38 changes: 7 additions & 31 deletions .github/workflows/build-test.yml
Expand Up @@ -12,37 +12,13 @@ on:

jobs:
build-and-test:
runs-on: self-hosted
container:
image: registry.cern.ch/ship/gha-runner:latest
volumes:
- /cvmfs/sft.cern.ch:/cvmfs/sft.cern.ch
- /cvmfs/ship-nightlies.cern.ch:/cvmfs/ship-nightlies.cern.ch
- /cvmfs/geant4.cern.ch:/cvmfs/geant4.cern.ch

env:
WORK_DIR: /cvmfs/ship-nightlies.cern.ch/GeoModel/sw/

runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v6

- name: Configure
run: |
source /cvmfs/sft.cern.ch/lcg/views/LCG_109/x86_64-el9-gcc15-opt/setup.sh
source /cvmfs/ship-nightlies.cern.ch/GeoModel/sw/slc9_x86-64/GeoModel/6.24.0-local2/etc/profile.d/init.sh
cmake -S . -B build \
-DCMAKE_BUILD_TYPE=RelWithDebInfo \
-DCMAKE_PREFIX_PATH="/cvmfs/ship-nightlies.cern.ch/GeoModel/sw/slc9_x86-64/GeoModel/6.24.0-local2;/cvmfs/sft.cern.ch/lcg/releases/qt6/6.8.3-4d4f0/x86_64-el9-gcc15-opt"
- uses: actions/checkout@v6

- name: Build
run: |
source /cvmfs/sft.cern.ch/lcg/views/LCG_109/x86_64-el9-gcc15-opt/setup.sh
source /cvmfs/ship-nightlies.cern.ch/GeoModel/sw/slc9_x86-64/GeoModel/6.24.0-local2/etc/profile.d/init.sh
cmake --build build -j$(nproc)
- uses: prefix-dev/setup-pixi@v0.9.6
with:
cache: true
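Review bot: nothing in this hunk scopes the job token for build-and-test after the move to ubuntu-latest; unless a permissions: block is set above line 12, the token keeps the repository's default scope, which a build/test job does not need. Add permissions: with contents: read at the workflow or job level. A second point on the same lines: the toolchain that was sourced from the removed cvmfs mounts (LCG_109, GeoModel 6.24.0-local2) now comes entirely from the pixi manifest, which is not part of this diff, so please confirm the lock file is committed so the hosted runner resolves the same versions on every run rather than re-solving at each job.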
Comment on lines +17 to +21
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/build-test.yml"
echo "=== File: $FILE ==="
if [ ! -f "$FILE" ]; then
  echo "Missing $FILE" >&2
  exit 1
fi

nl -ba "$FILE" | sed -n '1,120p'
echo "=== Search for checkout options ==="
rg -n "actions/checkout@|persist-credentials|token|GITHUB_TOKEN" .github/workflows/build-test.yml || true
echo "=== Search for other checkout usages in workflows ==="
rg -n "uses:\s*actions/checkout@|persist-credentials" .github/workflows || true

Repository: ShipSoft/Geometry

Length of output: 170


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/build-test.yml"
echo "=== File: $FILE ==="
if [ ! -f "$FILE" ]; then
  echo "Missing $FILE" >&2
  exit 1
fi

echo "=== Showing first 140 lines (for context) ==="
awk 'NR>=1 && NR<=140 {printf "%5d: %s\n", NR, $0}' "$FILE"

echo "=== Search within $FILE for checkout/setup-pixi usage and credential settings ==="
rg -n "uses:\s*actions/checkout@|uses:\s*prefix-dev/setup-pixi@|persist-credentials|GITHUB_TOKEN|token:" "$FILE" || true

echo "=== Search across workflows for checkout with persist-credentials ==="
rg -n "uses:\s*actions/checkout@|persist-credentials" .github/workflows || true

Repository: ShipSoft/Geometry

Length of output: 1110


🌐 Web query:

actions/checkout persist-credentials default value token in git config

💡 Result:

The default value for the persist-credentials input in actions/checkout is true [1][2]. When enabled (default), the action configures the GitHub Actions authentication token (or SSH key) to allow subsequent git commands in your workflow to run authenticated [1][3]. Recent versions of actions/checkout have improved security by storing these credentials in a separate file under $RUNNER_TEMP and using git includeIf directives, rather than writing the credentials directly into the local .git/config file as was done in earlier implementations [1][4]. This token or credential configuration is automatically cleaned up by the action during the post-job step [1][3]. If you wish to prevent this behavior, you can explicitly set persist-credentials: false in your workflow step [1][2].

Citations:


Pin action references to full SHAs and disable checkout credential persistence.

In .github/workflows/build-test.yml (Lines 17-21), actions/checkout@v6 (Line 17) and prefix-dev/setup-pixi@v0.9.6 (Line 19) are using mutable tags. actions/checkout defaults persist-credentials to true, so the GitHub token/credentials are configured for subsequent git commands; for repo-controlled build/test steps, set persist-credentials: false and pin both actions to full commit SHAs.

Proposed hardening
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@<FULL_LENGTH_COMMIT_SHA>
+        with:
+          persist-credentials: false

-      - uses: prefix-dev/setup-pixi@v0.9.6
+      - uses: prefix-dev/setup-pixi@<FULL_LENGTH_COMMIT_SHA>
         with:
           cache: true
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 17-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 19-19: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-test.yml around lines 17 - 21, Replace the mutable
action tags with their full commit SHAs and disable credential persistence for
checkout: update the actions referenced as actions/checkout (change tag to the
full SHA) and prefix-dev/setup-pixi (change tag to the full SHA) and add
persist-credentials: false to the actions/checkout step; ensure you reference
the checkout step by name/actions/checkout and the pixi setup step by
prefix-dev/setup-pixi when making these edits.

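Added example, not part of the review comment above and not code from the ShipSoft/Geometry repository: a stdlib-only Python checker for the two zizmor findings quoted in that comment (unpinned-uses and artipacked). It is a line-based check rather than a YAML parser, so it only understands the common step layout, and it runs offline over a constructed copy of the post-change steps plus a hardened variant. The 40-hex SHAs in the hardened variant are placeholders (real pins come from git ls-remote against the tag), and the permissions block there is an assumed hardening, not something in this PR.

```python
import re

# Constructed sample input: the two action steps from the post-change
# build-test.yml (retyped here, not the repository's file), as the weak case.
WEAK_WORKFLOW = """\
jobs:
  build-and-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

      - uses: prefix-dev/setup-pixi@v0.9.6
        with:
          cache: true

      - name: Build and test
        run: pixi run test
"""

# Constructed hardened variant. The SHAs are placeholders, not real commits;
# the permissions block is an assumption about how the job should be scoped.
HARDENED_WORKFLOW = """\
jobs:
  build-and-test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v6 (placeholder SHA)
        with:
          persist-credentials: false

      - uses: prefix-dev/setup-pixi@89abcdef0123456789abcdef0123456789abcdef  # v0.9.6 (placeholder SHA)
        with:
          cache: true

      - name: Build and test
        run: pixi run test
"""

USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PERSIST_OFF_RE = re.compile(r"^\s*persist-credentials:\s*['\"]?false['\"]?\s*(?:#.*)?$")


def _indent(line):
    return len(line) - len(line.lstrip())


def _step_bounds(lines, i):
    """Return (start, end) of the YAML list item (the step) containing line i.

    Walks back to the line carrying the item's dash, then forward while lines
    are blank or indented deeper than that dash.
    """
    start = i
    while start > 0 and not lines[start].lstrip().startswith("-"):
        start -= 1
    step_indent = _indent(lines[start])
    end = start + 1
    while end < len(lines) and (not lines[end].strip() or _indent(lines[end]) > step_indent):
        end += 1
    return start, end


def check_workflow(text):
    """Flag `uses:` references not pinned to a full commit SHA (unpinned-uses)
    and actions/checkout steps that leave persist-credentials at its default
    of true (artipacked). Returns (line number, rule, reference) tuples."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local or container references; SHA pinning does not apply
        name, _, version = ref.partition("@")
        if not FULL_SHA_RE.match(version):
            findings.append((i + 1, "unpinned-uses", ref))
        if name == "actions/checkout":
            start, end = _step_bounds(lines, i)
            if not any(PERSIST_OFF_RE.match(ln) for ln in lines[start:end]):
                findings.append((i + 1, "artipacked", ref))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{label}:")
        for lineno, rule, ref in check_workflow(text) or [(0, "ok", "-")]:
            print(f"  line {lineno}: {rule} {ref}")
```

Pointing check_workflow at a real file is a matter of reading it and passing the text; the weak sample yields the same three findings zizmor reports on lines 17 and 19 of the PR, and the hardened sample yields none.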

- name: Test
run: |
source /cvmfs/sft.cern.ch/lcg/views/LCG_109/x86_64-el9-gcc15-opt/setup.sh
source /cvmfs/ship-nightlies.cern.ch/GeoModel/sw/slc9_x86-64/GeoModel/6.24.0-local2/etc/profile.d/init.sh
ctest --test-dir build --output-on-failure
- name: Build and test
run: pixi run test
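Review bot: the separate Build and Test steps collapse into the single "pixi run test", so a compile error and a test failure now surface as the same failed step, and the --output-on-failure flag from the removed ctest step now lives, if anywhere, in the pixi task definition, which is not part of this diff. Consider keeping two steps backed by two pixi tasks (one for the build, one for the tests), or confirm that the test task still passes --output-on-failure to ctest so failing test output keeps appearing in the job log.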