From e360b86a9a8110f0eac8a906570d4451d8e7e319 Mon Sep 17 00:00:00 2001 From: Ilia Kats Date: Tue, 30 Jun 2026 17:58:05 +0200 Subject: [PATCH] harden GH actions and enable dependabot --- .github/dependabot.yml | 8 ++++++++ .github/workflows/build.yaml | 7 +++++-- .github/workflows/release.yaml | 9 ++++++--- .github/workflows/test.yaml | 17 +++++++++++------ .pre-commit-config.yaml | 5 +++++ 5 files changed, 35 insertions(+), 11 deletions(-) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..9cbb9b7 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,8 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: weekly + cooldown: + default-days: 7 diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index f2887ce..36ec38e 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -17,13 +17,16 @@ concurrency: jobs: package: runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: filter: blob:none fetch-depth: 0 + persist-credentials: false - name: Install uv - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 - name: Build package run: uv build - name: Check package diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index ebc5428..63494bc 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -17,13 +17,16 @@ jobs: permissions: id-token: write # IMPORTANT: this permission is mandatory for trusted publishing steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: filter: blob:none fetch-depth: 0 + persist-credentials: false - name: Install uv - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 + with: + enable-cache: false - name: Build package run: uv build - name: Publish package distributions to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 18a3ce1..1b66251 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -16,6 +16,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: # Get the test environment from hatch as defined in pyproject.toml. # This ensures that the pyproject.toml is the single point of truth for test definitions and the same tests are @@ -27,12 +30,13 @@ jobs: outputs: envs: ${{ steps.get-envs.outputs.envs }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: filter: blob:none fetch-depth: 0 + persist-credentials: false - name: Install uv - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 - name: Get test environments id: get-envs run: | @@ -64,12 +68,13 @@ jobs: continue-on-error: ${{ contains(matrix.env.name, 'pre') }} # make "all-green" pass even if pre-release job fails steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: filter: blob:none fetch-depth: 0 + persist-credentials: false - name: Install uv - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 with: python-version: ${{ matrix.env.python }} - name: create hatch environment @@ -87,7 +92,7 @@ jobs: uvx hatch run ${{ matrix.env.name }}:cov-report # report visibly uvx hatch run ${{ matrix.env.name }}:coverage xml # create report for upload - name: Upload coverage - uses: codecov/codecov-action@v7 + uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0 with: fail_ci_if_error: true use_oidc: true @@ -102,6 +107,6 @@ jobs: - test runs-on: ubuntu-latest steps: - - uses: re-actors/alls-green@release/v1 + - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2 with: jobs: ${{ toJSON(needs) }} diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index eda29b6..bd43391 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -36,3 +36,8 @@ repos: # Check that there are no merge conflicts (could be generated by template sync) - id: check-merge-conflict args: [--assume-in-merge] + - repo: https://github.com/zizmorcore/zizmor-pre-commit + rev: v1.26.1 + hooks: + - id: zizmor + args: [--no-progress, --fix]