-version: '3.12'
 
       - name: Install dependencies
         run: |
-          python -m pip install --upgrade pip
-          pip install .[browser-tests]
-          pip install pytest pytest-playwright
+          pip --disable-pip-version-check --no-input --no-cache-dir install --progress-bar off --prefer-binary '.[page-gen,browser-tests]'
           python -m playwright install
 
       - name: Install Playwright system dependencies
         run: |
+          sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list
+          sudo rm -f /var/lib/man-db/auto-update
           playwright install-deps
 
       - name: Run Playwright browser test