From 3051fc390bb5d49da3ef6eb0ebc928c281a991bf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Robert?=
Date: Sat, 13 Dec 2025 10:47:34 +0100
Subject: [PATCH 1/6] MNT/SEC: configure pre-commit + zizmor

---
 .pre-commit-config.yaml | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .pre-commit-config.yaml

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 000000000..3a17cb75b
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,5 @@
+repos:
+ - repo: https://github.com/zizmorcore/zizmor-pre-commit
+ rev: v1.18.0
+ hooks:
+ - id: zizmor
From acbd17f5a2c99959dfdfc007ad6540a29e2cea63 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Robert?=
Date: Sat, 13 Dec 2025 10:48:02 +0100
Subject: [PATCH 2/6] SEC: zizmor autofixes

---
 .github/workflows/ci.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c068f3a07..24f2d5904 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -18,6 +18,8 @@ jobs:
 - macos-latest
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: ./.github/bottleneck-action
 
 test-windows:
@@ -47,6 +49,8 @@ jobs:
 python-version: "3.14t"
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: ./.github/bottleneck-action
 
 test-pyversions:
@@ -64,6 +68,8 @@ jobs:
 - "3.14t"
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: ./.github/bottleneck-action
 
 check:
@@ -97,6 +103,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ persist-credentials: false
 
 - name: Build wheels
 uses: pypa/cibuildwheel@v3.1.4
@@ -117,6 +124,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ persist-credentials: false
 
 - name: Build sdist
 run: pipx run build --sdist
From 231f562e7d8c0b8b31cc6bb70f0cde7bf662c242 Mon Sep 17 00:00:00 2001
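Review bot: `rev: v1.18.0` in the new .pre-commit-config.yaml is a mutable git tag, so the hook that will enforce exact SHA pins on the workflows (patch 3/6) is itself fetched by a reference that can be moved; this is the same class of issue the series is fixing elsewhere. pre-commit accepts a full commit SHA in `rev`, and `pre-commit autoupdate --freeze` rewrites tags to SHAs while keeping the tag name as a trailing comment, which would make the repository's pinning policy self-consistent. A one-line header comment such as `# zizmor: static analysis of the GitHub Actions workflows under .github/` would also tell readers why the hook is there.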
From: =?UTF-8?q?Cl=C3=A9ment=20Robert?=
Date: Sat, 13 Dec 2025 10:51:06 +0100
Subject: [PATCH 3/6] SEC: pin GHA exactly

---
 .github/bottleneck-action/action.yml | 2 +-
 .github/workflows/ci.yml | 20 ++++++++++----------
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/.github/bottleneck-action/action.yml b/.github/bottleneck-action/action.yml
index 759de2644..3b14d93fc 100644
--- a/.github/bottleneck-action/action.yml
+++ b/.github/bottleneck-action/action.yml
@@ -4,7 +4,7 @@ runs:
 using: composite
 steps:
 - name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
 with:
 python-version: ${{ matrix.python-version }}
 - name: Install
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 24f2d5904..2dad466e3 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -17,7 +17,7 @@ jobs:
 - macos-15-intel
 - macos-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
 - uses: ./.github/bottleneck-action
@@ -48,7 +48,7 @@ jobs:
 architecture: arm64
 python-version: "3.14t"
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
 - uses: ./.github/bottleneck-action
@@ -67,7 +67,7 @@ jobs:
 - "3.14"
 - "3.14t"
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
 - uses: ./.github/bottleneck-action
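Review bot: The ci.yml hunks of this commit do more than pin — the `# v6.0.1` trailer replaces `actions/checkout@v4` with a v6 commit, and the later hunks in the same file move upload-artifact `@v4` to `# v6.0.0`, download-artifact `@v4` to `# v7.0.0` and cibuildwheel `@v3.1.4` to `# v3.3.0` — while the subject "pin GHA exactly" reads as a no-behaviour-change commit; splitting the major-version upgrades from the pinning, or at least naming them in the description, makes the series easier to review and bisect if a build regresses. The `# vX.Y.Z` comment is only a hint: a reviewer cannot tell from the diff that each SHA is the commit the named tag points to, so the description should say how the SHAs were resolved. SHA pins do not move on their own; a `.github/dependabot.yml` entry for the `github-actions` ecosystem is the usual companion so the pins (and their version comments) keep getting refreshed. The action.yml hunk (setup-python `# v5.6.0`) stays on the same major and needs no further note.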
@@ -100,16 +100,16 @@ jobs:
 - ubuntu-latest
 - ubuntu-24.04-arm
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 fetch-depth: 0
 persist-credentials: false
 
 - name: Build wheels
- uses: pypa/cibuildwheel@v3.1.4
+ uses: pypa/cibuildwheel@63fd63b352a9a8bdcc24791c9dbee952ee9a8abc # v3.3.0
 
 - name: Store wheel artifacts
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
 with:
 name: cibw-wheels-${{ matrix.os }}-${{ strategy.job-index }}
 path: ./wheelhouse/*.whl
@@ -121,7 +121,7 @@ jobs:
 if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 fetch-depth: 0
 persist-credentials: false
@@ -129,7 +129,7 @@ jobs:
 - name: Build sdist
 run: pipx run build --sdist
 
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
 with:
 path: dist/*.tar.gz
 
@@ -140,12 +140,12 @@ jobs:
 if: github.event_name == 'push'
 runs-on: ubuntu-latest
 steps:
- - uses: actions/download-artifact@v4
+ - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
 with:
 path: dist
 merge-multiple: true
 
- - uses: pypa/gh-action-pypi-publish@release/v1
+ - uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
 with:
 user: __token__
 password: ${{ secrets.PYPI_API_TOKEN}}
From 54a18ad6e2687fd2423c1f737eba2c7dafdf9e3a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Robert?=
Date: Sat, 13 Dec 2025 10:56:18 +0100
Subject: [PATCH 4/6] MNT: (temporarily ?) turn off zizmor's `use-trusted-publishing` lint rule

---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2dad466e3..b93a90c3c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -145,7 +145,7 @@ jobs:
 path: dist
 merge-multiple: true
 
- - uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
+ - uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 # zizmor: ignore[use-trusted-publishing]
 with:
 user: __token__
 password: ${{ secrets.PYPI_API_TOKEN}}
From 6ed1bdc7885827d7ad6842502a50d4d47a76159d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Robert?=
Date: Sat, 13 Dec 2025 10:56:35 +0100
Subject: [PATCH 5/6] SEC: turn off default GHA permissions

---
 .github/workflows/ci.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b93a90c3c..dc3f990be 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,6 +2,8 @@
 name: Github Actions
 on: ["push", "pull_request"]
 
+permissions: {}
+
 jobs:
 test-linux-macos:
 runs-on: ${{ matrix.os }}
From 7cb55cfe9194d2d5c0da789aa0ea3304a75888cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Robert?=
Date: Sat, 13 Dec 2025 10:59:34 +0100
Subject: [PATCH 6/6] TST: add a CI job to run pre-commit

---
 .github/workflows/ci.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index dc3f990be..b6c6737ea 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,6 +5,16 @@ on: ["push", "pull_request"]
 permissions: {}
 
 jobs:
+
+ pre-commit:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: false
+ - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+ - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
+
 test-linux-macos:
 runs-on: ${{ matrix.os }}
 strategy:
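Review bot: The added `# zizmor: ignore[use-trusted-publishing]` silences the finding but records neither the reason nor an exit condition, even though the subject itself calls the suppression "(temporarily ?)"; a line above the step such as `# TODO(<tracking-issue-placeholder>): publish with a long-lived PyPI token until trusted publishing is set up; drop the zizmor ignore below when it is` keeps the debt visible to the next reader. The migration the lint asks for removes the `PYPI_API_TOKEN` secret from the workflow entirely: the publish job would declare `permissions: id-token: write` at job level (the workflow-level `permissions: {}` added in 5/6 makes the job-level grant mandatory), drop the `user`/`password` inputs, and the workflow would be registered as a trusted publisher on PyPI. As a side note on the unchanged context line, `${{ secrets.PYPI_API_TOKEN}}` lacks the space before `}}`; it evaluates fine but is worth normalising while the line is being touched.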
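Review bot: With `permissions: {}` at workflow level and no job in this file declaring its own `permissions:` block, every job's `GITHUB_TOKEN` now carries no scopes at all, and the jobs that run `actions/checkout` rely on the repository being publicly readable; if the repository is private, or is mirrored privately, those checkouts fail until the jobs get `permissions:` / `  contents: read` at job level. Declaring `contents: read` explicitly on the jobs that check out code makes the intended grant visible rather than implicit, and is the shape zizmor's `excessive-permissions` guidance expects. The publish job is unaffected since it authenticates with a repository secret rather than the token.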
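Review bot: The new `pre-commit` job calls `actions/setup-python` with no `python-version`, so the interpreter pre-commit and the zizmor hook run under is whatever `ubuntu-latest` happens to ship on the day, which makes lint results drift without any change to the repository; pinning it, e.g. `with:` / `  python-version: "3.13"` (constructed example) or a checked-in `.python-version`, keeps the job reproducible. `pre-commit/action` describes itself upstream as maintenance-only in favour of pre-commit.ci, as far as I recall, so it is worth noting in the description that the action was chosen deliberately. Minor style point: the hunk inserts a blank line directly after `jobs:` that none of the other jobs in this file is preceded by.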