diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index df1cfb3..4cc5f9f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -13,6 +13,7 @@ jobs: with: submodules: true fetch-depth: 0 + persist-credentials: false - name: ruff check uses: chartboost/ruff-action@v1 - name: ruff format @@ -46,6 +47,7 @@ jobs: uses: actions/checkout@v4 with: submodules: true + persist-credentials: false - name: Set up Python uses: actions/setup-python@v5 with: @@ -104,6 +106,7 @@ jobs: with: submodules: true fetch-depth: 0 + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v5 with: diff --git a/.github/workflows/release-builtins.yml b/.github/workflows/release-builtins.yml index 73b0f36..6f41709 100644 --- a/.github/workflows/release-builtins.yml +++ b/.github/workflows/release-builtins.yml @@ -25,9 +25,12 @@ jobs: with: submodules: true fetch-depth: 0 + persist-credentials: false - name: update core + env: + TAG: ${{ inputs.tag || 'master '}} # needs to detach because we can update to a tag - run: git -C uap-core switch --detach ${{ inputs.tag || 'master' }} + run: git -C uap-core switch --detach "$TAG" - name: Set up Python uses: actions/setup-python@v5 with: diff --git a/.github/workflows/release-main.yml b/.github/workflows/release-main.yml index 17b2c95..bc6fca9 100644 --- a/.github/workflows/release-main.yml +++ b/.github/workflows/release-main.yml @@ -22,6 +22,8 @@ jobs: steps: - name: Checkout working copy uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Python uses: actions/setup-python@v5 with: @@ -34,7 +36,7 @@ jobs: run: python -mbuild - name: Publish to testpypi if: ${{ env.ENVNAME == 'testpypi' }} - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@release/v1 # zizmor: ignore[use-trusted-publishing] with: repository-url: https://test.pypi.org/legacy/ skip-existing: true @@ -42,7 +44,7 @@ jobs: password: ${{ secrets.PUBLISH_TOKEN }} - name: Publish to pypi if: ${{ env.ENVNAME == 'pypi' }} - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@release/v1 # zizmor: ignore[use-trusted-publishing] with: verbose: true password: ${{ secrets.PUBLISH_TOKEN }} diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..5bf4f98 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,32 @@ +name: Zizmor + +on: + push: + pull_request: + +jobs: + zizmor: + runs-on: ubuntu-latest + permissions: + security-events: write + contents: read + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + persist-credentials: false + + - name: Install the latest version of uv + uses: astral-sh/setup-uv@v5 + + - name: Run zizmor + run: uvx zizmor --format sarif . > results.sarif + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif + category: zizmor