From 29bdbf0e3d619a7594ab156e8e60873f7771dc5a Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Mon, 5 May 2025 20:17:38 +0000
Subject: [PATCH 1/3] [pre-commit.ci] pre-commit autoupdate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

updates:
- [github.com/astral-sh/ruff-pre-commit: v0.11.4 → v0.11.8](https://github.com/astral-sh/ruff-pre-commit/compare/v0.11.4...v0.11.8)
- [github.com/woodruffw/zizmor-pre-commit: v1.5.2 → v1.6.0](https://github.com/woodruffw/zizmor-pre-commit/compare/v1.5.2...v1.6.0)
---
 .pre-commit-config.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 497b2f4..f4c0ab0 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -22,7 +22,7 @@ repos:
 # autoformat and lint Python code
 - repo: https://github.com/astral-sh/ruff-pre-commit
- rev: v0.11.4
+ rev: v0.11.8
 hooks:
 - id: ruff
 args: ["--select=I", "--fix", "--show-fixes"]
@@ -30,6 +30,6 @@ repos:
 # Static security analysis of GitHub actions https://github.com/woodruffw/zizmor
 - repo: https://github.com/woodruffw/zizmor-pre-commit
- rev: v1.5.2
+ rev: v1.6.0
 hooks:
 - id: zizmor

From bb6ddb3fb6d3a0b5bb1b282d6678cb66c4cdb7f7 Mon Sep 17 00:00:00 2001
From: Simon Li
Date: Tue, 6 May 2025 22:53:53 +0100
Subject: [PATCH 2/3] zizmor: Allow unpinned actions for trusted orgs
---
 .github/workflows/watch-dependencies.yaml | 2 +-
 .github/zizmor.yml | 11 +++++++++++
 .pre-commit-config.yaml | 1 +
 3 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 .github/zizmor.yml

diff --git a/.github/workflows/watch-dependencies.yaml b/.github/workflows/watch-dependencies.yaml
index 4c12922..7758a59 100644
--- a/.github/workflows/watch-dependencies.yaml
+++ b/.github/workflows/watch-dependencies.yaml
@@ -68,7 +68,7 @@ jobs:
 # ref: https://github.com/peter-evans/create-pull-request
 - name: Create a PR
- uses: peter-evans/create-pull-request@v7
+ uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
 with:
 token: "${{ secrets.jupyterhub_bot_pat }}"
 author: JupyterHub Bot Account <105740858+jupyterhub-bot@users.noreply.github.com>
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..48f7613
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,11 @@
+# Zizmor configuration file
+rules:
+ unpinned-uses:
+ config:
+ policies:
+ # Zizmor defaults to requiring pinning by immutable hashes.
+ # Allow pinning by refs for trusted organisations.
+ # https://woodruffw.github.io/zizmor/audits/#rulesunpinned-usesconfigpolicies
+ actions/*: ref-pin
+ docker/*: ref-pin
+ jupyterhub/*: ref-pin
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index f4c0ab0..679f358 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -29,6 +29,7 @@ repos:
 - id: ruff-format
 # Static security analysis of GitHub actions https://github.com/woodruffw/zizmor
+ # Additional config is in .github/zizmor.yml
 - repo: https://github.com/woodruffw/zizmor-pre-commit
 rev: v1.6.0
 hooks:

From 818ac66880db204ddaf451d0e322cd5bc119265f Mon Sep 17 00:00:00 2001
From: Simon Li
Date: Tue, 6 May 2025 22:54:54 +0100
Subject: [PATCH 3/3] Increase build timeout to 45 mins
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b9d8176..d378f83 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -88,7 +88,7 @@ jobs:
 publish-docker:
 runs-on: ubuntu-24.04
- timeout-minutes: 30
+ timeout-minutes: 45
 needs:
 - tag
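Review bot: The `# v7.0.8` trailer on the new `uses:` line is informational only; nothing in the workflow checks that `271a8d0340265f705b14b6d32b9829c1cb33d45e` is the commit the upstream `v7.0.8` tag points to, so that equivalence is worth confirming once at review time, especially since the same step hands `secrets.jupyterhub_bot_pat` to the action. The exact `# vX.Y.Z` shape of the trailer is also what hash-pin updaters (Dependabot's `github-actions` ecosystem, Renovate) key on to bump the SHA and the tag together, and I can't see from this patch whether such an updater is configured for this repository. I'd record both points next to the pin: `# hash pin (zizmor unpinned-uses); keep the trailing "# vX.Y.Z" comment so dependency updaters can track the release tag`. The enclosing job continues outside the hunk.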
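Review bot: The `ref-pin` policy for `actions/*`, `docker/*` and `jupyterhub/*` accepts any git ref — a branch name such as `@main` (constructed example) as well as a release tag — while the comment above it says "pinning by refs", which a reader may take to mean tags only; this reading of zizmor's policy levels should be confirmed against the linked docs. I'd make the accepted scope and the rationale explicit in that comment, e.g. `# ref-pin accepts tags or branches for these owners; tags there are mutable, so this is an accepted risk based on org trust. Everything not listed stays under the default hash-pin requirement.` Recording the rationale here matters because this file is where the next person relaxing or tightening the policy will look, and the policy change is the security-relevant part of this commit.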