From 578e01b50ade34134e68fe74134a09bd74e5dd2a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Robert?=
Date: Wed, 8 Apr 2026 18:35:45 +0200
Subject: [PATCH] SEC: enable security audits with zizmor and fix existing insecure settings

---
 .github/workflows/bleeding-edge.yaml | 3 +++
 .github/workflows/cd.yml             | 8 ++++++++
 .github/workflows/ci.yml             | 6 ++++++
 .pre-commit-config.yaml              | 5 +++++
 4 files changed, 22 insertions(+)

diff --git a/.github/workflows/bleeding-edge.yaml b/.github/workflows/bleeding-edge.yaml
index 2d238d57..3c860ea0 100644
--- a/.github/workflows/bleeding-edge.yaml
+++ b/.github/workflows/bleeding-edge.yaml
@@ -13,6 +13,8 @@ on:
   - cron: 0 3 * * 3
   workflow_dispatch:
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -27,6 +29,7 @@ jobs:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         fetch-depth: 0
+        persist-credentials: false
+
     - uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
       with:
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 3c4d9928..5f72a787 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -1,10 +1,14 @@
 name: CD
+
 on:
   push:
     tags: v*
   pull_request:
     paths:
     - .github/workflows/cd.yml
+
+permissions: {}
+
 jobs:
   pypi-publish:
     name: Upload release to PyPI
@@ -17,7 +21,11 @@ jobs:
     steps:
     - name: Checkout Source
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
     - uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
+      with:
+        enable-cache: false
     - name: Build distributions
       shell: bash -l {0}
       run: uv build
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ccdb06ff..dd590951 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,6 +12,8 @@ on:
   - cron: 0 3 * * 3
   workflow_dispatch:
+permissions: {}
+
 jobs:
   tests:
     strategy:
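Review bot: The workflow-level `permissions: {}` added in the first hunk of bleeding-edge.yaml removes every default GITHUB_TOKEN grant, so any job in this workflow that needs a scope must now declare it in its own job-level `permissions:` block, and the jobs' bodies are outside the hunk, so that cannot be confirmed from the patch. The identical addition in cd.yml's first hunk and ci.yml's first hunk has the same consequence; cd.yml's `pypi-publish` job is the one most likely affected, since publishing to PyPI via OIDC requires `id-token: write` at job level and that job's permissions block is not visible here. If a job-level block is missing, the failure will show up as a token-permission error on the next run rather than as a workflow parse error, which is worth a dry run before a tag push.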
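Review bot: The new `persist-credentials: false` under the checkout step in bleeding-edge.yaml's second hunk carries no rationale, and the same line is added without comment in cd.yml's second hunk and in both ci.yml hunks. A one-line comment above it, such as `# do not leave the GITHUB_TOKEN in .git/config for later steps`, would tell the next editor why it must stay. The remaining steps of each job lie outside these hunks, so any step that previously relied on the token checkout stores in the repository's git config (a push, or a tool shelling out to git with that config) would now need an explicit token and should be checked once.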
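Review bot: `enable-cache: false` on the setup-uv step in cd.yml's second hunk is undocumented, so it reads as an arbitrary toggle next to the otherwise self-explanatory hardening in this commit; presumably the intent is that the distributions built by `uv build` and uploaded to PyPI are resolved fresh rather than from restored cache contents, but that should be confirmed with the author. Suggest a comment above the `with:` block: `# release build: resolve dependencies fresh, never from a restored cache`. Note that the same step also runs on `pull_request` events that touch this workflow (see the first hunk), so the uncached resolution applies to those runs as well, which is harmless but worth knowing when CI time is compared.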
@@ -33,6 +35,8 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
     - uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
       with:
         python-version: ${{ matrix.python-version }}
@@ -57,6 +61,8 @@ jobs:
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
     - uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
       with:
         python-version: ${{ matrix.python-version }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index fe58eac3..7d626c57 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -15,6 +15,11 @@ repos:
   - id: check-executables-have-shebangs
   - id: check-toml
+- repo: https://github.com/zizmorcore/zizmor-pre-commit
+  rev: v1.23.1
+  hooks:
+  - id: zizmor
+
 - repo: https://github.com/astral-sh/uv-pre-commit
   rev: 0.11.3
   hooks:
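Review bot: The zizmor hook in the .pre-commit-config.yaml hunk is pinned by tag (`rev: v1.23.1`) while every action this same commit touches is pinned to a full commit SHA with the tag only as a trailing comment; pre-commit resolves `rev` by cloning the upstream repository, so a tag here is a mutable reference in exactly the way an action tag is. If tag-pinning is the accepted convention for hooks in this repository (the neighbouring uv-pre-commit entry at `rev: 0.11.3` does the same), a short comment above the new entry saying so would stop the two conventions from reading as contradictory. Separately, a pre-commit hook only audits the workflows wherever pre-commit itself runs; whether this repository also executes pre-commit in CI, so that the audit cannot be skipped by a contributor who has not installed the hooks, is not visible in this patch and is worth stating in the commit description.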