
Commit a9e62f5

authored
add zizmor to scan workflows (#3304)
2 parents e4dbb3e + 97b300c commit a9e62f5

6 files changed

Lines changed: 62 additions & 64 deletions


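--- a/.github/workflows/lock.yaml
+++ b/.github/workflows/lock.yaml
@@ -7,15 +7,17 @@ name: Lock inactive closed issues
 on:
 schedule:
 - cron: '0 0 * * *'
-permissions:
-issues: write
-pull-requests: write
-discussions: write
+permissions: {}
 concurrency:
 group: lock
+cancel-in-progress: true
 jobs:
 lock:
 runs-on: ubuntu-latest
+permissions:
+issues: write
+pull-requests: write
+discussions: write
 steps:
 - uses: dessant/lock-threads@7266a7ce5c1df01b1c6db85bf8cd86c737dadbe7 # v6.0.0
 with: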

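--- a/.github/workflows/pre-commit.yaml
+++ b/.github/workflows/pre-commit.yaml
@@ -3,12 +3,18 @@ on:
 pull_request:
 push:
 branches: [main, stable]
+permissions: {}
+concurrency:
+group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+cancel-in-progress: true
 jobs:
 main:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-- uses: astral-sh/setup-uv@e06108dd0aef18192324c70427afc47652e63a82 # v7.5.0
+with:
+persist-credentials: false
+- uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
 with:
 enable-cache: true
 prune-cache: false
@@ -20,6 +26,4 @@ jobs:
 with:
 path: ~/.cache/pre-commit
 key: pre-commit|${{ hashFiles('pyproject.toml', '.pre-commit-config.yaml') }}
-- run: uv run --locked --group pre-commit pre-commit run --show-diff-on-failure --color=always --all-files
-- uses: pre-commit-ci/lite-action@5d6cc0eb514c891a40562a58a8e71576c5c7fb43 # v1.1.0
-if: ${{ !cancelled() }}
+- run: uv run --locked --no-default-groups --group pre-commit pre-commit run --show-diff-on-failure --color=always --all-files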
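Review bot: The replacement `astral-sh/setup-uv` pin in the first hunk, `5a095e7a… # v7.3.1`, is older than the `e06108dd… # v7.5.0` line it removes, so this commit downgrades the action rather than updating it; the same regression appears in both setup-uv lines of tests.yaml, while publish.yaml (previously on v7.3.0) is the only file that moves forward. That pattern suggests the branch was rebased onto a base that predates a dependency bump, not a deliberate choice. Unless zizmor or the action's changelog gives a reason for v7.3.1, keep the newer pin: `- uses: astral-sh/setup-uv@e06108dd0aef18192324c70427afc47652e63a82 # v7.5.0`. Independently of that, the second hunk silently drops `pre-commit-ci/lite-action` (the auto-fix push step); if that removal is intentional because it needs a write token that `permissions: {}` no longer grants, a one-line comment at the step saying so would save the next reader from re-adding it.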

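--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -2,6 +2,10 @@ name: Publish
 on:
 push:
 tags: ['*']
+permissions: {}
+concurrency:
+group: publish-${{ github.event.push.ref }}
+cancel-in-progress: true
 jobs:
 build:
 runs-on: ubuntu-latest
@@ -11,16 +15,16 @@ jobs:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
-- uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7.3.0
+- uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
 with:
-enable-cache: true
+enable-cache: false
 prune-cache: false
 - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version-file: pyproject.toml
 - run: echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
 - run: uv build
-- uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
 id: upload-artifact
 with:
 name: dist
@@ -32,12 +36,12 @@ jobs:
 permissions:
 contents: write
 steps:
-- uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+- uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
 with:
 artifact-ids: ${{ needs.build.outputs.artifact-id }}
 path: dist/
 - name: create release
-run: gh release create --draft --repo ${{ github.repository }} ${{ github.ref_name }} dist/*
+run: gh release create --draft --repo ${GITHUB_REPOSITORY} ${GITHUB_REF_NAME} dist/*
 env:
 GH_TOKEN: ${{ github.token }}
 publish-pypi:
@@ -49,7 +53,7 @@ jobs:
 permissions:
 id-token: write
 steps:
-- uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+- uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
 with:
 artifact-ids: ${{ needs.build.outputs.artifact-id }}
 path: dist/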
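Review bot: The new concurrency group in the first hunk, `group: publish-${{ github.event.push.ref }}`, looks wrong: the push webhook payload exposes the pushed ref as `github.event.ref` (top level), and as far as I can tell there is no `push` member, so the expression evaluates to an empty string and every tag push lands in the same `publish-` group. Combined with `cancel-in-progress: true`, pushing a second tag while an earlier release is still building or uploading would cancel that run mid-publish, potentially after the draft GitHub release exists but before the PyPI job completes. Use the real ref and let release runs queue instead of killing each other: `group: publish-${{ github.ref }}` and `cancel-in-progress: false`. The switch to `${GITHUB_REPOSITORY}`/`${GITHUB_REF_NAME}` in the `gh release create` line is the right hardening (no expression interpolation into a shell command) and needs no change.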

.github/workflows/test-flask.yaml

Lines changed: 0 additions & 25 deletions
This file was deleted.

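--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -5,6 +5,10 @@ on:
 push:
 branches: [main, stable]
 paths-ignore: ['docs/**', 'README.md']
+permissions: {}
+concurrency:
+group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+cancel-in-progress: true
 jobs:
 tests:
 name: ${{ matrix.name || matrix.python }}
@@ -14,48 +18,35 @@ jobs:
 matrix:
 include:
 - {python: '3.14'}
-- {name: free-threaded-latest, python: '3.14t'}
+- {python: '3.14t'}
+- {name: Windows, python: '3.14', os: windows-latest}
+- {name: Mac, python: '3.14', os: macos-latest}
 - {python: '3.13'}
-- {name: Windows, python: '3.13', os: windows-latest}
-- {name: Mac, python: '3.13', os: macos-latest}
 - {python: '3.12'}
 - {python: '3.11'}
 - {python: '3.10'}
 - {name: PyPy, python: 'pypy-3.11', tox: pypy3.11}
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-- uses: astral-sh/setup-uv@e06108dd0aef18192324c70427afc47652e63a82 # v7.5.0
 with:
-enable-cache: true
-prune-cache: false
-- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-with:
-python-version: ${{ matrix.python }}
-- run: uv run --locked tox run -e ${{ matrix.tox || format('py{0}', matrix.python) }}
-stress:
-name: stress (${{ matrix.name || matrix.python }})
-runs-on: ${{ matrix.os || 'ubuntu-latest' }}
-strategy:
-fail-fast: false
-matrix:
-include:
-- {python: '3.14'}
-- {name: free-threaded, python: '3.14t', tox: stress-py3.14t}
-steps:
-- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-- uses: astral-sh/setup-uv@e06108dd0aef18192324c70427afc47652e63a82 # v7.5.0
+persist-credentials: false
+- uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
 with:
 enable-cache: true
 prune-cache: false
 - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ matrix.python }}
-- run: uv run --locked tox run -e ${{ matrix.tox || format('stress-py{0}', matrix.python) }}
+- run: uv run --locked --no-default-groups --group dev tox run
+env:
+TOX_ENV: ${{ matrix.tox || format('py{0}', matrix.python) }}
 typing:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-- uses: astral-sh/setup-uv@e06108dd0aef18192324c70427afc47652e63a82 # v7.5.0
+with:
+persist-credentials: false
+- uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
 with:
 enable-cache: true
 prune-cache: false
@@ -67,4 +58,4 @@ jobs:
 with:
 path: ./.mypy_cache
 key: mypy|${{ hashFiles('pyproject.toml') }}
-- run: uv run --locked tox run -e typing
+- run: uv run --locked --no-default-groups --group dev tox run -e typing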

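--- /dev/null
+++ b/.github/workflows/zizmor.yaml
@@ -0,0 +1,22 @@
+name: GitHub Actions security analysis with zizmor
+on:
+pull_request:
+paths: ["**/*.yaml?"]
+push:
+branches: [main, stable]
+paths: ["**/*.yaml?"]
+permissions: {}
+concurrency:
+group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+cancel-in-progress: true
+jobs:
+zizmor:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+persist-credentials: false
+- uses: zizmorcore/zizmor-action@195d10ad90f31d8cd6ea1efd6ecc12969ddbe73f # v0.5.1
+with:
+advanced-security: false
+annotations: true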
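Review bot: The path filter `paths: ["**/*.yaml?"]`, used on both the `pull_request` and `push` triggers, probably does not do what the trailing `?` suggests: in GitHub's filter syntax `?` makes the preceding character optional, so the pattern matches `*.yaml` and `*.yam` but not `*.yml`, and a workflow later added with the `.yml` extension would change without this scan running. If both spellings are meant, list them, `paths: ["**/*.yaml", "**/*.yml"]`, or scope the trigger to what the scanner actually reads, `paths: [".github/workflows/**"]`, which also avoids running the job for unrelated YAML elsewhere in the tree. The job itself is already least-privilege (`permissions: {}`, `persist-credentials: false`, SHA-pinned actions), so no change is needed there.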
