astral-sh · woodruffw · Aug 1, 2025 · Jul 31, 2025 · Jul 31, 2025 · Jul 31, 2025
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,18 +1,32 @@
 version: 2
 updates:
-- package-ecosystem: "pip"
-  directory: "/"
-  schedule:
-    interval: "monthly"
-  groups:
-    python:
-      patterns:
-        - "*"
-- package-ecosystem: "cargo"
-  directory: "/"
-  schedule:
-    interval: "monthly"
-  groups:
-    rust:
-      patterns:
-        - "*"
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    cooldown:
+      default-days: 14
+    groups:
+      python:
+        patterns:
+          - "*"
+  - package-ecosystem: "cargo"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    cooldown:
+      default-days: 14
+    groups:
+      rust:
+        patterns:
+          - "*"
+  - package-ecosystem: "github-actions"
+    directory: ".github/workflows"
+    schedule:
+      interval: "monthly"
+    cooldown:
+      default-days: 14
+    groups:
+      actions:
+        patterns:
+          - "*"
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
@@ -12,12 +12,16 @@ concurrency:
 env:
   FORCE_COLOR: 1
 
+permissions: {}
+
 jobs:
   check:
     runs-on: "ubuntu-latest"
     name: "check"
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: "3.12"

diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
@@ -2,7 +2,7 @@ name: linux
 
 on:
   push:
-    branches: [ main ]
+    branches: [main]
   pull_request:
 
 concurrency:
@@ -12,6 +12,8 @@ concurrency:
 env:
   FORCE_COLOR: 1
 
+permissions: {}
+
 jobs:
   crate-build:
     needs:
@@ -28,6 +30,8 @@ jobs:
           sudo apt install -y --no-install-recommends libssl-dev pkg-config
 
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Emit rustc version
         run: |
@@ -64,11 +68,13 @@ jobs:
       packages: write
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.11'
+          python-version: "3.11"
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3
@@ -90,7 +96,7 @@ jobs:
 
       - name: Build Image
         id: build-image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: .
           file: build/${{ matrix.name }}.Dockerfile
@@ -110,8 +116,12 @@ jobs:
 
       - name: Compress Image
         run: |
-          echo ${{ steps.build-image.outputs.imageid }} > build/image-${{ matrix.name }}.linux_${{ matrix.arch }}
+          echo ${STEPS_BUILD_IMAGE_OUTPUTS_IMAGEID} > build/image-${MATRIX_NAME}.linux_${MATRIX_ARCH}
           zstd -v -T0 -6 --rm build/image-*.tar
+        env:
+          STEPS_BUILD_IMAGE_OUTPUTS_IMAGEID: ${{ steps.build-image.outputs.imageid }}
+          MATRIX_NAME: ${{ matrix.name }}
+          MATRIX_ARCH: ${{ matrix.arch }}
 
       - name: Upload Docker Image
         uses: actions/upload-artifact@v4
@@ -120,6 +130,7 @@ jobs:
           path: build/image-*
 
   generate-matrix:
+    name: Generate build matrix
     runs-on: ubuntu-latest
     outputs:
       python-build-matrix-0: ${{ steps.set-matrix.outputs.python-build-matrix-0 }}
@@ -130,16 +141,19 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
-          fetch-depth: 0  # fetch history for subsequent `git diff`
+          fetch-depth: 0
+          persist-credentials: false
 
       - name: Set up Python
         uses: astral-sh/setup-uv@v4
 
       - name: Get pull request labels
         id: get-labels
+        env:
+          PULL_REQUEST_LABELS: ${{ toJson(github.event.pull_request.labels.*.name) }}
         run: |
           # Convert GitHub labels array to comma-separated string
-          LABELS=$(echo '${{ toJson(github.event.pull_request.labels.*.name) }}' | jq -r 'join(",")')
+          LABELS=$(echo "${PULL_REQUEST_LABELS}" | jq -r 'join(",")')
           echo "labels=$LABELS" >> $GITHUB_OUTPUT
 
       - name: Check if the `pythonbuild` crate changed
@@ -159,7 +173,7 @@ jobs:
         run: |
           uv run ci-matrix.py \
             --platform linux \
-            --labels '${{ steps.get-labels.outputs.labels }}' \
+            --labels '${STEPS_GET_LABELS_OUTPUTS_LABELS}' \
             --max-shards 2 \
             ${{ (steps.check-pythonbuild.outputs.changed == 'true' || github.ref == 'refs/heads/main') && '--force-crate-build' || '' }} \
             > matrix.json
@@ -179,6 +193,8 @@ jobs:
             # Build matrix is empty
             echo "any_builds=false" >> $GITHUB_OUTPUT
           fi
+        env:
+          STEPS_GET_LABELS_OUTPUTS_LABELS: ${{ steps.get-labels.outputs.labels }}
 
   build-0:
     needs:
@@ -198,11 +214,12 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Install Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.11'
+          python-version: "3.11"
 
       - name: Download pythonbuild
         uses: actions/download-artifact@v4
@@ -247,7 +264,11 @@ jobs:
           # Touch mtimes of all images so they are newer than autogenerated files above.
           touch build/image-*
 
-          ./build-linux.py --target-triple ${{ matrix.target_triple }} --python cpython-${{ matrix.python }} --options ${{ matrix.build_options }}
+          ./build-linux.py --target-triple ${MATRIX_TARGET_TRIPLE} --python cpython-${MATRIX_PYTHON} --options ${MATRIX_BUILD_OPTIONS}
+        env:
+          MATRIX_TARGET_TRIPLE: ${{ matrix.target_triple }}
+          MATRIX_PYTHON: ${{ matrix.python }}
+          MATRIX_BUILD_OPTIONS: ${{ matrix.build_options }}
 
       - name: Generate attestations
         uses: actions/attest-build-provenance@v2
@@ -267,8 +288,8 @@ jobs:
         run: |
           chmod +x build/pythonbuild
 
-          if [ "${{ matrix.run }}" == "true" ]; then
-            if [ "${{ matrix.libc }}" == "musl" ]; then
+          if [ "${MATRIX_RUN}" == "true" ]; then
+            if [ "${MATRIX_LIBC}" == "musl" ]; then
               sudo apt install musl-dev
 
               # GitHub's setup-python action sets `LD_LIBRARY_PATH` which overrides `RPATH`
@@ -279,6 +300,9 @@ jobs:
           fi
 
           build/pythonbuild validate-distribution ${EXTRA_ARGS} dist/*.tar.zst
+        env:
+          MATRIX_RUN: ${{ matrix.run }}
+          MATRIX_LIBC: ${{ matrix.libc }}
 
   build-1:
     needs:
@@ -298,11 +322,12 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Install Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.11'
+          python-version: "3.11"
 
       - name: Download pythonbuild
         uses: actions/download-artifact@v4
@@ -347,7 +372,11 @@ jobs:
           # Touch mtimes of all images so they are newer than autogenerated files above.
           touch build/image-*
 
-          ./build-linux.py --target-triple ${{ matrix.target_triple }} --python cpython-${{ matrix.python }} --options ${{ matrix.build_options }}
+          ./build-linux.py --target-triple ${MATRIX_TARGET_TRIPLE} --python cpython-${MATRIX_PYTHON} --options ${MATRIX_BUILD_OPTIONS}
+        env:
+          MATRIX_TARGET_TRIPLE: ${{ matrix.target_triple }}
+          MATRIX_PYTHON: ${{ matrix.python }}
+          MATRIX_BUILD_OPTIONS: ${{ matrix.build_options }}
 
       - name: Generate attestations
         uses: actions/attest-build-provenance@v2
@@ -367,8 +396,8 @@ jobs:
         run: |
           chmod +x build/pythonbuild
 
-          if [ "${{ matrix.run }}" == "true" ]; then
-            if [ "${{ matrix.libc }}" == "musl" ]; then
+          if [ "${MATRIX_RUN}" == "true" ]; then
+            if [ "${MATRIX_LIBC}" == "musl" ]; then
               sudo apt install musl-dev
 
               # GitHub's setup-python action sets `LD_LIBRARY_PATH` which overrides `RPATH`
@@ -379,3 +408,6 @@ jobs:
           fi
 
           build/pythonbuild validate-distribution ${EXTRA_ARGS} dist/*.tar.zst
+        env:
+          MATRIX_RUN: ${{ matrix.run }}
+          MATRIX_LIBC: ${{ matrix.libc }}
diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
@@ -12,6 +12,8 @@ concurrency:
 env:
   FORCE_COLOR: 1
 
+permissions: {}
+
 jobs:
   crate-build:
     needs:
@@ -23,6 +25,8 @@ jobs:
     name: crate / ${{ matrix.arch }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Emit rustc version
         run: |
@@ -47,6 +51,7 @@ jobs:
           path: target/release/pythonbuild
 
   generate-matrix:
+    name: Generate build matrix
     runs-on: ubuntu-latest
     outputs:
       matrix: ${{ steps.set-matrix.outputs.matrix }}
@@ -55,16 +60,19 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
-          fetch-depth: 0  # fetch history for subsequent `git diff`
+          fetch-depth: 0
+          persist-credentials: false
 
       - name: Set up Python
         uses: astral-sh/setup-uv@v4
 
       - name: Get pull request labels
         id: get-labels
+        env:
+          PULL_REQUEST_LABELS: ${{ toJson(github.event.pull_request.labels.*.name) }}
         run: |
           # Convert GitHub labels array to comma-separated string
-          LABELS=$(echo '${{ toJson(github.event.pull_request.labels.*.name) }}' | jq -r 'join(",")')
+          LABELS=$(echo "${PULL_REQUEST_LABELS}" | jq -r 'join(",")')
           echo "labels=$LABELS" >> $GITHUB_OUTPUT
 
       - name: Check if the `pythonbuild` crate changed
@@ -82,12 +90,12 @@ jobs:
       - name: Generate build matrix
         id: set-matrix
         run: |
-          uv run ci-matrix.py --platform darwin --labels '${{ steps.get-labels.outputs.labels }}' ${{ (steps.check-pythonbuild.outputs.changed == 'true' || github.ref == 'refs/heads/main') && '--force-crate-build' || '' }} > matrix.json
-          
+          uv run ci-matrix.py --platform darwin --labels '${STEPS_GET_LABELS_OUTPUTS_LABELS}' ${{ (steps.check-pythonbuild.outputs.changed == 'true' || github.ref == 'refs/heads/main') && '--force-crate-build' || '' }} > matrix.json
+
           # Extract python-build matrix
           echo "matrix=$(jq -c '."python-build"' matrix.json)" >> $GITHUB_OUTPUT
           echo "crate-build-matrix=$(jq -c '."crate-build"' matrix.json)" >> $GITHUB_OUTPUT
-          
+
           # Display the matrix for debugging too
           cat matrix.json | jq
 
@@ -98,6 +106,8 @@ jobs:
             # Build matrix is empty
             echo "any_builds=false" >> $GITHUB_OUTPUT
           fi
+        env:
+          STEPS_GET_LABELS_OUTPUTS_LABELS: ${{ steps.get-labels.outputs.labels }}
 
   build:
     needs:
@@ -116,11 +126,12 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Install Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.11'
+          python-version: "3.11"
 
       - name: Download pythonbuild
         uses: actions/download-artifact@v4
@@ -131,16 +142,20 @@ jobs:
       - name: Build
         if: ${{ ! matrix.dry-run }}
         run: |
-          if [ "${{ matrix.target_triple }}" = "aarch64-apple-darwin" ]; then
+          if [ "${MATRIX_TARGET_TRIPLE}" = "aarch64-apple-darwin" ]; then
             export APPLE_SDK_PATH=/Applications/Xcode_15.2.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX14.2.sdk
-          elif [ "${{ matrix.target_triple }}" = "x86_64-apple-darwin" ]; then
+          elif [ "${MATRIX_TARGET_TRIPLE}" = "x86_64-apple-darwin" ]; then
             export APPLE_SDK_PATH=/Applications/Xcode_15.2.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX14.2.sdk
           else
-            echo "unhandled target triple: ${{ matrix.target_triple }}"
+            echo "unhandled target triple: ${MATRIX_TARGET_TRIPLE}"
             exit 1
           fi
 
-          ./build-macos.py --target-triple ${{ matrix.target_triple }} --python cpython-${{ matrix.python }} --options ${{ matrix.build_options }}
+          ./build-macos.py --target-triple ${MATRIX_TARGET_TRIPLE} --python cpython-${MATRIX_PYTHON} --options ${MATRIX_BUILD_OPTIONS}
+        env:
+          MATRIX_TARGET_TRIPLE: ${{ matrix.target_triple }}
+          MATRIX_PYTHON: ${{ matrix.python }}
+          MATRIX_BUILD_OPTIONS: ${{ matrix.build_options }}
 
       - name: Generate attestations
         uses: actions/attest-build-provenance@v2
@@ -159,9 +174,10 @@ jobs:
         if: ${{ ! matrix.dry-run }}
         uses: actions/checkout@v4
         with:
-          repository: 'phracker/MacOSX-SDKs'
+          repository: phracker/MacOSX-SDKs
           ref: master
           path: macosx-sdks
+          persist-credentials: false
 
       - name: Validate Distribution
         if: ${{ ! matrix.dry-run }}