Merge pull request #22 from manics/pr21

Disable some zizmor rules, increase build timeout

Author: manics

.github/workflows/build.yml

@@ -88,7 +88,7 @@ jobs:
 
   publish-docker:
     runs-on: ubuntu-24.04
-    timeout-minutes: 30
+    timeout-minutes: 45
     needs:
       - tag
 

.github/workflows/watch-dependencies.yaml

@@ -68,7 +68,7 @@ jobs:
 
       # ref: https://github.com/peter-evans/create-pull-request
       - name: Create a PR
-        uses: peter-evans/create-pull-request@v7
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
         with:
           token: "${{ secrets.jupyterhub_bot_pat }}"
           author: JupyterHub Bot Account <[email protected]>

.github/zizmor.yml

@@ -0,0 +1,11 @@
+# Zizmor configuration file
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        # Zizmor defaults to requiring pinning by immutable hashes.
+        # Allow pinning by refs for trusted organisations.
+        # https://woodruffw.github.io/zizmor/audits/#rulesunpinned-usesconfigpolicies
+        actions/*: ref-pin
+        docker/*: ref-pin
+        jupyterhub/*: ref-pin

.pre-commit-config.yaml

@@ -22,14 +22,15 @@ repos:
 
   # autoformat and lint Python code
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.11.4
+    rev: v0.11.8
     hooks:
       - id: ruff
         args: ["--select=I", "--fix", "--show-fixes"]
       - id: ruff-format
 
   # Static security analysis of GitHub actions https://github.com/woodruffw/zizmor
+  # Additional config is in .github/zizmor.yml
   - repo: https://github.com/woodruffw/zizmor-pre-commit
-    rev: v1.5.2
+    rev: v1.6.0
     hooks:
       - id: zizmor