Merge pull request #5955 from kmk3/build-codespell-improvements

build: codespell improvements

Author: kmk3

.github/workflows/build-extra.yml

@@ -13,6 +13,7 @@ on:
       - .github/pull_request_template.md
       - .github/workflows/build.yml
       - .github/workflows/codeql-analysis.yml
+      - .github/workflows/codespell.yml
       - .github/workflows/profile-checks.yml
       - .gitignore
       - .gitlab-ci.yml
@@ -35,6 +36,7 @@ on:
       - .github/pull_request_template.md
       - .github/workflows/build.yml
       - .github/workflows/codeql-analysis.yml
+      - .github/workflows/codespell.yml
       - .github/workflows/profile-checks.yml
       - .gitignore
       - .gitlab-ci.yml
@@ -163,25 +165,3 @@ jobs:
     - run: cppcheck --version
     - name: cppcheck
       run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance .
-  codespell:
-    runs-on: ubuntu-22.04
-    steps:
-    - name: Harden Runner
-      uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
-      with:
-        egress-policy: block
-        allowed-endpoints: >
-          archive.ubuntu.com:80
-          azure.archive.ubuntu.com:80
-          github.com:443
-          packages.microsoft.com:443
-          ppa.launchpadcontent.net:443
-          security.ubuntu.com:80
-    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
-    - name: update package information
-      run: sudo apt-get update -qy
-    - name: install dependencies
-      run: sudo apt-get install -qy codespell
-    - run: codespell --version
-    - name: codespell
-      run: make codespell

.github/workflows/build.yml

@@ -9,6 +9,7 @@ on:
       - .github/pull_request_template.md
       - .github/workflows/build-extra.yml
       - .github/workflows/codeql-analysis.yml
+      - .github/workflows/codespell.yml
       - .github/workflows/profile-checks.yml
       - .gitignore
       - .gitlab-ci.yml
@@ -26,6 +27,7 @@ on:
       - .github/pull_request_template.md
       - .github/workflows/build-extra.yml
       - .github/workflows/codeql-analysis.yml
+      - .github/workflows/codespell.yml
       - .github/workflows/profile-checks.yml
       - .gitignore
       - .gitlab-ci.yml

.github/workflows/codeql-analysis.yml

@@ -18,6 +18,7 @@ on:
       - .github/pull_request_template.md
       - .github/workflows/build-extra.yml
       - .github/workflows/build.yml
+      - .github/workflows/codespell.yml
       - .github/workflows/profile-checks.yml
       - .gitignore
       - .gitlab-ci.yml
@@ -40,6 +41,7 @@ on:
       - .github/pull_request_template.md
       - .github/workflows/build-extra.yml
       - .github/workflows/build.yml
+      - .github/workflows/codespell.yml
       - .github/workflows/profile-checks.yml
       - .gitignore
       - .gitlab-ci.yml

.github/workflows/codespell.yml

@@ -0,0 +1,40 @@
+name: Codespell
+
+on:
+  push:
+    paths-ignore:
+      - 'm4/**'
+      - COPYING
+  pull_request:
+    paths-ignore:
+      - 'm4/**'
+      - COPYING
+
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
+jobs:
+  codespell:
+    runs-on: ubuntu-22.04
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+      with:
+        egress-policy: block
+        allowed-endpoints: >
+          archive.ubuntu.com:80
+          azure.archive.ubuntu.com:80
+          github.com:443
+          packages.microsoft.com:443
+          ppa.launchpadcontent.net:443
+          security.ubuntu.com:80
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+    - name: update package information
+      run: sudo apt-get update -qy
+    - name: install dependencies
+      run: sudo apt-get install -qy codespell
+    - name: configure
+      run: ./configure || (cat config.log; exit 1)
+    - run: codespell --version
+    - name: codespell
+      run: make codespell

Makefile

@@ -366,9 +366,16 @@ cppcheck: clean
 scan-build: clean
 	scan-build $(MAKE)
 
+# TODO: Old codespell versions (such as v2.1.0 in CI) have issues with
+# contrib/syscalls.sh
 .PHONY: codespell
-codespell: clean
-	codespell --ignore-regex "UE|creat|doas|ether|isplay|shotcut" src test
+codespell:
+	@printf 'Running %s...\n' $@
+	@codespell --ignore-regex 'UE|als|chage|creat|doas|ether|isplay|readby|[Ss]hotcut' \
+	  -S *.gz,*.o,*.so \
+	  -S COPYING,m4 \
+	  -S ./contrib/syscalls.sh \
+	  .
 
 .PHONY: print-env
 print-env:

RELNOTES

@@ -363,7 +363,7 @@ firejail (0.9.62) baseline; urgency=low
   * whitelisting /usr/share in a large number of profiles
   * new scripts in contrib: gdb-firejail.sh and sort.py
   * enhancement: whitelist /usr/share in some profiles
-  * added signal mediation ot apparmor profile
+  * added signal mediation to apparmor profile
   * new conditions: HAS_X11, HAS_NET
   * new profiles: qgis, klatexformula, klatexformula_cmdl, links, xlinks
   * new profiles: pandoc, teams-for-linux, OpenArena, gnome-sound-recorder
@@ -758,7 +758,7 @@ firejail (0.9.44.4) baseline; urgency=low
 
 firejail (0.9.44.2) baseline; urgency=low
   * security: overwrite /etc/resolv.conf found by Martin Carpenter (CVE-2016-10118)
-  * secuirty: TOCTOU exploit for --get and --put found by Daniel Hodson
+  * security: TOCTOU exploit for --get and --put found by Daniel Hodson
   * security: invalid environment exploit found by Martin Carpenter (CVE-2016-10122)
   * security: several security enhancements
   * bugfix: crashing VLC by pressing Ctrl-O

contrib/jail_prober.py

@@ -151,8 +151,8 @@ def run_firejail(program, all_args):
         if arg:
             myargs.insert(-1, arg)
         subprocess.call(myargs)
-        ans = input('Did %s run correctly? [y]/n ' % program)
-        if ans in ['n', 'N']:
+        answer = input('Did %s run correctly? [y]/n ' % program)
+        if answer in ['n', 'N']:
             bad_args.append(arg)
         elif arg:
             good_args.insert(-1, arg)

etc/profile-a-l/kwin_x11.profile

@@ -5,7 +5,7 @@ include kwin_x11.local
 # Persistent global definitions
 include globals.local
 
-# fix automatical kwin_x11 sandboxing:
+# fix automatic kwin_x11 sandboxing:
 # echo KDEWM=kwin_x11 >> ~/.pam_environment
 
 noblacklist ${HOME}/.cache/kwin

etc/profile-m-z/tvbrowser.profile

@@ -1,5 +1,5 @@
 # Firejail profile for tvbrowser
-# Description: java tv programm form tvbrowser.org
+# Description: java tv program form tvbrowser.org
 # This file is overwritten after every install/update
 # Persistent local customizations
 include tvbrowser.local

etc/profile-m-z/twitch.profile

@@ -1,5 +1,5 @@
 # Firejail profile for twitch
-# Description: Unofficial electron based desktop warpper for Twitch
+# Description: Unofficial electron based desktop wrapper for Twitch
 # This file is overwritten after every install/update
 # Persistent local customizations
 include twitch.local

etc/profile-m-z/youtube.profile

@@ -1,5 +1,5 @@
 # Firejail profile for youtube
-# Description: Unofficial electron based desktop warpper for YouTube
+# Description: Unofficial electron based desktop wrapper for YouTube
 # This file is overwritten after every install/update
 # Persistent local customizations
 include youtube.local

etc/profile-m-z/youtubemusic-nativefier.profile

@@ -1,5 +1,5 @@
 # Firejail profile for youtubemusic-nativefier
-# Description: Unofficial electron based desktop warpper for YouTube Music
+# Description: Unofficial electron based desktop wrapper for YouTube Music
 # This file is overwritten after every install/update
 # Persistent local customizations
 include youtube.local