Merge pull request #258 from offbyone/actions-speed

Actions security
hamcrest · Nov 2, 2024 · ea26ddc · ea26ddc
2 parents 2e66e12 + e781a46
commit ea26ddc
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 6 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -40,6 +40,8 @@ jobs:
         with:
           # We want our tags here
           fetch-depth: 0
+          persist-credentials: false
+
       - name: Install the latest version of uv
         id: setup-uv
         uses: astral-sh/setup-uv@v3
@@ -65,6 +67,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Install the latest version of uv
         id: setup-uv
         uses: astral-sh/setup-uv@v3
@@ -104,6 +108,7 @@ jobs:
         with:
           # We want our tags here
           fetch-depth: 0
+          persist-credentials: false
       - uses: hynek/build-and-inspect-python-package@v2
 
   install-dev:
@@ -116,6 +121,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Install the latest version of uv
         id: setup-uv
         uses: astral-sh/setup-uv@v3

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -16,8 +16,6 @@ on:
 
 permissions:
   contents: read
-  # Needed for trusted publishing.
-  id-token: write
 
 jobs:
   pure-python-wheel-and-sdist:
@@ -29,11 +27,17 @@ jobs:
         with:
           # Fetch all tags; this is needed for hatch-vcs
           fetch-depth: 0
+          persist-credentials: false
 
       - uses: hynek/build-and-inspect-python-package@v2
 
   # Upload to Test PyPI on every commit on main.
   publish-test-release:
+    permissions:
+      contents: read
+      # Needed for trusted publishing.
+      id-token: write
+
     name: Publish in-dev package to test.pypi.org
     environment: publish-test-release
     if: github.event_name == 'push' && github.ref == 'refs/heads/main'
@@ -54,6 +58,11 @@ jobs:
           repository-url: https://test.pypi.org/legacy/
 
   publish-release:
+    permissions:
+      contents: read
+      # Needed for trusted publishing.
+      id-token: write
+
     name: Publish release
     environment: publish-release
     needs:

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -5,22 +5,22 @@ repos:
       - id: check-useless-excludes
 
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.6.0
+    rev: v5.0.0
     hooks:
       - id: debug-statements
 
   - repo: https://github.com/asottile/blacken-docs
-    rev: 1.18.0
+    rev: 1.19.1
     hooks:
       - id: blacken-docs
         # args: ["-l100"]
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
     # Ruff version.
-    rev: v0.6.8
+    rev: v0.7.2
     hooks:
       # Run the linter.
       - id: ruff
-        args: [ --fix ]
+        args: [--fix]
       # Run the formatter.
       - id: ruff-format