diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml index 5634bee..69cda4b 100644 --- a/.github/workflows/publish-pypi.yml +++ b/.github/workflows/publish-pypi.yml @@ -18,7 +18,7 @@ jobs: environment: build steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: # This fetch element is only important if you are use SCM based # versioning (that looks at git tags to gather the version) @@ -30,7 +30,7 @@ jobs: run: git fetch origin 'refs/tags/*:refs/tags/*' - name: Setup Python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v5 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.10" - name: Install Hatch @@ -46,7 +46,7 @@ jobs: ls -lh dist/ # Store an artifact of the build to use in the publish step below - name: Store the distribution packages - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: python-package-distributions path: dist/ @@ -64,7 +64,7 @@ jobs: id-token: write # this permission is mandatory for PyPI publishing steps: - name: Download all the dists - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v4 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: python-package-distributions path: dist/ diff --git a/.github/workflows/run-script.yml b/.github/workflows/run-script.yml index 205eccc..3e3a043 100644 --- a/.github/workflows/run-script.yml +++ b/.github/workflows/run-script.yml 
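Review bot: In the Checkout step of publish-pypi.yml the pinned commit `de0fac2…` is unchanged while its comment moves from `# v4` to `# v6.0.2`, so either the old label was stale or the new one is wrong, and the diff cannot show which. The SHA is what runs and the comment is what reviewers and update bots read, so confirm that this commit is the one the v6.0.2 tag in actions/checkout points to before merging. The same applies to setup-python (`a309ff8…`, `# v5` to `# v6.2.0`) and download-artifact (`3e5f45b…`, `# v4` to `# v8.0.1`) in this file, and to the checkout and setup-python lines in run-script.yml, run-tests.yml and test-update-contribs.yml. The Checkout step's `with:` block continues past the hunk, so whether it sets `persist-credentials: false` like the other workflows is not visible here.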
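Review bot: The upload-artifact line is the only pin in this commit whose SHA actually changes (`bbbca2d…` to `043fb46…`), and it sits in the job that builds the distributions later published to PyPI. Confirm the new commit is reachable from the `v7.0.1` tag in actions/upload-artifact itself, since GitHub resolves a SHA from anywhere in a repository's fork network. The publish job's download-artifact pin is labelled `# v8.0.1`, so a test run is also worthwhile to check that the `python-package-distributions` artifact uploaded under one major version is still found by the other.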
@@ -11,7 +11,7 @@ jobs: steps: # TODO: consider replacing python/pip/update-web-metadata installs with docker image - name: Setup Python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v5 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 - name: Upgrade pip run: | # install pip=>20.1 to use "pip cache dir" @@ -20,7 +20,7 @@ jobs: run: python -m pip install git+https://github.com/pyopenSci/update-web-metadata - name: Check out the code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml index 938e07f..f8a95f5 100644 --- a/.github/workflows/run-tests.yml +++ b/.github/workflows/run-tests.yml @@ -15,12 +15,12 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v5 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: - python-version: "3.10" + python-version: "3.13" - name: Install Hatch run: pipx install hatch - name: Run tests diff --git a/.github/workflows/test-update-contribs.yml b/.github/workflows/test-update-contribs.yml index 59fa002..75d14ee 100644 --- a/.github/workflows/test-update-contribs.yml +++ b/.github/workflows/test-update-contribs.yml 
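Review bot: The context line `run: python -m pip install git+https://github.com/pyopenSci/update-web-metadata` in the second run-script.yml hunk installs whatever the default branch holds at run time, which undoes the point of SHA-pinning the actions around it. Pin the install to a reviewed commit, e.g. `python -m pip install "git+https://github.com/pyopenSci/update-web-metadata@<COMMIT_SHA>"` (placeholder), or install a released version with hash checking. The Setup Python step in the first hunk of this file has no `with:` block between `uses:` and the next step, so the interpreter falls back to a `.python-version` file or the runner default rather than a version chosen here.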
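Review bot: `python-version: "3.13"` changes the test interpreter in run-tests.yml, while publish-pypi.yml and test-update-contribs.yml still set `"3.10"`, so the tested interpreter no longer matches the one that builds and publishes the package. If 3.10 is still supported, a matrix such as `python-version: ["3.10", "3.13"]` under `strategy.matrix` keeps both covered; if not, the other two workflows should move with it. This is a behaviour change in a commit whose other edits are pin comments, so it deserves a mention in the description if it is not already there.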
@@ -16,9 +16,9 @@ jobs: - name: Check out the code with: persist-credentials: false - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v5 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #v6.2.0 with: python-version: "3.10" - name: Upgrade pip diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 0000000..53aed93 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,6 @@ +rules: + secrets-outside-env: + ignore: + - add-help-wanted.yml:23:29 + - run-tests.yml:44:22 + - test-update-contribs.yml:43:22
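Review bot: The setup-python pin in test-update-contribs.yml is annotated `#v6.2.0` without a space, unlike every other pin in this commit. Write it as `# v6.2.0` so the version comments stay uniform and are matched by the same pattern in linters and in update tooling that rewrites them.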
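Review bot: The three `secrets-outside-env` ignores in .github/zizmor.yml are keyed by `file:line:column` and carry no reason. An edit that shifts lines in those workflows would either revive the finding or leave the suppression matching a different expression. Add a comment above each entry saying which secret is used there and why it is acceptable outside a deployment environment, e.g. `# <SECRET_NAME>: <reason it is safe without an environment>` (placeholder wording). Where possible prefer an inline `# zizmor: ignore[secrets-outside-env]` on the flagged line, which moves with the code, or move the step into a job that declares `environment:` as the build job in publish-pypi.yml does.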