From 8253353d5496684d961fc33ea31f1da139be373f Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Wed, 26 Nov 2025 12:48:31 +0200
Subject: [PATCH 1/4] Add zizmor to CI and fix findings
---
 .github/dependabot.yml | 2 ++
 .github/workflows/lint.yml | 7 ++++---
 .github/workflows/pypi-package.yml | 5 +++--
 .github/workflows/tests.yml | 6 ++++++
 .github/zizmor.yml | 10 ++++++++++
 .pre-commit-config.yaml | 5 +++++
 6 files changed, 30 insertions(+), 5 deletions(-)
 create mode 100644 .github/zizmor.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 8452ef07..6ff04680 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -10,3 +10,5 @@ updates:
 actions:
 patterns:
 - "*"
+ cooldown:
+ default-days: 14
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 088871c4..4249b627 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -2,18 +2,19 @@ name: Lint
 on: [push, pull_request, workflow_dispatch]
+permissions: {}
+
 env:
 FORCE_COLOR: 1
-permissions:
- contents: read
-
 jobs:
 lint:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v6
 with:
 python-version: "3.x"
diff --git a/.github/workflows/pypi-package.yml b/.github/workflows/pypi-package.yml
index ed0ec1d7..99f02b0c 100644
--- a/.github/workflows/pypi-package.yml
+++ b/.github/workflows/pypi-package.yml
@@ -8,8 +8,7 @@ on:
 - published
 workflow_dispatch:
-permissions:
- contents: read
+permissions: {}
 env:
 FORCE_COLOR: 1
@@ -22,6 +21,8 @@ jobs:
 steps:
 - uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v6
 - name: Compile translations
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index a970872e..47d40d0f 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
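Review bot: The new `cooldown` block in the dependabot.yml hunk has no comment, so the reason for holding back action updates for 14 days is not recorded next to the setting. That delay is the only thing between a freshly published action tag and an automatic update PR, so the intent is worth stating inline, e.g. `cooldown:  # hold new action releases for a while so a pulled or compromised release is not proposed immediately`. The exact window is a policy choice; the comment only needs to capture why a delay exists at all.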
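Review bot: The lint.yml hunk replaces the workflow-level `contents: read` with `permissions: {}` but adds no job-level grant, so the `lint` job now runs with a GITHUB_TOKEN that has no scopes at all; `actions/checkout@v5` should still succeed on a public repository, but it would fail on a private one, and any later step of the job (outside the hunk) that relies on the token would break silently until it runs. If that is the intended end state, a one-line comment above `permissions: {}` such as `# no token scopes needed: public checkout only; grant per job if a step ever needs the token` records the decision; otherwise move the grant under the job as `permissions:` / `contents: read`. The added `persist-credentials: false` is the right companion to this, since it keeps the (now scopeless) token out of the checked-out git config. The same pattern appears in both pypi-package.yml hunks on this line and in the two tests.yml hunks that follow, so whichever option is chosen should be applied to all of them.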
@@ -2,6 +2,8 @@ name: Tests
 on: [push, pull_request, workflow_dispatch]
+permissions: {}
+
 env:
 FORCE_COLOR: 1
@@ -15,6 +17,8 @@ jobs:
 branch: ["3.14", "3.13", "3.12"]
 steps:
 - uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v6
 with:
 python-version: ${{ matrix.branch }}
@@ -60,6 +64,8 @@ jobs:
 python-version: ["3.12", "3"]
 steps:
 - uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v6
 with:
 python-version: ${{ matrix.python-version }}
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 00000000..9b42b47c
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,10 @@
+# Configuration for the zizmor static analysis tool, run via pre-commit in CI
+# https://woodruffw.github.io/zizmor/configuration/
+rules:
+ dangerous-triggers:
+ ignore:
+ - documentation-links.yml
+ unpinned-uses:
+ config:
+ policies:
+ "*": ref-pin
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 9a7e83b3..af1d14d3 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -32,6 +32,11 @@ repos:
 hooks:
 - id: actionlint
+ - repo: https://github.com/woodruffw/zizmor-pre-commit
+ rev: v1.17.0
+ hooks:
+ - id: zizmor
+
 - repo: https://github.com/tox-dev/pyproject-fmt
 rev: v2.5.0
 hooks:
From aef1c32cad8fb63b56fab9b810829bfeff4c3c2e Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Wed, 26 Nov 2025 12:48:50 +0200
Subject: [PATCH 2/4] Use Ruff's GitHub output format
---
 .github/workflows/lint.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 4249b627..67437f9c 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -6,6 +6,7 @@ permissions: {}
 env:
 FORCE_COLOR: 1
+ RUFF_OUTPUT_FORMAT: github
 jobs:
 lint:
From 3aed0002be2ba795a8c73cc70e4fcc695818ecc4 Mon Sep 17 00:00:00 2001
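Review bot: The new .github/zizmor.yml sets the `unpinned-uses` policy to `"*": ref-pin` without recording why, and a ref pin accepts mutable references — `pypa/gh-action-pypi-publish@release/v1` in pypi-package.yml is a branch, which this policy passes even though its contents can change under the publish job at any time. If I recall zizmor's defaults correctly this also relaxes the stricter hash-pin expectation for third-party actions, so the trade-off (Dependabot keeps tag pins current, but tags remain movable) deserves a comment above the `policies:` entry, e.g. `# ref-pin rather than hash-pin: Dependabot tracks tags; tags and branch refs stay mutable`, or a narrower policy that keeps hash-pin for everything outside `actions/*`. Likewise the `dangerous-triggers` ignore for `documentation-links.yml` suppresses a finding in a workflow not part of this series, so a comment stating which trigger is flagged there and why it is acceptable would keep the suppression reviewable. Both are documentation changes only; the file is complete within this hunk.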
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Wed, 26 Nov 2025 12:49:00 +0200
Subject: [PATCH 3/4] attestations: true is the default
---
 .github/workflows/pypi-package.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.github/workflows/pypi-package.yml b/.github/workflows/pypi-package.yml
index 99f02b0c..48f36efd 100644
--- a/.github/workflows/pypi-package.yml
+++ b/.github/workflows/pypi-package.yml
@@ -56,5 +56,3 @@ jobs:
 - name: Upload package to PyPI
 uses: pypa/gh-action-pypi-publish@release/v1
- with:
- attestations: true
From 7980b49133080c1146f0d9128b09f4e7f9b0c5a8 Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Mon, 8 Dec 2025 19:30:01 +0200
Subject: [PATCH 4/4] default-days: 7
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
---
 .github/dependabot.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 6ff04680..5621e4b7 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -11,4 +11,4 @@ updates:
 patterns:
 - "*"
 cooldown:
- default-days: 14
+ default-days: 7
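Review bot: Dropping the explicit `attestations: true` in the pypi-package.yml hunk makes a security-relevant publish setting depend on the action's default, and the `uses:` line tracks the mutable `release/v1` branch, so that default is not something this repository controls. As far as I know attestations are also only produced under trusted publishing, which depends on the job's `permissions` (`id-token: write`) outside this hunk; if either changes, attestations would stop silently with nothing in the workflow to show they were ever expected. If the explicit opt-in is not kept, I would at least leave a comment on the `uses:` line, e.g. `# attestations are generated by default under trusted publishing (job needs id-token: write)`, so a future reader does not assume they are off.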