diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 7b9b072f..848e2a56 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -4,15 +4,25 @@ on: push: tags: ["*"] +permissions: {} + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + jobs: build: name: Build wheel and sdist runs-on: ubuntu-24.04 + permissions: + contents: read # for checkout outputs: name: ${{ steps.baipp.outputs.package_name }} version: ${{ steps.baipp.outputs.package_version }} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: hynek/build-and-inspect-python-package@d44ca7d91762de7a7d5436ddae667c6da6d1c3df # v2.18 id: baipp diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 1827871c..43e03a4e 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -17,10 +17,14 @@ concurrency: env: FORCE_COLOR: 1 +permissions: {} + jobs: build-package: name: Build & verify package runs-on: ubuntu-latest + permissions: + contents: read # for checkout outputs: supported-python-versions: ${{ steps.baipp.outputs.supported_python_classifiers_json_array }} steps: @@ -35,15 +39,24 @@ jobs: actionlint: name: Static analysis of GitHub Actions runs-on: ubuntu-latest + permissions: + contents: read # for checkout + checks: write # for reviewdog annotations steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: reviewdog/action-actionlint@6fb7acc99f4a1008869fa8a0f09cfca740837d9d # v1.72.0 lint: name: Static analysis of code runs-on: ubuntu-latest + permissions: + contents: read # for checkout steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 - name: Install tox run: uv tool install --with tox-uv tox 
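Review bot: In the ci.yaml hunk at `@@ -35,15 +39,24 @@`, the actionlint job is granted `checks: write # for reviewdog annotations`, but on `pull_request` runs from forks the job token is read-only regardless of the job-level block, so the annotation post cannot succeed there (the hunk does not show the reviewdog `with:` configuration, so I am assuming the default `github-pr-check` reporter). Worth confirming that the step degrades to log output rather than failing the job on fork PRs, and recording that in the comment, e.g. `checks: write # for reviewdog github-pr-check annotations (no-op on fork PRs: read-only token)`. The build.yaml hunk and the first ci.yaml hunk read fine: top-level `permissions: {}` with explicit per-job grants and `persist-credentials: false` on every checkout.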
@@ -56,6 +69,8 @@ jobs: name: Python ${{ matrix.python-version }} runs-on: ${{ matrix.os }} needs: build-package + permissions: + contents: read # for checkout strategy: fail-fast: false matrix: @@ -63,6 +78,8 @@ jobs: python-version: ${{ fromJson(needs.build-package.outputs.supported-python-versions) }} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 - name: Run tests env: @@ -79,8 +96,12 @@ jobs: name: Coverage runs-on: ubuntu-latest needs: test + permissions: + contents: read # for checkout steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: pattern: coverage-data-* diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yaml similarity index 88% rename from .github/workflows/codeql-analysis.yml rename to .github/workflows/codeql-analysis.yaml index 6fa2b102..3bf1a103 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yaml @@ -15,14 +15,20 @@ on: - cron: '0 5 * * 6' permissions: - actions: read - contents: read - security-events: write + contents: read # for checkout + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true jobs: analyze: name: Analyze runs-on: ubuntu-latest + permissions: + actions: read # for codeql-action to read workflow info + contents: read # for checkout + security-events: write # for codeql-action to upload SARIF results strategy: fail-fast: false 
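Review bot: In the codeql-analysis.yaml hunk at `@@ -15,14 +15,20 @@`, the top-level block is rewritten as `permissions:` / `contents: read # for checkout` instead of the `permissions: {}` that build.yaml, ci.yaml and run-zizmor.yaml receive in this same commit; since the `analyze` job now declares its own grants, the top-level `contents: read` only acts as a default for jobs added later, which is the opposite of the least-privilege intent elsewhere. The docs.yml hunk at `@@ -14,7 +14,11 @@` has the same shape. Suggest `permissions: {}` at the top of both files and keeping the per-job grants as written. One more thing to confirm: the new `concurrency` group keys on `github.ref`, and for `schedule` runs that is the default branch, so a push to main and the weekly scheduled scan share a group and can cancel each other; harmless for coverage of main, but worth knowing when a scheduled run shows up as cancelled.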
@@ -40,6 +46,7 @@ jobs: # We must fetch at least the immediate parents so that if this is # a pull request then we can checkout the head. fetch-depth: 2 + persist-credentials: false # If this run was triggered by a pull request event, then checkout # the head of the pull request instead of the merge commit. diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 626b1cc0..dfc9f5db 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -14,7 +14,11 @@ env: UV_NO_SYNC: 1 permissions: - contents: write + contents: read # for checkout + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true jobs: build-docs: @@ -22,11 +26,15 @@ jobs: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 - name: Install uv uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 + with: + enable-cache: false - name: Build documentation run: uvx --with tox-uv tox -e docs @@ -42,8 +50,8 @@ jobs: runs-on: ubuntu-24.04 needs: [ build-docs ] permissions: - pages: write # Required for GitHub Pages deployment - id-token: write # Required for GitHub Pages deployment + pages: write # for deploy-pages + id-token: write # for deploy-pages OIDC authentication environment: name: github-pages url: ${{ steps.deployment.outputs.page_url }} diff --git a/.github/workflows/run-zizmor.yaml b/.github/workflows/run-zizmor.yaml new file mode 100644 index 00000000..b826474c --- /dev/null +++ b/.github/workflows/run-zizmor.yaml 
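Review bot: `persist-credentials: false` is added to a checkout that the surrounding comments say is followed by a step checking out the pull-request head instead of the merge commit; that step is outside the hunk. If it is the usual local `git checkout HEAD^2` against the already-fetched history it needs no token, but if it fetches from origin it will now fail for lack of credentials, so please check the step that follows. If it is local-only, a short comment on the new line would keep the next reader from re-adding credentials, e.g. `persist-credentials: false # the HEAD^2 checkout below is local; no token needed`.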
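Review bot: In the docs.yml hunk at `@@ -22,11 +26,15 @@`, `enable-cache: false` is added to setup-uv without a reason, while every other new line in this commit carries a `# for ...` justification. Presumably this is because build-docs feeds the Pages deployment and restoring a branch-shared cache into a publishing job is what zizmor's cache-poisoning audit flags; if so, say it inline, e.g. `enable-cache: false # publishing workflow: do not restore a shared cache`. If the reason is something else (say, the cache was simply unused), note that instead, since otherwise someone will switch it back on to speed up the job.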
@@ -0,0 +1,30 @@ +name: GitHub Actions security analysis + +on: + push: + branches: + - main + pull_request: + workflow_dispatch: + +permissions: {} + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + zizmor: + name: zizmor + runs-on: ubuntu-latest + permissions: + contents: read # for checkout + security-events: write # for uploading SARIF results + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - name: Run zizmor + uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 + with: + persona: pedantic
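Review bot: The zizmor job grants `security-events: write # for uploading SARIF results`, but the workflow also runs on `pull_request`, and for pull requests from forks the job token is read-only whatever the job declares, so the SARIF upload cannot succeed on those runs and, if the upload step fails hard, the job reports an error unrelated to the findings. Worth confirming the behaviour on a fork PR; if it does fail, zizmor-action can be told to skip the code-scanning upload (it has an `advanced-security` input, if I recall correctly) when `github.event.pull_request.head.repo.fork` is true. `persona: pedantic` also includes low-confidence findings, and with SARIF upload each one becomes a code-scanning alert; if that turns out noisy, a minimum confidence or severity threshold is the lever, not a looser persona.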