diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e2c2b0fe..3fb54119 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -31,13 +31,15 @@ jobs:
 target: ppc64le
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v5
 with:
 python-version: 3.x
 - name: Build wheels
- uses: PyO3/maturin-action@v1
+ uses: PyO3/maturin-action@aef21716ff3dcae8a1c301d23ec3e4446972a6e3 # v1.49.1
 with:
 target: ${{ matrix.platform.target }}
 args: --release --out dist --find-interpreter --features extension-module
@@ -65,13 +67,15 @@ jobs:
 target: armv7
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v5
 with:
 python-version: 3.x
 - name: Build wheels
- uses: PyO3/maturin-action@v1
+ uses: PyO3/maturin-action@aef21716ff3dcae8a1c301d23ec3e4446972a6e3 # v1.49.1
 with:
 target: ${{ matrix.platform.target }}
 args: --release --out dist --find-interpreter --features extension-module
@@ -94,6 +98,8 @@ jobs:
 target: x86
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v5
 with:
@@ -101,7 +107,7 @@ jobs:
 architecture: ${{ matrix.platform.target }}
 - name: Build wheels
- uses: PyO3/maturin-action@v1
+ uses: PyO3/maturin-action@aef21716ff3dcae8a1c301d23ec3e4446972a6e3 # v1.49.1
 with:
 target: ${{ matrix.platform.target }}
 args: --release --out dist --find-interpreter --features extension-module
@@ -124,13 +130,15 @@ jobs:
 target: aarch64
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v5
 with:
 python-version: 3.x
 - name: Build wheels
- uses: PyO3/maturin-action@v1
+ uses: PyO3/maturin-action@aef21716ff3dcae8a1c301d23ec3e4446972a6e3 # v1.49.1
 with:
 target: ${{ matrix.platform.target }}
 args: --release --out dist --find-interpreter --features extension-module
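Review bot: In all five build hunks `actions/checkout@v4` and `actions/setup-python@v5` stay on mutable tags while `PyO3/maturin-action` is pinned to a commit, so the build jobs still trust whoever can move those two tags; pinning them the same way, e.g. `uses: actions/checkout@<sha> # v4.x`, makes the policy uniform across the file. The `# v1.49.1` annotation next to the SHA cannot be verified from the hunk and only stays truthful if something maintains it — a Dependabot `github-actions` entry (or Renovate) rewrites the SHA and the comment together. `persist-credentials: false` is the right default for build jobs that never push, but if a later step in any of these jobs (outside the hunks) relies on the checkout token for git operations it will now fail, so one full run of each platform is worth doing. Whether `build.yml` restricts `permissions:` at workflow level, as `test.yml` does elsewhere in this commit, is not visible here and should be aligned.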
@@ -146,9 +154,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Build sdist
- uses: PyO3/maturin-action@v1
+ uses: PyO3/maturin-action@aef21716ff3dcae8a1c301d23ec3e4446972a6e3 # v1.49.1
 with:
 command: sdist
 args: --out dist
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 50475769..15b1e1bb 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -23,9 +23,11 @@ jobs:
 runs-on: ubuntu-24.04
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Install uv
- uses: astral-sh/setup-uv@v6
+ uses: astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca # v6.0.1
 with:
 enable-cache: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a4a6623a..8b46a98c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -50,7 +50,7 @@ jobs:
 subject-path: "wheels-*/*"
 - name: Publish to PyPI
- uses: PyO3/maturin-action@v1
+ uses: PyO3/maturin-action@aef21716ff3dcae8a1c301d23ec3e4446972a6e3 # v1.49.1
 with:
 command: upload
 args: --non-interactive --skip-existing wheels-*/*
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 8b144a43..fb97ceed 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
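Review bot: The `Publish to PyPI` step in the release.yml hunk is the most privileged step touched by this commit, yet only its action ref changes; how `maturin upload` authenticates (a `MATURIN_PYPI_TOKEN`/`secrets.*` env, or OIDC trusted publishing with `id-token: write`) lies outside the hunk and should be held to the same least-privilege bar `test.yml` now gets. If a long-lived API token from repository secrets is used, it is readable by every step in that job, including the just-pinned third-party action, and trusted publishing would remove the stored secret entirely. The preceding `subject-path: "wheels-*/*"` attestation step suggests `id-token: write` may already be granted to this job, in which case only the upload credential needs confirming. The `# v1.49.1` comment is an unverified annotation in all three files here; keep the SHA under automated update so the comment never drifts from what actually runs.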
@@ -26,22 +26,30 @@ env:
 FORCE_COLOR: "1"
 PYTHONUNBUFFERED: "1"
+permissions: {}
+
 jobs:
 generate-matrix:
 runs-on: ubuntu-latest
 outputs:
 matrix: ${{ steps.set-matrix.outputs.matrix }}
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Install uv
- uses: astral-sh/setup-uv@v6
+ uses: astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca # v6.0.1
 with:
 enable-cache: true
 - id: set-matrix
+ env:
+ OS: ${{ inputs.os }}
 run: |
- uv run noxfile.py --session gha_matrix -- "${{ inputs.os }}"
+ uv run noxfile.py --session gha_matrix -- "${OS}"
 test:
 name: Python ${{ matrix.python-version }}, Django ${{ matrix.django-version }} (${{ matrix.os }})
@@ -50,17 +58,24 @@ jobs:
 strategy:
 fail-fast: false
 matrix: ${{ fromJSON(needs.generate-matrix.outputs.matrix) }}
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Install uv
- uses: astral-sh/setup-uv@v6
+ uses: astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca # v6.0.1
 with:
 enable-cache: true
 - name: Run tests
+ env:
+ DJANGO_VERSION: ${{ matrix.django-version }}
+ PYTHON_VERSION: ${{ matrix.python-version }}
 run: |
- uv run noxfile.py --session "tests(python='${{ matrix.python-version }}', django='${{ matrix.django-version }}')"
+ uv run noxfile.py --session "tests(python='${PYTHON_VERSION}', django='${DJANGO_VERSION}')"
 tests:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 00000000..3295fd3d
--- /dev/null
+++ b/.github/workflows/zizmor.yml
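Review bot: `permissions: {}` at workflow level now applies to every job, including the `tests` aggregation job that begins at the tail of the second hunk and continues outside it; that job receives no explicit grant, which is correct only if none of its steps use the token, so its body should be checked before merging. Moving `${{ inputs.os }}` and the matrix values into `env:` closes the shell-injection path in both `run:` blocks, and the quoting is right: bash expands `${PYTHON_VERSION}` inside the double-quoted nox spec even though it sits between single quotes. `inputs.os` is still a caller-supplied string (the `on:` block is not in the hunk), so the indirection deserves a one-line rationale for the next editor, e.g. `# passed through env, not ${{ }}, so the value is data rather than shell source` above the `env:` key on the `set-matrix` step and the `Run tests` step. The matrix values come from `fromJSON(needs.generate-matrix.outputs.matrix)`, i.e. from this repository's own `noxfile.py`, so the same treatment there is belt-and-braces rather than a fix for a live hole, which is worth saying in the commit message.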
@@ -0,0 +1,36 @@
+name: zizmor 🌈
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: ["*"]
+jobs:
+ zizmor:
+ name: zizmor latest via PyPI
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ contents: read # only needed for private repos
+ actions: read # only needed for private repos
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+ - name: Install uv
+ uses: astral-sh/setup-uv@c7f87aa956e4c323abf06d5dec078e358f6b4d04
+ with:
+ enable-cache: true
+ - name: Run zizmor 🌈
+ run: uvx zizmor --format=sarif . > results.sarif
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: results.sarif
+ category: zizmor
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 7d8b417c..369a4b94 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -17,6 +17,10 @@ repos:
 - id: trailing-whitespace
 - id: no-commit-to-branch
 args: ["--branch", "main"]
+ - repo: https://github.com/woodruffw/zizmor-pre-commit
+ rev: v1.6.0
+ hooks:
+ - id: zizmor
 - repo: local
 hooks:
 - id: fmt
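Review bot: `run: uvx zizmor --format=sarif . > results.sarif` resolves whatever zizmor release is newest on PyPI at run time, inside a job that holds `security-events: write` and hands the tool `GH_TOKEN`, so the audit step is the one unpinned dependency in a commit whose purpose is pinning; `run: uvx zizmor==1.6.0 --format=sarif . > results.sarif` would match the `rev: v1.6.0` the pre-commit hook uses and keep CI and local findings identical. `astral-sh/setup-uv@c7f87aa956e4c323abf06d5dec078e358f6b4d04` is a different commit from the `6b9c6063… # v6.0.1` pin used in `lint.yml` and `test.yml` in this same change and carries no `# vX.Y.Z` comment, so neither a reviewer nor Dependabot can tell which version it is — use one SHA with its version comment everywhere. `actions/checkout@v4` and `github/codeql-action/upload-sarif@v3` are tag-pinned in the very workflow that enforces pinning. On `pull_request` runs from forks the job token is read-only regardless of the `permissions:` block, so the SARIF upload will fail for external PRs, and if zizmor exits non-zero when it reports findings (its documented default unless `--no-exit-codes` is passed; confirm for SARIF mode) the upload step never runs on exactly the runs that matter — `if: always()` on the upload step, or `--no-exit-codes` with the workflow gating on code scanning instead, keeps findings flowing.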
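Review bot: `rev: v1.6.0` pins the zizmor pre-commit hook to a git tag, which the upstream maintainer can move, while every workflow in this commit moved to commit SHAs; pre-commit accepts a full SHA in `rev`, so `rev: <sha>  # frozen: v1.6.0` (the form `pre-commit autoupdate --freeze` emits) gives the local hook the same immutability. Note that a plain `pre-commit autoupdate` will rewrite a frozen SHA back to a tag, so document `--freeze` in whatever contributor guide covers hook updates. Keeping this version equal to the one CI runs avoids developers seeing findings CI ignores, or the reverse.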