diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b9d8176..d378f83 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -88,7 +88,7 @@ jobs:
 publish-docker:
 runs-on: ubuntu-24.04
- timeout-minutes: 30
+ timeout-minutes: 45
 needs:
 - tag
diff --git a/.github/workflows/watch-dependencies.yaml b/.github/workflows/watch-dependencies.yaml
index 4c12922..7758a59 100644
--- a/.github/workflows/watch-dependencies.yaml
+++ b/.github/workflows/watch-dependencies.yaml
@@ -68,7 +68,7 @@ jobs:
 # ref: https://github.com/peter-evans/create-pull-request
 - name: Create a PR
- uses: peter-evans/create-pull-request@v7
+ uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
 with:
 token: "${{ secrets.jupyterhub_bot_pat }}"
 author: JupyterHub Bot Account <105740858+jupyterhub-bot@users.noreply.github.com>
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..48f7613
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,11 @@
+# Zizmor configuration file
+rules:
+ unpinned-uses:
+ config:
+ policies:
+ # Zizmor defaults to requiring pinning by immutable hashes.
+ # Allow pinning by refs for trusted organisations.
+ # https://woodruffw.github.io/zizmor/audits/#rulesunpinned-usesconfigpolicies
+ actions/*: ref-pin
+ docker/*: ref-pin
+ jupyterhub/*: ref-pin
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 497b2f4..679f358 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -22,14 +22,15 @@ repos:
 # autoformat and lint Python code
 - repo: https://github.com/astral-sh/ruff-pre-commit
- rev: v0.11.4
+ rev: v0.11.8
 hooks:
 - id: ruff
 args: ["--select=I", "--fix", "--show-fixes"]
 - id: ruff-format
 # Static security analysis of GitHub actions https://github.com/woodruffw/zizmor
+ # Additional config is in .github/zizmor.yml
 - repo: https://github.com/woodruffw/zizmor-pre-commit
- rev: v1.5.2
+ rev: v1.6.0
 hooks:
 - id: zizmor
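Review bot: In the `Create a PR` step of `.github/workflows/watch-dependencies.yaml`, the new hash is tied to a release only by the trailing `# v7.0.8` comment, and nothing visible in this diff checks that the two match or keeps them in step on the next update. Because this step hands `secrets.jupyterhub_bot_pat` to a third-party action, it is worth confirming once that the commit is reachable from the upstream `v7.0.8` tag rather than only from a fork (zizmor's `impostor-commit` audit covers this when it runs online). If Dependabot or a similar updater is not already watching the `github-actions` ecosystem, enabling it keeps the hash and the version comment moving together. The step's `with:` block continues outside the hunk.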
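Review bot: The `docker/*: ref-pin` policy in `.github/zizmor.yml` lets third-party actions be referenced by mutable tags, and those are presumably the actions used in the `publish-docker` job, where registry credentials are in scope. Unlike `actions/*` and `jupyterhub/*`, that organisation is outside both GitHub's and this project's control, so I would keep it on hashes with `docker/*: hash-pin` or drop the line. The file also relies on zizmor's built-in default for everything unlisted; writing the catch-all explicitly as `"*": hash-pin` (quoted, since a bare `*` is a YAML alias sigil) makes the policy readable on its own and stable if the default changes. As far as I know `ref-pin` accepts branch names as well as tags, so the comment could say that the allowance is meant for version tags.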