From 79e6de0c555784ad44047d0d60eb1d7df799ce8b Mon Sep 17 00:00:00 2001
From: Appu
Date: Mon, 9 Jun 2025 13:38:00 -0400
Subject: [PATCH 1/4] Remediate zizmor template injection issues (#278)

This is not an exhaustive set of fixes for zizmor reported issues, just those related to github inputs/vars and template injection
Signed-off-by: Appu Goundan
---
 .github/workflows/publish.yaml | 34 ++++++++++++++++++++--------------
 1 file changed, 20 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index b38c7d4..dd14d51 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -91,6 +91,11 @@ on:
 jobs:
 publish:
 runs-on: ubuntu-latest
+ env:
+ REGISTRY_BRANCH: ${{ inputs.registry_branch }}
+ REGISTRY: ${{ inputs.registry }}
+ REGISTRY_FORK: ${{ inputs.registry_fork }}
+ TAG_NAME: ${{ inputs.tag_name }}
 steps:
 - name: Checkout the module repository
 uses: actions/checkout@v4.2.2
@@ -229,6 +234,11 @@ jobs:
 - name: Push to fork
 id: push-to-fork
 working-directory: bazel-central-registry
+ env:
+ # Set the author to the actor of this workflow. Use the github-provided
+ # noreply email address: https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/setting-your-commit-email-address.
+ AUTHOR_NAME: ${{ github.actor }}
+ AUTHOR_EMAIL: ${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com
 run: |
 set -o errexit -o nounset -o pipefail
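Review bot: The job-level `env:` under `publish:` makes `REGISTRY_BRANCH`, `REGISTRY`, `REGISTRY_FORK` and `TAG_NAME` visible to every step in the job, including `actions/checkout@v4.2.2` and any other third-party action that follows, although, as far as the hunks show, only the shell steps later in the file read them. The commit's own treatment of `REPOSITORY` and `DRAFT` (step-scoped `env:`) is the tighter pattern; either scope these four the same way or add `# Job-wide: read by the push-to-fork, pr-vars and open-pull-request shell steps` above the block so the broader scope reads as deliberate. The `@@ -229` hunk already follows the tighter pattern, since `AUTHOR_NAME`/`AUTHOR_EMAIL` are scoped to the one step that uses them.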
@@ -237,15 +247,10 @@ jobs:
 COMMITTER_NAME="github-actions[bot]"
 COMMITTER_EMAIL="41898282+github-actions[bot]@users.noreply.github.com"
- # Set the author to the actor of this workflow. Use the github-provided
- # noreply email address: https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/setting-your-commit-email-address.
- AUTHOR_NAME="${{ github.actor }}"
- AUTHOR_EMAIL="${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
-
 # Use an authorized remote url to push to the fork
- git remote add authed-fork https://x-access-token:${{ secrets.publish_token }}@github.com/${{ inputs.registry_fork }}.git
+ git remote add authed-fork https://x-access-token:${{ secrets.publish_token }}@github.com/${REGISTRY_FORK}.git
- BRANCH="${{ steps.create-final-entry.outputs.module-names }}-${{ inputs.tag_name }}"
+ BRANCH="${{ steps.create-final-entry.outputs.module-names }}-${TAG_NAME}"
 git checkout -b "${BRANCH}"
 git add .
 git -c "author.name=${AUTHOR_NAME}" \
@@ -260,6 +265,8 @@ jobs:
 - name: Prepare PR variables
 id: pr-vars
+ env:
+ REPOSITORY: ${{ inputs.repository }}
 run: |
 set -o errexit -o nounset -o pipefail
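Review bot: `BRANCH="${{ steps.create-final-entry.outputs.module-names }}-${TAG_NAME}"` still splices a step output straight into the shell script, so the line is only half converted; carry it through the step `env:` this commit already added, `MODULE_NAMES: ${{ steps.create-final-entry.outputs.module-names }}`, and write `BRANCH="${MODULE_NAMES}-${TAG_NAME}"`. The rewritten `git remote add authed-fork https://x-access-token:${{ secrets.publish_token }}@github.com/${REGISTRY_FORK}.git` leaves the URL unquoted and records the token-bearing URL in the checkout's `.git/config`, where any later step with access to the `bazel-central-registry` directory can read it; quoting the URL is a one-word fix, and supplying the token for the push through `git -c http.extraheader=...` or a credential helper would keep it out of the on-disk config (what later steps do with that checkout is outside the hunk, so the exposure is inferred). The `run` script continues past the end of the hunk.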
@@ -267,27 +274,27 @@ jobs:
 echo "title=${TITLE}" >> $GITHUB_OUTPUT
 echo "body<> $GITHUB_OUTPUT
- echo -e "Release: https://github.com/${{ inputs.repository }}/releases/tag/${{ inputs.tag_name }}\n" >> $GITHUB_OUTPUT
+ echo -e "Release: https://github.com/${REPOSITORY}/releases/tag/${TAG_NAME}\n" >> $GITHUB_OUTPUT
 echo "_Automated by [Publish to BCR](https://github.com/bazel-contrib/publish-to-bcr)_" >> $GITHUB_OUTPUT
 echo "EOF" >> $GITHUB_OUTPUT
 - name: Open pull request
 if: ${{ inputs.open_pull_request }}
+ env:
+ DRAFT: ${{ inputs.draft }}
 working-directory: bazel-central-registry
 run: |
 set -o errexit -o nounset -o pipefail
- REGISTRY_FORK="${{ inputs.registry_fork }}"
 FORK_OWNER="${REGISTRY_FORK%%/*}"
 BRANCH="${{ steps.push-to-fork.outputs.branch }}"
- DRAFT="${{ inputs.draft }}"
 MAINTAINER_CAN_MODIFY=true
 REQUEST_BODY=$(jq --null-input \
 --arg title "${{ steps.pr-vars.outputs.title }}" \
 --arg body "${{ steps.pr-vars.outputs.body }}" \
 --arg head "${FORK_OWNER}:${BRANCH}" \
- --arg base ${{ inputs.registry_branch }} \
+ --arg base ${REGISTRY_BRANCH} \
 --argjson draft "${DRAFT}" \
 --argjson maintainer_can_modify "${MAINTAINER_CAN_MODIFY}" \
 '{title: $title, body: $body, head: $head, base: $base, maintainer_can_modify: $maintainer_can_modify, draft: $draft}')
@@ -306,7 +313,7 @@ jobs:
 --header "Accept: application/vnd.github+json" \
 --header "Authorization: Bearer ${{ secrets.publish_token }}" \
 --header "X-GitHub-Api-Version: 2022-11-28" \
- https://api.github.com/repos/${{ inputs.registry }}/pulls \
+ https://api.github.com/repos/${REGISTRY}/pulls \
 --data "${REQUEST_BODY}"
 )
@@ -329,7 +336,6 @@ jobs:
 run: |
 set -o errexit -o nounset -o pipefail
- REGISTRY_FORK="${{ inputs.registry_fork }}"
 FORK_OWNER="${REGISTRY_FORK%%/*}"
 FORK_REPO="${REGISTRY_FORK##*/}"
 TITLE=$(jq --raw-input --raw-output @uri <<<"${{ steps.pr-vars.outputs.title }}")
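Review bot: `--arg title "${{ steps.pr-vars.outputs.title }}"` and `--arg body "${{ steps.pr-vars.outputs.body }}"` in the `Open pull request` step still expand step outputs inside the shell script, and the body is assembled a few lines earlier from `REPOSITORY` and `TAG_NAME`, which are caller inputs, so the injection class this commit remediates is moved rather than closed on those lines; the same applies to `BRANCH="${{ steps.push-to-fork.outputs.branch }}"` here, to `TITLE=$(jq ... <<<"${{ steps.pr-vars.outputs.title }}")` in `@@ -329`, and to the `echo` in `@@ -339`. Passing the outputs through the step `env:` the way `DRAFT` now is removes the interpolation; the rewritten lines are below. Separately, `--arg base ${REGISTRY_BRANCH}` here and `https://api.github.com/repos/${REGISTRY}/pulls` in `@@ -306` are unquoted expansions, so a value containing whitespace would split into extra arguments; write them as `--arg base "${REGISTRY_BRANCH}"` and `"https://api.github.com/repos/${REGISTRY}/pulls"`. The `run` script continues past the end of the hunk.
```yaml
      - name: Open pull request
        if: ${{ inputs.open_pull_request }}
        env:
          DRAFT: ${{ inputs.draft }}
          PR_TITLE: ${{ steps.pr-vars.outputs.title }}
          PR_BODY: ${{ steps.pr-vars.outputs.body }}
          BRANCH: ${{ steps.push-to-fork.outputs.branch }}
        working-directory: bazel-central-registry
        run: |
          set -o errexit -o nounset -o pipefail

          FORK_OWNER="${REGISTRY_FORK%%/*}"
          MAINTAINER_CAN_MODIFY=true
          REQUEST_BODY=$(jq --null-input \
            --arg title "${PR_TITLE}" \
            --arg body "${PR_BODY}" \
            --arg head "${FORK_OWNER}:${BRANCH}" \
            --arg base "${REGISTRY_BRANCH}" \
          # … unchanged: --argjson draft / maintainer_can_modify arguments and the jq filter …
```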
@@ -339,4 +345,4 @@ jobs:
 echo -e "Create the pull request manually by visiting:"
 # https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/using-query-parameters-to-create-a-pull-request
- echo "https://github.com/${{ inputs.registry }}/compare/${{ inputs.registry_branch }}...${FORK_OWNER}:${FORK_REPO}:${{ steps.push-to-fork.outputs.branch }}?title=${TITLE}&body=${BODY}&quick_pull=1"
+ echo "https://github.com/${REGISTRY}/compare/${REGISTRY_BRANCH}...${FORK_OWNER}:${FORK_REPO}:${{ steps.push-to-fork.outputs.branch }}?title=${TITLE}&body=${BODY}&quick_pull=1"

From e8be494f88c7ec16d455db2016e935086cc5fb5b Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 9 Jun 2025 19:26:25 -0700
Subject: [PATCH 2/4] chore(deps): update toolchains_llvm (#181)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 MODULE.bazel | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/MODULE.bazel b/MODULE.bazel
index cf5d43b..ecd151d 100644
--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -13,16 +13,9 @@ bazel_dep(name = "rules_multitool", version = "1.0.0")
 bazel_dep(name = "rules_nodejs", version = "6.3.3")
 bazel_dep(name = "rules_pkg", version = "1.0.1")
 bazel_dep(name = "rules_xz", version = "1.0.1")
-bazel_dep(name = "toolchains_llvm", version = "1.2.0")
+bazel_dep(name = "toolchains_llvm", version = "1.4.0")
 bazel_dep(name = "xz", version = "5.4.5.bcr.5")
-# FIXME: Remove when a new `toolchains_llvm` has been released.
-git_override(
- module_name = "toolchains_llvm",
- commit = "bda1c9fbf232b682c30d039f8e4a5e3cf3025d0f",
- remote = "https://github.com/bazel-contrib/toolchains_llvm",
-)
-
 bazel_lib = use_extension("@aspect_bazel_lib//lib:extensions.bzl", "toolchains")
 bazel_lib.bats()
 bazel_lib.jq()
From e5482809f9b5d26fb22c8341055d4f2ddd1dec46 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Tue, 10 Jun 2025 08:51:51 -0700
Subject: [PATCH 3/4] chore(deps): update dependency typescript to v5.8.2 (#221)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 MODULE.bazel | 2 +-
 package.json | 2 +-
 pnpm-lock.yaml | 64 +++++++++++++++++++++++++-------------------------
 3 files changed, 34 insertions(+), 34 deletions(-)

diff --git a/MODULE.bazel b/MODULE.bazel
index ecd151d..f96c996 100644
--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -3,7 +3,7 @@ bazel_dep(name = "aspect_rules_esbuild", version = "0.21.0")
 bazel_dep(name = "aspect_rules_jest", version = "0.22.0")
 bazel_dep(name = "aspect_rules_js", version = "2.1.2")
 bazel_dep(name = "aspect_rules_lint", version = "1.0.8")
-bazel_dep(name = "aspect_rules_ts", version = "3.4.0")
+bazel_dep(name = "aspect_rules_ts", version = "3.6.0")
 bazel_dep(
 name = "buildifier_prebuilt",
 version = "8.0.0",
diff --git a/package.json b/package.json
index 124499f..b09de95 100644
--- a/package.json
+++ b/package.json
@@ -81,7 +81,7 @@
 "mockttp": "^3.10.0",
 "portfinder": "^1.0.32",
 "prettier": "3.4.2",
- "typescript": "5.6.3",
+ "typescript": "5.8.2",
 "typescript-eslint": "^8.15.0"
 },
 "pnpm": {
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 2f518dd..7cb39f4 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -201,11 +201,11 @@ devDependencies:
 specifier: 3.4.2
 version: 3.4.2
 typescript:
- specifier: 5.6.3
- version: 5.6.3
+ specifier: 5.8.2
+ version: 5.8.2
 typescript-eslint:
 specifier: ^8.15.0
- version: 8.20.0(eslint@9.18.0)(typescript@5.6.3)
+ version: 8.20.0(eslint@9.18.0)(typescript@5.8.2)
 packages:
@@ -2681,7 +2681,7 @@ packages: dev: false optional: true - /@typescript-eslint/eslint-plugin@8.20.0(@typescript-eslint/parser@8.20.0)(eslint@9.18.0)(typescript@5.6.3): + /@typescript-eslint/eslint-plugin@8.20.0(@typescript-eslint/parser@8.20.0)(eslint@9.18.0)(typescript@5.8.2): resolution: {integrity: sha512-naduuphVw5StFfqp4Gq4WhIBE2gN1GEmMUExpJYknZJdRnc+2gDzB8Z3+5+/Kv33hPQRDGzQO/0opHE72lZZ6A==} engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0} peerDependencies: @@ -2690,20 +2690,20 @@ packages: typescript: '>=4.8.4 <5.8.0' dependencies: '@eslint-community/regexpp': 4.12.1 - '@typescript-eslint/parser': 8.20.0(eslint@9.18.0)(typescript@5.6.3) + '@typescript-eslint/parser': 8.20.0(eslint@9.18.0)(typescript@5.8.2) '@typescript-eslint/scope-manager': 8.20.0 - '@typescript-eslint/type-utils': 8.20.0(eslint@9.18.0)(typescript@5.6.3) - '@typescript-eslint/utils': 8.20.0(eslint@9.18.0)(typescript@5.6.3) + '@typescript-eslint/type-utils': 8.20.0(eslint@9.18.0)(typescript@5.8.2) + '@typescript-eslint/utils': 8.20.0(eslint@9.18.0)(typescript@5.8.2) '@typescript-eslint/visitor-keys': 8.20.0 eslint: 9.18.0 graphemer: 1.4.0 ignore: 5.3.2 natural-compare: 1.4.0 - ts-api-utils: 2.0.0(typescript@5.6.3) - typescript: 5.6.3 + ts-api-utils: 2.0.0(typescript@5.8.2) + typescript: 5.8.2 dev: true - /@typescript-eslint/parser@8.20.0(eslint@9.18.0)(typescript@5.6.3): + /@typescript-eslint/parser@8.20.0(eslint@9.18.0)(typescript@5.8.2): resolution: {integrity: sha512-gKXG7A5HMyjDIedBi6bUrDcun8GIjnI8qOwVLiY3rx6T/sHP/19XLJOnIq/FgQvWLHja5JN/LSE7eklNBr612g==} engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0} peerDependencies: 
@@ -2712,11 +2712,11 @@ packages: dependencies: '@typescript-eslint/scope-manager': 8.20.0 '@typescript-eslint/types': 8.20.0 - '@typescript-eslint/typescript-estree': 8.20.0(typescript@5.6.3) + '@typescript-eslint/typescript-estree': 8.20.0(typescript@5.8.2) '@typescript-eslint/visitor-keys': 8.20.0 debug: 4.4.0 eslint: 9.18.0 - typescript: 5.6.3 + typescript: 5.8.2 dev: true /@typescript-eslint/scope-manager@8.20.0: @@ -2727,19 +2727,19 @@ packages: '@typescript-eslint/visitor-keys': 8.20.0 dev: true - /@typescript-eslint/type-utils@8.20.0(eslint@9.18.0)(typescript@5.6.3): + /@typescript-eslint/type-utils@8.20.0(eslint@9.18.0)(typescript@5.8.2): resolution: {integrity: sha512-bPC+j71GGvA7rVNAHAtOjbVXbLN5PkwqMvy1cwGeaxUoRQXVuKCebRoLzm+IPW/NtFFpstn1ummSIasD5t60GA==} engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0} peerDependencies: eslint: ^8.57.0 || ^9.0.0 typescript: '>=4.8.4 <5.8.0' dependencies: - '@typescript-eslint/typescript-estree': 8.20.0(typescript@5.6.3) - '@typescript-eslint/utils': 8.20.0(eslint@9.18.0)(typescript@5.6.3) + '@typescript-eslint/typescript-estree': 8.20.0(typescript@5.8.2) + '@typescript-eslint/utils': 8.20.0(eslint@9.18.0)(typescript@5.8.2) debug: 4.4.0 eslint: 9.18.0 - ts-api-utils: 2.0.0(typescript@5.6.3) - typescript: 5.6.3 + ts-api-utils: 2.0.0(typescript@5.8.2) + typescript: 5.8.2 dev: true /@typescript-eslint/types@8.20.0: @@ -2747,7 +2747,7 @@ packages: engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0} dev: true - /@typescript-eslint/typescript-estree@8.20.0(typescript@5.6.3): + /@typescript-eslint/typescript-estree@8.20.0(typescript@5.8.2): resolution: {integrity: sha512-Y7ncuy78bJqHI35NwzWol8E0X7XkRVS4K4P4TCyzWkOJih5NDvtoRDW4Ba9YJJoB2igm9yXDdYI/+fkiiAxPzA==} engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0} peerDependencies: 
@@ -2760,11 +2760,11 @@ packages: is-glob: 4.0.3 minimatch: 9.0.5 semver: 7.6.3 - ts-api-utils: 2.0.0(typescript@5.6.3) - typescript: 5.6.3 + ts-api-utils: 2.0.0(typescript@5.8.2) + typescript: 5.8.2 dev: true - /@typescript-eslint/utils@8.20.0(eslint@9.18.0)(typescript@5.6.3): + /@typescript-eslint/utils@8.20.0(eslint@9.18.0)(typescript@5.8.2): resolution: {integrity: sha512-dq70RUw6UK9ei7vxc4KQtBRk7qkHZv447OUZ6RPQMQl71I3NZxQJX/f32Smr+iqWrB02pHKn2yAdHBb0KNrRMA==} engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0} peerDependencies: @@ -2774,9 +2774,9 @@ packages: '@eslint-community/eslint-utils': 4.4.1(eslint@9.18.0) '@typescript-eslint/scope-manager': 8.20.0 '@typescript-eslint/types': 8.20.0 - '@typescript-eslint/typescript-estree': 8.20.0(typescript@5.6.3) + '@typescript-eslint/typescript-estree': 8.20.0(typescript@5.8.2) eslint: 9.18.0 - typescript: 5.6.3 + typescript: 5.8.2 dev: true /@typescript-eslint/visitor-keys@8.20.0: @@ -6874,13 +6874,13 @@ packages: pretty-bytes: 5.6.0 dev: false - /ts-api-utils@2.0.0(typescript@5.6.3): + /ts-api-utils@2.0.0(typescript@5.8.2): resolution: {integrity: sha512-xCt/TOAc+EOHS1XPnijD3/yzpH6qg2xppZO1YDqGoVsNXfQfzHpOdNuXwrwOU8u4ITXJyDCTyt8w5g1sZv9ynQ==} engines: {node: '>=18.12'} peerDependencies: typescript: '>=4.8.4' dependencies: - typescript: 5.6.3 + typescript: 5.8.2 dev: true /tslib@2.8.1: 
@@ -6930,22 +6930,22 @@ packages: engines: {node: '>=6.0.0', npm: '>=3.0.0'} dev: true - /typescript-eslint@8.20.0(eslint@9.18.0)(typescript@5.6.3): + /typescript-eslint@8.20.0(eslint@9.18.0)(typescript@5.8.2): resolution: {integrity: sha512-Kxz2QRFsgbWj6Xcftlw3Dd154b3cEPFqQC+qMZrMypSijPd4UanKKvoKDrJ4o8AIfZFKAF+7sMaEIR8mTElozA==} engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0} peerDependencies: eslint: ^8.57.0 || ^9.0.0 typescript: '>=4.8.4 <5.8.0' dependencies: - '@typescript-eslint/eslint-plugin': 8.20.0(@typescript-eslint/parser@8.20.0)(eslint@9.18.0)(typescript@5.6.3) - '@typescript-eslint/parser': 8.20.0(eslint@9.18.0)(typescript@5.6.3) - '@typescript-eslint/utils': 8.20.0(eslint@9.18.0)(typescript@5.6.3) + '@typescript-eslint/eslint-plugin': 8.20.0(@typescript-eslint/parser@8.20.0)(eslint@9.18.0)(typescript@5.8.2) + '@typescript-eslint/parser': 8.20.0(eslint@9.18.0)(typescript@5.8.2) + '@typescript-eslint/utils': 8.20.0(eslint@9.18.0)(typescript@5.8.2) eslint: 9.18.0 - typescript: 5.6.3 + typescript: 5.8.2 dev: true - /typescript@5.6.3: - resolution: {integrity: sha512-hjcS1mhfuyi4WW8IWtjP7brDrG2cuDZukyrYrSauoXGNgx0S7zceP07adYkJycEr56BOUTNPzbInooiN3fn1qw==} + /typescript@5.8.2: + resolution: {integrity: sha512-aJn6wq13/afZp/jT9QZmwEjDqqvSGp1VT5GVg+f/t6/oVyrgXM6BY1h9BRh/O5p3PlUPAe+WuiEZOmb/49RqoQ==} engines: {node: '>=14.17'} hasBin: true dev: true From 096e4724c760aa0024916fe772701c06926f4c49 Mon Sep 17 00:00:00 2001 
From: Jayson Salazar Rodriguez <9462892+jdsalaro@users.noreply.github.com> Date: Wed, 25 Jun 2025 13:11:02 +0200 Subject: [PATCH 4/4] Add author_{name,email} and committer_{name,email} Inputs (#279) We recently needed to change the `AUTHOR_NAME` and `AUTHOR_EMAIL` with which an internal bot triggers a PR to our BCR fork and therefore the commit that eventually lands to https://github.com/bazelbuild/bazel-central-registry It probably makes sense to make these two inputs instead of hardcoded. --- .github/workflows/publish.yaml | 33 ++++++++++++++++++++++++++------- 1 file changed, 26 insertions(+), 7 deletions(-) diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index dd14d51..bdce33c 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -84,6 +84,28 @@ on: See https://github.com/bazel-contrib/publish-to-bcr/issues/261. default: true type: boolean + author_name: + description: | + Commit author name for the BCR entry. Defaults to the actor running the GitHub Actions workflow. + default: ${{ github.actor }} + type: string + author_email: + description: | + Commit author email for the BCR entry. Defaults to the actor running the GitHub Actions workflow. + default: ${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com + type: string + # Default the committer to the GitHub Actions bot + # https://github.com/orgs/community/discussions/26560#discussioncomment-3531273 + committer_name: + description: | + Name of the git committer. Defaults to the GitHub Action bot's name. + default: "github-actions[bot]" + type: string + committer_email: + description: | + Email of the git committer. Defaults to the GitHub Action bot's email. + default: "41898282+github-actions[bot]@users.noreply.github.com" + type: string secrets: publish_token: required: true 
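Review bot: The `description` added for `author_name` and `author_email` states the default but not that the value is written unchanged as the git author of the commit pushed to the registry fork and shown on the resulting pull request, which is what a caller substituting a bot identity needs to know; I would append `The value is used verbatim as the git author of the BCR entry commit.` to both. The `author_*` defaults are plain scalars while the `committer_*` defaults are quoted; quoting all four keeps the stanza uniform. The comment retained in the `@@ -237` hunk (`# Set the author to the actor of this workflow…`) now describes only the default and should either move next to `author_name` here or become `# Author/committer identity comes from the caller's inputs; see the input descriptions for the defaults.`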
@@ -237,16 +259,13 @@ jobs:
 env:
 # Set the author to the actor of this workflow. Use the github-provided
 # noreply email address: https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/setting-your-commit-email-address.
- AUTHOR_NAME: ${{ github.actor }}
- AUTHOR_EMAIL: ${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com
+ AUTHOR_NAME: ${{ inputs.author_name }}
+ AUTHOR_EMAIL: ${{ inputs.author_email }}
+ COMMITTER_NAME: ${{ inputs.committer_name }}
+ COMMITTER_EMAIL: ${{ inputs.committer_email }}
 run: |
 set -o errexit -o nounset -o pipefail
- # Set committer to the GitHub Actions bot
- # https://github.com/orgs/community/discussions/26560#discussioncomment-3531273
- COMMITTER_NAME="github-actions[bot]"
- COMMITTER_EMAIL="41898282+github-actions[bot]@users.noreply.github.com"
-
 # Use an authorized remote url to push to the fork
 git remote add authed-fork https://x-access-token:${{ secrets.publish_token }}@github.com/${REGISTRY_FORK}.git