diff --git a/.github/workflows/mypy.yml b/.github/workflows/mypy.yml
index 32fd5ebfea..ff85db3abe 100644
--- a/.github/workflows/mypy.yml
+++ b/.github/workflows/mypy.yml
@@ -13,6 +13,8 @@ jobs:
 shell: bash -leo pipefail {0}
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: mamba-org/setup-micromamba@v2
 with:
 micromamba-version: "1.5.10-0" # until https://github.com/mamba-org/setup-micromamba/issues/225 is resolved
diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
index 4d5fda17f2..b19429e7ba 100644
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@@ -26,6 +26,7 @@ jobs:
 with:
 fetch-depth: 0
 submodules: true
+ persist-credentials: false
 - name: Build SDist
 run: pipx run build --sdist
@@ -45,6 +46,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ persist-credentials: false
 - uses: hynek/build-and-inspect-python-package@v2
 build_wheels:
@@ -60,6 +62,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Build wheels
 uses: pypa/cibuildwheel@v2.22.0
@@ -76,6 +79,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Set up Python
 uses: actions/setup-python@v5
diff --git a/.github/workflows/rtd-link-preview.yml b/.github/workflows/rtd-link-preview.yml
index 23a967e123..0eb2acd377 100644
--- a/.github/workflows/rtd-link-preview.yml
+++ b/.github/workflows/rtd-link-preview.yml
@@ -1,15 +1,15 @@
 name: Read the Docs Pull Request Preview
 on:
- pull_request_target:
+ # See
+ pull_request_target: # zizmor: ignore[dangerous-triggers]
 types:
 - opened
-permissions:
- pull-requests: write
-
 jobs:
 documentation-links:
 runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
 steps:
 - uses: readthedocs/actions/preview@v1
 with:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index a319e23acc..53f1e16606 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
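Review bot: The added `persist-credentials: false` removes the workflow token from the git config once checkout finishes, so any later step in these jobs that pushes or runs authenticated git commands will now fail unless it is handed a token explicitly; the step lists continue outside every hunk, so each job needs that check. From the visible lines nothing after the checkout needs it (setup-micromamba, `pipx run build --sdist`, build-and-inspect-python-package, cibuildwheel, setup-python), and `submodules: true` in pypi.yml's first hunk is unaffected because submodules are fetched inside the checkout step before the credentials are dropped. The same change appears in the four pypi.yml hunks and the five test.yml hunks. Where a job genuinely has to push, pass `token: ${{ secrets.GITHUB_TOKEN }}` (or a narrowly scoped token) to that one step rather than re-enabling persistence for the whole job.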
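Review bot: The added `# See` comment above `pull_request_target:` is empty as rendered here, so the `zizmor: ignore[dangerous-triggers]` suppression on the next line carries no stated justification for a future reader. Suggest completing it with the reason the trigger is tolerable, e.g. `# See <zizmor dangerous-triggers audit link>: pull_request_target is accepted here because the job never checks out or runs code from the PR; it only needs pull-requests: write to post the preview link.` That reasoning matches the visible step (`readthedocs/actions/preview@v1` with no preceding checkout), but its `with:` block and the rest of the job continue past the hunk, so the comment must be revisited if a checkout of the PR head is ever added. Removing the top-level `permissions:` block also means any job added to this workflow later inherits the repository's default token scopes; a workflow-level `permissions: {}` next to the job-level grant keeps that default closed.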
@@ -25,6 +25,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ persist-credentials: false
 - uses: dorny/paths-filter@v3
 id: changes
 with:
@@ -56,6 +57,8 @@ jobs:
 python-version: ["3.10", "3.12"]
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v5
 with:
 python-version: ${{ matrix.python-version }}
@@ -146,6 +149,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Set up Python ${{ matrix.python-version }}
 uses: mamba-org/setup-micromamba@v2
 with:
@@ -229,6 +233,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Set up Python 3.10
 uses: mamba-org/setup-micromamba@v2
 with:
@@ -286,6 +291,8 @@ jobs:
 if: ${{ needs.changes.outputs.changes == 'true' && needs.all-checks.result == 'success' }}
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up Python
 uses: actions/setup-python@v5
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000000..b747897eb8
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,36 @@
+# https://github.com/woodruffw/zizmor name: zizmor GHA analysis
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ branches: ["**"]
+
+jobs:
+ zizmor:
+ name: zizmor latest via PyPI
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+
+ - uses: hynek/setup-cached-uv@v2
+
+ - name: Run zizmor 🌈
+ run: uvx zizmor --format sarif . > results.sarif
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ # Path to SARIF file relative to the root of the repository
+ sarif_file: results.sarif
+ # Optional category for the results
+ # Used to differentiate multiple results for one commit
+ category: zizmor
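Review bot: In the new zizmor.yml the tool that audits this repository's workflow supply chain is itself pulled unpinned — the `run: uvx zizmor --format sarif . > results.sarif` step resolves whatever is newest on PyPI at run time (the job name says as much), so a bad or compromised release changes CI behaviour silently and two runs of the same commit are not reproducible. Pin it, e.g. `run: uvx zizmor==<pinned-version> --format sarif . > results.sarif`, and bump the version deliberately. Two smaller points on the same file: zizmor, as far as I recall, exits non-zero when it has findings, in which case the `Upload SARIF file` step never runs and the findings never reach code scanning — either add `if: always()` to the upload step or run with `--no-exit-codes` so the uploaded SARIF is the signal; and if this repository is private, `upload-sarif` and the checkout additionally need `actions: read` and `contents: read` in the job's `permissions`, which currently grants only `security-events: write`.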