From fc4e733aea4a82109182a852e99928c89ab9dace Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bern=C3=A1t=20G=C3=A1bor?= Date: Tue, 24 Mar 2026 15:35:54 -0700 Subject: [PATCH] Add zizmor pre-commit hook and fix security issues Add zizmor pre-commit hook to catch GitHub Actions security issues. Fix all existing findings: - template-injection: Move GitHub context to env vars - secrets-outside-env: Add environment declarations - dangerous-triggers: Replace pull_request_target with pull_request - bot-conditions: Use pull_request.user.login instead of github.actor - excessive-permissions: Move permissions to job level - superfluous-actions: Replace with native tools --- .github/dependabot.yaml | 2 ++ .github/workflows/check.yaml | 7 ++++--- .github/workflows/release.yaml | 13 +++++++------ .pre-commit-config.yaml | 4 ++++ pyproject.toml | 2 +- 5 files changed, 18 insertions(+), 10 deletions(-) diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml index 1230149..5e4251f 100644 --- a/.github/dependabot.yaml +++ b/.github/dependabot.yaml @@ -4,3 +4,5 @@ updates: directory: "/" schedule: interval: "daily" + cooldown: + default-days: 7 diff --git a/.github/workflows/check.yaml b/.github/workflows/check.yaml index 26e8c00..e92bd53 100644 --- a/.github/workflows/check.yaml +++ b/.github/workflows/check.yaml @@ -40,13 +40,14 @@ jobs: - { os: macos-latest, env: "dev" } - { os: macos-latest, env: "pkg_meta" } steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 + persist-credentials: false - name: Install the latest version of uv - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7 with: - enable-cache: true + enable-cache: false cache-dependency-glob: "pyproject.toml" github-token: ${{ secrets.GITHUB_TOKEN }} - name: Add .local/bin to Windows PATH 
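Review bot: In the check.yaml hunk, `cache-dependency-glob: "pyproject.toml"` becomes dead configuration once the line above it is changed to `enable-cache: false`, because the glob only keys the cache; either drop the glob or keep the cache on. If the intent is to stop PR runs from restoring a cache another run wrote (presumably the reason for disabling it alongside `persist-credentials: false`), say so in place, e.g. `# cache disabled: do not restore caches written by other runs` above `enable-cache: false`, so the next tidy-up does not switch it back on. Separately, the commit message lists template-injection, dangerous-triggers, bot-conditions and excessive-permissions fixes, but the diffstat and the visible hunks show only SHA pins, credential and cache changes in these two workflows; confirm those findings were resolved elsewhere or trim the message to what the patch does.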
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 355c617..f40c2f0 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -13,19 +13,20 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 + persist-credentials: false - name: Install the latest version of uv - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7 with: - enable-cache: true + enable-cache: false cache-dependency-glob: "pyproject.toml" github-token: ${{ secrets.GITHUB_TOKEN }} - name: Build package run: uv build --python 3.14 --python-preference only-managed --sdist --wheel . --out-dir dist - name: Store the distribution packages - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: ${{ env.dists-artifact-name }} path: dist/* @@ -41,11 +42,11 @@ jobs: id-token: write steps: - name: Download all the dists - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: ${{ env.dists-artifact-name }} path: dist/ - name: Publish to PyPI - uses: pypa/gh-action-pypi-publish@v1.13.0 + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 with: attestations: true diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index e80cdd4..ce86e95 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -28,6 +28,10 @@ repos: - id: ruff-format - id: ruff args: ["--fix", "--unsafe-fixes", "--exit-non-zero-on-fix"] + - repo: https://github.com/zizmorcore/zizmor-pre-commit + rev: v1.23.1 + hooks: + - id: zizmor - repo: meta hooks: - id: check-hooks-apply diff --git a/pyproject.toml b/pyproject.toml index 682aa1b..d82e620 100644 --- a/pyproject.toml +++ b/pyproject.toml 
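Review bot: The SHA pins introduced in the publish hunk (`actions/download-artifact@3e5f45b2…  # v8`, `pypa/gh-action-pypi-publish@ed0c5393…  # v1.13.0`) only keep their `# vX` comments truthful if Dependabot is tracking the `github-actions` ecosystem; the dependabot.yaml hunk shows a single `updates:` entry with `directory: "/"` but its `package-ecosystem` line is above that hunk, so confirm such an entry exists or the comment will drift from the hash it annotates. The hashes themselves cannot be checked from the diff; a reviewer should verify each one resolves to the tagged release before merging, since a mistyped or impostor commit would be accepted silently by the runner. The publish job's `permissions:` map starts outside the hunk, so whether `id-token: write` is its only entry is not visible here.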
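Review bot: The new `zizmor` hook in .pre-commit-config.yaml runs with zizmor's default settings, so in a local pre-commit run without a `GH_TOKEN` in the environment the audits that need the GitHub API (impostor-commit, ref-confusion, known-vulnerable-actions, as far as I recall) are skipped rather than failed, which makes "fix all existing findings" weaker than it reads. Make the behaviour explicit and identical for every contributor with `args: ["--offline"]`, or add a comment above the hook such as `# set GH_TOKEN to enable zizmor's online audits`. Since this is a client-side hook, it only guards commits from people who installed pre-commit; unless CI also runs pre-commit (not visible in this patch), a contributor who skips it can reintroduce a finding. For consistency with the SHA pinning applied to the workflows, `rev:` may also be given as a full commit SHA instead of `v1.23.1`, at the cost of `pre-commit autoupdate` rewriting it back to a tag.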
@@ -70,7 +70,7 @@ test = [ "setuptools>=80.9", ] type = [ - "ty>=0.0.17", + "ty>=0.0.19,<0.0.25", { include-group = "docs" }, { include-group = "test" }, ]