From dae988d4e7ce05de290063c3e06794d3747ea775 Mon Sep 17 00:00:00 2001
From: Alex Waygood
Date: Mon, 7 Jul 2025 14:12:27 +0100
Subject: [PATCH 1/2] Add zizmor as a pre-commit hook

---
 .github/workflows/ci.yml | 2 ++
 .github/workflows/publish.yml | 14 ++++++++++++--
 .github/workflows/third_party.yml | 9 +++++++++
 .pre-commit-config.yaml | 4 ++++
 4 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 450fdbb2..ac749860 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -57,6 +57,8 @@ jobs:
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up Python
 uses: actions/setup-python@v5
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 47704723..f3112d89 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -24,12 +24,16 @@ jobs:
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up Python
 uses: actions/setup-python@v5
 with:
 python-version: "3.x"
 - name: Check package metadata
- run: python scripts/check_package.py ${{ github.ref }}
+ env:
+ GITHUB_REF: ${{ github.ref }}
+ run: python scripts/check_package.py "${github.ref}"
 - name: Install pypa/build
 run: |
 # Be wary of running `pip install` here, since it becomes easy for us to
@@ -52,6 +56,8 @@ jobs:
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up Python
 uses: actions/setup-python@v5
 with:
@@ -78,6 +84,8 @@ jobs:
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up Python
 uses: actions/setup-python@v5
 with:
@@ -103,6 +111,8 @@ jobs:
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up Python
 uses: actions/setup-python@v5
 with:
@@ -146,4 +156,4 @@ jobs:
 - name: Ensure exactly one sdist and one wheel have been downloaded
 run: test $(ls dist/*.tar.gz | wc -l) = 1 && test $(ls dist/*.whl | wc -l) = 1
 - name: Publish distribution to PyPI
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc
diff --git a/.github/workflows/third_party.yml b/.github/workflows/third_party.yml
index 2ac26a58..1ceac814 100644
--- a/.github/workflows/third_party.yml
+++ b/.github/workflows/third_party.yml
@@ -63,6 +63,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 path: typing-extensions-latest
+ persist-credentials: false
 - name: Add local version of typing_extensions as a dependency
 run: cd pydantic; uv add --editable ../typing-extensions-latest
 - name: Install pydantic test dependencies
@@ -94,6 +95,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 path: typing-extensions-latest
+ persist-credentials: false
 - name: Install typing_inspect test dependencies
 run: |
 set -x
@@ -131,6 +133,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 path: typing-extensions-latest
+ persist-credentials: false
 - name: Install pycroscope test requirements
 run: |
 set -x
@@ -168,6 +171,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 path: typing-extensions-latest
+ persist-credentials: false
 - name: Install typeguard test requirements
 run: |
 set -x
@@ -205,6 +209,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 path: typing-extensions-latest
+ persist-credentials: false
 - name: Configure git for typed-argument-parser tests
 # typed-argument parser does this in their CI,
 # and the tests fail unless we do this
@@ -249,6 +254,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 path: typing-extensions-latest
+ persist-credentials: false
 - name: Install mypy test requirements
 run: |
 set -x
@@ -284,6 +290,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 path: typing-extensions-latest
+ persist-credentials: false
 - name: Install pdm for cattrs
 run: pip install pdm
 - name: Add latest typing-extensions as a dependency
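Review bot: The new `uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc` pin carries no version annotation, so a reader cannot tell which release the hash corresponds to and Dependabot/Renovate cannot offer bumps for it; the conventional form is `uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # vX.Y.Z` with the real tag filled in (I have not verified which tag that commit is). The `actions/checkout@v4` and `actions/setup-python@v5` references elsewhere in this workflow stay on mutable tags; if the reason for hash-pinning here is that this job holds the publish credentials, pinning those the same way keeps the policy uniform across the job.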
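Review bot: `persist-credentials: false` is added only to the checkout that lands in `typing-extensions-latest`; the `path:` key and the `cd pydantic` in the next step imply this job also checks out a second repository earlier, and that checkout step is outside the hunk. If it does not carry the same setting, the job token is still written into that repository's `.git/config`, where the third-party test suite run in later steps can read it, so the hardening is only half applied. Suggest adding `persist-credentials: false` to every `actions/checkout` step in these jobs, not just the local one; the same applies to each of the sibling hunks in this file.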
@@ -326,6 +333,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 path: typing-extensions-latest
+ persist-credentials: false
 - name: Install sqlalchemy test dependencies
 run: uv pip install --system tox setuptools
 - name: List installed dependencies
@@ -362,6 +370,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 path: typing-extensions-latest
+ persist-credentials: false
 - name: Install uv
 run: curl -LsSf https://astral.sh/uv/install.sh | sh
 - name: Run litestar tests
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 96e97c70..61fae2b8 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -30,6 +30,10 @@ repos:
 rev: v1.7.7
 hooks:
 - id: actionlint
+ - repo: https://github.com/woodruffw/zizmor-pre-commit
+ rev: v1.11.0
+ hooks:
+ - id: zizmor
 - repo: meta
 hooks:
 - id: check-hooks-apply
From 2035a548e3cc74c398b3874d96cb255defc7911b Mon Sep 17 00:00:00 2001
From: Alex Waygood
Date: Mon, 7 Jul 2025 14:23:01 +0100
Subject: [PATCH 2/2] .

---
 .github/workflows/publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index a8e850ef..e078218f 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -33,7 +33,7 @@ jobs:
 - name: Check package metadata
 env:
 GITHUB_REF: ${{ github.ref }}
- run: python scripts/check_package.py "${github.ref}"
+ run: python scripts/check_package.py "${GITHUB_REF}"
 - name: Install pypa/build
 run: |
 # Be wary of running `pip install` here, since it becomes easy for us to
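Review bot: The `run: curl -LsSf https://astral.sh/uv/install.sh | sh` line two lines below the new `persist-credentials: false` fetches and executes an unpinned remote script, which is a larger supply-chain exposure in this job than the credential persistence being removed; it is pre-existing, but a workflow-hardening pass is the natural place to deal with it. A pinned alternative is a `uses: astral-sh/setup-uv@<commit-sha>` step with an explicit `version:`, or at minimum downloading the installer to a file and checking its hash before running it. As far as I know zizmor has no audit for this pattern, so the pre-commit hook added in this series will not surface it.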
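Review bot: `rev: v1.11.0` on the new zizmor entry is a git tag that the upstream repository can re-point; pre-commit's own convention accepts tag revs and `pre-commit autoupdate` manages them, but if this hook is intended as the project's gate for workflow security it is worth stating in a comment that it is only as immutable as that tag. Nothing in this diff shows pre-commit being run in CI, so unless `ci.yml` (not fully visible here) runs it, zizmor executes only on contributors' machines that have hooks installed; a CI step such as `run: pre-commit run --all-files`, or the upstream zizmor GitHub Action, would make the audit run on every pull request. A one-line comment above the entry, e.g. `# zizmor: static audit of .github/workflows (unpinned uses, template injection, persisted credentials)`, would also tell readers why the persist-credentials changes in this same commit were needed.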
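Review bot: `GITHUB_REF` is already one of the runner's default environment variables and holds exactly the value `${{ github.ref }}` expands to, so the `env:` block feeding the new `run: python scripts/check_package.py "${GITHUB_REF}"` line is redundant; GitHub also treats the `GITHUB_` prefix as reserved for its own variables, so redefining it in `env:` is at best a no-op and may be ignored or warned about (I have not verified the current runner behaviour). The cleanest form is to drop the two `env:` lines and keep the `run:` line as written; if an explicit pass-through is preferred for readability, use a non-reserved name such as `REF` so the intent is unambiguous. The quoting itself is now correct, since patch 1's `"${github.ref}"` was not a valid shell parameter expansion.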