From 6383064b9011bbb77f8ed8a6361d346876f73a3e Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Sun, 8 Dec 2024 00:34:09 +0200
Subject: [PATCH 1/2] Fix zizmor findings on CI
---
.github/workflows/docs.yml | 2 ++
.github/workflows/labels.yml | 7 ++++---
.github/workflows/lint.yml | 10 +++++++---
.github/workflows/release-drafter.yml | 3 ---
.github/workflows/release.yml | 4 +---
.github/workflows/test.yml | 5 ++---
6 files changed, 16 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index f686f3a..0ea35c4 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -8,6 +8,8 @@ jobs:
steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Python uses: actions/setup-python@v5
diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml
index 859c948..75a47d2 100644
--- a/.github/workflows/labels.yml
+++ b/.github/workflows/labels.yml
@@ -1,8 +1,5 @@
name: Sync labels -permissions: - pull-requests: write - on: push: branches:
@@ -13,9 +10,13 @@ on:
jobs: sync: + permissions: + pull-requests: write runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: micnncim/action-label-syncer@v1 with: prune: false
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 1d7c867..905b729 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -6,15 +6,14 @@ env:
FORCE_COLOR: 1 PIP_DISABLE_PIP_VERSION_CHECK: 1 -permissions: - contents: read - jobs: lint: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-python@v5 with: python-version: "3.x"
@@ -26,6 +25,11 @@ jobs:
steps: - uses: actions/checkout@v4 + with: + persist-credentials: false + - uses: actions/setup-python@v5 + with: + python-version: "3.x" - name: Install uv uses: hynek/setup-cached-uv@v2 - name: Mypy 
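Review bot: The first lint.yml hunk removes the workflow-level `permissions: contents: read` and puts nothing in its place — no `permissions:` block appears on the `lint` job between `lint:` and `steps:`, and there is no top-level `permissions: {}` — so the job's GITHUB_TOKEN now receives the repository's default workflow permissions, which are read/write on repositories that predate GitHub's 2023 default change or have the setting relaxed. `persist-credentials: false` on checkout only keeps the token out of `.git/config`; it stays available to every step as `github.token`, and this workflow runs on `push` as well as `pull_request` (see the `on:` line in the second patch). Restore an explicit minimum, e.g. `permissions: {}` at the top level plus `permissions: contents: read` on the `lint` and `mypy` jobs, which is the job-level pattern the labels.yml hunk in this same commit already uses. The `mypy:` job header in the second hunk is outside the hunk, so I cannot see whether that job carries its own block; if it does not, the same applies there.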
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index 137fa99..dee4d09 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -14,9 +14,6 @@ on:
# types: [opened, reopened, synchronize] workflow_dispatch: -permissions: - contents: read - jobs: update_release_draft: if: github.repository_owner == 'python-humanize'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index fdcf1f9..2576995 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,9 +11,6 @@ on:
- published workflow_dispatch: -permissions: - contents: read - env: FORCE_COLOR: 1
@@ -27,6 +24,7 @@ jobs:
- uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - uses: hynek/build-and-inspect-python-package@v2
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index a246339..81b1fca 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -2,9 +2,6 @@ name: Test
on: [push, pull_request, workflow_dispatch] -permissions: - contents: read - env: FORCE_COLOR: 1
@@ -19,6 +16,8 @@ jobs:
steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v5
From 37971ed5efe68ea4d5e8a127dbf4a071386d0d73 Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Sun, 8 Dec 2024 00:34:43 +0200
Subject: [PATCH 2/2] Replace pre-commit/action with faster tox-dev/action-pre-commit-uv
---
.github/workflows/lint.yml | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 905b729..d48e404 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -4,7 +4,6 @@ on: [push, pull_request, workflow_dispatch]
env: FORCE_COLOR: 1 - PIP_DISABLE_PIP_VERSION_CHECK: 1 jobs: lint: 
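Review bot: The test.yml hunks delete the top-level `permissions: contents: read` and add no job-level block in the second hunk, so the matrix job — triggered on `push`, `pull_request` and `workflow_dispatch` — now runs with the repository's default token permissions instead of an explicit read-only grant; release-drafter.yml and release.yml in this same patch lose the identical line. On a repository whose default workflow permission is read/write that is a loosening rather than a tightening, and the added `persist-credentials: false` does not limit what `github.token` can do from later steps. I would replace the removed lines with `permissions: {}` at the top level and `contents: read` on the job (for release-drafter.yml and release.yml, whatever `update_release_draft` and the publish job actually need). Those two job bodies lie outside the hunks, so they may already carry job-level blocks; if they do not, the same point applies to them.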
@@ -17,8 +16,7 @@ jobs:
- uses: actions/setup-python@v5 with: python-version: "3.x" - cache: pip - - uses: pre-commit/action@v3.0.1 + - uses: tox-dev/action-pre-commit-uv@v1 mypy: runs-on: ubuntu-latest
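Review bot: The replacement step `- uses: tox-dev/action-pre-commit-uv@v1` is referenced by a floating major tag, whereas the action it removes was pinned to the exact release `pre-commit/action@v3.0.1`; for a step that runs on every `push` and `pull_request` this widens the supply-chain surface, since whoever can move the `v1` tag controls what executes in CI. Pin it to a full commit SHA with the version in a trailing comment (`- uses: tox-dev/action-pre-commit-uv@<40-hex-sha> # v1.x.y`, resolved from the release you intend to run) and let Dependabot or Renovate bump it. The other `@vN` references in this series have the same property, but this hunk is the one that goes from an exact version to a floating one. The `lint` job begins before this hunk, so the `permissions` it runs under cannot be judged from here.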