Skip to content

Add zizmor pre-commit configuration#71

Open
ROHITCRAFTSYT wants to merge 1 commit into
beeware:mainfrom
ROHITCRAFTSYT:zizmor-pre-commit
Open

Add zizmor pre-commit configuration#71
ROHITCRAFTSYT wants to merge 1 commit into
beeware:mainfrom
ROHITCRAFTSYT:zizmor-pre-commit

Conversation

@ROHITCRAFTSYT

Copy link
Copy Markdown

Adds zizmor to the pre-commit pipeline, as requested in #70, and fixes every finding it reports on the existing GitHub Actions configuration. Follows the approach of beeware/.github#378.

Changes

  • .pre-commit-config.yaml: add the zizmor hook (v1.27.0).
  • unpinned-uses: every action and reusable-workflow reference is pinned to a full commit hash (checkout v7.0.0, setup-python v6.3.0, download-artifact v8.0.1, add-to-project v2.0.0, fetch-gh-release-asset 1.1.2, gh-action-pypi-publish release/v1 head, and beeware/.github pinned to current main, 741cc5a).
  • excessive-permissions: explicit least-privilege permissions: on every workflow/job; release.yml's ci job explicitly forwards id-token: write + attestations: write so package attestation keeps working; new-issue.yml gets permissions: {} since it authenticates with BRUTUS_PAT_TOKEN.
  • artipacked: the CI checkout sets persist-credentials: false; nothing in that job pushes.
  • superfluous-actions: release creation now uses the runner's gh CLI (gh release create --draft --verify-tag dist/*) instead of ncipollo/release-action — same draft release with artifacts, and the step still fails if an artifact upload fails. Happy to revert this piece if you'd rather keep the action.
  • dependabot-cooldown: 7-day cooldown on all three ecosystems, matching Audit permissions and add zizmor configuration .github#378.

zizmor .github/ now reports no findings, and pre-commit run --all-files passes with the new hook.

Fixes #70

PR Checklist:

  • I will abide by the BeeWare Code of Conduct
  • I have read and have followed the CONTRIBUTING.md file
  • This PR was generated or assisted using an AI tool
    Assisted-by: Claude Fable 5 (Claude Code)

Adds the zizmor hook to pre-commit and resolves every finding it
reports on the existing workflows: hash-pin all action and
reusable-workflow references (beeware/.github pinned to current
main), explicit least-privilege permissions on every workflow/job
(release.yml's ci job forwards id-token/attestations for package
attestation), persist-credentials: false on the CI checkout, release
creation via the runner's gh CLI instead of ncipollo/release-action,
and a 7-day dependabot cooldown on all three ecosystems.

Refs beeware#70

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add zizmor pre-commit configuration

1 participant