diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 96505a93..33272b1a 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -8,3 +8,14 @@ updates:
 interval: "weekly"
 commit-message:
 prefix: "ci(dependabot):"
+ - package-ecosystem: github-actions
+ directory: /.github/workflows
+ schedule:
+ interval: "quarterly"
+ cooldown:
+ default-days: 7
+ groups:
+ gha-updates:
+ applies-to: version-updates
+ patterns:
+ - '*'
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 14fd9a8b..4acfac18 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -23,23 +23,29 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions: {}
+
 jobs:
 lint:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
- - uses: actions/setup-python@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: "3.13"
- - uses: pre-commit/action@v3.0.1
+ - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
 check-manifest:
 # check-manifest is a tool that checks that all files in version control are
 # included in the sdist (unless explicitly excluded)
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
- - run: pipx run check-manifest
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - run: pipx run --spec check-manifest==0.51 check-manifest
 setup:
 # Outputs a reduced matrix for PRs, full matrix for main/tags/schedule
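Review bot: The new github-actions entry's `directory: /.github/workflows` should be checked against Dependabot's rules for this ecosystem: historically the ecosystem required `directory: "/"` and located `.github/workflows` itself, and an unrecognised directory produces an entry that silently finds nothing to update. If the current config schema accepts the workflows path, keep it but quote it like the other strings in this file (`directory: "/.github/workflows"`). A quarterly interval with a 7-day cooldown means SHA-pinned actions can lag a release by up to three months, so confirm Dependabot security updates are enabled for the repository so that advisories against pinned actions are not held to that schedule. Also `'*'` is single-quoted while every other scalar here is double-quoted; `- "*"` keeps the file consistent.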
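Review bot: With the new top-level `permissions: {}`, the `lint` and `check-manifest` jobs run with no token scopes at all, whereas the other jobs in this change add `contents: read`; that works on a public repository because `actions/checkout` clones anonymously, but on a private or internal repository both checkouts would fail. If this is deliberate, a comment on each job such as `# no token scopes needed: public repo, checkout is anonymous` would keep the next reader from "fixing" it, mirroring the note the new zizmor workflow carries. The `pipx run --spec check-manifest==0.51 check-manifest` pin is an improvement, though it pins only the top-level package and not its transitive dependencies.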
@@ -63,18 +69,23 @@ jobs:
 fail-fast: false
 matrix:
 include: ${{ fromJson(needs.setup.outputs.matrix) }}
+ permissions:
+ contents: read
+ issues: write
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: 🔧 Set up pixi
- uses: prefix-dev/setup-pixi@v0.9.5
+ uses: prefix-dev/setup-pixi@1b2de7f3351f171c8b4dfeb558c639cb58ed4ec0 # v0.9.5
 with:
 environments: ${{ matrix.environment }}
 - name: Restore shared data cache
 id: cache-data
- uses: actions/cache@v5
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
 with:
 path: data/
 key: "${{ runner.os }}-data-${{ hashFiles('tests/conftest.py') }}"
@@ -87,7 +98,7 @@ jobs:
 # If something goes wrong with scheduled tests, open an issue in the repo
 - name: 📝 Report Failures
 if: failure() && github.event_name == 'schedule'
- uses: JasonEtco/create-an-issue@v2
+ uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 PLATFORM: ${{ matrix.platform }}
@@ -100,7 +111,7 @@ jobs:
 - name: Coverage
 if: success() && matrix.platform == 'ubuntu-latest'
- uses: codecov/codecov-action@v6
+ uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
 files: /home/runner/work/ngio/ngio/coverage.xml
@@ -119,16 +130,15 @@ jobs:
 contents: write
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: 🐍 Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: "3.x"
- cache: "pip"
- cache-dependency-path: "pyproject.toml"
 - name: 👷 Build
 run: |
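Review bot: `issues: write` is granted to every run of the test matrix, including pull-request runs, although its only consumer is the `📝 Report Failures` step, which is gated on `github.event_name == 'schedule'` (hunk -87). Permissions cannot be made conditional per step, so if the test steps themselves should run with `contents: read` only, move the issue creation into a separate job that `needs` the matrix job and carries `if: failure() && github.event_name == 'schedule'` together with `issues: write`. The same applies to `test-pip` and `test-pip-pre` in ci_upstream.yml, where the latter's report step fires on any `failure()`. Pull requests from forks already receive a read-only token, so the practical exposure is limited to same-repository branches.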
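Review bot: The removed `cache: "pip"` and `cache-dependency-path` lines carry no comment explaining the removal, so a later cleanup is likely to reinstate pip caching in this build-and-publish job; presumably this follows zizmor's cache-poisoning audit (a job that publishes artifacts should not restore caches that other runs can write), so add `# no pip cache: this job publishes artifacts, a restored cache would be a poisoning vector` above the setup-python step. The job's permissions block starts above this hunk and only `contents: write` is visible, so if `pypa/gh-action-pypi-publish` (hunk -136) relies on PyPI trusted publishing, confirm `id-token: write` is also present. `persist-credentials: false` alongside `fetch-depth: 0` is fine as long as no later step pushes with git; the visible steps pass the token explicitly rather than relying on `.git/config`.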
@@ -136,9 +146,9 @@ jobs:
 python -m build
 - name: 🚢 Publish to PyPI
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
- - uses: softprops/action-gh-release@v3
+ - uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
 with:
 generate_release_notes: true
 files: "./dist/*"
diff --git a/.github/workflows/ci_upstream.yml b/.github/workflows/ci_upstream.yml
index 99cc49a2..99f1d1d6 100644
--- a/.github/workflows/ci_upstream.yml
+++ b/.github/workflows/ci_upstream.yml
@@ -20,20 +20,28 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions: {}
+
 jobs:
 test-pip:
 name: pip (stable)
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ issues: write
+ # For workflow_run: only proceed if the main CI succeeded
 if: >
 github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success'
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: 🐍 Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: "3.13"
 cache: "pip"
@@ -45,7 +53,7 @@ jobs:
 python -m pip install .[test]
 - name: Restore shared data cache
- uses: actions/cache@v5
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
 with:
 path: data/
 key: "${{ runner.os }}-data-${{ hashFiles('tests/conftest.py') }}"
@@ -57,7 +65,7 @@ jobs:
 - name: 📝 Report Failures
 if: failure() && github.event_name == 'schedule'
- uses: JasonEtco/create-an-issue@v2
+ uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 PLATFORM: ubuntu-latest
@@ -71,16 +79,22 @@ jobs:
 test-pip-pre:
 name: pip (--pre)
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ issues: write
+ # For workflow_run: only proceed if the main CI succeeded
 if: >
 github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success'
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: 🐍 Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: "3.13"
 cache: "pip"
@@ -92,7 +106,7 @@ jobs:
 python -m pip install .[test] --pre
 - name: Restore shared data cache
- uses: actions/cache@v5
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
 with:
 path: data/
 key: "${{ runner.os }}-data-${{ hashFiles('tests/conftest.py') }}"
@@ -104,7 +118,7 @@ jobs:
 - name: 📝 Report Failures
 if: failure()
- uses: JasonEtco/create-an-issue@v2
+ uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 PLATFORM: ubuntu-latest
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index f0a8244a..43b00db4 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -21,13 +21,18 @@ jobs:
 name: Deploy Docs
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pages: write
+
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: 🔧 Set up pixi
- uses: prefix-dev/setup-pixi@v0.9.5
+ uses: prefix-dev/setup-pixi@1b2de7f3351f171c8b4dfeb558c639cb58ed4ec0 # v0.9.5
 with:
 environments: docs
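Review bot: The new job permissions `contents: read` plus `pages: write`, combined with `persist-credentials: false` on checkout, will break the `Deploy docs` step if it pushes to a `gh-pages` branch with git, which the `git config --local user.*` lines in the following hunk (-36) strongly suggest: a git push needs `contents: write` and a credential that checkout no longer leaves in `.git/config`. `pages: write` only covers the Pages deployment API (`actions/deploy-pages`), which in turn also requires `id-token: write`. Either restore `contents: write` and hand `${{ secrets.GITHUB_TOKEN }}` to the push explicitly (an authenticated remote URL set in the step), or move the step to an `actions/upload-pages-artifact` + `actions/deploy-pages` flow. The deploy step's body lies outside the hunk, so verify which path it takes before merging.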
@@ -36,14 +41,6 @@ jobs:
 git config --local user.email "github-actions[bot]@users.noreply.github.com"
 git config --local user.name "github-actions[bot]"
- - name: Restore shared data cache
- uses: actions/cache@v5
- with:
- path: data/
- key: "${{ runner.os }}-data-${{ hashFiles('tests/conftest.py') }}"
- restore-keys: |
- "${{ runner.os }}-data-"
-
 - name: Deploy docs
 run: |
 VERSION=$(echo $GITHUB_REF | sed 's/refs\/tags\///' | sed 's/refs\/heads\///')
diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml
new file mode 100644
index 00000000..953fe28b
--- /dev/null
+++ b/.github/workflows/zizmor.yaml
@@ -0,0 +1,25 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ branches: ["**"]
+
+permissions: {}
+
+jobs:
+ zizmor:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ # contents: read # only needed for private or internal repos
+ # actions: read # only needed for private or internal repos
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor 🌈
+ uses: zizmorcore/zizmor-action@b572f7b1a1c2d41efaab43d504f68d215c3cd727 # v0.5.4
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 773c37fb..6a79e96b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,8 @@
 # Changelog
+### Chores
+- Harden GitHub Actions and scan workflows through `zizmor`.
+
 ## [v0.5.11]
 ### Fix
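Review bot: The `zizmorcore/zizmor-action` step uploads SARIF to code scanning by default, which is why `security-events: write` is requested, but `pull_request` runs from forks receive a read-only token, so the upload fails and the result is lost for exactly the contributions most worth scanning. The action can fall back to printing findings instead of uploading (I believe the input is `advanced-security: false` — confirm against the pinned v0.5.4), or the step can be gated on `github.event.pull_request.head.repo.fork == false` with a second, non-uploading step for forks. It is also worth setting the audit persona explicitly (for example `persona: regular` under `with:`, again confirming the input name) so the expected noise level is recorded in the workflow rather than left to the action default. The `branches: ["**"]` filter on `pull_request` is equivalent to the default and could be dropped.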