MNT/SEC: setup pre-commit + zizmor and address for security-related lints#494

Merged
neutrinoceros merged 6 commits into pydata:master from neutrinoceros:zizmor
Jan 19, 2026

Conversation

@neutrinoceros
Collaborator

  • MNT/SEC: configure pre-commit + zizmor
  • SEC: zizmor autofixes
  • SEC: pin GHA exactly
  • MNT: (temporarily ?) turn off zizmor's use-trusted-publishing lint rule
  • SEC: turn off default GHA permissions
  • TST: add a CI job to run pre-commit

This will also set a foundation for migrating from flake8+black to ruff for Python linting and formatting through pre-commit.
Ideally I would like to set up pre-commit.ci as an external service, though I don't have sufficient permissions to do it on my own so I sent a request (but I'm unsure who's going to receive it). In the meantime I set up a GHA-based job to ensure it's run in CI.
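As an added illustration of the setup the commit list above describes (example configuration, not files from this repository or from the zizmor project), the two pieces that make a pre-commit + zizmor setup enforceable: a `.pre-commit-config.yaml` that runs zizmor over the workflow files on every commit, and a workflow that drops the default `GITHUB_TOKEN` permissions, pins third-party actions to a full commit SHA with the version kept in a trailing comment, and runs pre-commit as a CI job. The hook repository and action names are the upstream ones as I know them; the `rev:` tag and the 40-character SHAs are placeholders that must be replaced with real values.

```yaml
# .pre-commit-config.yaml (added example, not this repository's file)
repos:
  - repo: https://github.com/zizmorcore/zizmor-pre-commit
    rev: vX.Y.Z  # placeholder: pin to a released zizmor tag
    hooks:
      - id: zizmor  # scans .github/workflows/*.yml; findings fail the commit
---
# .github/workflows/lint.yml (added example)
name: lint
on:
  pull_request:
  push:
    branches: [main]

# Weak setting: omitting this block means every job inherits the
# repository's default GITHUB_TOKEN permissions, which may be read/write.
# Corrected: grant nothing at the top level and opt in per job instead.
permissions: {}

jobs:
  pre-commit:
    runs-on: ubuntu-latest
    permissions:
      contents: read  # the only scope this job needs
    steps:
      # Weak setting (flagged by zizmor's unpinned-uses rule), a mutable tag:
      #   - uses: actions/checkout@v4
      # Corrected: an immutable commit SHA; the comment keeps the version
      # readable for humans and for the updater that bumps the pin.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4.x.y (placeholder SHA)
        with:
          persist-credentials: false  # don't leave the token in .git/config for later steps
      - uses: actions/setup-python@0000000000000000000000000000000000000000 # v5.x.y (placeholder SHA)
        with:
          python-version: "3.x"
      - uses: pre-commit/action@0000000000000000000000000000000000000000 # v3.x.y (placeholder SHA)
```

Once actions are SHA-pinned they no longer move on their own, so pair this with Dependabot (or an equivalent updater) configured for `github-actions`, which bumps both the SHA and the version comment; without that the pins silently freeze.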

Comment thread .github/workflows/ci.yml
merge-multiple: true

- uses: pypa/gh-action-pypi-publish@release/v1
- uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 # zizmor: ignore[use-trusted-publishing]
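Review bot: the trailing `# zizmor: ignore[use-trusted-publishing]` on the added `uses:` line suppresses the finding indefinitely, with the reason recorded only in this thread; put the reason beside the suppression (for example a short TODO noting that PyPI-side setup is pending) or link a tracking issue, so the ignore is revisited once trusted publishing is configured rather than outliving it. Separately, replacing the floating `@release/v1` ref with a commit SHA removes automatic updates, so confirm an updater (Dependabot or similar) is configured to bump the pin together with its `# v1.13.0` comment; otherwise the publish step quietly freezes at v1.13.0.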
Collaborator Author


Ideally we would also set up trusted publishing, but this requires clearance on the PyPI side, which I do not have, so I'm ignoring the rule for now.

Collaborator


May be useful as a follow-up indeed. Although given the current CI trouble, perhaps best to wait until everything is green again.

@neutrinoceros
Collaborator Author

Since I last visited this PR, pre-commit.ci was enabled (presumably by @rgommers?) but we haven't added a .pre-commit-config.yaml file yet. I'm happy to do it when this one is merged!

@neutrinoceros
Collaborator Author

Whoops, looks like I already added it actually. Let's rebase to make sure it passes then.

Collaborator

@rgommers rgommers left a comment


Needs another rebase and accumulated a small merge conflict. Other than that, LGTM!

@neutrinoceros neutrinoceros merged commit e979059 into pydata:master Jan 19, 2026
35 of 36 checks passed
@neutrinoceros neutrinoceros deleted the zizmor branch January 19, 2026 17:58