From b86ba1bcb23cfe409dedeca003e37579464b5f5d Mon Sep 17 00:00:00 2001
From: Rogdham
Date: Sun, 10 May 2026 17:47:04 +0200
Subject: [PATCH] chore: add zizmor ci check
---
.github/workflows/build.yml | 33 +++++++++++++++++++++------------
.github/workflows/check.yml | 22 ++++++++++++++++++++++
2 files changed, 43 insertions(+), 12 deletions(-)
create mode 100644 .github/workflows/check.yml
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index fb02560..b0a1a23 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -10,6 +10,8 @@ on:
pull_request:
workflow_dispatch:
+permissions: {}
+
env:
PY_COLORS: 1
@@ -18,12 +20,13 @@ jobs:
name: Build
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
# fetch all commits for version computation
fetch-depth: 0
+ persist-credentials: false
- name: Setup Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: "3.14"
- name: Install dependencies
@@ -33,7 +36,7 @@ jobs:
- name: List distributions
run: ls -lR dist
- name: Save build artifacts
- uses: actions/upload-artifact@v5
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: build
path: dist
@@ -58,14 +61,16 @@ jobs:
- "pypy-3.10"
- "pypy-3.11"
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- name: Restore build artifacts
- uses: actions/download-artifact@v6
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: build
path: dist
- name: Setup Python ${{ matrix.python }}
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: ${{ matrix.python }}
- name: Install wheel
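Review bot: The new top-level `permissions: {}` removes `contents: read` from every job in this file, and the only job-level grant visible anywhere in the patch is the publish job's `id-token: write`, so the `build`, `test`, `lint` and `type` jobs now check out with an unscoped token. To my knowledge that still works for a public repository (the clone needs no scope), but on a private repository `actions/checkout` would fail until the job declares `permissions:` / `contents: read`. If this repository is public nothing is needed; if it is private, add that two-line block to each job that runs checkout rather than widening the workflow-level default. The enclosing `on:` block starts above the hunk.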
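Review bot: The SHA pins on `actions/checkout` and `actions/setup-python` carry a `# v6.0.2` / `# v6.2.0` trailing comment, but nothing in this commit keeps them current, so without an updater that reads those comments the pins will silently fall behind security releases. If the repository does not already have a `.github/dependabot.yml`, add one with `version: 2` and a single `updates` entry for `package-ecosystem: "github-actions"`, `directory: "/"`, on a weekly schedule; Dependabot then bumps the SHA and the version comment together so the pin stays both immutable and fresh. `fetch-depth: 0` combined with the new `persist-credentials: false` is fine: full history is read-only and no token is left in `.git/config` for later steps.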
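Review bot: `actions/upload-artifact` is pinned to v7.0.0 here while the matching `actions/download-artifact` steps in the `test` and publish jobs are pinned to v8.0.1, and these two actions have not always interoperated across major versions (the v3/v4 boundary rejected artifacts uploaded by the other side). Since a PyPI release is downstream of this `build` artifact, confirm a v7 upload is restorable by a v8 download before merging; one green run of the `test` job, which downloads `build`, is sufficient evidence, and if it fails the fix is to move both actions to the same major line. The version jump is larger than a pinning chore suggests, so it is worth a sentence in the commit message. The `build` job's earlier steps are above this hunk.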
@@ -77,9 +82,11 @@ jobs:
name: Lint
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- name: Setup Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: 3.14
- name: Install dependencies
@@ -93,9 +100,11 @@ jobs:
name: Type
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- name: Setup Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: 3.14
- name: Install dependencies
@@ -117,14 +126,14 @@ jobs:
id-token: write # This permission is mandatory for trusted publishing
steps:
- name: Restore build artifacts
- uses: actions/download-artifact@v6
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: build
path: dist
- name: List distributions
run: ls -lR dist
- name: Publish to PyPI
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
with:
verbose: true
print-hash: true
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
new file mode 100644
index 0000000..253be74
--- /dev/null
+++ b/.github/workflows/check.yml
@@ -0,0 +1,22 @@
+name: check
+
+on:
+ push:
+ branches:
+ - "ci-*"
+ pull_request:
+ workflow_dispatch:
+
+permissions: {}
+
+jobs:
+ zizmor:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - name: zizmor
+ uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+ with:
+ advanced-security: false
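Review bot: `python-version: 3.14` directly under the newly pinned `setup-python` step is an unquoted YAML float, while the `build` job in the same file writes `"3.14"`; it only works today because 3.14 happens to round-trip to the string "3.14", and a later `3.20` would be parsed as `3.2` and select the wrong interpreter. Quote it as `python-version: "3.14"` here, and the identical line in the `type` job's hunk. The `lint` job's remaining steps continue below the hunk.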
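Review bot: Nothing in the publish hunk shows the job bound to a GitHub `environment:`; only the `id-token: write` line of its `permissions:` block is visible, and any `if:` or `environment:` guarding the job starts above the hunk. With trusted publishing, binding the PyPI-side publisher to a named environment (`environment: pypi`) with required reviewers is what stops a branch or workflow change from minting a publish token without a human in the loop, so if the job does not already declare one, add it and register the same environment name on PyPI. Replacing the moving `release/v1` ref of `pypa/gh-action-pypi-publish` with a SHA pin is the right direction for the one step in this file that holds a release credential.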
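Review bot: The `push` trigger only matches `ci-*` branches, so the zizmor audit never runs on the default branch and a workflow edit pushed straight to it (or merged while the `pull_request` check was non-blocking) goes unaudited; add the default branch under `branches:` and, ideally, a weekly `schedule:` so newly added zizmor audits re-check existing workflows. `advanced-security: false` switches the action away from SARIF/code-scanning upload; confirm that in this mode it exits non-zero on findings, otherwise the job is advisory and `pull_request` checks stay green regardless. `permissions: {}` together with `persist-credentials: false` is the right shape for a job that runs on pull requests from forks.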