
Commit 10972dd

committed
zizmor + fixes.
1 parent 1cd02da commit 10972dd

3 files changed

+62
-11
lines changed


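--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,18 +4,26 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    cooldown:
+      default-days: 7
 
   - package-ecosystem: "gitsubmodule"
     directory: "/"
     schedule:
       interval: "daily"
+    cooldown:
+      default-days: 7
 
   - package-ecosystem: "pip"
     directory: "/"
     schedule:
       interval: "weekly"
+    cooldown:
+      default-days: 7
 
   - package-ecosystem: "pip"
     directory: "/docs"
     schedule:
       interval: "weekly"
+    cooldown:
+      default-days: 7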
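Review bot: The SHA pins this commit introduces in ci.yml (setup-uv, gh-action-pypi-publish, action-gh-release) only get refreshed if this file has a `package-ecosystem: "github-actions"` entry; the hunk starts at old line 4, so the first entry at lines 1–3 is outside view — confirm it is that ecosystem, otherwise add one with the same `cooldown:` / `default-days: 7` block the other four entries now carry. Dependabot keeps a trailing `# <version>` comment on a SHA pin in sync when it bumps the hash, so adding such comments next to the pins in ci.yml makes those updates reviewable here rather than as opaque hash churn.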

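--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,17 +12,21 @@ on:
     - cron: "33 8 * * *"
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   list:
     runs-on: ubuntu-latest
     outputs:
       noxenvs: ${{ steps.noxenvs-matrix.outputs.noxenvs }}
     steps:
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@3259c6206f993105e3a61b142c2d97bf4b9ef83d
         with:
-          enable-cache: true
+          enable-cache: ${{ github.ref_type != 'tag' }} # zizmor: ignore[cache-poisoning]
       - id: noxenvs-matrix
         run: |
           echo >>$GITHUB_OUTPUT noxenvs=$(
@@ -45,7 +49,7 @@ jobs:
     steps:
       - uses: actions/checkout@v5
         with:
-          submodules: "recursive"
+          persist-credentials: false
       - name: Install dependencies
         run: sudo apt-get update && sudo apt-get install -y libenchant-2-dev
         if: runner.os == 'Linux' && startsWith(matrix.noxenv, 'docs')
@@ -64,14 +68,17 @@ jobs:
             3.14t
             pypy3.11
           allow-prereleases: true
+      - name: Enable UTF-8 on Windows
+        run: echo "PYTHONUTF8=1" >> $env:GITHUB_ENV
+        if: runner.os == 'Windows' && startsWith(matrix.noxenv, 'tests')
 
       - name: Set up uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@3259c6206f993105e3a61b142c2d97bf4b9ef83d
         with:
-          enable-cache: true
+          enable-cache: ${{ github.ref_type != 'tag' }} # zizmor: ignore[cache-poisoning]
 
       - name: Run nox
-        run: uvx nox -s "${{ matrix.noxenv }}" -- ${{ matrix.posargs }}
+        run: uvx nox -s "${{ matrix.noxenv }}" -- ${{ matrix.posargs }} # zizmor: ignore[template-injection]
 
   packaging:
     needs: ci
@@ -87,21 +94,22 @@ jobs:
     steps:
       - uses: actions/checkout@v5
         with:
+          persist-credentials: false
           submodules: "recursive"
       - name: Set up uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@3259c6206f993105e3a61b142c2d97bf4b9ef83d
         with:
-          enable-cache: true
+          enable-cache: ${{ github.ref_type != 'tag' }} # zizmor: ignore[cache-poisoning]
 
       - name: Build our distributions
         run: uv run --frozen --with 'build[uv]' -m build --installer=uv
 
       - name: Publish to PyPI
         if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags')
-        uses: pypa/gh-action-pypi-publish@release/v1
-      - name: Create a Release
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e
+      - name: Create a GitHub Release
         if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags')
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090
         with:
           files: |
             dist/*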
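Review bot: In the `@@ -45,7 +49,7 @@` hunk, `submodules: "recursive"` is replaced by `persist-credentials: false` instead of being kept alongside it as the packaging hunk does; unless the ci job is known not to need submodules (the repo has a `gitsubmodule` Dependabot entry), the intended change is presumably the two-line `with:` block `persist-credentials: false` plus `submodules: "recursive"`. With `permissions: {}` now at workflow level, the packaging job must grant `id-token: write` (if PyPI publishing uses trusted publishing) and `contents: write` (release creation) itself; its job header is outside the last hunk, so confirm that block exists. Each new SHA pin would be easier to audit, and for Dependabot to track, with a trailing version comment, e.g. `uses: astral-sh/setup-uv@3259c6206f993105e3a61b142c2d97bf4b9ef83d # <pinned-version>`. Rather than silencing `template-injection` on the nox step, the matrix values can be handed to the shell through `env`, which removes the expression expansion from the command text and the need for the ignore.
```yaml
      - name: Run nox
        env:
          NOXENV: ${{ matrix.noxenv }}
          POSARGS: ${{ matrix.posargs }}
        run: uvx nox -s "$NOXENV" -- $POSARGS
```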

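--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,35 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["**"]
+
+jobs:
+  zizmor:
+    name: Run zizmor
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@3259c6206f993105e3a61b142c2d97bf4b9ef83d
+
+      - name: Run zizmor 🌈
+        run: uvx zizmor --format=sarif .github > results.sarif
+
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: results.sarif
+          category: zizmor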
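Review bot: The `Upload SARIF file` step only runs when the `Run zizmor 🌈` step succeeds, so if zizmor returns a non-zero status when it has findings the SARIF is never uploaded and code scanning stays empty precisely when it matters — confirm zizmor's exit-code behaviour in SARIF mode, or give the upload step `if: always()` (with `continue-on-error: true` or `--no-exit-codes` on the scan step) so results are always published. The job-level `permissions:` grants only `security-events: write`; on a private repository checkout and upload-sarif additionally need `contents: read` and `actions: read`, so declare them explicitly rather than depending on repo visibility. The blank line between `run:` and `env:` in the scan step is valid YAML but reads as if `env` belonged to a separate step; drop it. `actions/checkout@v5` and `github/codeql-action/upload-sarif@v4` stay tag-pinned while `setup-uv` is SHA-pinned in the same file; pick one pinning policy and apply it consistently.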
