From db7e09e829f0d58c3864ec335cfe89aa4efe1cd3 Mon Sep 17 00:00:00 2001 From: Hynek Schlawack Date: Thu, 29 May 2025 12:28:38 +0200 Subject: [PATCH 1/4] ci: pin non-gh, non-hynek, non-pypa uses --- .github/workflows/ci.yml | 3 ++- .github/workflows/codspeed.yml | 3 ++- zizmor.yml | 9 +++++++++ 3 files changed, 13 insertions(+), 2 deletions(-) create mode 100644 zizmor.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b3005b672..ee8706e97 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -228,6 +228,7 @@ jobs: steps: - name: Decide whether the needed jobs succeeded or failed - uses: re-actors/alls-green@release/v1 + # v1.2.2 + uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe with: jobs: ${{ toJSON(needs) }} diff --git a/.github/workflows/codspeed.yml b/.github/workflows/codspeed.yml index 0fc5d59b2..43adc13b6 100644 --- a/.github/workflows/codspeed.yml +++ b/.github/workflows/codspeed.yml @@ -39,7 +39,8 @@ jobs: - uses: hynek/setup-cached-uv@v2 - name: Run CodSpeed benchmarks - uses: CodSpeedHQ/action@v3 + # v3.5.0 + uses: CodSpeedHQ/action@0010eb0ca6e89b80c88e8edaaa07cfe5f3e6664d with: token: ${{ secrets.CODSPEED_TOKEN }} run: uvx --with tox-uv tox run -e codspeed diff --git a/zizmor.yml b/zizmor.yml new file mode 100644 index 000000000..7f60706d7 --- /dev/null +++ b/zizmor.yml @@ -0,0 +1,9 @@ +--- +rules: + unpinned-uses: + config: + policies: + "actions/*": ref-pin + "github/*": ref-pin + "hynek/*": ref-pin + "pypa/*": ref-pin From a9de1bbf62205e05ca6ecb8667ded384e05c9770 Mon Sep 17 00:00:00 2001 From: Hynek Schlawack Date: Thu, 29 May 2025 13:23:32 +0200 Subject: [PATCH 2/4] pin everything @tinche will keep them updated :P --- .github/workflows/build-docset.yml | 8 +++--- .github/workflows/ci.yml | 36 +++++++++++++-------------- .github/workflows/codeql-analysis.yml | 8 +++--- .github/workflows/codspeed.yml | 6 ++--- .github/workflows/pypi-package.yml | 12 ++++----- .github/workflows/zizmor.yml | 6 ++--- zizmor.yml | 9 ------- 7 files changed, 38 insertions(+), 47 deletions(-) delete mode 100644 zizmor.yml diff --git a/.github/workflows/build-docset.yml b/.github/workflows/build-docset.yml index 22e027510..7d97d43bd 100644 --- a/.github/workflows/build-docset.yml +++ b/.github/workflows/build-docset.yml @@ -17,18 +17,18 @@ jobs: docset: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 persist-credentials: false - - uses: actions/setup-python@v5 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "3.x" - - uses: hynek/setup-cached-uv@v2 + - uses: hynek/setup-cached-uv@757bedc3f972eb7227a1aa657651f15a8527c817 # v2.3.0 - run: uvx --with=tox-uv tox run -e docset - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: docset path: attrs.tgz diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ee8706e97..fab1b37d1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -23,12 +23,12 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 persist-credentials: false - - uses: hynek/build-and-inspect-python-package@v2 + - uses: hynek/build-and-inspect-python-package@b5076c307dc91924a82ad150cdd1533b444d3310 # v2.12.0 id: baipp outputs: @@ -49,16 +49,16 @@ jobs: steps: - name: Download pre-built packages - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: Packages path: dist - run: tar xf dist/*.tar.gz --strip-components=1 - - uses: actions/setup-python@v5 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: ${{ matrix.python-version }} allow-prereleases: true - - uses: hynek/setup-cached-uv@v2 + - uses: hynek/setup-cached-uv@757bedc3f972eb7227a1aa657651f15a8527c817 # v2.3.0 - name: Prepare tox env: @@ -89,7 +89,7 @@ jobs: -e $TOX_PYTHON-tests - name: Upload coverage data - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: coverage-data-${{ matrix.python-version }} path: .coverage.* @@ -109,14 +109,14 @@ jobs: steps: - name: Download pre-built packages - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: Packages path: dist - run: | tar xf dist/*.tar.gz --strip-components=1 rm -rf src # ensure tests run against wheel - - uses: hynek/setup-cached-uv@v2 + - uses: hynek/setup-cached-uv@757bedc3f972eb7227a1aa657651f15a8527c817 # v2.3.0 - run: > uvx --with=tox-uv @@ -131,15 +131,15 @@ jobs: steps: - name: Download pre-built packages - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: Packages path: dist - run: tar xf dist/*.tar.gz --strip-components=1 - - uses: hynek/setup-cached-uv@v2 + - uses: hynek/setup-cached-uv@757bedc3f972eb7227a1aa657651f15a8527c817 # v2.3.0 - name: Download coverage data - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: pattern: coverage-data-* merge-multiple: true @@ -158,7 +158,7 @@ jobs: coverage report --fail-under=100 - name: Upload HTML report if check failed. - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: html-report path: htmlcov @@ -170,12 +170,12 @@ jobs: needs: build-package steps: - name: Download pre-built packages - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: Packages path: dist - run: tar xf dist/*.tar.gz --strip-components=1 - - uses: hynek/setup-cached-uv@v2 + - uses: hynek/setup-cached-uv@757bedc3f972eb7227a1aa657651f15a8527c817 # v2.3.0 - run: uvx --with=tox-uv tox run -e docs-doctests,changelog @@ -183,10 +183,10 @@ jobs: name: Check types using pyright runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - - uses: hynek/setup-cached-uv@v2 + - uses: hynek/setup-cached-uv@757bedc3f972eb7227a1aa657651f15a8527c817 # v2.3.0 - run: > uvx --with=tox-uv @@ -198,10 +198,10 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - - uses: hynek/setup-cached-uv@v2 + - uses: hynek/setup-cached-uv@757bedc3f972eb7227a1aa657651f15a8527c817 # v2.3.0 - run: uv venv --python $(cat .python-version-default) - run: uv pip install -e .[dev] diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index fd850571f..7467f2f05 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -24,17 +24,17 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@v3 + uses: github/codeql-action/autobuild@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 diff --git a/.github/workflows/codspeed.yml b/.github/workflows/codspeed.yml index 43adc13b6..7ce9973b1 100644 --- a/.github/workflows/codspeed.yml +++ b/.github/workflows/codspeed.yml @@ -30,13 +30,13 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - - uses: actions/setup-python@v5 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version-file: .python-version-default - - uses: hynek/setup-cached-uv@v2 + - uses: hynek/setup-cached-uv@757bedc3f972eb7227a1aa657651f15a8527c817 # v2.3.0 - name: Run CodSpeed benchmarks # v3.5.0 diff --git a/.github/workflows/pypi-package.yml b/.github/workflows/pypi-package.yml index 48ac87ee7..c6b86caf8 100644 --- a/.github/workflows/pypi-package.yml +++ b/.github/workflows/pypi-package.yml @@ -21,12 +21,12 @@ jobs: id-token: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 persist-credentials: false - - uses: hynek/build-and-inspect-python-package@v2 + - uses: hynek/build-and-inspect-python-package@b5076c307dc91924a82ad150cdd1533b444d3310 # v2.12.0 with: attest-build-provenance-github: 'true' @@ -44,13 +44,13 @@ jobs: steps: - name: Download packages built by build-and-inspect-python-package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: Packages path: dist - name: Upload package to Test PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4 with: attestations: true repository-url: https://test.pypi.org/legacy/ @@ -69,12 +69,12 @@ jobs: steps: - name: Download packages built by build-and-inspect-python-package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: Packages path: dist - name: Upload package to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4 with: attestations: true diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index cde16a0a4..f4eacab0b 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -19,10 +19,10 @@ jobs: security-events: write steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - - uses: hynek/setup-cached-uv@v2 + - uses: hynek/setup-cached-uv@757bedc3f972eb7227a1aa657651f15a8527c817 # v2.3.0 - name: Run zizmor 🌈 run: uvx zizmor --format sarif . > results.sarif @@ -30,7 +30,7 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 with: # Path to SARIF file relative to the root of the repository sarif_file: results.sarif diff --git a/zizmor.yml b/zizmor.yml deleted file mode 100644 index 7f60706d7..000000000 --- a/zizmor.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -rules: - unpinned-uses: - config: - policies: - "actions/*": ref-pin - "github/*": ref-pin - "hynek/*": ref-pin - "pypa/*": ref-pin From 761a0dabfbc8f28495999e057e4cf298ad90c5b6 Mon Sep 17 00:00:00 2001 From: Hynek Schlawack Date: Thu, 29 May 2025 13:26:13 +0200 Subject: [PATCH 3/4] consistency --- .github/workflows/ci.yml | 3 +-- .github/workflows/codspeed.yml | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index fab1b37d1..fa48543c9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -228,7 +228,6 @@ jobs: steps: - name: Decide whether the needed jobs succeeded or failed - # v1.2.2 - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe + uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2 with: jobs: ${{ toJSON(needs) }} diff --git a/.github/workflows/codspeed.yml b/.github/workflows/codspeed.yml index 7ce9973b1..28c9e8d43 100644 --- a/.github/workflows/codspeed.yml +++ b/.github/workflows/codspeed.yml @@ -39,8 +39,7 @@ jobs: - uses: hynek/setup-cached-uv@757bedc3f972eb7227a1aa657651f15a8527c817 # v2.3.0 - name: Run CodSpeed benchmarks - # v3.5.0 - uses: CodSpeedHQ/action@0010eb0ca6e89b80c88e8edaaa07cfe5f3e6664d + uses: CodSpeedHQ/action@0010eb0ca6e89b80c88e8edaaa07cfe5f3e6664d # v3.5.0 with: token: ${{ secrets.CODSPEED_TOKEN }} run: uvx --with tox-uv tox run -e codspeed From b8ed503aff3650dac0aeb5c0477521558a3f34de Mon Sep 17 00:00:00 2001 From: Hynek Schlawack Date: Thu, 29 May 2025 13:38:08 +0200 Subject: [PATCH 4/4] Add pinact workflow --- .github/workflows/pinact.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 .github/workflows/pinact.yml diff --git a/.github/workflows/pinact.yml b/.github/workflows/pinact.yml new file mode 100644 index 000000000..279cd0d03 --- /dev/null +++ b/.github/workflows/pinact.yml @@ -0,0 +1,22 @@ +--- +name: Pinact + +on: + schedule: + - cron: "30 22 * * 4" + workflow_dispatch: + +permissions: {} + +jobs: + pinact: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + + - name: Pin actions + uses: suzuki-shunsuke/pinact-action@d735505f3decf76fca3fdbb4c952e5b3eba0ffdd # v0.1.2 + permissions: + contents: write