diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 8c1dfd39b82c..028c0b2b74eb 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -16,3 +16,48 @@ updates: llvm-docs-requirements: patterns: - "*" + + - package-ecosystem: docker + directory: /.github/workflows/containers/github-action-ci + schedule: + interval: daily + + - package-ecosystem: docker + directory: /bolt/utils/docker + schedule: + interval: daily + + - package-ecosystem: nuget + directory: /clang/tools/clang-format-vs/ClangFormat + schedule: + interval: daily + + - package-ecosystem: docker + directory: /clang/tools/clang-fuzzer + schedule: + interval: daily + + - package-ecosystem: docker + directory: /clang/utils/analyzer + schedule: + interval: daily + + - package-ecosystem: pip + directory: /clang/utils/analyzer + schedule: + interval: daily + + - package-ecosystem: pip + directory: /flang/examples/FlangOmpReport + schedule: + interval: daily + + - package-ecosystem: docker + directory: /libc/utils/buildbot + schedule: + interval: daily + + - package-ecosystem: docker + directory: /libcxx/utils/ci + schedule: + interval: daily diff --git a/.github/workflows/build-ci-container.yml b/.github/workflows/build-ci-container.yml index 109115f3a7b7..398a83027e13 100644 --- a/.github/workflows/build-ci-container.yml +++ b/.github/workflows/build-ci-container.yml @@ -25,6 +25,11 @@ jobs: permissions: packages: write steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Write Variables id: vars run: | @@ -34,7 +39,7 @@ jobs: echo "container-name-tag=$container_name:$tag" >> $GITHUB_OUTPUT - name: Checkout LLVM - uses: actions/checkout@v4.2.2 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: sparse-checkout: .github/workflows/containers/github-action-ci/ 
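Review bot: The new Dependabot entries cover docker, pip and nuget directories, but none of them covers the `github-actions` ecosystem, so the commit-SHA pins this same change introduces across `.github/workflows/` will not be bumped automatically and the `# vX.Y.Z` comments will drift from reality. If no such entry exists above this hunk (the file starts outside it), add `- package-ecosystem: github-actions` / `  directory: /` / `  schedule: { interval: weekly }`. Nine `interval: daily` entries will also open a steady stream of bump PRs; `weekly` is the usual choice unless someone is committed to reviewing them each day.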
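Review bot: `egress-policy: audit` only records outbound connections from the runner; it blocks nothing, so the new `Harden Runner` step adds telemetry but no enforcement here and in the identically configured steps added to codeql.yml, dependency-review.yml, docs.yml, issue-release-workflow.yml, issue-subscriber.yml, libclang-abi-tests.yml, libcxx-build-and-test.yaml, libcxx-check-generated-files.yml, llvm-bugs.yml, llvm-project-tests.yml, llvm-tests.yml, new-issues.yml, new-prs.yml, pr-code-format.yml, pr-request-release-note.yml, pr-subscriber.yml, release-binaries.yml, release-documentation.yml, release-doxygen.yml, release-lit.yml, release-tasks.yml, scorecard.yml and version-check.yml. Audit mode is the documented first step, so this is fine as a rollout, but the jobs holding write credentials — this job's `packages: write`, the release-binaries upload job with `contents: write`, and the release-lit steps that hold PyPI tokens — are the ones where moving to `egress-policy: block` with an `allowed-endpoints:` list pays off once the audit logs have been reviewed. A comment on the step such as `# audit only: logs egress, does not block; switch to block once allowed-endpoints is settled` would record that intent so the setting is not mistaken for a finished configuration.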
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 000000000000..a6de1da963c7 --- /dev/null +++ b/.github/workflows/codeql.yml 
@@ -0,0 +1,78 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: ["npu/release/18.x"] + pull_request: + # The branches below must be a subset of the branches above + branches: ["npu/release/18.x"] + schedule: + - cron: "0 0 * * 1" + +permissions: + contents: read + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: ["cpp", "csharp", "javascript", "python", "typescript"] + # CodeQL supports [ $supported-codeql-languages ] + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + + steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + + - name: Checkout repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). 
+ # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0 + + # â„šī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/containers/github-action-ci/Dockerfile b/.github/workflows/containers/github-action-ci/Dockerfile index d91a7ad3a9d0..dc80159443d5 100644 --- a/.github/workflows/containers/github-action-ci/Dockerfile +++ b/.github/workflows/containers/github-action-ci/Dockerfile @@ -1,4 +1,4 @@ -FROM docker.io/library/ubuntu:22.04 as base +FROM docker.io/library/ubuntu:22.04@sha256:0e5e4a57c2499249aafc3b40fcd541e9a456aab7296681a3994d631587203f97 as base ENV LLVM_SYSROOT=/opt/llvm/ FROM base as toolchain diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 000000000000..955b3b3fb2d0 --- /dev/null +++ b/.github/workflows/dependency-review.yml 
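Review bot: The `Autobuild` step will try to compile the `cpp` matrix entry on a hosted `ubuntu-latest` runner, which for a tree of LLVM's size is likely to hit the job time limit or fail before analysis runs; that entry needs an explicit, scoped build step, or `build-mode: none` on the init step if build-free C/C++ analysis is acceptable. `javascript` and `typescript` are served by the same CodeQL extractor, so those two matrix entries most likely run the same analysis twice. The starter-template text was left unfilled — `We have attempted to detect the languages...`, the `[ $supported-codeql-languages ]` placeholder and the commented-out `run:` block — and should be replaced by a short comment saying why this language set was chosen for this branch. The `Command-line programs` comment line also contains mis-encoded characters (`â„šī¸`), which suggests the file was saved with the wrong encoding; re-save it as UTF-8 or drop the emoji.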
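Review bot: The rewritten `FROM` line keeps the lowercase `as base` next to an uppercase keyword; BuildKit's `FromAsCasing` build check warns on that mix, so while the line is being touched write `FROM docker.io/library/ubuntu:22.04@sha256:0e5e4a57c2499249aafc3b40fcd541e9a456aab7296681a3994d631587203f97 AS base`. The digest pin itself is right, and the Dependabot docker entry added for this directory in the same change will keep it current. Because the digest is opaque to readers, a one-line comment above it such as `# ubuntu:22.04 pinned by digest; bumped by Dependabot` saves the next maintainer a registry lookup.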
@@ -0,0 +1,27 @@ +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Request, +# surfacing known-vulnerable versions of the packages declared or updated in the PR. +# Once installed, if the workflow run is marked as required, +# PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +name: 'Dependency Review' +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + + - name: 'Checkout Repository' + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: 'Dependency Review' + uses: actions/dependency-review-action@4081bf99e2866ebe428fc0477b69eb4fcda7220a # v4.4.0 diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 893ba8fea994..b90262fe491f 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -56,14 +56,19 @@ jobs: # action to use the Github API in pull requests. If it's a push to a # branch we can't use the Github API to get the diff, so we need to have # a local checkout beforehand. + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Fetch LLVM sources (Push) if: ${{ github.event_name == 'push' }} - uses: actions/checkout@v4.2.2 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 1 - name: Get subprojects that have doc changes id: docs-changed-subprojects - uses: tj-actions/changed-files@v45 + uses: tj-actions/changed-files@c3a1bb2c992d77180ae65be6ae6c166cf40f857c # v45.0.3 with: files_yaml: | llvm: 
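Review bot: The `Dependency Review` step sets no `fail-on-severity` or `comment-summary-in-pr`, so it fails at the action's default threshold and reports only into the check log; stating the intended threshold explicitly (for example `fail-on-severity: high` and `comment-summary-in-pr: always`) makes the policy reviewable instead of implicit. The `Checkout Repository` step looks unnecessary, since the action compares base and head through the dependency-graph API rather than the working tree — worth confirming against the action's README, and dropping if so. The header comment promises that vulnerable PRs are blocked, which only holds once this check is marked required in branch protection; a sentence noting that this still has to be configured would keep the comment honest.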
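Review bot: The new `Harden Runner` step is inserted between the comment ending `a local checkout beforehand.` and the `Fetch LLVM sources (Push)` step that comment explains, so the explanation now reads as if it described the hardening step. Move the step above the comment block (the blank line after `egress-policy: audit` then separates it cleanly); the same placement problem appears in pr-request-release-note.yml, where the step splits `We need to pull the script from the main branch…` from `Checkout Scripts`. The comment block begins outside this hunk.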
@@ -94,11 +99,11 @@ jobs: - 'flang/include/flang/Optimizer/Dialect/FIROps.td' - name: Fetch LLVM sources (PR) if: ${{ github.event_name == 'pull_request' }} - uses: actions/checkout@v4.2.2 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 1 - name: Setup Python env - uses: actions/setup-python@v5 + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: python-version: '3.11' cache: 'pip' diff --git a/.github/workflows/issue-release-workflow.yml b/.github/workflows/issue-release-workflow.yml index 95a41bbbee47..87706f30bea9 100644 --- a/.github/workflows/issue-release-workflow.yml +++ b/.github/workflows/issue-release-workflow.yml @@ -38,8 +38,13 @@ jobs: !startswith(github.event.comment.body, '') && contains(github.event.action == 'opened' && github.event.issue.body || github.event.comment.body, '/cherry-pick') steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Fetch LLVM sources - uses: actions/checkout@v4.2.2 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: llvm/llvm-project # GitHub stores the token used for checkout and uses it for pushes @@ -73,8 +78,13 @@ jobs: contains(github.event.comment.body, '/branch ') steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Fetch LLVM sources - uses: actions/checkout@v4.2.2 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false diff --git a/.github/workflows/issue-subscriber.yml b/.github/workflows/issue-subscriber.yml index fd8ef5ba6c6f..806576ccfb3d 100644 --- a/.github/workflows/issue-subscriber.yml +++ b/.github/workflows/issue-subscriber.yml 
@@ -13,8 +13,13 @@ jobs: runs-on: ubuntu-latest if: github.repository == 'llvm/llvm-project' steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Checkout Automation Script - uses: actions/checkout@v4.2.2 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: sparse-checkout: llvm/utils/git/ ref: main diff --git a/.github/workflows/libclang-abi-tests.yml b/.github/workflows/libclang-abi-tests.yml index 0d7ccd1ebf72..acc711a6568f 100644 --- a/.github/workflows/libclang-abi-tests.yml +++ b/.github/workflows/libclang-abi-tests.yml @@ -37,14 +37,19 @@ jobs: LLVM_VERSION_MINOR: ${{ steps.version.outputs.LLVM_VERSION_MINOR }} LLVM_VERSION_PATCH: ${{ steps.version.outputs.LLVM_VERSION_PATCH }} steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Checkout source - uses: actions/checkout@v4.2.2 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 250 - name: Get LLVM version id: version - uses: llvm/actions/get-llvm-version@main + uses: llvm/actions/get-llvm-version@a1ea791b03c8e61f53a0e66f2f73db283aa0f01e # main - name: Setup Variables id: vars @@ -99,8 +104,13 @@ jobs: ref: ${{ github.sha }} repo: ${{ github.repository }} steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Install Ninja - uses: llvm/actions/install-ninja@main + uses: llvm/actions/install-ninja@a1ea791b03c8e61f53a0e66f2f73db283aa0f01e # main - name: Install abi-compliance-checker run: | sudo apt-get install abi-dumper autoconf pkg-config 
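Review bot: The `llvm/actions/*` steps here are pinned to `a1ea791b03c8e61f53a0e66f2f73db283aa0f01e`, while release-binaries.yml — visible in that file's unchanged context lines — pins the same actions to `22e9f909d35b50bd1181709564bfe816eaeaae81`; both carry the comment `# main`, so the repository now tracks two different snapshots of one action set without saying so. Pick a single commit for this file, llvm-tests.yml, llvm-project-tests.yml and new-issues.yml, or document why the release workflows stay behind. Since `main` is not a version, the comment should carry something a reader can check, e.g. `# main as of <DATE>` (placeholder); otherwise neither a reviewer nor Dependabot can tell whether the pin is stale.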
@@ -112,7 +122,7 @@ jobs: ./configure sudo make install - name: Download source code - uses: llvm/actions/get-llvm-project-src@main + uses: llvm/actions/get-llvm-project-src@a1ea791b03c8e61f53a0e66f2f73db283aa0f01e # main with: ref: ${{ matrix.ref }} repo: ${{ matrix.repo }} @@ -130,7 +140,7 @@ jobs: sed -i 's/LLVM_[0-9]\+/LLVM_NOVERSION/' $lib-${{ matrix.ref }}.abi done - name: Upload ABI file - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: ${{ matrix.name }} path: '*${{ matrix.ref }}.abi' @@ -142,13 +152,18 @@ jobs: - abi-dump-setup - abi-dump steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Download baseline - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: build-baseline path: build-baseline - name: Download latest - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: build-latest path: build-latest @@ -162,7 +177,7 @@ jobs: done - name: Upload ABI Comparison if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: compat-report-${{ github.sha }} path: compat_reports/ diff --git a/.github/workflows/libcxx-build-and-test.yaml b/.github/workflows/libcxx-build-and-test.yaml index 2c5fa44f0e96..0ee3dcfcc40f 100644 --- a/.github/workflows/libcxx-build-and-test.yaml +++ b/.github/workflows/libcxx-build-and-test.yaml 
@@ -68,14 +68,19 @@ jobs: cxx: 'g++-13' clang_tidy: 'OFF' steps: - - uses: actions/checkout@v4.2.2 + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: ${{ matrix.config }}.${{ matrix.cxx }} run: libcxx/utils/ci/run-buildbot ${{ matrix.config }} env: CC: ${{ matrix.cc }} CXX: ${{ matrix.cxx }} ENABLE_CLANG_TIDY: ${{ matrix.clang_tidy }} - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 if: always() with: name: ${{ matrix.config }}-${{ matrix.cxx }}-results @@ -117,14 +122,19 @@ jobs: cxx: 'clang++-17' clang_tidy: 'OFF' steps: - - uses: actions/checkout@v4.2.2 + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: ${{ matrix.config }} run: libcxx/utils/ci/run-buildbot ${{ matrix.config }} env: CC: ${{ matrix.cc }} CXX: ${{ matrix.cxx }} ENABLE_CLANG_TIDY: ${{ matrix.clang_tidy }} - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 if: always() # Upload artifacts even if the build or test suite fails with: name: ${{ matrix.config }}-results 
@@ -182,14 +192,19 @@ jobs: machine: libcxx-runners-8-set runs-on: ${{ matrix.machine }} steps: - - uses: actions/checkout@v4.2.2 + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: ${{ matrix.config }} run: libcxx/utils/ci/run-buildbot ${{ matrix.config }} env: CC: clang-18 CXX: clang++-18 ENABLE_CLANG_TIDY: "OFF" - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 if: always() with: name: ${{ matrix.config }}-results diff --git a/.github/workflows/libcxx-check-generated-files.yml b/.github/workflows/libcxx-check-generated-files.yml index 86743a87f2b2..9e07ae4fe430 100644 --- a/.github/workflows/libcxx-check-generated-files.yml +++ b/.github/workflows/libcxx-check-generated-files.yml @@ -11,11 +11,16 @@ jobs: check_generated_files: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Fetch LLVM sources - uses: actions/checkout@v4.2.2 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Install dependencies - uses: aminya/setup-cpp@v1 + uses: aminya/setup-cpp@d485b24c1283deafc12b4b8ae90ff09c0d1eb972 # v1 with: clangformat: 17.0.1 ninja: true diff --git a/.github/workflows/llvm-bugs.yml b/.github/workflows/llvm-bugs.yml index 4797eea4e3d3..e8d1fd29a9a4 100644 --- a/.github/workflows/llvm-bugs.yml +++ b/.github/workflows/llvm-bugs.yml 
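Review bot: The comment `# v1` on the `aminya/setup-cpp` pin names a floating major tag rather than the release the SHA resolves to, so the comment can neither verify the pin nor reveal when it goes stale; the same `# v1` appears on the setup-cpp pins in pr-code-format.yml and release-lit.yml, and `# release/v1` on `pypa/gh-action-pypi-publish` in release-lit.yml has the same problem. Record the exact tag the commit corresponds to, e.g. `# v1.<EXACT-VERSION>` (placeholder), as was done for `actions/checkout` and `actions/setup-python`.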
@@ -14,13 +14,18 @@ jobs: runs-on: ubuntu-latest if: github.repository == 'llvm/llvm-project' steps: - - uses: actions/setup-node@v4 + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + + - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: node-version: 18 check-latest: true - run: npm install mailgun.js form-data - name: Send notification - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 env: MAILGUN_API_KEY: ${{ secrets.LLVM_BUGS_KEY }} with: diff --git a/.github/workflows/llvm-project-tests.yml b/.github/workflows/llvm-project-tests.yml index 889983fc0832..7bd241998476 100644 --- a/.github/workflows/llvm-project-tests.yml +++ b/.github/workflows/llvm-project-tests.yml @@ -67,9 +67,14 @@ jobs: matrix: os: ${{ fromJSON(inputs.os_list) }} steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Setup Windows if: startsWith(matrix.os, 'windows') - uses: llvm/actions/setup-windows@main + uses: llvm/actions/setup-windows@a1ea791b03c8e61f53a0e66f2f73db283aa0f01e # main with: arch: amd64 # On Windows, starting with win19/20220814.1, cmake choose the 32-bit 
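Review bot: This job's matrix is `${{ fromJSON(inputs.os_list) }}` and the steps that follow are gated on Windows and on `runner.os != 'Linux'`, so the unconditional `Harden Runner` step also runs on Windows and macOS runners, which the action documents as unsupported; depending on the action version it either warns and skips or fails the job, and either way it adds nothing there. Gate it with `if: runner.os == 'Linux'`. The libcxx-build-and-test.yaml jobs that run on `${{ matrix.machine }}` (self-hosted `libcxx-runners-*`) deserve the same look, since harden-runner's self-hosted support has its own prerequisites. The job continues outside this hunk.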
@@ -77,20 +82,20 @@ jobs: # lldb. Using this setup-python action to make 3.10 the default # python fixes this. - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: python-version: ${{ inputs.python_version }} - name: Install Ninja if: runner.os != 'Linux' - uses: llvm/actions/install-ninja@main + uses: llvm/actions/install-ninja@a1ea791b03c8e61f53a0e66f2f73db283aa0f01e # main # actions/checkout deletes any existing files in the new git directory, # so this needs to either run before ccache-action or it has to use # clean: false. - - uses: actions/checkout@v4.2.2 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 250 - name: Setup ccache - uses: hendrikmuhs/ccache-action@v1 + uses: hendrikmuhs/ccache-action@ed74d11c0b343532753ecead8a951bb09bb34bc9 # v1.2.14 with: # A full build of llvm, clang, lld, and lldb takes about 250MB # of ccache space. There's not much reason to have more than this, diff --git a/.github/workflows/llvm-tests.yml b/.github/workflows/llvm-tests.yml index 0de4c1d47917..d0f3e89dfbfe 100644 --- a/.github/workflows/llvm-tests.yml +++ b/.github/workflows/llvm-tests.yml @@ -47,14 +47,19 @@ jobs: LLVM_VERSION_MINOR: ${{ steps.version.outputs.LLVM_VERSION_MINOR }} LLVM_VERSION_PATCH: ${{ steps.version.outputs.LLVM_VERSION_PATCH }} steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Checkout source - uses: actions/checkout@v4.2.2 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 250 - name: Get LLVM version id: version - uses: llvm/actions/get-llvm-version@main + uses: llvm/actions/get-llvm-version@a1ea791b03c8e61f53a0e66f2f73db283aa0f01e # main - name: Setup Variables id: vars 
@@ -97,8 +102,13 @@ jobs: ref: ${{ github.sha }} repo: ${{ github.repository }} steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Install Ninja - uses: llvm/actions/install-ninja@main + uses: llvm/actions/install-ninja@a1ea791b03c8e61f53a0e66f2f73db283aa0f01e # main - name: Install abi-compliance-checker run: | sudo apt-get install abi-dumper autoconf pkg-config @@ -110,7 +120,7 @@ jobs: ./configure sudo make install - name: Download source code - uses: llvm/actions/get-llvm-project-src@main + uses: llvm/actions/get-llvm-project-src@a1ea791b03c8e61f53a0e66f2f73db283aa0f01e # main with: ref: ${{ matrix.ref }} repo: ${{ matrix.repo }} @@ -137,14 +147,14 @@ jobs: # Remove symbol versioning from dumps, so we can compare across major versions. sed -i 's/LLVM_${{ matrix.llvm_version_major }}/LLVM_NOVERSION/' ${{ matrix.ref }}.abi - name: Upload ABI file - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: ${{ matrix.name }} path: ${{ matrix.ref }}.abi - name: Upload symbol list file if: matrix.name == 'build-baseline' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: symbol-list path: llvm.symbols 
@@ -156,18 +166,23 @@ jobs: - abi-dump-setup - abi-dump steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Download baseline - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: build-baseline path: build-baseline - name: Download latest - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: build-latest path: build-latest - name: Download symbol list - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: symbol-list path: symbol-list @@ -186,7 +201,7 @@ jobs: abi-compliance-checker $EXTRA_ARGS -l libLLVM.so -old build-baseline/*.abi -new build-latest/*.abi || test "${{ needs.abi-dump-setup.outputs.ABI_HEADERS }}" = "llvm-c" - name: Upload ABI Comparison if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: compat-report-${{ github.sha }} path: compat_reports/ diff --git a/.github/workflows/new-issues.yml b/.github/workflows/new-issues.yml index ed15fdb9fba6..727a9a9616d5 100644 --- a/.github/workflows/new-issues.yml +++ b/.github/workflows/new-issues.yml @@ -13,7 +13,12 @@ jobs: runs-on: ubuntu-latest if: github.repository == 'llvm/llvm-project' steps: - - uses: llvm/actions/issue-labeler@main + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + + - uses: llvm/actions/issue-labeler@a1ea791b03c8e61f53a0e66f2f73db283aa0f01e # main with: repo-token: ${{ secrets.GITHUB_TOKEN }} configuration-path: .github/new-issues-labeler.yml diff --git a/.github/workflows/new-prs.yml b/.github/workflows/new-prs.yml index faaa8cf44a67..e9902afcb10e 100644 
--- a/.github/workflows/new-prs.yml +++ b/.github/workflows/new-prs.yml @@ -34,8 +34,13 @@ jobs: (github.event.pull_request.author_association != 'MEMBER') && (github.event.pull_request.author_association != 'OWNER') steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Checkout Automation Script - uses: actions/checkout@v4.2.2 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: sparse-checkout: llvm/utils/git/ ref: main @@ -67,7 +72,12 @@ jobs: github.event.pull_request.draft == false && github.event.pull_request.commits < 10 steps: - - uses: actions/labeler@v5 + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + + - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0 with: configuration-path: .github/new-prs-labeler.yml # workaround for https://github.com/actions/labeler/issues/112 diff --git a/.github/workflows/pr-code-format.yml b/.github/workflows/pr-code-format.yml index cac6ecb14acd..845922aed764 100644 --- a/.github/workflows/pr-code-format.yml +++ b/.github/workflows/pr-code-format.yml @@ -12,13 +12,18 @@ jobs: runs-on: ubuntu-latest if: github.repository == 'llvm/llvm-project' steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Fetch LLVM sources - uses: actions/checkout@v4.2.2 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.head.sha }} - name: Checkout through merge base - uses: rmacklin/fetch-through-merge-base@v0 + uses: rmacklin/fetch-through-merge-base@bfe4d03a86f9afa52bc1a70e9814fc92a07f7b75 # v0.3.0 with: base_ref: ${{ github.event.pull_request.base.ref }} head_ref: ${{ github.event.pull_request.head.sha }} 
@@ -26,7 +31,7 @@ jobs: - name: Get changed files id: changed-files - uses: tj-actions/changed-files@v45 + uses: tj-actions/changed-files@c3a1bb2c992d77180ae65be6ae6c166cf40f857c # v45.0.3 with: separator: "," skip_initial_fetch: true @@ -35,7 +40,7 @@ jobs: # PR for security reasons as we're using pull_request_target. Checkout # the target branch with the necessary files. - name: Fetch code formatting utils - uses: actions/checkout@v4.2.2 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: sparse-checkout: | llvm/utils/git/requirements_formatting.txt @@ -51,12 +56,12 @@ jobs: echo "$CHANGED_FILES" - name: Install clang-format - uses: aminya/setup-cpp@v1 + uses: aminya/setup-cpp@d485b24c1283deafc12b4b8ae90ff09c0d1eb972 # v1 with: clangformat: 17.0.1 - name: Setup Python env - uses: actions/setup-python@v5 + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: python-version: '3.11' cache: 'pip' diff --git a/.github/workflows/pr-request-release-note.yml b/.github/workflows/pr-request-release-note.yml index 1051d6395c21..8ef2bc9b34f2 100644 --- a/.github/workflows/pr-request-release-note.yml +++ b/.github/workflows/pr-request-release-note.yml @@ -19,6 +19,11 @@ jobs: steps: # We need to pull the script from the main branch, so that we ensure # we get the latest version of this script. + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Checkout Scripts uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: diff --git a/.github/workflows/pr-subscriber.yml b/.github/workflows/pr-subscriber.yml index b41166c6e50b..59193327b481 100644 --- a/.github/workflows/pr-subscriber.yml +++ b/.github/workflows/pr-subscriber.yml 
@@ -13,8 +13,13 @@ jobs: runs-on: ubuntu-latest if: github.repository == 'llvm/llvm-project' steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Checkout Automation Script - uses: actions/checkout@v4.2.2 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: sparse-checkout: llvm/utils/git/ ref: main diff --git a/.github/workflows/release-binaries.yml b/.github/workflows/release-binaries.yml index 6001560b3bbe..f1b163021023 100644 --- a/.github/workflows/release-binaries.yml +++ b/.github/workflows/release-binaries.yml @@ -42,6 +42,11 @@ jobs: upload: ${{ steps.vars.outputs.upload }} steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Checkout LLVM uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -88,6 +93,11 @@ jobs: runs-on: ubuntu-22.04 if: github.repository == 'llvm/llvm-project' steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Checkout LLVM uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: @@ -138,6 +148,11 @@ jobs: runs-on: ubuntu-22.04 if: github.repository == 'llvm/llvm-project' steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Install Ninja uses: llvm/actions/install-ninja@22e9f909d35b50bd1181709564bfe816eaeaae81 # main 
@@ -191,6 +206,11 @@ jobs: runs-on: ubuntu-22.04-16x64 if: github.repository == 'llvm/llvm-project' steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Install Ninja uses: llvm/actions/install-ninja@22e9f909d35b50bd1181709564bfe816eaeaae81 # main @@ -261,6 +281,11 @@ jobs: contents: write # For release uploads steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: 'Download artifact' uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: @@ -284,6 +309,11 @@ jobs: runs-on: ubuntu-22.04 if: github.repository == 'llvm/llvm-project' steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Install Ninja uses: llvm/actions/install-ninja@22e9f909d35b50bd1181709564bfe816eaeaae81 # main diff --git a/.github/workflows/release-documentation.yml b/.github/workflows/release-documentation.yml index c719e1afb79b..6c16e4ac8e20 100644 --- a/.github/workflows/release-documentation.yml +++ b/.github/workflows/release-documentation.yml @@ -33,11 +33,16 @@ jobs: env: upload: ${{ inputs.upload && !contains(inputs.release-version, 'rc') }} steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Checkout LLVM uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Setup Python env - uses: actions/setup-python@v5 + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: cache: 'pip' cache-dependency-path: './llvm/docs/requirements.txt' 
@@ -59,7 +64,7 @@ jobs: ./llvm/utils/release/build-docs.sh -release "${{ inputs.release-version }}" -no-doxygen - name: Create Release Notes Artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: release-notes path: docs-build/html-export/ diff --git a/.github/workflows/release-doxygen.yml b/.github/workflows/release-doxygen.yml index b0c1243f4a4f..88210e2bd8e5 100644 --- a/.github/workflows/release-doxygen.yml +++ b/.github/workflows/release-doxygen.yml @@ -35,11 +35,16 @@ jobs: env: upload: ${{ inputs.upload && !contains(inputs.release-version, 'rc') }} steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Checkout LLVM uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Setup Python env - uses: actions/setup-python@v5 + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: cache: 'pip' cache-dependency-path: './llvm/docs/requirements.txt' diff --git a/.github/workflows/release-lit.yml b/.github/workflows/release-lit.yml index 81b326774e47..fd3cfdab9567 100644 --- a/.github/workflows/release-lit.yml +++ b/.github/workflows/release-lit.yml @@ -23,6 +23,11 @@ jobs: name: Release Lit runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Checkout LLVM uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: @@ -40,7 +45,7 @@ jobs: ./llvm/utils/release/./github-upload-release.py --token "$GITHUB_TOKEN" --user ${{ github.actor }} check-permissions - name: Setup Cpp - uses: aminya/setup-cpp@v1 + uses: aminya/setup-cpp@d485b24c1283deafc12b4b8ae90ff09c0d1eb972 # v1 with: compiler: llvm-16.0.6 cmake: true 
@@ -61,14 +66,14 @@ jobs: python3 setup.py sdist bdist_wheel - name: Upload lit to test.pypi.org - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@fb13cb306901256ace3dab689990e13a5550ffaa # release/v1 with: password: ${{ secrets.LLVM_LIT_TEST_PYPI_API_TOKEN }} repository-url: https://test.pypi.org/legacy/ packages-dir: llvm/utils/lit/dist/ - name: Upload lit to pypi.org - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@fb13cb306901256ace3dab689990e13a5550ffaa # release/v1 with: password: ${{ secrets.LLVM_LIT_PYPI_API_TOKEN }} packages-dir: llvm/utils/lit/dist/ diff --git a/.github/workflows/release-tasks.yml b/.github/workflows/release-tasks.yml index af51763e248f..4f1f8b91d779 100644 --- a/.github/workflows/release-tasks.yml +++ b/.github/workflows/release-tasks.yml @@ -17,6 +17,11 @@ jobs: outputs: release-version: ${{ steps.validate-tag.outputs.release-version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Validate Tag id: validate-tag run: | @@ -30,6 +35,11 @@ jobs: needs: validate-tag steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Install Dependencies run: | sudo apt-get update diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 2cef019ec4cb..99e970a36a15 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -30,6 +30,11 @@ jobs: id-token: write steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: "Checkout code" uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: 
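Review bot: Both `pypa/gh-action-pypi-publish@fb13cb306901256ace3dab689990e13a5550ffaa # release/v1` pins carry a branch name in the comment, so the comment no longer identifies the release the SHA corresponds to; it should name the tagged version, consistent with the other pins in this commit. The two upload steps also still authenticate with long-lived tokens from `secrets.LLVM_LIT_TEST_PYPI_API_TOKEN` and `secrets.LLVM_LIT_PYPI_API_TOKEN`; this same action supports PyPI trusted publishing, which replaces those secrets with a short-lived OIDC token at the cost of granting the job `id-token: write`. That is a separate change, but worth a `# TODO: move to trusted publishing` beside the `password:` lines so the secret does not outlive this hardening pass. The job's earlier steps lie outside the hunk.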
diff --git a/.github/workflows/version-check.yml b/.github/workflows/version-check.yml index 2ac4b18a8f6b..b8e737b476aa 100644 --- a/.github/workflows/version-check.yml +++ b/.github/workflows/version-check.yml @@ -16,8 +16,13 @@ jobs: if: github.repository_owner == 'llvm' runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Fetch LLVM sources - uses: actions/checkout@v4.2.2 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 000000000000..ef2c0ad5cf8d --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,30 @@ +repos: +- repo: https://github.com/digitalpulp/pre-commit-php + rev: 1.4.0 + hooks: + - id: php-lint-all +- repo: https://github.com/gitleaks/gitleaks + rev: v8.16.3 + hooks: + - id: gitleaks +- repo: https://github.com/jumanjihouse/pre-commit-hooks + rev: 3.0.0 + hooks: + - id: shellcheck +- repo: https://github.com/pocc/pre-commit-hooks + rev: v1.3.5 + hooks: + - id: cpplint +- repo: https://github.com/pre-commit/mirrors-eslint + rev: v8.38.0 + hooks: + - id: eslint +- repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.4.0 + hooks: + - id: end-of-file-fixer + - id: trailing-whitespace +- repo: https://github.com/pylint-dev/pylint + rev: v2.17.2 + hooks: + - id: pylint diff --git a/bolt/utils/docker/Dockerfile b/bolt/utils/docker/Dockerfile index 722a07e46f9e..5d919d357ebe 100644 --- a/bolt/utils/docker/Dockerfile +++ b/bolt/utils/docker/Dockerfile @@ -1,4 +1,4 @@ -FROM ubuntu:20.04 AS builder +FROM ubuntu:20.04@sha256:8e5c4f0285ecbb4ead070431d29b576a530d3166df73ec44affc1cd27555141b AS builder ARG DEBIAN_FRONTEND=noninteractive ENV TZ=UTC 
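Review bot: Every `rev:` in the new `.pre-commit-config.yaml` is a tag (`1.4.0`, `v8.16.3`, `3.0.0`, …), which is mutable, while the workflows in this same commit pin actions to commit SHAs; the gitleaks entry in particular runs on every developer commit and should be pinned the same way, e.g. `rev: <full commit sha>  # v8.16.3`. Two hooks also look out of place for this tree: `php-lint-all` presumably has nothing to lint in an LLVM checkout and `eslint` will only fire on JavaScript, so confirm they are intended rather than carried over from a template. The chosen revisions (pylint v2.17.2, eslint v8.38.0, gitleaks v8.16.3) are also noticeably older than the action pins elsewhere in the commit, so running `pre-commit autoupdate` before landing would avoid starting from stale scanners.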
@@ -26,6 +26,6 @@ RUN mkdir build && \
 ninja install-llvm-bolt install-perf2bolt install-merge-fdata \
 install-llvm-boltdiff install-bolt_rt
-FROM ubuntu:20.04
+FROM ubuntu:20.04@sha256:8e5c4f0285ecbb4ead070431d29b576a530d3166df73ec44affc1cd27555141b
 COPY --from=builder /home/bolt/install /usr/local
diff --git a/clang/tools/clang-fuzzer/Dockerfile b/clang/tools/clang-fuzzer/Dockerfile
index 1ddf82954e21..fd2e35a8a949 100644
--- a/clang/tools/clang-fuzzer/Dockerfile
+++ b/clang/tools/clang-fuzzer/Dockerfile
@@ -6,7 +6,7 @@
 #
 #===----------------------------------------------------------------------===//
 # Produces an image that builds clang-proto-fuzzer
-FROM ubuntu:16.04
+FROM ubuntu:16.04@sha256:1f1a2d56de1d604801a9671f301190704c25d604a416f59e03c04f5c6ffee0d6
 RUN apt-get update -y
 RUN apt-get install -y autoconf automake libtool curl make g++ unzip wget git \
 binutils liblzma-dev libz-dev python-all cmake ninja-build subversion \
diff --git a/clang/utils/analyzer/Dockerfile b/clang/utils/analyzer/Dockerfile
index cc73ed973b81..39ff29cd4211 100644
--- a/clang/utils/analyzer/Dockerfile
+++ b/clang/utils/analyzer/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu:bionic
+FROM ubuntu:bionic@sha256:152dc042452c496007f07ca9127571cb9c29697f42acbfad72324b2bb2e43c98
 RUN apt-get update && apt-get install -y \
 apt-transport-https \
diff --git a/libc/utils/buildbot/Dockerfile b/libc/utils/buildbot/Dockerfile
index 8c497be6db0c..5afd9181d33f 100644
--- a/libc/utils/buildbot/Dockerfile
+++ b/libc/utils/buildbot/Dockerfile
@@ -1,4 +1,4 @@
-FROM debian:10
+FROM debian:10@sha256:58ce6f1271ae1c8a2006ff7d3e54e9874d839f573d8009c20154ad0f2fb0a225
 # Installing dependencies.
 RUN dpkg --add-architecture i386
diff --git a/libcxx/utils/ci/Dockerfile b/libcxx/utils/ci/Dockerfile
index 225de937cc86..e932eab61670 100644
--- a/libcxx/utils/ci/Dockerfile
+++ b/libcxx/utils/ci/Dockerfile
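Review bot: Pinning `FROM ubuntu:16.04@sha256:1f1a2d56…` freezes an image whose release (xenial) left standard support years ago, so the digest can only ever point at an unpatched base and no automated bump will change that; the pin buys reproducibility but no security. Either move this fuzzer image to a supported release or record the situation on the line itself, e.g. `# ubuntu:16.04 is end-of-life: digest pinned for reproducibility only, no security updates will arrive`. The context lines also split `apt-get update -y` and `apt-get install` into separate `RUN` layers, which lets a cached stale package index be reused on rebuild, but that predates this change.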
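Review bot: `ubuntu:bionic` (18.04) is likewise past the end of standard support, so the new digest pin `152dc042…` fixes the analyzer image at a base that will not receive security fixes through this tag again. If the image has to stay on bionic, say so next to the FROM line, `# bionic is EOL: pinned for reproducibility, not for patching`; otherwise bump the base so that future digest refreshes actually bring fixes.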
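Review bot: `debian:10` (buster) has left Debian LTS support, so pinning it to `58ce6f12…` locks the buildbot image to a base that no longer receives security updates; the `dpkg --add-architecture i386` context line suggests the image then installs a sizable 32-bit package set from that same frozen archive. Consider moving to a supported Debian release, or at least annotate the pin: `# debian:10 is out of LTS support: digest frozen for reproducibility only`.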
@@ -158,7 +158,7 @@ EOF
 # Android Buildkite Image
 # ===----------------------------------------------------------------------===##
-FROM ubuntu:jammy AS android-builder-base
+FROM ubuntu:jammy@sha256:0e5e4a57c2499249aafc3b40fcd541e9a456aab7296681a3994d631587203f97 AS android-builder-base
 ARG ANDROID_CLANG_VERSION
 ARG ANDROID_CLANG_PREBUILTS_COMMIT