diff --git a/.github/workflows/downstream.yaml b/.github/workflows/downstream.yaml
index 64b22a80..fc1979cf 100644
--- a/.github/workflows/downstream.yaml
+++ b/.github/workflows/downstream.yaml
@@ -23,10 +23,12 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 with:
+ persist-credentials: false
 path: cleo
 - uses: actions/checkout@v4
 with:
+ persist-credentials: false
 path: poetry
 repository: python-poetry/poetry
 ref: ${{ matrix.ref }}
diff --git a/.github/workflows/news.yaml b/.github/workflows/news.yaml
index ea7b7d65..944f2ea8 100644
--- a/.github/workflows/news.yaml
+++ b/.github/workflows/news.yaml
@@ -12,6 +12,7 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 with:
+ persist-credentials: false
 # `towncrier check` runs `git diff --name-only origin/main...`, which
 # needs a non-shallow clone.
 fetch-depth: 0
@@ -19,4 +20,6 @@ jobs:
 - name: Check news entry
 if: "!contains(github.event.pull_request.labels.*.name, 'skip news')"
 run: |
- pipx run towncrier check --compare-with origin/${{ github.base_ref }}
+ pipx run towncrier check --compare-with "origin/${BASE_REF}"
+ env:
+ BASE_REF: ${{ github.base_ref }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 7f6a8aaf..8122df61 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -9,11 +9,13 @@ jobs:
 name: Build
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
 - run: pipx run build
- - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+ - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: distfiles
 path: dist/
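Review bot: Both checkouts in this downstream.yaml hunk remain on the floating `actions/checkout@v4` tag, while the same commit pins release.yaml to full commit SHAs; the checkouts touched in news.yaml and tests.yaml have the same unpinned `@v4` reference. Pinning them the same way, e.g. `- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2`, would make the supply-chain posture consistent across the workflows and is presumably the kind of finding the newly added zizmor hook is there to surface. The `jobs:` mapping these steps belong to begins outside the hunk.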
@@ -27,16 +29,19 @@ jobs:
 needs: build
 steps:
 # We need to be in a git repo for gh to work.
- - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
- - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+ - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 with:
 name: distfiles
 path: dist/
- - run: gh release upload ${{ github.event.release.tag_name }} dist/*.{tar.gz,whl}
+ - run: gh release upload "${TAG_NAME}" dist/*.{tar.gz,whl}
 env:
 GH_TOKEN: ${{ github.token }}
+ TAG_NAME: ${{ github.event.release.tag_name }}
 upload-pypi:
 name: Upload (PyPI)
@@ -48,11 +53,11 @@ jobs:
 id-token: write
 needs: build
 steps:
- - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+ - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 with:
 name: distfiles
 path: dist/
- - uses: pypa/gh-action-pypi-publish@81e9d935c883d0b210363ab89cf05f3894778450 # v1.8.14
+ - uses: pypa/gh-action-pypi-publish@15c56dba361d8335944d31a2ecd17d700fc7bcbc # v1.12.2
 with:
 print-hash: true
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index 9cfc8805..16240d5a 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -29,6 +29,8 @@ jobs:
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Install Poetry
 run: pipx install poetry
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index c3aa1d5b..5fb1564d 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -26,3 +26,11 @@ repos:
 hooks:
 - id: ruff
 - id: ruff-format
+
+ - repo: https://github.com/woodruffw/zizmor-pre-commit
+ rev: v0.8.0
+ hooks:
+ - id: zizmor
+ # types and files can be removed with https://github.com/woodruffw/zizmor-pre-commit/pull/2
+ types: [yaml]
+ files: \.github/workflows/.*$
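Review bot: The pypa/gh-action-pypi-publish bump from v1.8.14 to v1.12.2 in the upload-pypi hunk crosses the release (v1.11, as far as I recall) at which the action began generating PEP 740 attestations by default when trusted publishing is used, so the publish step now does more than before without the workflow recording it. An explicit `attestations: true` next to `print-hash: true` under `with:`, or a one-line comment above the step, would make the new behaviour visibly intended; if attestations are not wanted, set it to `false` explicitly rather than relying on the default. The job's `permissions:` block containing `id-token: write` begins outside the hunk.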
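Review bot: `rev: v0.8.0` in the new zizmor-pre-commit entry is a mutable tag, whereas the same commit moves release.yaml to full commit SHAs; pre-commit accepts a commit SHA in `rev`, so `rev: <zizmor-pre-commit commit SHA>  # v0.8.0` (placeholder, not on this page) would apply the same pinning discipline to the tool that audits the workflows. The `files` pattern `\.github/workflows/.*$` is also unanchored at the start, so it matches that fragment anywhere in a path; `files: ^\.github/workflows/` states the intent more precisely, though `types: [yaml]` already narrows it in practice. The `repos:` sequence this entry extends starts outside the hunk.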