diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 64284b9..4ead15f 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,3 +5,11 @@ updates:
directory: "/"
schedule:
interval: "monthly"
+ cooldown:
+ default-days: 7
+ groups:
+ actions:
+ patterns: ["*"]
+ update-types:
+ - "minor"
+ - "patch"
diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
index cb42246..3b49235 100644
--- a/.github/workflows/pre-commit.yaml
+++ b/.github/workflows/pre-commit.yaml
@@ -4,11 +4,16 @@ name: pre-commit
"on":
pull_request:
push:
- branches: [main]
+ branches: [ main ]
+
+permissions:
+ contents: read

jobs:
pre-commit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- uses: j178/prek-action@cbc2f23eb5539cf20d82d1aabd0d0ecbcc56f4e3 # v2.0.2
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 61031ab..97871c7 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -5,6 +5,9 @@ name: Upload Python Package
release:
types: [ created ]

+permissions:
+ contents: read
+
jobs:
publish:
runs-on: ubuntu-latest
@@ -14,6 +17,9 @@ jobs:
id-token: write
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ fetch-depth: 0
+ persist-credentials: false
- name: Set up Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
@@ -22,6 +28,7 @@ jobs:
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
activate-environment: "true"
+ enable-cache: "false"
- name: Install dependencies
run: |
uv sync --all-extras --dev
diff --git a/.github/workflows/test-release.yaml b/.github/workflows/test-release.yaml
index 094cb64..c43f50d 100644
--- a/.github/workflows/test-release.yaml
+++ b/.github/workflows/test-release.yaml
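Review bot: The new `cooldown` and `groups` stanzas carry no comment saying why a 7-day cooldown was chosen, and the `package-ecosystem` this `updates` entry covers starts above the hunk and is not visible. A short comment records the supply-chain rationale for the next maintainer: `cooldown:  # wait 7 days after a release before proposing it, so a yanked or compromised version is likely caught upstream first`. Whether Dependabot security updates are also held back by the cooldown is worth confirming against the Dependabot documentation, since that would delay vulnerability fixes by a week for this ecosystem.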
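Review bot: The workflow-level `permissions:` / `contents: read` block added here, and the identical blocks added to release.yaml and test-release.yaml in this diff, grant read access to every job by default, whereas the new zizmor.yaml in the same diff uses the stricter layout of `permissions: {}` at workflow level with scopes granted per job. Making the three existing workflows follow that layout keeps the least-privilege baseline uniform across the repository: `permissions: {}` at the top, then `permissions:` / `contents: read` under `pre-commit:` next to `runs-on`. The `[main]` → `[ main ]` change is cosmetic and matches the `[ created ]` spacing used in release.yaml.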
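Review bot: `fetch-depth: 0` is added to the release job's checkout without a comment saying why full history is required; if it is for deriving the package version from tags, record it inline: `fetch-depth: 0  # full history so the version can be derived from tags`. Because this `publish` job declares its own `permissions` (the `id-token: write` line is visible; the block's start is above the hunk), the workflow-level `contents: read` added in the previous hunk does not apply to it — a job-level `permissions` block replaces the workflow default entirely — so the job block itself needs `contents: read` if the repository is private (public repositories clone without it). With `persist-credentials: false` now set, no later step in this job can push or tag with the checkout token, which is appropriate if publishing relies on `id-token`.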
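Review bot: `enable-cache: "false"` is added to the setup-uv step here and, in the same form, to test-release.yaml, with no comment explaining the choice, which is not obvious because caching is normally desirable. If the intent is to stop a release build from restoring a uv cache that a pull-request or branch run could have written, say so: `enable-cache: "false"  # release builds must not restore a cache written by untrusted branch runs`. Quoting the value is consistent with the existing `activate-environment: "true"` in the same `with:` block.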
@@ -5,6 +5,9 @@ name: Test Upload Python Package to Test PyPI
push:
branches: [ main ]

+permissions:
+ contents: read
+
jobs:
publish:
runs-on: ubuntu-latest
@@ -18,6 +21,7 @@ jobs:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
+ persist-credentials: false
- name: Set up Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
@@ -26,6 +30,7 @@ jobs:
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
activate-environment: "true"
+ enable-cache: "false"
- name: Install dependencies
run: |
uv sync --all-extras --dev
diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml
new file mode 100644
index 0000000..65c9be4
--- /dev/null
+++ b/.github/workflows/zizmor.yaml
@@ -0,0 +1,26 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "**" ]
+
+permissions: {}
+
+jobs:
+ zizmor:
+ name: Run zizmor 🌈
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
+ contents: read # Only needed for private repos. Needed to clone the repo.
+ actions: read # Only needed for private repos. Needed for upload-sarif to read workflow run info.
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor 🌈
+ uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
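Review bot: The new workflow writes the trigger key as bare `on:` while pre-commit.yaml in this same diff writes `"on":`; under YAML 1.1 a bare `on` is read as the boolean `true` by generic tooling (yamllint's `truthy` rule flags it), so `"on":` keeps the repository's workflows uniform and lint-clean. The `pull_request` trigger on `branches: [ "**" ]` will also fire for pull requests from forks, where the token is read-only and `security-events: write` is not granted, so the SARIF upload performed by zizmor-action will likely fail on those runs; confirm the action tolerates that, or narrow the trigger, if the repository accepts fork pull requests. The `permissions: {}` baseline with job-level grants and `persist-credentials: false` on checkout are consistent with the least-privilege setup the rest of the diff introduces.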