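#!/usr/bin/env bash

# Usage: ./zizmor.sh [args...]
#
# This script is a wrapper around the zizmor Docker image. Zizmor lints GitHub
# actions workflows.
#
# We use Docker to run zizmor since it's written in Rust and is difficult to
# install on Ubuntu runners without building it with a Rust toolchain, which
# takes a long time.
#
# The repo is mounted at /repo and the working directory is set to /repo.
# Every argument given to this script is passed through to zizmor unchanged.
#
# Environment:
#   GH_TOKEN - optional; forwarded into the container when set (or obtainable
#              from `gh auth token`) so zizmor can also fetch imported
#              workflows.

set -euo pipefail
# shellcheck source=scripts/lib.sh
source "$(dirname "${BASH_SOURCE[0]}")/lib.sh"

cdroot

# Pinned by tag only. A tag is mutable on the registry; pinning by digest
# (e.g. "ghcr.io/zizmorcore/zizmor@sha256:<digest>") would make the image
# immutable and is the stronger supply-chain control for a CI linter.
image_tag="ghcr.io/zizmorcore/zizmor:1.11.0"
docker_args=(
	"--rm"
	# Read-write bind mount of the repo root. zizmor only needs to read the
	# workflow files unless a write-mode option is passed through in "$@";
	# ":ro" would be the least-privilege choice if that is never done —
	# TODO confirm before tightening.
	"--volume" "$(pwd):/repo"
	"--workdir" "/repo"
	# Host network namespace: the container shares the runner's network
	# identity rather than merely having outbound access. Presumably required
	# on the runners this targets; plain bridge networking would suffice for
	# reaching the GitHub API alone — verify before keeping.
	"--network" "host"
)

# Allocate an interactive TTY only when stdin actually is one, so
# non-interactive (CI) invocations do not fail asking for a terminal.
if [[ -t 0 ]]; then
	docker_args+=("-it")
fi

# If no GH_TOKEN is set, try to get one from `gh auth token`. A failure here is
# non-fatal (zizmor simply runs without a token), so capture the status
# explicitly instead of toggling `set -e` around the call; on failure the
# variable is cleared so partial output is never exported as a token.
if [[ "${GH_TOKEN:-}" == "" ]] && command -v gh &>/dev/null; then
	GH_TOKEN="$(gh auth token)" || GH_TOKEN=""
	export GH_TOKEN
fi

# Pass through the GitHub token if it's set, which allows zizmor to scan
# imported workflows too. Only the variable *name* is handed to docker, so the
# secret is read from the environment and never appears in argv (and thus not
# in the logged command line or `ps` output).
if [[ "${GH_TOKEN:-}" != "" ]]; then
	docker_args+=("--env" "GH_TOKEN")
fi

logrun exec docker run "${docker_args[@]}" "$image_tag" "$@"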