From b8997282d11d1ea746502db540e16a203046e8e3 Mon Sep 17 00:00:00 2001 From: Vecko <36369090+VeckoTheGecko@users.noreply.github.com> Date: Fri, 10 Apr 2026 09:23:30 +0200 Subject: [PATCH 1/5] Zizmor pre-commit config --- .pre-commit-config.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 22529947..cc5bb3c0 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -10,6 +10,10 @@ repos: - id: check-json types: [text] files: \.(json|ipynb)$ + - repo: https://github.com/zizmorcore/zizmor-pre-commit + rev: v1.23.1 + hooks: + - id: zizmor - repo: https://github.com/astral-sh/ruff-pre-commit rev: v0.15.9 hooks: From 683591d9bba237089fd9f1c896695531ecda1860 Mon Sep 17 00:00:00 2001 From: Vecko <36369090+VeckoTheGecko@users.noreply.github.com> Date: Fri, 10 Apr 2026 09:48:27 +0200 Subject: [PATCH 2/5] Pin actions --- .github/workflows/cd.yml | 11 ++++++----- .github/workflows/ci.yml | 13 ++++++++----- 2 files changed, 14 insertions(+), 10 deletions(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index feb9cb73..57968035 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -25,11 +25,12 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 + persist-credentials: false - - uses: hynek/build-and-inspect-python-package@v2 + - uses: hynek/build-and-inspect-python-package@fe0a0fb1925ca263d076ca4f2c13e93a6e92a33e # v2 publish: needs: [dist] 
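Review bot: The zizmor hook is pinned by the mutable tag `rev: v1.23.1`, while the rest of this series pins every GitHub action to a commit SHA. pre-commit's `rev` also accepts a full commit SHA, and `pre-commit autoupdate --freeze` writes it as `rev: <sha>  # frozen: v1.23.1` (`<sha>` is a placeholder here), which gives the hook the same immutability guarantee as the workflow pins. Worth aligning the two policies so the pinning story is uniform across the repo.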
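Review bot: The version comment on the checkout pin reads `# v6` here, but the same SHA `de0fac2e…` is commented `# v6.0.2` in the later patch that adds the zizmor job; that comment is the only human-verifiable link between a SHA and a release and Dependabot rewrites it on bump, so it should carry the exact tag the SHA resolves to (`# v6.0.2` if that is what this SHA is). The same applies to `# v2` on build-and-inspect-python-package here and `# v7` on download-artifact in the next hunk. Adding `persist-credentials: false` is the right call alongside the pin.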
@@ -43,15 +44,15 @@ jobs: if: github.event_name == 'release' && github.event.action == 'published' steps: - - uses: actions/download-artifact@v7 + - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7 with: name: Packages path: dist - name: Generate artifact attestation for sdist and wheel - uses: actions/attest-build-provenance@v3.2.0 + uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0 with: subject-path: "dist/*" - name: Publish to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f13256cd..c9de0820 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -27,10 +27,12 @@ jobs: cache-key: ${{ steps.pixi-lock.outputs.cache-key }} pixi-version: ${{ steps.pixi-lock.outputs.pixi-version }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: Parcels-code/pixi-lock/create-and-cache@38495788b79a5ff26009aecc15daa9a8310b8832 # v0.1.0 id: pixi-lock - - uses: actions/upload-artifact@v6 # make available as an artifact for local testing + - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: pixi-lock path: pixi.lock 
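Review bot: `# release/v1` labels the pypa/gh-action-pypi-publish SHA with a branch name, so a reader cannot tell which release `cef22109…` corresponds to and Dependabot's version-comment tracking has nothing to compare against; comment it with the release tag that SHA resolves to (a placeholder such as `# v1.X.Y`, to be confirmed from the upstream repo). Separately, the publish job's `permissions:` block sits above this hunk and is not visible; once the later patch sets `permissions: {}` at the workflow level, this job must declare `id-token: write` for trusted publishing and `attestations: write` for attest-build-provenance or both steps fail, so please confirm those are present.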
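Review bot: The upload-artifact step loses its explanatory comment when `# make available as an artifact for local testing` is replaced by the version comment; keep the explanation on its own line above the step, i.e. `# make available as an artifact for local testing` followed by `- uses: actions/upload-artifact@b7c566a7… # v6`. Separately, this job stays on checkout v4 (`34e11487…`) while the other jobs in the same workflow move to v6 (`de0fac2e…`); pinning by SHA freezes that drift, so either align them now or expect two separate Dependabot updates for the same action.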
@@ -48,13 +50,14 @@ jobs: - pixi-environment: "test-py310" runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 + persist-credentials: false - uses: Parcels-code/pixi-lock/restore@38495788b79a5ff26009aecc15daa9a8310b8832 # v0.1.0 with: cache-key: ${{ needs.cache-pixi-lock.outputs.cache-key }} - - uses: prefix-dev/setup-pixi@v0.9.4 + - uses: prefix-dev/setup-pixi@a0af7a228712d6121d37aba47adf55c1332c9c2e # v0.9.4 with: cache: true cache-write: ${{ github.event_name == 'push' && github.ref_name == 'main' }} @@ -66,7 +69,7 @@ jobs: --durations=20 - name: Upload coverage report - uses: codecov/codecov-action@v5.5.2 + uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2 with: token: ${{ secrets.CODECOV_TOKEN }} # typechecking: From 7f0d721dba54e1ccf43cfe999d96aefbe482eea2 Mon Sep 17 00:00:00 2001 From: Vecko <36369090+VeckoTheGecko@users.noreply.github.com> Date: Fri, 10 Apr 2026 10:01:56 +0200 Subject: [PATCH 3/5] run zizmor --- .github/dependabot.yml | 2 ++ .github/workflows/cd.yml | 4 ++++ .github/workflows/ci.yml | 6 ++++++ 3 files changed, 12 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 3cbe37a0..09f76ff8 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -9,3 +9,5 @@ updates: actions: patterns: - "*" + cooldown: + default-days: 7 diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 57968035..0b5dd555 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -19,10 +19,14 @@ env: # one distinguishes color depth, where "3" -> "256-bit color". FORCE_COLOR: 3 +permissions: {} + jobs: dist: name: Distribution build runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c9de0820..e2d9b9ea 100644 
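Review bot: `cooldown:` is only valid at the package-ecosystem entry level (a sibling of `groups`), not nested under `groups.actions`; the collapsed indentation in this patch makes it impossible to confirm where the key landed, so please check the rendered file, since a misplaced key makes Dependabot reject the whole config. A 7-day cooldown also delays security releases of the pinned actions by the same window; if I recall correctly `cooldown.exclude` can exempt specific actions where that trade-off is unwanted.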
--- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -20,9 +20,13 @@ env: # one distinguishes color depth, where "3" -> "256-bit color". FORCE_COLOR: 3 +permissions: {} + jobs: cache-pixi-lock: runs-on: ubuntu-slim + permissions: + contents: read outputs: cache-key: ${{ steps.pixi-lock.outputs.cache-key }} pixi-version: ${{ steps.pixi-lock.outputs.pixi-version }} @@ -41,6 +45,8 @@ jobs: name: "Unit tests: ${{ matrix.runs-on }} | pixi run -e ${{ matrix.pixi-environment }} tests" runs-on: ${{ matrix.runs-on }} needs: cache-pixi-lock + permissions: + contents: read strategy: fail-fast: false matrix: From 3355bd65f22736a931df4c742b1ae2c661cd40ed Mon Sep 17 00:00:00 2001 From: Vecko <36369090+VeckoTheGecko@users.noreply.github.com> Date: Fri, 10 Apr 2026 10:41:23 +0200 Subject: [PATCH 4/5] Ignore codecov item --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e2d9b9ea..b6f3a6e7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -77,7 +77,7 @@ jobs: - name: Upload coverage report uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2 with: - token: ${{ secrets.CODECOV_TOKEN }} + token: ${{ secrets.CODECOV_TOKEN }} # zizmor: ignore[secrets-outside-env] # typechecking: # name: "TypeChecking: pixi run typing" # runs-on: ubuntu-latest From 52209d82f48459475a37d4a4ee0427c35364e75d Mon Sep 17 00:00:00 2001 From: Vecko <36369090+VeckoTheGecko@users.noreply.github.com> Date: Fri, 10 Apr 2026 10:43:28 +0200 Subject: [PATCH 5/5] Add Zizmor github action --- .github/workflows/ci.yml | 16 ++++++++++++++++ .pre-commit-config.yaml | 1 + 2 files changed, 17 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b6f3a6e7..2b82050f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
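Review bot: With `permissions: {}` at the workflow level, any job without its own `permissions` block runs with a token that has no scopes, and only `cache-pixi-lock` and `tests` receive `contents: read` in this hunk. The `typechecking` job that is still commented out further down will need the same block when it is revived, so a one-line note there, `# needs permissions: contents: read once re-enabled`, would save a confusing checkout failure later.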
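Review bot: The `# zizmor: ignore[secrets-outside-env]` suppression carries no justification, so the next reader cannot tell whether the finding was assessed or just silenced. If codecov-action reads the token from the environment (its docs list `CODECOV_TOKEN` as an env var, to be confirmed), moving it to `env:` with `CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}` and dropping the `with:` input removes the finding without an ignore; otherwise append a short reason to the ignore comment, e.g. `# zizmor: ignore[secrets-outside-env] -- token is only consumed by the upload step`.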
@@ -78,6 +78,22 @@ jobs: uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2 with: token: ${{ secrets.CODECOV_TOKEN }} # zizmor: ignore[secrets-outside-env] + + zizmor: + name: GHA Security Analysis using Zizmor + runs-on: ubuntu-latest + permissions: + security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files. + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor + uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2 + + # typechecking: # name: "TypeChecking: pixi run typing" # runs-on: ubuntu-latest diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index cc5bb3c0..6658cbad 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -14,6 +14,7 @@ repos: rev: v1.23.1 hooks: - id: zizmor + args: ["--offline"] - repo: https://github.com/astral-sh/ruff-pre-commit rev: v0.15.9 hooks:
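Review bot: The zizmor job grants only `security-events: write`; under the workflow-level `permissions: {}` that leaves the checkout step with a token lacking `contents: read`, which works for a public repository but not a private one, and zizmor-action's own example adds `contents: read` and `actions: read` for that case, so confirm which applies here and add them if needed. The inline justification on `security-events: write` is exactly the kind of comment the other permission blocks in this series lack. Two consecutive blank lines are also left before `# typechecking:`; one is enough.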
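Review bot: `--offline` disables the audits that need the GitHub API (as I recall, impostor-commit, known-vulnerable-actions, ref-confusion and stale-action-refs among them), so the pre-commit run covers a subset of what the new CI job checks. A short comment next to the argument, `# offline: API-backed audits run in the zizmor CI job instead`, makes that division of labour explicit for whoever next sees the hook pass locally and the CI job fail.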