diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index f1bae9502..3f3562ec5 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -7,3 +7,5 @@ updates:
 labels:
 - no milestone
 - skip-gpu-ci
+ cooldown:
+ default-days: 7
diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index 66c4ada30..80bcf5f68 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -18,6 +18,7 @@ defaults:
 jobs:
 benchmark:
+ permissions: {}
 runs-on: ${{ matrix.os }}
 strategy:
@@ -32,16 +33,17 @@ jobs:
 ASV_DIR: "./benchmarks"
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
+ persist-credentials: false
 # no blob filter so asv can checkout other commits
 - run: git fetch origin main:main
 if: ${{ github.ref_name != 'main' }} # Errors on main branch
- - uses: mamba-org/setup-micromamba@v2
+ - uses: mamba-org/setup-micromamba@add3a49764cedee8ee24e82dfde87f5bc2914462 # v2.0.7
 with:
 environment-name: asv
 cache-environment: true
@@ -54,7 +56,7 @@ jobs:
 conda-build
 - name: Cache datasets
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
 with:
 path: |
 ~/.cache
diff --git a/.github/workflows/check-pr.yml b/.github/workflows/check-pr.yml
index 17f79942c..d778dd4ea 100644
--- a/.github/workflows/check-pr.yml
+++ b/.github/workflows/check-pr.yml
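Review bot: In the benchmark hunk, `persist-credentials: false` on the checkout is followed by `- run: git fetch origin main:main`, which now runs without any token; that works for a public repository but would fail with an authentication error if this workflow is ever reused on a private one. Since `fetch-depth: 0` already fetches every remote branch, a network-free alternative is `git branch main origin/main`, which also removes the "Errors on main branch" special case. The same public-repository assumption underlies the jobs that drop to `permissions: {}` and still run `actions/checkout` (codespell.yml replaces `contents: read` with `permissions: {}` in its first hunk); a one-line comment near the first such job stating that the workflows rely on public read access would make the assumption explicit. The benchmark job definition continues outside the hunk.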
@@ -27,15 +27,17 @@ jobs:
 # This job verifies that the milestone is present or not necessary
 # and determines if “check-relnotes” needs to be run.
 check-milestone:
+ permissions:
+ pull-requests: read
 name: "Triage: Check PR title, milestone, and labels"
 runs-on: ubuntu-latest
 steps:
 - name: Check if a milestone is necessary and exists
- uses: flying-sheep/check@v1
+ uses: flying-sheep/check@6162e3da6b50abdfe00c3233e6f0ce2d1bdcf69c # v1.0.4
 with:
 success: ${{ github.event.pull_request.user.login == 'pre-commit-ci[bot]' || github.event.pull_request.milestone != null || contains(env.LABELS, 'no milestone') }}
 - name: Check if release notes are necessary
- uses: kaisugi/action-regex-match@v1.0.2
+ uses: kaisugi/action-regex-match@d67cd689755dc47c5362609e0a6e2e1c93fa721b # v1.0.2
 id: checked-relnotes
 with:
 text: ${{ github.event.pull_request.body }}
@@ -43,7 +45,7 @@ jobs:
 flags: m
 - name: Check if PR title is valid
 id: check-title
- uses: amannn/action-semantic-pull-request@v6
+ uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
 env:
 # Needs repo options: “Squash and merge” with commit message set to “PR title”
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 outputs:
@@ -51,20 +53,21 @@ jobs:
 type: ${{ steps.check-title.outputs.type }}
 # This job verifies that the relevant release notes file has been modified.
 check-relnotes:
+ permissions: {}
 name: Check for release notes
 runs-on: ubuntu-latest
 needs: check-milestone
 if: github.event.pull_request.user.login != 'pre-commit-ci[bot]' && needs.check-milestone.outputs.no-relnotes-reason == '' && !contains(fromJSON('["style","refactor","test","build","ci"]'), needs.check-milestone.outputs.type)
 steps:
- - uses: actions/checkout@v6
- with: { filter: 'blob:none', fetch-depth: 0 }
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with: { filter: "blob:none", fetch-depth: 0, persist-credentials: false }
 - name: Find out if a relevant release fragment is added
- uses: dorny/paths-filter@v3
+ uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3.0.3
 id: changes
 with:
 filters: | # this is intentionally a string
 relnotes: 'docs/release-notes/${{ github.event.pull_request.number }}.${{ (contains(github.event.pull_request.title, '!') && 'breaking') || needs.check-milestone.outputs.type }}.md'
 - name: Check if a relevant release fragment is added
- uses: flying-sheep/check@v1
+ uses: flying-sheep/check@6162e3da6b50abdfe00c3233e6f0ce2d1bdcf69c # v1.0.4
 with:
 success: ${{ steps.changes.outputs.relnotes }}
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
index c13950b2f..971db9790 100644
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -7,8 +7,7 @@ on:
 pull_request:
 branches: [main]
-permissions:
- contents: read
+permissions: {}
 jobs:
 codespell:
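Review bot: With `check-relnotes` now at `permissions: {}`, the `dorny/paths-filter` step keeps the action's default `token` input (`github.token`), and if I read that action's documentation correctly it queries the pull-request files through the REST API on `pull_request` events whenever a token is present, so a token with no scopes may be refused for that call. Because the checkout already uses `fetch-depth: 0`, adding `token: ''` under the step's `with:` makes the action fall back to a local `git diff` and keeps the job independent of token scopes; the alternative is to grant `pull-requests: read` here as the sibling `check-milestone` job does. Either way this deserves a test run against a real PR before merging, since the failure would only show up at runtime.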
@@ -16,8 +15,9 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 0
 filter: blob:none
- - uses: codespell-project/actions-codespell@v2
+ persist-credentials: false
+ - uses: codespell-project/actions-codespell@406322ec52dd7b488e48c1c4b82e2a8b3a1bf630 # v2.1
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index fde7261a5..0a39dd5e4 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -11,14 +11,14 @@ jobs:
 permissions:
 id-token: write # to authenticate as Trusted Publisher to pypi.org
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 filter: blob:none
- - uses: actions/setup-python@v6
+ persist-credentials: false
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: "3.x"
- cache: "pip"
 - run: pip install build
 - run: python -m build
- - uses: pypa/gh-action-pypi-publish@release/v1
+ - uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index d3ac044ed..1302a4121 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -7,9 +7,11 @@ on:
 jobs:
 stale:
 runs-on: ubuntu-latest
+ permissions:
+ issues: write
 steps:
 - name: Label stale issues
- uses: actions/stale@v10
+ uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
 with:
 days-before-issue-stale: 60
 days-before-pr-stale: -1 # We don't want to mark PRs as stale
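Review bot: In the publish.yml hunk, `- run: pip install build` installs an unpinned build frontend into the job that holds the `id-token: write` OIDC credential, and `python -m build` then resolves its isolated build dependencies unpinned as well, so the artifact that gets published depends on whatever the index serves on release day. The commit pins every action by commit SHA but leaves this Python-side dependency floating; pinning it (`pip install 'build==<pinned version>'`, or a small requirements file installed with `--require-hashes`) keeps the release step reproducible. The dropped `cache: "pip"` on setup-python is harmless but unexplained; a word in the commit message would help. The job header is outside the hunk.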
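Review bot: In the stale.yml hunk, `issues: write` is enough for labelling and closing issues, but `actions/stale` also acts on pull requests unless every PR knob is disabled; the first step sets `days-before-pr-stale: -1`, while the second step's PR settings are outside the hunk. If either step is meant to touch pull requests, the block needs `pull-requests: write` next to `issues: write`; if neither does, the block as written is the minimal set and a comment such as `# PR handling is disabled in both steps` would document why `pull-requests` is absent.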
@@ -22,7 +24,7 @@ jobs:
 Please add a comment if you want to keep the issue open. Thank you for your contributions!
 debug-only: false # set to `true` to enable dry-run
 - name: Close stale issues
- uses: actions/stale@v10
+ uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
 with:
 days-before-issue-stale: -1 # We don't want to mark issues as stale in this action
 days-before-issue-close: 14
diff --git a/.github/workflows/test-cpu.yml b/.github/workflows/test-cpu.yml
index f1bff064b..d8ce01f6c 100644
--- a/.github/workflows/test-cpu.yml
+++ b/.github/workflows/test-cpu.yml
@@ -18,14 +18,16 @@ concurrency:
 jobs:
 get-environments:
 runs-on: ubuntu-latest
+ permissions: {}
 outputs:
 envs: ${{ steps.get-envs.outputs.envs }}
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 filter: blob:none
 fetch-depth: 0
- - uses: astral-sh/setup-uv@v7
+ persist-credentials: false
+ - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
 with:
 enable-cache: false
 - id: get-envs
@@ -54,16 +56,17 @@ jobs:
 ENV_NAME: ${{ matrix.env.name }}
 IO_MARK: ${{ matrix.io_mark }}
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 filter: blob:none
+ persist-credentials: false
 - name: Install system dependencies
 run: sudo apt install -y hdf5-tools
 - name: Install UV
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
 with:
 enable-cache: true
 python-version: ${{ matrix.env.python }}
@@ -82,7 +85,7 @@ jobs:
 - name: Upload test results
 if: ${{ !cancelled() }}
- uses: codecov/codecov-action@v5
+ uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5.5.4
 with:
 report_type: test_results
 env_vars: ENV_NAME,IO_MARK
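Review bot: In the test-cpu.yml hunk starting at `ENV_NAME:`, the `test` job is the one job in this file that receives no `permissions:` block in the commit (`get-environments`, `build` and the alls-green job all get one), and since its header lies outside the hunk it may still run with the repository's default token permissions while executing the test suite. Adding `permissions: {}` to that job, or a workflow-level `permissions: {}` as test-gpu.yml gets in this commit, closes the gap; the codecov steps in the following hunks do not reference `GITHUB_TOKEN` in the visible lines, so nothing there should need a scope. If the job already has a block above the hunk, a quick confirmation in the PR description would save the next reader the check.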
@@ -91,7 +94,7 @@ jobs:
 fail_ci_if_error: true
 - name: Upload coverage data
- uses: codecov/codecov-action@v5
+ uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5.5.4
 with:
 env_vars: ENV_NAME,IO_MARK
 files: test-data/coverage.xml
@@ -100,14 +103,16 @@ jobs:
 build:
 runs-on: ubuntu-24.04
+ permissions: {}
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 filter: blob:none
+ persist-credentials: false
 - name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: '3.x'
 cache: pip
@@ -131,8 +136,10 @@ jobs:
 - get-environments
 - test
 - build
+ permissions:
+ actions: read
 runs-on: ubuntu-latest
 steps:
- - uses: re-actors/alls-green@release/v1
+ - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
 with:
 jobs: ${{ toJSON(needs) }}
diff --git a/.github/workflows/test-gpu.yml b/.github/workflows/test-gpu.yml
index c475b1098..a8f83318b 100644
--- a/.github/workflows/test-gpu.yml
+++ b/.github/workflows/test-gpu.yml
@@ -13,6 +13,8 @@ env:
 PYTEST_ADDOPTS: "-v --color=yes"
 FORCE_COLOR: "1"
+permissions: {}
+
 # Cancel the job if new commits are pushed
 # https://stackoverflow.com/questions/66335225/how-to-cancel-previous-runs-in-the-pr-when-you-push-new-commitsupdate-the-curre
 concurrency:
@@ -30,8 +32,9 @@ jobs:
 name: "Triage: Check if GPU tests are allowed to run"
 if: ${{ !(github.event.pull_request.user.login == 'pre-commit-ci[bot]' || contains(github.event.pull_request.labels.*.name, 'skip-gpu-ci')) }}
 runs-on: ubuntu-latest
+ permissions: {}
 steps:
- - uses: flying-sheep/check@v1
+ - uses: flying-sheep/check@6162e3da6b50abdfe00c3233e6f0ce2d1bdcf69c # v1.0.4
 with:
 success: ${{ github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'run-gpu-ci') }}
 # If `check` wasn’t skipped or failed, start an AWS runner and run the GPU tests on it.
@@ -42,18 +45,23 @@ jobs:
 # Setting a timeout of 30 minutes, as the AWS costs money
 # At time of writing, a typical run takes about 5 minutes
 timeout-minutes: 30
+ permissions:
+ pull-requests: write
 steps:
- - uses: actions/checkout@v4 # TODO: upgrade once cirun image supports node 24
+ # TODO: upgrade once cirun image supports node 24
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 0
 filter: blob:none
+ persist-credentials: false
 - name: Nvidia SMI sanity check
 run: nvidia-smi
 - name: Install UV
- uses: astral-sh/setup-uv@v6 # TODO: upgrade once cirun image supports node 24
+ # TODO: upgrade once cirun image supports node 24
+ uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
 with:
 enable-cache: true
@@ -80,7 +88,7 @@ jobs:
 uv run coverage combine
 uv run coverage xml
- - uses: codecov/codecov-action@v5
+ - uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5.5.4
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
 fail_ci_if_error: true
@@ -88,7 +96,7 @@ jobs:
 - name: Remove 'run-gpu-ci' Label
 if: always()
- uses: actions-ecosystem/action-remove-labels@v1
+ uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 # v1.3.0
 with:
 labels: "run-gpu-ci"
 github_token: ${{ secrets.GITHUB_TOKEN }}
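Review bot: In the hunk starting at `# Setting a timeout of 30 minutes`, `pull-requests: write` is granted to the entire GPU job, which (judging by the `uv run coverage` steps and the cirun/AWS comments) runs the pull request's test code on a self-hosted runner, while the only step that needs the scope is the `actions-ecosystem/action-remove-labels` step in the last hunk of this file. Splitting the label removal into a small follow-up job (`needs:` this one, `if: always()`, carrying `pull-requests: write` alone) would let the test job inherit the new workflow-level `permissions: {}` and keep a write-capable token out of the job that executes contributed code. The two relocated `# TODO: upgrade once cirun image supports node 24` comments read well above their steps; consider phrasing the second as `# TODO: upgrade setup-uv once cirun image supports node 24` so each names its action. The job definition starts outside the hunk.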
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index add5d2993..534ee2236 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -39,3 +39,7 @@ repos:
 - id: codespell
 additional_dependencies:
 - tomli
+ - repo: https://github.com/zizmorcore/zizmor-pre-commit
+ rev: v1.24.1
+ hooks:
+ - id: zizmor
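Review bot: The new zizmor hook is pinned by tag (`rev: v1.24.1`) while every action in this commit moves to a commit-SHA pin with a version comment; pre-commit accepts a full commit SHA in `rev` as well, and the mutable-tag concern that motivated the workflow pins applies equally to a tool that runs on every workflow file. If tags are kept here deliberately so that `pre-commit autoupdate` keeps working, a short comment above the `repo:` line saying so would stop the next reviewer from re-raising it. Note also that the hook audits the workflows with zizmor's default settings; the hunk adds no `args:`, so any stricter audit persona the team wants has to be configured separately.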