diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 73e6ce82..ca86af4b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,5 +1,4 @@
 ---
-
 name: Test
 on:
@@ -12,9 +11,10 @@ on:
 # Run at 1:00 every day
 - cron: 0 1 * * *
+permissions: {}
+
 jobs:
 build:
-
 strategy:
 matrix:
 python-version: ['3.13']
@@ -24,6 +24,8 @@ jobs:
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - name: Install uv
 uses: astral-sh/setup-uv@v7
diff --git a/.github/workflows/dependabot-merge.yml b/.github/workflows/dependabot-merge.yml
index 5238c9f6..4932493c 100644
--- a/.github/workflows/dependabot-merge.yml
+++ b/.github/workflows/dependabot-merge.yml
@@ -1,5 +1,4 @@
 ---
-
 name: Dependabot auto-merge
 on: pull_request
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index fbdc4c6c..4c01f743 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,5 +1,4 @@
 ---
-
 name: Lint
 on:
@@ -12,9 +11,10 @@ on:
 # Run at 1:00 every day
 - cron: 0 1 * * *
+permissions: {}
+
 jobs:
 build:
-
 strategy:
 matrix:
 python-version: ['3.13']
@@ -24,6 +24,8 @@ jobs:
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - name: Install uv
 uses: astral-sh/setup-uv@v7
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 60b4f939..8bbb38a0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,5 +1,4 @@
 ---
-
 name: Release
 on: workflow_dispatch
@@ -22,7 +21,7 @@ jobs:
 steps:
 - uses: actions/checkout@v6
- with:
+ with: # zizmor: ignore[artipacked] git-auto-commit-action requires credentials
 # See
 # https://github.com/stefanzweifel/git-auto-commit-action?tab=readme-ov-file#push-to-protected-branches
 token: ${{ secrets.RELEASE_PAT }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 90934191..f80c2aa4 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
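Review bot: `permissions: {}` at the workflow level in the second ci.yml hunk removes every `GITHUB_TOKEN` scope from every job in the file, and the identical hunk lands in lint.yml; the `build` job's remaining steps are outside the hunk, so confirm none of them needs a scope (a checkout of a private repository needs `contents: read`, and anything that posts a status, comment or coverage report needs its own write scope) and grant it per job rather than widening the workflow default. Together with `persist-credentials: false` in the third hunk, the checked-out tree no longer carries a token, which is the right default for a test job. A workflow-level `# Least privilege: jobs opt in to the scopes they need` above `permissions: {}` would tell the next editor not to restore a broad default.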
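Review bot: The `# zizmor: ignore[artipacked]` on the release.yml `with:` line accepts that `RELEASE_PAT` stays persisted in the checkout's git config for the rest of the job, so every later step, including third-party actions, can push with that PAT (the steps after `token:` are outside the hunk). The justification is sound for git-auto-commit-action, but the comment should also state what the PAT is scoped to, so a reader can judge the blast radius without looking up the secret. Please also confirm that zizmor's ignore-comment parser accepts the trailing explanatory text after `]`, since the pre-commit hook in this commit is the only thing checking it. release.yml and dependabot-merge.yml only lose a blank line here; if they have no top-level `permissions:` block (not visible in these hunks), the `permissions: {}` default added to ci.yml and lint.yml is worth applying to them as well, release.yml in particular because it handles a PAT.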
@@ -40,6 +40,7 @@ ci:
 - vulture
 - vulture-docs
 - yamlfix
+ - zizmor
 - pyrefly
 - pyrefly-docs
@@ -371,6 +372,15 @@ repos:
 additional_dependencies: [uv==0.9.5]
 stages: [pre-commit]
+ - id: zizmor
+ name: zizmor
+ entry: uv run --extra=dev zizmor .github
+ language: python
+ pass_filenames: false
+ types_or: [yaml]
+ additional_dependencies: [uv==0.9.5]
+ stages: [pre-commit]
+
 - id: sphinx-lint
 name: sphinx-lint
 entry: uv run --extra=dev sphinx-lint --enable=all --disable=line-too-long
diff --git a/pyproject.toml b/pyproject.toml
index fffc77ad..d1c81f7e 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -79,6 +79,7 @@ optional-dependencies.dev = [
 "vws-python-mock==2025.3.10.1",
 "vws-test-fixtures==2023.3.5",
 "yamlfix==1.19.1",
+ "zizmor==1.19.0",
 ]
 optional-dependencies.release = [ "check-wheel-contents==0.6.3" ]
 urls.Documentation = "https://vws-python.github.io/vws-python/"
@@ -301,6 +302,7 @@ ignore = [
 "tests/**",
 "vuforia_secrets.env.example",
 "lint.mk",
+ "zizmor.yml",
 ]
 [tool.deptry]
diff --git a/zizmor.yml b/zizmor.yml
new file mode 100644
index 00000000..f63e179d
--- /dev/null
+++ b/zizmor.yml
@@ -0,0 +1,12 @@
+---
+rules:
+ unpinned-uses:
+ disable: true
+ cache-poisoning:
+ disable: true
+ bot-conditions:
+ disable: true
+ dependabot-cooldown:
+ disable: true
+ template-injection:
+ disable: true
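Review bot: Adding `zizmor` to the `ci:` skip list in the first .pre-commit-config.yaml hunk means pre-commit.ci never runs it, so the hook defined in the second hunk (`entry: uv run --extra=dev zizmor .github`) is enforced only on developer machines unless lint.yml invokes pre-commit with uv available, which its job body, outside this diff, may or may not do. If it does not, the new check can be bypassed by anyone who does not install the local hooks, and a pull request that weakens a workflow would merge unflagged. An explicit `uv run --extra=dev zizmor .github` step in lint.yml, next to the existing `Install uv` step, would make the check part of the required checks on pull requests.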
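Review bot: zizmor.yml disables `template-injection` and `unpinned-uses` repository-wide in its first and last entries; `template-injection` is the check that catches `${{ github.event.* }}` expressions interpolated into `run:` scripts, which is the usual route from an attacker-controlled PR title or branch name to code execution in a runner, and `unpinned-uses` is what would flag tag-pinned third-party references such as `astral-sh/setup-uv@v7` in the workflow hunks (under its default policy, if I recall it correctly). If these were switched off to silence current findings, the narrower tools are a per-rule `ignore:` list of the specific locations or an inline `# zizmor: ignore[...]` at the offending line, as release.yml already does, so the check stays on for future edits; `unpinned-uses` can also be tuned with a pinning policy instead of disabled outright. A one-line comment above each `disable: true` naming the reason would let the next reader judge whether the exception still holds.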