
Commit c473aa9

committed
fix: improve supply chain protections
1 parent 7a61bfa commit c473aa9

3 files changed

Lines changed: 28 additions & 7 deletions


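--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -16,19 +16,29 @@ jobs:
 commitlint:
 name: Lint Commit Messages
 runs-on: ubuntu-latest
+permissions:
+contents: read
+pull-requests: read
 steps:
 - uses: actions/checkout@v6
 with:
 fetch-depth: 0
 - uses: wagoid/commitlint-github-action@v6.2.1
 lint:
 runs-on: ubuntu-latest
+permissions:
+contents: read
 steps:
 - uses: actions/checkout@v6
-- uses: actions/setup-python@v6
+with:
+persist-credentials: false
+- name: Set up uv
+uses: astral-sh/setup-uv@v8.0.0
 with:
 python-version: "3.11"
-- uses: pre-commit/action@v3.0.1
+activate-environment: true
+- name: Run pre-commit
+run: uv run --frozen pre-commit run --all-files
 
 test:
 strategy:
@@ -38,33 +48,33 @@ jobs:
 - "3.11"
 - "3.14"
 runs-on: ubuntu-latest
+permissions:
+contents: read
 steps:
 - uses: actions/checkout@v6
 - name: Set up uv
-uses: astral-sh/setup-uv@v7
+uses: astral-sh/setup-uv@v8.0.0
 with:
 python-version: ${{ matrix.python-version }}
 activate-environment: true
 - run: uv pip install pip
 - name: Test with Pytest
-run: uv run pytest --log-cli-level=DEBUG -vv -s --cov --cov-branch --cov-report=xml
+run: uv run --frozen pytest --log-cli-level=DEBUG -vv -s --cov --cov-branch --cov-report=xml
 shell: bash
 - name: Upload results to Codecov
 uses: codecov/codecov-action@v5
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
 slug: Python-roborock/python-roborock
 
-
-
 build:
 name: Build Package
 runs-on: ubuntu-latest
 if: github.ref != 'refs/heads/main'
 steps:
 - uses: actions/checkout@v6
 - name: Set up uv
-uses: astral-sh/setup-uv@v7
+uses: astral-sh/setup-uv@v8.0.0
 with:
 python-version: "3.11"
 activate-environment: true
@@ -76,6 +86,10 @@ jobs:
 name: Test Semantic Release
 runs-on: ubuntu-latest
 if: github.event_name == 'pull_request'
+permissions:
+contents: write
+issues: write
+pull-requests: write
 steps:
 - uses: actions/checkout@v6
 with: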
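Review bot: `persist-credentials: false` is added only to the checkout in the `lint` job; the checkouts in `test` and `build` (second hunk) still persist the workflow token for later steps, including `uv run --frozen pytest` and the third-party `codecov/codecov-action@v5`, so the same `with:` / `persist-credentials: false` pair belongs there too. The `build` job also receives no `permissions:` block in the visible lines, unlike `commitlint`, `lint` and `test`; unless a workflow-level default exists outside the hunks, `permissions:` with `contents: read` would bound its token as well. The `Test Semantic Release` job is given `contents: write`, `issues: write` and `pull-requests: write` while gated on `pull_request`; its steps continue outside the hunk, so whether a test run needs all three write scopes should be confirmed. Separately, every `uses:` still references a tag (`actions/checkout@v6`, `astral-sh/setup-uv@v8.0.0`); pinning each to a full commit SHA with the tag kept in a trailing comment removes the dependence on a tag not being moved.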

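--- a/pyproject.toml
+++ b/pyproject.toml
@@ -67,6 +67,9 @@ include = ["roborock"]
 requires = ["hatchling"]
 build-backend = "hatchling.build"
 
+[tool.uv]
+exclude-newer = "3 days"
+
 [tool.semantic_release]
 branch = "main"
 version_toml = ["pyproject.toml:project.version"]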
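Review bot: The new `[tool.uv]` table carries no comment saying why resolution is held back, and `exclude-newer = "3 days"` is a relative value that, as far as I know, older uv releases do not parse (they expect an RFC 3339 timestamp). A line such as `# Cooldown: skip releases published in the last 3 days when resolving` above the key would record the intent, and a `required-version` entry in the same table would make an outdated local uv fail with a clear message instead of a parse error. Because the CI commands in this commit run with `--frozen`, the cutoff presumably takes effect only when `uv.lock` is regenerated, not on each CI run; that is worth stating in the comment as well.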

uv.lock

Lines changed: 4 additions & 0 deletions
