From eac8ae44e06827496d070c34babfe4ed6ac37c65 Mon Sep 17 00:00:00 2001 From: Javier Buzzi Date: Sun, 6 Jul 2025 12:40:51 -0400 Subject: [PATCH 01/12] Update test.yml --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 59ba0693..9037c132 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -19,7 +19,7 @@ jobs: - name: Run linters run: | - python -m pip install --upgrade pip black + python -m pip install --upgrade pip black zizmor black . --check test: From 3f7c139bb813a13015b15ff443ed9a6403d95504 Mon Sep 17 00:00:00 2001 From: Javier Buzzi Date: Sun, 6 Jul 2025 12:42:36 -0400 Subject: [PATCH 02/12] Update test.yml --- .github/workflows/test.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 9037c132..e952ff64 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -21,6 +21,7 @@ jobs: run: | python -m pip install --upgrade pip black zizmor black . --check + find .github/workflows -name '*.yaml' | xargs zizmor --config .github/zizmor.yaml test: name: ${{ matrix.os }} py${{ matrix.python-version }} ${{ matrix.use-docker && '(docker)' || '' }} From 51adf9f5c733483caa27f0cc1aebb0a7fcd8467c Mon Sep 17 00:00:00 2001 From: Javier Buzzi Date: Sun, 6 Jul 2025 12:43:25 -0400 Subject: [PATCH 03/12] Create zizmor.yaml --- .github/zizmor.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .github/zizmor.yaml diff --git a/.github/zizmor.yaml b/.github/zizmor.yaml new file mode 100644 index 00000000..34a4775a --- /dev/null +++ b/.github/zizmor.yaml @@ -0,0 +1,5 @@ +rules: + unpinned-uses: + config: + policies: + actions/*: ref-pin From 74b1ac0f280a337ddc4bafe49004e33eb33ec472 Mon Sep 17 00:00:00 2001 
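Review bot: The lint step's `python -m pip install --upgrade pip black zizmor` installs both linters unpinned, so the job's outcome depends on whatever PyPI serves on the day and a breaking or compromised release of either tool lands in CI without review — and this is the very job that is being set up to enforce pinning on actions. Pin them, e.g. `python -m pip install --upgrade pip 'black==<pinned-version>' 'zizmor==<pinned-version>'` (placeholders for the versions the repo chooses), or install from a requirements file with hashes. The same line is carried unchanged into the `Install linters` step of patch 12/12.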
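Review bot: `find .github/workflows -name '*.yaml' | xargs zizmor --config .github/zizmor.yaml` runs zizmor once with no file arguments whenever the glob matches nothing, because GNU xargs still executes the command on empty input unless `-r` is given; what zizmor then reports depends on its version, so a glob/filename mismatch is not guaranteed to surface as a failure. The glob is revised in patches 05 and 06, but the pipeline shape survives into the `Zizmor` step of patch 12. zizmor accepts a directory as input, so `zizmor --config .github/zizmor.yml .github/workflows` drops the pipeline and scans every workflow regardless of extension; if the pipe form is kept, use `xargs -r` so an empty match is an explicit no-op.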
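Review bot: The new zizmor policy `actions/*: ref-pin` accepts mutable tag references such as `actions/checkout@v4`, which the upstream tag owner (or anyone who gains write access to that repository) can repoint; `hash-pin` is the policy that fixes the code that actually runs, with the tag kept in a trailing comment as patch 09 does for `peaceiris/actions-gh-pages`. Patch 07 extends the same `ref-pin` allowance to `pypa/gh-action-pypi-publish`, presumably used by the job that holds `id-token: write` in test.yml, which is where a repointed tag would matter most. If tag pins are a deliberate trade-off for GitHub-owned actions, a one-line comment above the `policies` block recording that decision would stop the next reviewer from re-raising it.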
From: Javier Buzzi Date: Sun, 6 Jul 2025 12:44:19 -0400 Subject: [PATCH 04/12] rename --- .github/{zizmor.yaml => zizmor.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/{zizmor.yaml => zizmor.yml} (100%) diff --git a/.github/zizmor.yaml b/.github/zizmor.yml similarity index 100% rename from .github/zizmor.yaml rename to .github/zizmor.yml From d1d5801034a418f6edce128b589183c0b59d17dd Mon Sep 17 00:00:00 2001 From: Javier Buzzi Date: Sun, 6 Jul 2025 12:45:54 -0400 Subject: [PATCH 05/12] Update test.yml --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index e952ff64..292f1104 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -21,7 +21,7 @@ jobs: run: | python -m pip install --upgrade pip black zizmor black . --check - find .github/workflows -name '*.yaml' | xargs zizmor --config .github/zizmor.yaml + find .github/workflows -name '*.yaml' | xargs zizmor --config .github/zizmor.yml test: name: ${{ matrix.os }} py${{ matrix.python-version }} ${{ matrix.use-docker && '(docker)' || '' }} From 6a60bc161e511c96c59685a050c8cd1c02e59dba Mon Sep 17 00:00:00 2001 From: Javier Buzzi Date: Sun, 6 Jul 2025 12:47:03 -0400 Subject: [PATCH 06/12] Update test.yml --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 292f1104..7473690a 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -21,7 +21,7 @@ jobs: run: | python -m pip install --upgrade pip black zizmor black . --check - find .github/workflows -name '*.yaml' | xargs zizmor --config .github/zizmor.yml + find .github/workflows -name '*.yml' | xargs zizmor --config .github/zizmor.yml test: name: ${{ matrix.os }} py${{ matrix.python-version }} ${{ matrix.use-docker && '(docker)' || '' }} 
From 99a38c3ec98f75b5d5e23938b29775b5fbca5720 Mon Sep 17 00:00:00 2001 From: Javier Buzzi Date: Sun, 6 Jul 2025 12:48:19 -0400 Subject: [PATCH 07/12] Update zizmor.yml --- .github/zizmor.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/zizmor.yml b/.github/zizmor.yml index 34a4775a..81149c91 100644 --- a/.github/zizmor.yml +++ b/.github/zizmor.yml @@ -3,3 +3,4 @@ rules: config: policies: actions/*: ref-pin + pypa/gh-action-pypi-publish: ref-pin From 56acaa8b881dd39ed499be74a7371872b2abd02f Mon Sep 17 00:00:00 2001 From: kingbuzzman Date: Sun, 6 Jul 2025 12:57:04 -0400 Subject: [PATCH 08/12] Fixes ci --- .github/workflows/test.yml | 11 +++++++++++ .github/zizmor.yml | 1 + 2 files changed, 12 insertions(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 7473690a..718e10df 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -7,11 +7,16 @@ on: - '*' pull_request: +# Set minimal permissions by default +permissions: {} + jobs: lint: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-python@v5 with: @@ -50,6 +55,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} if: ${{ !matrix.use-docker }} @@ -94,6 +101,8 @@ jobs: needs: test steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-python@v5 with: @@ -140,6 +149,8 @@ jobs: id-token: write steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Python 3.12 uses: actions/setup-python@v5 diff --git a/.github/zizmor.yml b/.github/zizmor.yml index 81149c91..b84956de 100644 --- a/.github/zizmor.yml +++ b/.github/zizmor.yml @@ -1,5 +1,6 @@ rules: unpinned-uses: + ignore: [] config: policies: actions/*: ref-pin From 82ee3e4062b7697e4b684cd50196f889d23b72a0 Mon Sep 17 00:00:00 2001 
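Review bot: `ignore: []` added under `unpinned-uses` in zizmor.yml is a no-op (an empty ignore list changes nothing), so it reads as either a leftover or a placeholder for exemptions to come; drop it or annotate it, e.g. `ignore: []  # no per-file exemptions yet; list workflow paths here to exempt them`. The test.yml hunks in this commit are sound: `permissions: {}` at the top removes the default write-capable token and `persist-credentials: false` on each checkout keeps the token out of the on-disk git config. Worth confirming that no later step in those jobs relies on the persisted credential (tag pushes, `git` operations using the token); the job bodies lie outside these hunks.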
From: kingbuzzman Date: Sun, 6 Jul 2025 13:04:32 -0400 Subject: [PATCH 09/12] More updates --- .github/workflows/apidocs.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/.github/workflows/apidocs.yml b/.github/workflows/apidocs.yml index b8f6a04d..b4ca6729 100644 --- a/.github/workflows/apidocs.yml +++ b/.github/workflows/apidocs.yml @@ -6,12 +6,21 @@ on: tags: - '*' +# Set minimal permissions by default +permissions: {} + jobs: deploy: runs-on: macos-latest + permissions: + contents: read + pages: write + id-token: write steps: - - uses: actions/checkout@master + - uses: actions/checkout@4 + with: + persist-credentials: false - name: Set up Python 3.8 uses: actions/setup-python@v2 with: @@ -24,7 +33,7 @@ jobs: run: tox -e apidocs - name: Push API documentation to Github Pages - uses: peaceiris/actions-gh-pages@v3 + uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3.9.3 with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: ./apidocs From 4f4af42f45a23f8623c5dc73ae971d24c7a22ec1 Mon Sep 17 00:00:00 2001 From: kingbuzzman Date: Sun, 6 Jul 2025 13:06:57 -0400 Subject: [PATCH 10/12] . --- .github/workflows/apidocs.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/apidocs.yml b/.github/workflows/apidocs.yml index b4ca6729..aca5a827 100644 --- a/.github/workflows/apidocs.yml +++ b/.github/workflows/apidocs.yml @@ -15,7 +15,6 @@ jobs: permissions: contents: read pages: write - id-token: write steps: - uses: actions/checkout@4 From a6bc8e3ec4b00ec2e5762db69048bf78c7a68b74 Mon Sep 17 00:00:00 2001 From: kingbuzzman Date: Sun, 6 Jul 2025 13:13:36 -0400 Subject: [PATCH 11/12] . --- .github/workflows/apidocs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/apidocs.yml b/.github/workflows/apidocs.yml index aca5a827..35f09537 100644 --- a/.github/workflows/apidocs.yml +++ b/.github/workflows/apidocs.yml 
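Review bot: The job-level `permissions` block grants `contents: read`, `pages: write` and `id-token: write`, but `peaceiris/actions-gh-pages` with `github_token` publishes by pushing to a branch, which requires `contents: write`; with `contents: read` that push is expected to be rejected. The `pages` and `id-token` scopes are what `actions/deploy-pages` needs, not this action (patch 10 already removes `id-token`). Suggest `contents: write` and dropping `pages: write` unless the deploy mechanism is being changed at the same time. The `actions/setup-python@v2` line left in context is a tag reference several majors behind, and hash-pinning it alongside the now hash-pinned gh-pages step would keep the file consistent with the stricter of the two styles the commit introduces.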
@@ -17,7 +17,7 @@ jobs: pages: write steps: - - uses: actions/checkout@4 + - uses: actions/checkout@v4 with: persist-credentials: false - name: Set up Python 3.8 From 6168af00cf5d7613cdcc2973373eea3ea1fdd618 Mon Sep 17 00:00:00 2001 From: Javier Buzzi Date: Sun, 6 Jul 2025 14:07:26 -0400 Subject: [PATCH 12/12] Update test.yml --- .github/workflows/test.yml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 718e10df..320df123 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -22,11 +22,14 @@ jobs: with: python-version: 3.13 - - name: Run linters - run: | - python -m pip install --upgrade pip black zizmor - black . --check - find .github/workflows -name '*.yml' | xargs zizmor --config .github/zizmor.yml + - name: Install linters + run: python -m pip install --upgrade pip black zizmor + + - name: Black + run: black . --check + + - name: Zizmor + run: find .github/workflows -name '*.yml' | xargs zizmor --config .github/zizmor.yml test: name: ${{ matrix.os }} py${{ matrix.python-version }} ${{ matrix.use-docker && '(docker)' || '' }}