From f4f191c1281b4dbefddf7e825f7a536655d57d90 Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Wed, 12 Feb 2025 23:32:51 +0200
Subject: [PATCH 1/3] Fix warning[excessive-permissions]: overly broad permissions https://woodruffw.github.io/zizmor/audits/#excessive-permissions
---
 .github/workflows/docs.yml | 5 +++++
 .github/workflows/lint.yml | 3 +++
 .github/workflows/release.yml | 2 ++
 .github/workflows/test.yml | 2 ++
 .pre-commit-config.yaml | 14 +++++++-------
 5 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 0ea35c4..fcd5b17 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -2,6 +2,11 @@ name: Docs
 on: [push, pull_request, workflow_dispatch]
+permissions: {}
+
+env:
+ FORCE_COLOR: 1
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index d48e404..c2fdb98 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -2,8 +2,11 @@ name: Lint
 on: [push, pull_request, workflow_dispatch]
+permissions: {}
+
 env:
 FORCE_COLOR: 1
+ RUFF_OUTPUT_FORMAT: github
 jobs:
 lint:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5b5071d..093784a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,6 +11,8 @@ on:
 - published
 workflow_dispatch:
+permissions: {}
+
 env:
 FORCE_COLOR: 1
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index d44a6e8..16c6d19 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -2,6 +2,8 @@ name: Test
 on: [push, pull_request, workflow_dispatch]
+permissions: {}
+
 env:
 FORCE_COLOR: 1
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 5c7906b..c358c76 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
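Review bot: The top-level `permissions: {}` added to docs.yml (and identically to lint.yml, release.yml and test.yml) strips every scope from GITHUB_TOKEN for all jobs, and none of these hunks shows a job-level `permissions:` block granting anything back; the `jobs:` bodies continue outside the hunks. release.yml is the one to double-check: its pypa/gh-action-pypi-publish steps appear to rely on OIDC for publishing and attestations, so each publishing job needs its own `permissions:` with `id-token: write`. For jobs that only check out and build, an explicit job-level `contents: read` documents the intended scope and keeps checkout working if the repository is ever made private.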
@@ -1,12 +1,12 @@
 repos:
 - repo: https://github.com/astral-sh/ruff-pre-commit
- rev: v0.8.6
+ rev: v0.9.6
 hooks:
 - id: ruff
 args: [--exit-non-zero-on-fix]
 - repo: https://github.com/psf/black-pre-commit-mirror
- rev: 24.10.0
+ rev: 25.1.0
 hooks:
 - id: black
@@ -26,18 +26,18 @@ repos:
 exclude: \.github/ISSUE_TEMPLATE\.md|\.github/PULL_REQUEST_TEMPLATE\.md
 - repo: https://github.com/python-jsonschema/check-jsonschema
- rev: 0.30.0
+ rev: 0.31.1
 hooks:
 - id: check-github-workflows
 - id: check-renovate
 - repo: https://github.com/rhysd/actionlint
- rev: v1.7.6
+ rev: v1.7.7
 hooks:
 - id: actionlint
 - repo: https://github.com/woodruffw/zizmor-pre-commit
- rev: v1.0.0
+ rev: v1.3.1
 hooks:
 - id: zizmor
@@ -52,12 +52,12 @@ repos:
 - id: validate-pyproject
 - repo: https://github.com/tox-dev/tox-ini-fmt
- rev: 1.4.1
+ rev: 1.5.0
 hooks:
 - id: tox-ini-fmt
 - repo: https://github.com/rbubley/mirrors-prettier
- rev: v3.4.2
+ rev: v3.5.0
 hooks:
 - id: prettier
 args: [--prose-wrap=always, --print-width=88]
From 53f0f140a55e90a44e08f04c8082be92fb74b0cf Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Wed, 12 Feb 2025 23:38:01 +0200
Subject: [PATCH 2/3] Remove redundant config: attestations is now default
---
 .github/workflows/release.yml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 093784a..33a22fd 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -61,7 +61,6 @@ jobs:
 - name: Upload package to Test PyPI
 uses: pypa/gh-action-pypi-publish@release/v1
 with:
- attestations: true
 repository-url: https://test.pypi.org/legacy/
 # Upload to real PyPI on GitHub Releases.
@@ -85,5 +84,3 @@ jobs:
 - name: Upload package to PyPI
 uses: pypa/gh-action-pypi-publish@release/v1
- with:
- attestations: true
From f1bdbb6e825a71cc14836350d88233cfb8d479e3 Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Wed, 12 Feb 2025 23:40:09 +0200
Subject: [PATCH 3/3] More testing with uv
---
 .github/workflows/docs.yml | 11 ++++-------
 .github/workflows/lint.yml | 2 +-
 .github/workflows/test.yml | 2 +-
 3 files changed, 6 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index fcd5b17..49ee2c4 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -20,13 +20,10 @@ jobs:
 uses: actions/setup-python@v5
 with:
 python-version: "3.x"
- cache: pip
- cache-dependency-path: tox.ini
- - name: Install dependencies
- run: |
- python -m pip install -U pip
- python -m pip install -U tox
+ - name: Install uv
+ uses: astral-sh/setup-uv@v5
 - name: Docs
- run: tox -e docs
+ run: |
+ uvx --with tox-uv tox -e docs
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index c2fdb98..7b9053a 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -32,6 +32,6 @@ jobs:
 with:
 python-version: "3.x"
 - name: Install uv
- uses: hynek/setup-cached-uv@v2
+ uses: astral-sh/setup-uv@v5
 - name: Mypy
 run: uvx --with tox-uv tox -e mypy
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 16c6d19..aaf45ac 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -38,7 +38,7 @@ jobs:
 brew install gettext
 - name: Install uv
- uses: hynek/setup-cached-uv@v2
+ uses: astral-sh/setup-uv@v5
 - name: Generate translation binaries
 run: |
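Review bot: `uses: astral-sh/setup-uv@v5` in the docs.yml hunk (and again in the lint.yml and test.yml hunks) references a mutable tag, so whatever that tag points to at run time executes inside these workflows. Pinning to a full commit SHA, e.g. `uses: astral-sh/setup-uv@<full-commit-sha>  # v5` (placeholder, to be filled from the action's release), makes the reference immutable and lets the update bot propose bumps explicitly. The same run-time resolution applies to `uvx --with tox-uv tox -e docs`, which fetches whichever tox and tox-uv releases are current; a version constraint there would make the docs job reproducible. The step lists continue outside the hunks.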