From f98e219bd065ba5348b33fff5bd26d7186ad3281 Mon Sep 17 00:00:00 2001 From: Stein Magnus Jodal Date: Thu, 28 May 2026 23:00:00 +0200 Subject: [PATCH 1/6] chore: Reduce Dependabot noise with monthly schedule and grouping Switch pip and github-actions updates from daily to monthly, and group pip dev-dependency updates into docs, tests, and linters PRs so frequent type-checker releases no longer open a PR each. --- .github/dependabot.yml | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 3009b92..11c108b 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,9 +4,28 @@ updates: - package-ecosystem: pip directory: "/" schedule: - interval: daily + interval: monthly + groups: + docs: + patterns: + - "sphinx*" + tests: + patterns: + - "pytest*" + - "coverage" + linters: + patterns: + - "mypy" + - "basedpyright" + - "ruff" + - "ty" + - "tox*" - package-ecosystem: github-actions directory: "/" schedule: - interval: daily + interval: monthly + groups: + actions: + patterns: + - "*" From d1fde30ad2f944ab34237f76b88e1d01ce84e78d Mon Sep 17 00:00:00 2001 From: Stein Magnus Jodal Date: Thu, 28 May 2026 23:10:45 +0200 Subject: [PATCH 2/6] chore: Add zizmor GitHub Actions linter --- .github/dependabot.yml | 1 + .github/workflows/ci.yml | 3 +++ pyproject.toml | 8 ++++++++ 3 files changed, 12 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 11c108b..1bdbcc9 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -20,6 +20,7 @@ updates: - "ruff" - "ty" - "tox*" + - "zizmor" - package-ecosystem: github-actions directory: "/" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1d491f9..eec7345 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
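Review bot: Nothing visible in this hunk groups the package's runtime dependencies, and the `linters` group's `tox*` pattern sweeps tox and its plugins into a PR titled as linter updates; both may be intended, but a comment in the file should say so. The group patterns are name-based only, so a future runtime dependency whose name starts with `sphinx` or `pytest` would land in a dev-named group — if Dependabot classifies these pip dependencies as development (worth checking), `dependency-type: development` on each pip group keeps them scoped. A one-line comment above `schedule:` would also prevent the monthly cadence being read as a delay on vulnerability fixes, e.g. `# Version updates only; Dependabot security-update PRs are not bound to this schedule`.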
@@ -53,6 +53,9 @@ jobs: - name: "ty" python: "3.14" tox: ty + - name: "zizmor" + python: "3.14" + tox: zizmor name: ${{ matrix.name }} runs-on: ubuntu-24.04 diff --git a/pyproject.toml b/pyproject.toml index 04b9c3a..1d1f6a5 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -29,6 +29,7 @@ dev = [ { include-group = "ruff" }, { include-group = "tests" }, { include-group = "ty" }, + { include-group = "zizmor" }, ] docs = [ "sphinx>=5.3", @@ -46,6 +47,7 @@ tests = [ "pytest-watcher>=0.4.3", ] ty = ["ty==0.0.37"] +zizmor = ["zizmor==1.25.2"] [tool.coverage.paths] @@ -125,6 +127,7 @@ env_list = [ "ruff-format", "ruff-lint", "ty", + "zizmor", ] [tool.tox.env_run_base] @@ -202,6 +205,11 @@ commands = [ ], ] +[tool.tox.env.zizmor] +skip_install = true +dependency_groups = ["zizmor"] +commands = [["zizmor", "{posargs:.}"]] + [build-system] requires = ["hatchling"] From c0543cc88334fcd87261b093abfb94b74cca3f79 Mon Sep 17 00:00:00 2001 From: Stein Magnus Jodal Date: Thu, 28 May 2026 23:15:20 +0200 Subject: [PATCH 3/6] chore: Pin GitHub Actions to commits --- .github/workflows/ci.yml | 10 +++++----- .github/workflows/release.yml | 8 ++++---- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index eec7345..4df9d67 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -11,8 +11,8 @@ jobs: name: Build runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v6 - - uses: hynek/build-and-inspect-python-package@v2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: hynek/build-and-inspect-python-package@d44ca7d91762de7a7d5436ddae667c6da6d1c3df # v2 tests: strategy: 
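Review bot: `[tool.tox.env.zizmor]` sets no `pass_env`, so tox's default environment isolation strips any `GH_TOKEN` the CI job might export and zizmor then runs its offline audits only — as far as I recall 1.x silently falls back to `--offline` when no token is present, skipping the impostor-commit and known-vulnerable-actions checks; confirm against 1.25.2. Add `pass_env = ["GH_TOKEN"]` to the env table, and export the job token as `GH_TOKEN` on the tox step in ci.yml (that step lies outside the `@@ -53,6 +53,9` hunk, which only adds the matrix entry). With the workflow restricted to `contents: read` later in this series, the default job token is enough for those public API lookups. Since the workflow set is small and new, `--persona pedantic` in the `commands` entry is cheap to adopt now and harder to add once findings accumulate.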
@@ -61,8 +61,8 @@ jobs: runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v6 - - uses: astral-sh/setup-uv@v7 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7 with: python-version: ${{ matrix.python }} - run: uv tool install tox --with tox-uv @@ -70,7 +70,7 @@ jobs: if: ${{ ! matrix.coverage }} - run: tox -e ${{ matrix.tox }} -- --cov-report=xml if: ${{ matrix.coverage }} - - uses: codecov/codecov-action@v6 + - uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6 if: ${{ matrix.coverage }} with: token: ${{ secrets.CODECOV_TOKEN }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 69221c3..8ac35b6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,11 +13,11 @@ jobs: permissions: id-token: write steps: - - uses: actions/checkout@v6 - - uses: hynek/build-and-inspect-python-package@v2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: hynek/build-and-inspect-python-package@d44ca7d91762de7a7d5436ddae667c6da6d1c3df # v2 id: build - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: ${{ steps.build.outputs.artifact-name }} path: dist - - uses: pypa/gh-action-pypi-publish@release/v1 + - uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1 From 8f5ed4778395c50de5ab78258e052579fe240ccf Mon Sep 17 00:00:00 2001 From: Stein Magnus Jodal Date: Thu, 28 May 2026 23:02:55 +0200 Subject: [PATCH 4/6] chore: Add Dependabot cooldown to mitigate supply chain attacks --- .github/dependabot.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 1bdbcc9..a8107bd 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
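Review bot: The comment on the `pypa/gh-action-pypi-publish` pin in release.yml reads `# release/v1`, the name of a moving branch, so unlike the `# v6`/`# v2` comments on the other pins it does not record which release the hash corresponds to, and Dependabot's SHA-with-comment updates key off a tag-style comment — for a branch name it may simply leave the line unmanaged (not confirmable from the diff). Replace it with the exact release tag that commit carries, e.g. `# vX.Y.Z` (placeholder — look up the tag at that commit), so a reviewer can verify the hash against an upstream release the same way as for the other actions. The ci.yml hunks on this line are fine as pinned.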
@@ -5,6 +5,8 @@ updates: directory: "/" schedule: interval: monthly + cooldown: + default-days: 7 groups: docs: patterns: @@ -26,6 +28,8 @@ updates: directory: "/" schedule: interval: monthly + cooldown: + default-days: 7 groups: actions: patterns: From 41aeeec9ce1de07cc1dab74033abcac47769523b Mon Sep 17 00:00:00 2001 From: Stein Magnus Jodal Date: Thu, 28 May 2026 23:21:09 +0200 Subject: [PATCH 5/6] chore: Disable credentials persistence in actions/checkout --- .github/workflows/ci.yml | 4 ++++ .github/workflows/release.yml | 2 ++ 2 files changed, 6 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4df9d67..18174e4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -12,6 +12,8 @@ jobs: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: hynek/build-and-inspect-python-package@d44ca7d91762de7a7d5436ddae667c6da6d1c3df # v2 tests: @@ -62,6 +64,8 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7 with: python-version: ${{ matrix.python }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8ac35b6..d27b85e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -14,6 +14,8 @@ jobs: id-token: write steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: hynek/build-and-inspect-python-package@d44ca7d91762de7a7d5436ddae667c6da6d1c3df # v2 id: build - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 From 2d3a17bf111af1488d7ceacf93aa795c226ea313 Mon Sep 17 00:00:00 2001 
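Review bot: A single `default-days: 7` in both `cooldown` blocks (`@@ -5,6` and `@@ -26,6`) treats a major bump and a patch release alike, although the two carry very different review burdens and the patch is often the fix you want sooner. The cooldown block also accepts `semver-major-days`, `semver-minor-days` and `semver-patch-days`, so e.g. `semver-major-days: 14` next to `default-days: 7` holds majors longer without slowing the rest. A short comment recording why seven days was chosen would help the next person who is tempted to lower it.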
From: Stein Magnus Jodal Date: Thu, 28 May 2026 23:24:36 +0200 Subject: [PATCH 6/6] chore: Restrict CI workflow to read-only on the repo --- .github/workflows/ci.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 18174e4..00910ab 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,6 +6,9 @@ on: branches: - main +permissions: + contents: read + jobs: build: name: Build
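Review bot: `contents: read` at the workflow level is the right default for ci.yml, but release.yml received no equivalent in this series; its visible job sets `permissions: id-token: write`, which already drops every other scope for that job, so only further jobs in that workflow (none are visible from here) would still inherit the repository default. A matching top-level `permissions: contents: read` there, with the job-level `id-token: write` kept, makes the two workflows consistent and documents the intent in one place. The `on:` block this hunk sits in starts above the hunk.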