Skip to content

Commit 9b62ea0

Browse files
committed
Add zizmor checks.
1 parent 0383e41 commit 9b62ea0

7 files changed

Lines changed: 64 additions & 31 deletions

File tree

.github/dependabot.yml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,13 +12,19 @@ updates:
1212
directory: "/"
1313
patterns: ["*"]
1414
multi-ecosystem-group: "dependencies"
15+
cooldown:
16+
default-days: 7
1517

1618
- package-ecosystem: "pip"
1719
directory: "/"
1820
patterns: ["*"]
1921
multi-ecosystem-group: "dependencies"
22+
cooldown:
23+
default-days: 7
2024

2125
- package-ecosystem: "pre-commit"
2226
directory: "/"
2327
patterns: ["*"]
2428
multi-ecosystem-group: "dependencies"
29+
cooldown:
30+
default-days: 7

.github/workflows/check-pr-template.yml

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,11 @@ on:
44
pull_request:
55
types: [opened, edited, reopened, synchronize]
66

7+
permissions: {}
8+
79
jobs:
810
check-pr-template:
911
name: Check PR template
10-
uses: beeware/.github/.github/workflows/pr-checklist.yml@main
12+
permissions:
13+
pull-requests: read
14+
uses: beeware/.github/.github/workflows/pr-checklist.yml@66283ddb9e206f93b423118deecf1caf516078c1 # main

.github/workflows/ci.yml

Lines changed: 23 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -22,13 +22,18 @@ defaults:
2222
run:
2323
shell: bash
2424

25+
# Default to no permissions; each job opts in to exactly what it needs.
26+
permissions: {}
27+
2528
env:
2629
FORCE_COLOR: "1"
2730

2831
jobs:
2932
pre-commit:
3033
name: Pre-commit checks
31-
uses: beeware/.github/.github/workflows/pre-commit-run.yml@main
34+
permissions:
35+
contents: read
36+
uses: beeware/.github/.github/workflows/pre-commit-run.yml@66283ddb9e206f93b423118deecf1caf516078c1 # main
3237
with:
3338
pre-commit-source: "pre-commit"
3439

@@ -37,35 +42,34 @@ jobs:
3742
name: Build wheels
3843
runs-on: macos-latest
3944
permissions:
40-
# Required by attest-build-provenance to mint a Sigstore signing
41-
# certificate via OIDC; only granted to this job, not the workflow.
4245
id-token: write
4346
attestations: write
4447
contents: read
4548
steps:
4649
- name: Checkout
47-
uses: actions/checkout@v6.0.2
50+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
4851
with:
4952
fetch-depth: 0
53+
persist-credentials: false
5054

5155
- name: Set up Python
52-
uses: actions/setup-python@v6.2.0
56+
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
5357
with:
5458
python-version: "3.x"
5559

5660
- name: Build wheels
57-
uses: pypa/cibuildwheel@v3.4.1
61+
uses: pypa/cibuildwheel@8d2b08b68458a16aeb24b64e68a09ab1c8e82084 # v3.4.1
5862
with:
5963
output-dir: dist
6064

6165
- name: Generate build provenance attestation for wheels
6266
if: inputs.attest-package == 'true'
63-
uses: actions/attest-build-provenance@v4
67+
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4
6468
with:
6569
subject-path: "dist/*.whl"
6670

6771
- name: Upload artefacts
68-
uses: actions/upload-artifact@v4
72+
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
6973
with:
7074
name: dist-wheels
7175
path: ./dist/*.whl
@@ -81,12 +85,13 @@ jobs:
8185
contents: read
8286
steps:
8387
- name: Checkout
84-
uses: actions/checkout@v6.0.2
88+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
8589
with:
8690
fetch-depth: 0
91+
persist-credentials: false
8792

8893
- name: Set up Python
89-
uses: actions/setup-python@v6.2.0
94+
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
9095
with:
9196
python-version: "3.x"
9297

@@ -97,12 +102,12 @@ jobs:
97102
98103
- name: Generate build provenance attestation for sdist
99104
if: inputs.attest-package == 'true'
100-
uses: actions/attest-build-provenance@v4
105+
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4
101106
with:
102107
subject-path: "dist/*.tar.gz"
103108

104109
- name: Upload artefacts
105-
uses: actions/upload-artifact@v4
110+
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
106111
with:
107112
name: dist-sdist
108113
path: ./dist/*.tar.gz
@@ -112,23 +117,26 @@ jobs:
112117
name: Test (${{ matrix.python-version }})
113118
needs: build-wheels
114119
runs-on: macos-latest
120+
permissions:
121+
contents: read
115122
strategy:
116123
fail-fast: false
117124
matrix:
118125
python-version: ["3.10", "3.11", "3.12", "3.13", "3.14", "3.15"]
119126
steps:
120127
- name: Checkout
121-
uses: actions/checkout@v6.0.2
128+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
122129
with:
123130
fetch-depth: 0
131+
persist-credentials: false
124132

125133
- name: Set up Python
126-
uses: actions/setup-python@v6.2.0
134+
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
127135
with:
128136
python-version: ${{ matrix.python-version }}
129137
allow-prereleases: true
130138

131-
- uses: actions/download-artifact@v4
139+
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
132140
with:
133141
name: dist-wheels
134142
path: wheelhouse

.github/workflows/new-issue.yml

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -7,12 +7,16 @@ on:
77
- reopened
88
- transferred
99

10+
permissions: {}
11+
1012
jobs:
1113
add-to-project:
1214
name: Add issue to BeeWare project
1315
runs-on: ubuntu-latest
16+
permissions:
17+
contents: read
1418
steps:
15-
- uses: actions/add-to-project@v2.0.0
19+
- uses: actions/add-to-project@5afcf98fcd03f1c2f92c3c83f58ae24323cc57fd # v2.0.0
1620
with:
1721
project-url: https://github.com/orgs/beeware/projects/1
1822
github-token: ${{ secrets.BRUTUS_PAT_TOKEN }}

.github/workflows/publish.yml

Lines changed: 7 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -4,22 +4,24 @@ on:
44
release:
55
types: published
66

7+
permissions: {}
8+
79
jobs:
810
deploy:
911
runs-on: ubuntu-latest
1012
permissions:
1113
# This permission is required for trusted publishing.
1214
id-token: write
1315
steps:
14-
- uses: dsaltares/fetch-gh-release-asset@1.1.2
16+
- uses: dsaltares/fetch-gh-release-asset@aa2ab1243d6e0d5b405b973c89fa4d06a2d0fff7 # 1.1.2
1517
with:
1618
version: tags/${{ github.event.release.tag_name }}
1719
# This next line is *not* a bash filename expansion - it's a regex.
18-
# We need to match all files that start with rubicon-objc or
19-
# rubicon_objc, but not the "Source code" zip and tarball.
20-
file: std-nslog.*
20+
# We need to match all files that start with std-nslog or
21+
# std_nslog, but not the "Source code" zip and tarball.
22+
file: std.*
2123
regex: true
2224
target: dist/
2325

2426
- name: Publish release to production PyPI
25-
uses: pypa/gh-action-pypi-publish@release/v1
27+
uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1

.github/workflows/release.yml

Lines changed: 14 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -5,9 +5,15 @@ on:
55
tags:
66
- "v*"
77

8+
permissions: {}
9+
810
jobs:
911
ci:
1012
name: CI
13+
permissions:
14+
contents: read
15+
id-token: write
16+
attestations: write
1117
uses: ./.github/workflows/ci.yml
1218
with:
1319
attest-package: "true"
@@ -25,19 +31,18 @@ jobs:
2531
echo "VERSION=${GITHUB_REF_NAME#v}" | tee -a $GITHUB_ENV
2632
2733
- name: Get packages
28-
uses: actions/download-artifact@v8.0.1
34+
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
2935
with:
3036
name: dist-*
3137
merge-multiple: true
3238
path: dist
3339

3440
- name: Create Release
35-
uses: ncipollo/release-action@v1.21.0
36-
with:
37-
name: ${{ env.VERSION }}
38-
draft: true
39-
artifacts: dist/*
40-
artifactErrorsFailBuild: true
41+
env:
42+
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
43+
GH_REPO: ${{ github.repository }}
44+
shell: bash
45+
run: gh release create "$GITHUB_REF_NAME" --draft --title "$VERSION" dist/*
4146

4247
test-publish:
4348
name: Publish test package
@@ -49,12 +54,12 @@ jobs:
4954
id-token: write
5055
steps:
5156
- name: Get packages
52-
uses: actions/download-artifact@v8.0.1
57+
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
5358
with:
5459
name: ${{ needs.ci.outputs.artifact-name }}
5560
path: dist
5661

5762
- name: Publish release to Test PyPI
58-
uses: pypa/gh-action-pypi-publish@release/v1
63+
uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
5964
with:
6065
repository-url: https://test.pypi.org/legacy/

.pre-commit-config.yaml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -18,3 +18,7 @@ repos:
1818
rev: v0.1.87
1919
hooks:
2020
- id: rumdl
21+
- repo: https://github.com/zizmorcore/zizmor-pre-commit
22+
rev: v1.25.2
23+
hooks:
24+
- id: zizmor

0 commit comments

Comments
 (0)