Merge branch 'main' into dcreager/module-resolution

* main:
  Bump zizmor pre-commit hook to the latest version and fix new warnings (#15022)
  Add `actionlint` as a pre-commit hook (with shellcheck integration) (#15021)
  Update dependency mdformat-mkdocs to v4 (#15011)

.github/actionlint.yaml

@@ -0,0 +1,9 @@
+# Configuration for the actionlint tool, which we run via pre-commit
+# to verify the correctness of the syntax in our GitHub Actions workflows.
+
+self-hosted-runner:
+  # Various runners we use that aren't recognized out-of-the-box by actionlint:
+  labels:
+    - depot-ubuntu-latest-8
+    - depot-ubuntu-22.04-16
+    - windows-latest-xlarge

.github/workflows/build-binaries.yml

@@ -53,7 +53,7 @@ jobs:
           args: --out dist
       - name: "Test sdist"
         run: |
-          pip install dist/${PACKAGE_NAME}-*.tar.gz --force-reinstall
+          pip install dist/"${PACKAGE_NAME}"-*.tar.gz --force-reinstall
           "${MODULE_NAME}" --help
           python -m "${MODULE_NAME}" --help
       - name: "Upload sdist"
@@ -125,7 +125,7 @@ jobs:
           args: --release --locked --out dist
       - name: "Test wheel - aarch64"
         run: |
-          pip install dist/${PACKAGE_NAME}-*.whl --force-reinstall
+          pip install dist/"${PACKAGE_NAME}"-*.whl --force-reinstall
           ruff --help
           python -m ruff --help
       - name: "Upload wheels"
@@ -186,7 +186,7 @@ jobs:
         if: ${{ !startsWith(matrix.platform.target, 'aarch64') }}
         shell: bash
         run: |
-          python -m pip install dist/${PACKAGE_NAME}-*.whl --force-reinstall
+          python -m pip install dist/"${PACKAGE_NAME}"-*.whl --force-reinstall
           "${MODULE_NAME}" --help
           python -m "${MODULE_NAME}" --help
       - name: "Upload wheels"
@@ -236,7 +236,7 @@ jobs:
       - name: "Test wheel"
         if: ${{ startsWith(matrix.target, 'x86_64') }}
         run: |
-          pip install dist/${PACKAGE_NAME}-*.whl --force-reinstall
+          pip install dist/"${PACKAGE_NAME}"-*.whl --force-reinstall
           "${MODULE_NAME}" --help
           python -m "${MODULE_NAME}" --help
       - name: "Upload wheels"

.github/workflows/build-docker.yml

@@ -142,6 +142,7 @@ jobs:
         # The printf will expand the base image with the `<RUFF_BASE_IMG>@sha256:<sha256> ...` for each sha256 in the directory
         # The final command becomes `docker buildx imagetools create -t tag1 -t tag2 ... <RUFF_BASE_IMG>@sha256:<sha256_1> <RUFF_BASE_IMG>@sha256:<sha256_2> ...`
         run: |
+          # shellcheck disable=SC2046
           docker buildx imagetools create \
             $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
             $(printf "${RUFF_BASE_IMG}@sha256:%s " *)
@@ -286,6 +287,8 @@ jobs:
         # The final command becomes `docker buildx imagetools create -t tag1 -t tag2 ... <RUFF_BASE_IMG>@sha256:<sha256_1> <RUFF_BASE_IMG>@sha256:<sha256_2> ...`
         run: |
           readarray -t lines <<< "$DOCKER_METADATA_OUTPUT_ANNOTATIONS"; annotations=(); for line in "${lines[@]}"; do annotations+=(--annotation "$line"); done
+
+          # shellcheck disable=SC2046
           docker buildx imagetools create \
             "${annotations[@]}" \
             $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \

.github/workflows/ci.yaml

@@ -290,7 +290,9 @@ jobs:
           file: "Cargo.toml"
           field: "workspace.package.rust-version"
       - name: "Install Rust toolchain"
-        run: rustup default ${{ steps.msrv.outputs.value }}
+        env:
+          MSRV: ${{ steps.msrv.outputs.value }}
+        run: rustup default "${MSRV}"
       - name: "Install mold"
         uses: rui314/setup-mold@v1
       - name: "Install cargo nextest"
@@ -306,7 +308,8 @@ jobs:
         shell: bash
         env:
           NEXTEST_PROFILE: "ci"
-        run: cargo +${{ steps.msrv.outputs.value }} insta test --all-features --unreferenced reject --test-runner nextest
+          MSRV: ${{ steps.msrv.outputs.value }}
+        run: cargo "+${MSRV}" insta test --all-features --unreferenced reject --test-runner nextest
 
   cargo-fuzz-build:
     name: "cargo fuzz build"
@@ -354,16 +357,18 @@ jobs:
           name: ruff
           path: ruff-to-test
       - name: Fuzz
+        env:
+          DOWNLOAD_PATH: ${{ steps.download-cached-binary.outputs.download-path }}
         run: |
           # Make executable, since artifact download doesn't preserve this
-          chmod +x ${{ steps.download-cached-binary.outputs.download-path }}/ruff
+          chmod +x "${DOWNLOAD_PATH}/ruff"
 
           (
             uvx \
-            --python=${{ env.PYTHON_VERSION }} \
+            --python="${PYTHON_VERSION}" \
             --from=./python/py-fuzzer \
             fuzz \
-            --test-executable=${{ steps.download-cached-binary.outputs.download-path }}/ruff \
+            --test-executable="${DOWNLOAD_PATH}/ruff" \
             --bin=ruff \
             0-500
           )
@@ -429,64 +434,72 @@ jobs:
 
       - name: Run `ruff check` stable ecosystem check
         if: ${{ needs.determine_changes.outputs.linter == 'true' }}
+        env:
+          DOWNLOAD_PATH: ${{ steps.ruff-target.outputs.download-path }}
         run: |
           # Make executable, since artifact download doesn't preserve this
-          chmod +x ./ruff ${{ steps.ruff-target.outputs.download-path }}/ruff
+          chmod +x ./ruff "${DOWNLOAD_PATH}/ruff"
 
           # Set pipefail to avoid hiding errors with tee
           set -eo pipefail
 
-          ruff-ecosystem check ./ruff ${{ steps.ruff-target.outputs.download-path }}/ruff --cache ./checkouts --output-format markdown | tee ecosystem-result-check-stable
+          ruff-ecosystem check ./ruff "${DOWNLOAD_PATH}/ruff" --cache ./checkouts --output-format markdown | tee ecosystem-result-check-stable
 
-          cat ecosystem-result-check-stable > $GITHUB_STEP_SUMMARY
+          cat ecosystem-result-check-stable > "$GITHUB_STEP_SUMMARY"
           echo "### Linter (stable)"  > ecosystem-result
           cat ecosystem-result-check-stable >> ecosystem-result
           echo "" >> ecosystem-result
 
       - name: Run `ruff check` preview ecosystem check
         if: ${{ needs.determine_changes.outputs.linter == 'true' }}
+        env:
+          DOWNLOAD_PATH: ${{ steps.ruff-target.outputs.download-path }}
         run: |
           # Make executable, since artifact download doesn't preserve this
-          chmod +x ./ruff ${{ steps.ruff-target.outputs.download-path }}/ruff
+          chmod +x ./ruff "${DOWNLOAD_PATH}/ruff"
 
           # Set pipefail to avoid hiding errors with tee
           set -eo pipefail
 
-          ruff-ecosystem check ./ruff ${{ steps.ruff-target.outputs.download-path }}/ruff --cache ./checkouts --output-format markdown --force-preview | tee ecosystem-result-check-preview
+          ruff-ecosystem check ./ruff "${DOWNLOAD_PATH}/ruff" --cache ./checkouts --output-format markdown --force-preview | tee ecosystem-result-check-preview
 
-          cat ecosystem-result-check-preview > $GITHUB_STEP_SUMMARY
+          cat ecosystem-result-check-preview > "$GITHUB_STEP_SUMMARY"
           echo "### Linter (preview)" >> ecosystem-result
           cat ecosystem-result-check-preview >> ecosystem-result
           echo "" >> ecosystem-result
 
       - name: Run `ruff format` stable ecosystem check
         if: ${{ needs.determine_changes.outputs.formatter == 'true' }}
+        env:
+          DOWNLOAD_PATH: ${{ steps.ruff-target.outputs.download-path }}
         run: |
           # Make executable, since artifact download doesn't preserve this
-          chmod +x ./ruff ${{ steps.ruff-target.outputs.download-path }}/ruff
+          chmod +x ./ruff "${DOWNLOAD_PATH}/ruff"
 
           # Set pipefail to avoid hiding errors with tee
           set -eo pipefail
 
-          ruff-ecosystem format ./ruff ${{ steps.ruff-target.outputs.download-path }}/ruff --cache ./checkouts --output-format markdown | tee ecosystem-result-format-stable
+          ruff-ecosystem format ./ruff "${DOWNLOAD_PATH}/ruff" --cache ./checkouts --output-format markdown | tee ecosystem-result-format-stable
 
-          cat ecosystem-result-format-stable > $GITHUB_STEP_SUMMARY
+          cat ecosystem-result-format-stable > "$GITHUB_STEP_SUMMARY"
           echo "### Formatter (stable)" >> ecosystem-result
           cat ecosystem-result-format-stable >> ecosystem-result
           echo "" >> ecosystem-result
 
       - name: Run `ruff format` preview ecosystem check
         if: ${{ needs.determine_changes.outputs.formatter == 'true' }}
+        env:
+          DOWNLOAD_PATH: ${{ steps.ruff-target.outputs.download-path }}
         run: |
           # Make executable, since artifact download doesn't preserve this
-          chmod +x ./ruff ${{ steps.ruff-target.outputs.download-path }}/ruff
+          chmod +x ./ruff "${DOWNLOAD_PATH}/ruff"
 
           # Set pipefail to avoid hiding errors with tee
           set -eo pipefail
 
-          ruff-ecosystem format ./ruff ${{ steps.ruff-target.outputs.download-path }}/ruff --cache ./checkouts --output-format markdown --force-preview | tee ecosystem-result-format-preview
+          ruff-ecosystem format ./ruff "${DOWNLOAD_PATH}/ruff" --cache ./checkouts --output-format markdown --force-preview | tee ecosystem-result-format-preview
 
-          cat ecosystem-result-format-preview > $GITHUB_STEP_SUMMARY
+          cat ecosystem-result-format-preview > "$GITHUB_STEP_SUMMARY"
           echo "### Formatter (preview)" >> ecosystem-result
           cat ecosystem-result-format-preview >> ecosystem-result
           echo "" >> ecosystem-result
@@ -541,7 +554,7 @@ jobs:
           args: --out dist
       - name: "Test wheel"
         run: |
-          pip install --force-reinstall --find-links dist ${{ env.PACKAGE_NAME }}
+          pip install --force-reinstall --find-links dist "${PACKAGE_NAME}"
           ruff --help
           python -m ruff --help
       - name: "Remove wheels from cache"
@@ -570,13 +583,13 @@ jobs:
           key: pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}
       - name: "Run pre-commit"
         run: |
-          echo '```console' > $GITHUB_STEP_SUMMARY
+          echo '```console' > "$GITHUB_STEP_SUMMARY"
           # Enable color output for pre-commit and remove it for the summary
           SKIP=cargo-fmt,clippy,dev-generate-all pre-commit run --all-files --show-diff-on-failure --color=always | \
-            tee >(sed -E 's/\x1B\[([0-9]{1,2}(;[0-9]{1,2})*)?[mGK]//g' >> $GITHUB_STEP_SUMMARY) >&1
-          exit_code=${PIPESTATUS[0]}
-          echo '```' >> $GITHUB_STEP_SUMMARY
-          exit $exit_code
+            tee >(sed -E 's/\x1B\[([0-9]{1,2}(;[0-9]{1,2})*)?[mGK]//g' >> "$GITHUB_STEP_SUMMARY") >&1
+          exit_code="${PIPESTATUS[0]}"
+          echo '```' >> "$GITHUB_STEP_SUMMARY"
+          exit "$exit_code"
 
   docs:
     name: "mkdocs"
@@ -637,7 +650,7 @@ jobs:
       - name: "Run checks"
         run: scripts/formatter_ecosystem_checks.sh
       - name: "Github step summary"
-        run: cat target/formatter-ecosystem/stats.txt > $GITHUB_STEP_SUMMARY
+        run: cat target/formatter-ecosystem/stats.txt > "$GITHUB_STEP_SUMMARY"
       - name: "Remove checkouts from cache"
         run: rm -r target/formatter-ecosystem
 
@@ -676,11 +689,13 @@ jobs:
           just install
 
       - name: Run ruff-lsp tests
+        env:
+          DOWNLOAD_PATH: ${{ steps.ruff-target.outputs.download-path }}
         run: |
           # Setup development binary
           pip uninstall --yes ruff
-          chmod +x ${{ steps.ruff-target.outputs.download-path }}/ruff
-          export PATH=${{ steps.ruff-target.outputs.download-path }}:$PATH
+          chmod +x "${DOWNLOAD_PATH}/ruff"
+          export PATH="${DOWNLOAD_PATH}:${PATH}"
           ruff version
 
           just test

.github/workflows/daily_fuzz.yaml

@@ -46,6 +46,7 @@ jobs:
         run: cargo build --locked
       - name: Fuzz
         run: |
+          # shellcheck disable=SC2046
           (
             uvx \
             --python=3.12 \

.github/workflows/pr-comment.yaml

@@ -10,12 +10,11 @@ on:
         description: The ecosystem workflow that triggers the workflow run
         required: true
 
-permissions:
-  pull-requests: write
-
 jobs:
   comment:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
       - uses: dawidd6/action-download-artifact@v7
         name: Download pull request number
@@ -30,7 +29,7 @@ jobs:
         run: |
           if [[ -f pr-number ]]
           then
-            echo "pr-number=$(<pr-number)" >> $GITHUB_OUTPUT
+            echo "pr-number=$(<pr-number)" >> "$GITHUB_OUTPUT"
           fi
 
       - uses: dawidd6/action-download-artifact@v7
@@ -66,9 +65,9 @@ jobs:
           cat pr/ecosystem/ecosystem-result >> comment.txt
           echo "" >> comment.txt
 
-          echo 'comment<<EOF' >> $GITHUB_OUTPUT
-          cat comment.txt >> $GITHUB_OUTPUT
-          echo 'EOF' >> $GITHUB_OUTPUT
+          echo 'comment<<EOF' >> "$GITHUB_OUTPUT"
+          cat comment.txt >> "$GITHUB_OUTPUT"
+          echo 'EOF' >> "$GITHUB_OUTPUT"
 
       - name: Find existing comment
         uses: peter-evans/find-comment@v3

.github/workflows/publish-docs.yml

@@ -44,8 +44,8 @@ jobs:
           # Use version as display name for now
           display_name="$version"
 
-          echo "version=$version" >> $GITHUB_ENV
-          echo "display_name=$display_name" >> $GITHUB_ENV
+          echo "version=$version" >> "$GITHUB_ENV"
+          echo "display_name=$display_name" >> "$GITHUB_ENV"
 
       - name: "Set branch name"
         run: |
@@ -55,8 +55,8 @@ jobs:
           # characters disallowed in git branch names with hyphens
           branch_display_name="$(echo "${display_name}" | tr -c '[:alnum:]._' '-' | tr -s '-')"
 
-          echo "branch_name=update-docs-$branch_display_name-$timestamp" >> $GITHUB_ENV
-          echo "timestamp=$timestamp" >> $GITHUB_ENV
+          echo "branch_name=update-docs-$branch_display_name-$timestamp" >> "$GITHUB_ENV"
+          echo "timestamp=$timestamp" >> "$GITHUB_ENV"
 
       - name: "Add SSH key"
         if: ${{ env.MKDOCS_INSIDERS_SSH_KEY_EXISTS == 'true' }}
@@ -112,7 +112,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.ASTRAL_DOCS_PAT }}
         run: |
           # set the PR title
-          pull_request_title="Update ruff documentation for "${display_name}""
+          pull_request_title="Update ruff documentation for ${display_name}"
 
           # Delete any existing pull requests that are open for this version
           # by checking against pull_request_title because the new PR will
@@ -124,10 +124,12 @@ jobs:
           git push origin "${branch_name}"
 
           # create the PR
-          gh pr create --base main --head "${branch_name}" \
-            --title "$pull_request_title" \
-            --body "Automated documentation update for "${display_name}"" \
-            --label "documentation"
+          gh pr create \
+            --base=main \
+            --head="${branch_name}" \
+            --title="${pull_request_title}" \
+            --body="Automated documentation update for ${display_name}" \
+            --label="documentation"
 
       - name: "Merge Pull Request"
         if: ${{ inputs.plan != '' && !fromJson(inputs.plan).announcement_tag_is_implicit }}

.github/workflows/sync_typeshed.yaml

@@ -59,7 +59,7 @@ jobs:
         run: |
           cd ruff
           git push --force origin typeshedbot/sync-typeshed
-          gh pr list --repo $GITHUB_REPOSITORY --head typeshedbot/sync-typeshed --json id --jq length | grep 1 && exit 0 # exit if there is existing pr
+          gh pr list --repo "$GITHUB_REPOSITORY" --head typeshedbot/sync-typeshed --json id --jq length | grep 1 && exit 0 # exit if there is existing pr
           gh pr create --title "Sync vendored typeshed stubs" --body "Close and reopen this PR to trigger CI" --label "internal"
 
   create-issue-on-failure:

.github/zizmor.yml

@@ -0,0 +1,6 @@
+# Configuration for the zizmor static analysis tool, run via pre-commit in CI
+# https://woodruffw.github.io/zizmor/configuration/
+rules:
+  dangerous-triggers:
+    ignore:
+      - pr-comment.yaml

.markdownlint.yaml

@@ -21,3 +21,11 @@ MD014: false
 MD024:
   # Allow when nested under different parents e.g. CHANGELOG.md
   siblings_only: true
+
+# MD046/code-block-style
+#
+# Ignore this because it conflicts with the code block style used in content
+# tabs of mkdocs-material which is to add a blank line after the content title.
+#
+# Ref: https://github.com/astral-sh/ruff/pull/15011#issuecomment-2544790854
+MD046: false