diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..3ff6052 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,26 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: daily + + - package-ecosystem: pip + directory: /doc + schedule: + interval: daily + + - package-ecosystem: pip + directory: /example + schedule: + interval: daily + + - package-ecosystem: pip + directory: / + schedule: + interval: daily + + - package-ecosystem: pip + directory: /test + schedule: + interval: daily diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..799c486 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,43 @@ +name: "CodeQL" + +on: + push: + branches: ["master"] + pull_request: + branches: ["master"] + schedule: + - cron: "0 0 * * 1" + +permissions: + contents: read + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + + steps: + - name: Harden Runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + with: + egress-policy: audit + + - name: Checkout repository + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + + - name: Initialize CodeQL + uses: github/codeql-action/init@d958b976dc5b990f802df244f2dc5d807113327f # v2.25.11 + with: + languages: python + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@d958b976dc5b990f802df244f2dc5d807113327f # v2.25.11 + with: + category: "/language:python" diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml index 892b25a..f59fac2 100644 --- a/.github/workflows/continuous-integration.yml +++ b/.github/workflows/continuous-integration.yml @@ -19,11 +19,16 @@ jobs: version: ["3.8", "3.9", "3.10", "3.11", "3.12"] steps: + - name: Harden Runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + with: + egress-policy: audit + - name: Check out the commit - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: ~${{ matrix.version }} @@ -42,7 +47,7 @@ jobs: run: python3 -m pytest --cov=reverse_argparse example/ test/ - name: Upload coverage reports to Codecov - uses: codecov/codecov-action@v3 + uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3.1.6 env: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} @@ -55,7 +60,7 @@ jobs: working-directory: ./doc - name: Archive documentation coverage results - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: docs-coverage-report path: doc/build/coverage/python.txt @@ -66,8 +71,13 @@ jobs: commits: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + with: + egress-policy: audit + - name: Conventional Commits - uses: taskmedia/action-conventional-commits@v1.1.3 + uses: taskmedia/action-conventional-commits@9148865058f63a6cb560ff4bfd7d534505f43646 # v1.1.3 with: types: > build|chore|ci|docs|feat|fix|minor|patch|perf|style|refactor|test diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000..a85ccfb --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,20 @@ +name: 'Dependency Review' +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: Harden Runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + with: + egress-policy: audit + + - name: 'Checkout Repository' + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + + - name: 'Dependency Review' + uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1 diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 5394910..4ef06c0 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -23,13 +23,18 @@ jobs: id-token: write steps: + - name: Harden Runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + with: + egress-policy: audit + - name: "Checkout code" - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@v2.3.1 + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 with: results_file: results.sarif results_format: sarif @@ -41,13 +46,13 @@ jobs: publish_results: true - name: "Upload artifact" - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: SARIF file path: results.sarif retention-days: 5 - name: "Upload to code-scanning dashboard" - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11 with: sarif_file: results.sarif diff --git a/.github/workflows/semantic-release.yml b/.github/workflows/semantic-release.yml index 3e7003b..990ab56 100644 --- a/.github/workflows/semantic-release.yml +++ b/.github/workflows/semantic-release.yml @@ -5,6 +5,9 @@ on: branches: - master +permissions: + contents: read + jobs: release: runs-on: ubuntu-latest @@ -14,23 +17,28 @@ jobs: id-token: write steps: - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: fetch-depth: 0 token: ${{ secrets.GH_TOKEN }} - name: Python Semantic Release id: release - uses: python-semantic-release/python-semantic-release@master + uses: python-semantic-release/python-semantic-release@adc0c15810c0b9ee22c43d85d1890b394d49a641 # master with: github_token: ${{ secrets.GH_TOKEN }} - name: Publish to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@ec4db0b4ddc65acdf4bff5fa45ac92d78b56bdf0 # release/v1 if: steps.release.outputs.released == 'true' - name: Publish to GitHub Releases - uses: python-semantic-release/upload-to-gh-release@main + uses: python-semantic-release/upload-to-gh-release@c7c3b69570cbd3011111d2673d8f07142473a871 # main if: steps.release.outputs.released == 'true' with: github_token: ${{ secrets.GH_TOKEN }} diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 2cac329..3710360 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -12,6 +12,11 @@ repos: - id: ruff - id: ruff-format + - repo: https://github.com/gitleaks/gitleaks + rev: v8.16.3 + hooks: + - id: gitleaks + - repo: https://github.com/pre-commit/mirrors-mypy rev: v1.10.0 hooks: @@ -47,3 +52,8 @@ repos: hooks: - id: pyroma additional_dependencies: ["poetry"] + + - repo: https://github.com/shellcheck-py/shellcheck-py + rev: v0.10.0.1 + hooks: + - id: shellcheck