Update linting and config

hugovk · hugovk · commit 5e8379d165c6 · 2025-08-07T10:48:37.000+03:00
diff --git a/.coveragerc b/.coveragerc
diff --git a/.github/renovate.json b/.github/renovate.json
@@ -1,6 +1,6 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": ["config:base"],
+  "extends": ["config:base", ":semanticCommitsDisabled"],
   "labels": ["changelog: skip", "dependencies"],
   "packageRules": [
     {
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -11,8 +11,7 @@ on:
       - published
   workflow_dispatch:
 
-permissions:
-  contents: read
+permissions: {}
 
 env:
   FORCE_COLOR: 1
@@ -27,14 +26,15 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - uses: hynek/build-and-inspect-python-package@v2
 
   # Upload to Test PyPI on every commit on main.
   release-test-pypi:
     name: Publish in-dev package to test.pypi.org
     if: |
-      github.repository_owner == 'hugovk'
+      github.event.repository.fork == false
       && github.event_name == 'push'
       && github.ref == 'refs/heads/main'
     runs-on: ubuntu-latest
@@ -66,7 +66,7 @@ jobs:
   release-pypi:
     name: Publish released package to pypi.org
     if: |
-      github.repository_owner == 'hugovk'
+      github.event.repository.fork == false
       && github.event.action == 'published'
     runs-on: ubuntu-latest
     needs: build-package
diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml
@@ -1,8 +1,5 @@
 name: Sync labels
 
-permissions:
-  pull-requests: write
-
 on:
   push:
     branches:
@@ -13,9 +10,13 @@ on:
 
 jobs:
   sync:
+    permissions:
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: micnncim/action-label-syncer@v1
         with:
           prune: false
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -2,19 +2,20 @@ name: Lint
 
 on: [push, pull_request, workflow_dispatch]
 
+permissions: {}
+
 env:
   FORCE_COLOR: 1
-  PIP_DISABLE_PIP_VERSION_CHECK: 1
-
-permissions:
-  contents: read
+  RUFF_OUTPUT_FORMAT: github
 
 jobs:
   lint:
     runs-on: ubuntu-latest
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: "3.x"
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
@@ -14,12 +14,9 @@ on:
   #   types: [opened, reopened, synchronize]
   workflow_dispatch:
 
-permissions:
-  contents: read
-
 jobs:
   update_release_draft:
-    if: github.repository_owner == 'hugovk'
+    if: github.event.repository.fork == false
     permissions:
       # write permission is required to create a GitHub Release
       contents: write
diff --git a/.github/workflows/require-pr-label.yml b/.github/workflows/require-pr-label.yml
@@ -17,6 +17,11 @@ jobs:
         with:
           mode: minimum
           count: 1
-          labels:
-            "changelog: Added, changelog: Changed, changelog: Deprecated, changelog:
-            Fixed, changelog: Removed, changelog: Security, changelog: skip"
+          labels: |
+            changelog: Added
+            changelog: Changed
+            changelog: Deprecated
+            changelog: Fixed
+            changelog: Removed
+            changelog: Security
+            changelog: skip
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -2,11 +2,11 @@ name: Test
 
 on: [push, pull_request, workflow_dispatch]
 
-permissions:
-  contents: read
+permissions: {}
 
 env:
   FORCE_COLOR: 1
+  PIP_DISABLE_PIP_VERSION_CHECK: 1
 
 jobs:
   test:
@@ -28,6 +28,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v5
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
@@ -0,0 +1,7 @@
+# Configuration for the zizmor static analysis tool, run via pre-commit in CI
+# https://woodruffw.github.io/zizmor/configuration/
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        "*": ref-pin
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,8 +1,8 @@
 repos:
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.12.2
+    rev: v0.12.7
     hooks:
-      - id: ruff
+      - id: ruff-check
         args: [--exit-non-zero-on-fix]
 
   - repo: https://github.com/psf/black-pre-commit-mirror
@@ -23,6 +23,7 @@ repos:
       - id: debug-statements
       - id: end-of-file-fixer
       - id: forbid-submodules
+      - id: requirements-txt-fixer
       - id: trailing-whitespace
 
   - repo: https://github.com/python-jsonschema/check-jsonschema
@@ -36,6 +37,11 @@ repos:
     hooks:
       - id: actionlint
 
+  - repo: https://github.com/woodruffw/zizmor-pre-commit
+    rev: v1.11.0
+    hooks:
+      - id: zizmor
+
   - repo: https://github.com/tox-dev/pyproject-fmt
     rev: v2.6.0
     hooks:
@@ -47,7 +53,7 @@ repos:
       - id: validate-pyproject
 
   - repo: https://github.com/tox-dev/tox-ini-fmt
-    rev: 1.5.0
+    rev: 1.6.0
     hooks:
       - id: tox-ini-fmt
 
diff --git a/pyproject.toml b/pyproject.toml
@@ -55,12 +55,13 @@ lint.select = [
   "C4",     # flake8-comprehensions
   "E",      # pycodestyle errors
   "EM",     # flake8-errmsg
-  "F",      # pyflakes errors
+  "F",      # pyflakes
   "I",      # isort
   "ICN",    # flake8-import-conventions
   "ISC",    # flake8-implicit-str-concat
   "LOG",    # flake8-logging
   "PGH",    # pygrep-hooks
+  "PIE",    # flake8-pie
   "PYI",    # flake8-pyi
   "RUF022", # unsorted-dunder-all
   "RUF100", # unused noqa (yesqa)
@@ -69,11 +70,12 @@ lint.select = [
   "YTT",    # flake8-2020
 ]
 lint.ignore = [
-  "E203",  # Whitespace before ':'
-  "E221",  # Multiple spaces before operator
-  "E226",  # Missing whitespace around arithmetic operator
-  "E241",  # Multiple spaces after ','
-  "UP038", # Makes code slower and more verbose
+  "E203",   # Whitespace before ':'
+  "E221",   # Multiple spaces before operator
+  "E226",   # Missing whitespace around arithmetic operator
+  "E241",   # Multiple spaces after ','
+  "PIE790", # flake8-pie: unnecessary-placeholder
+  "UP038",  # Makes code slower and more verbose
 ]
 lint.flake8-import-conventions.aliases.datetime = "dt"
 lint.flake8-import-conventions.banned-from = [ "datetime" ]
@@ -85,8 +87,15 @@ max_supported_python = "3.14"
 
 [tool.pytest.ini_options]
 addopts = "-W error::DeprecationWarning"
-filterwarnings = [
-  # Python <= 3.11
-  "ignore:sys.monitoring isn't available, using default core:coverage.exceptions.CoverageWarning",
-]
 testpaths = [ "tests" ]
+
+[tool.coverage.run]
+disable_warnings = [
+  "no-sysmon",
+]
+[tool.coverage.report]
+# Regexes for lines to exclude from consideration
+exclude_also = [
+  # Don't complain if non-runnable code isn't run:
+  "if __name__ == .__main__.:",
+]
diff --git a/tox.ini b/tox.ini
@@ -11,6 +11,8 @@ extras =
     tests
 pass_env =
     FORCE_COLOR
+set_env =
+    COVERAGE_CORE = sysmon
 commands =
     coverage erase
     {envpython} -m pytest \
@@ -23,6 +25,7 @@ commands =
       --cov test \
       --cov-append test/functional/test_manager.py \
       {posargs}
+    coverage html
     coverage xml
 
 [testenv:lint]

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"$schema": "https://docs.renovatebot.com/renovate-schema.json",`
`3`		`- "extends": ["config:base"],`
	`3`	`+ "extends": ["config:base", ":semanticCommitsDisabled"],`
`4`	`4`	`"labels": ["changelog: skip", "dependencies"],`
`5`	`5`	`"packageRules": [`
`6`	`6`	`{`