action linting (#59)

* add hooks specifically for actions

* fix the easier suggestions for the python ci

* figure out if setting it again is overkill

* select the stable toolchain

* print on all platforms

* avoid setting env variables from the template

* use powershell syntax for windows

* set shell to bash for windows (no login shell)

* print the command rather than executing it

* avoid executing `pkg-config` ourselves

* temporarily disable the cache

* enable the cache again

* use `repository_owner` to detect forks

* follow zizmor recommendations for the rust ci

* missing space

* try using the standard bash shell

* add back the arg

* enable the pkg-config test again

* print the github env

* smaller execution footprint while testing

* work around a weird windows bash

* try using `export`

* quotes and debug printing

* skip other ci

* remove extra shells

* typo

* the runner os

* disable the rust setup [skip-rtd]

* see if the python ci works

* ignore the python-ci template injections

(low-risk, these are not controlled by someone else)

* ignore the rust-ci template injections

* switch to inline comments

* use the ignore outside of the string

* follow recommendations for the publishing workflow

* re-enable the different CI [skip-rtd]

Author: keewis

.github/workflows/python-ci.yml

@@ -12,21 +12,24 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   detect-ci-trigger:
     name: detect ci trigger
     runs-on: ubuntu-latest
     if: |
-      github.repository == 'keewis/grid-indexing'
+      github.repository_owner == 'keewis'
       && (github.event_name == 'push' || github.event_name == 'pull_request')
     outputs:
       triggered: ${{ steps.detect-trigger.outputs.trigger-found }}
     steps:
       - uses: actions/checkout@v5
         with:
           fetch-depth: 2
+          persist-credentials: false
 
-      - uses: xarray-contrib/ci-trigger@v1
+      - uses: xarray-contrib/ci-trigger@10cd2bfec3484946a4058a421ddf9cfad101e715 # v1.2.1
         id: detect-trigger
         with:
           keyword: "[skip-ci]"
@@ -52,16 +55,22 @@ jobs:
           - "ubuntu-latest"
           - "macos-latest"
           - "windows-latest"
-        python-version: ["3.10", "3.12"]
+        python-version:
+          - "3.10"
+          - "3.12"
 
     steps:
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: Install Rust
-        uses: dtolnay/rust-toolchain@stable
+        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # 1.0
+        with:
+          toolchain: stable
 
       - name: Setup micromamba
-        uses: mamba-org/setup-micromamba@v2
+        uses: mamba-org/setup-micromamba@7f29b8b80078b1b601dfa018b0f7425c587c63bb # 2.0.6
         with:
           environment-file: ci/requirements/environment.yaml
           environment-name: python-tests
@@ -71,7 +80,7 @@ jobs:
             python=${{matrix.python-version}}
 
       - name: Create rust cache
-        uses: Swatinem/rust-cache@v2
+        uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # 2.8.0
         with:
           prefix-key: "py${{ matrix.python-version }}"
 
@@ -93,19 +102,21 @@ jobs:
 
       - name: Clean up pkg-config
         if: runner.os == 'Windows'
-        run: |
-          export PKG_CONFIG_PATH="${{env.PKG_CONFIG_PATH}}"
+        run: | # zizmor: ignore[template-injection]
+          export PKG_CONFIG_PATH="${{ env.PKG_CONFIG_PATH }}"
 
           # remove dependency paths
-          sed -i '/Requires.private:/d' $PKG_CONFIG_PATH/*.pc
+          sed -i '/Requires.private:/d' $(find $PKG_CONFIG_PATH -name "*.pc" -type f)
 
           # check that this actually works
           pkg-config --libs --cflags proj 'proj >= 9.4.0'
 
       - name: Install the package
-        run: |
-          export PKG_CONFIG_PATH="${{env.PKG_CONFIG_PATH}}"
-          export PYO3_PYTHON="${{env.PYO3_PYTHON}}"
+        run: | # zizmor: ignore[template-injection]
+          if [[ "${{ runner.os }}" == "Windows" ]]; then
+              export PKG_CONFIG_PATH="${{ env.PKG_CONFIG_PATH }}"
+              export PYO3_PYTHON="${{ env.PYO3_PYTHON }}"
+          fi
 
           maturin develop
 

.github/workflows/rust-ci.yml

@@ -10,21 +10,24 @@ concurrency:
   group: ${{ github.workflow }}.${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   detect-ci-trigger:
     name: detect ci trigger
     runs-on: ubuntu-latest
     if: |
-      github.repository == 'keewis/grid-indexing'
+      github.repository_owner == 'keewis'
       && (github.event_name == 'push' || github.event_name == 'pull_request')
     outputs:
       triggered: ${{ steps.detect-trigger.outputs.trigger-found }}
     steps:
       - uses: actions/checkout@v5
         with:
           fetch-depth: 2
+          persist-credentials: false
 
-      - uses: xarray-contrib/ci-trigger@v1
+      - uses: xarray-contrib/ci-trigger@10cd2bfec3484946a4058a421ddf9cfad101e715 # v1.2.1
         id: detect-trigger
         with:
           keyword: "[skip-ci]"
@@ -43,10 +46,12 @@ jobs:
       matrix:
         os:
           - "ubuntu-latest"
-          # building proj-sys on windows appears to not really be possible
           - "windows-latest"
           - "macos-latest"
-        python-version: ["3.10", "3.12", "3.13"]
+        python-version:
+          - "3.10"
+          - "3.12"
+          - "3.13"
 
     env:
       FORCE_COLOR: 3
@@ -58,12 +63,16 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
-      - name: Install Rust
-        uses: dtolnay/rust-toolchain@stable
+      # - name: Install Rust
+      #   uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # 1.0
+      #   with:
+      #     toolchain: stable
 
       - name: Setup micromamba
-        uses: mamba-org/setup-micromamba@v2
+        uses: mamba-org/setup-micromamba@7f29b8b80078b1b601dfa018b0f7425c587c63bb # 2.0.6
         with:
           environment-name: rust-tests
           environment-file: ci/requirements/environment-rust.yaml
@@ -72,10 +81,10 @@ jobs:
           create-args: >-
             python=${{ matrix.python-version }}
 
-      - name: Create rust cache
-        uses: Swatinem/rust-cache@v2
-        with:
-          prefix-key: "py${{ matrix.python-version }}"
+      # - name: Create rust cache
+      #   uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # 2.8.0
+      #   with:
+      #     prefix-key: "py${{ matrix.python-version }}"
 
       - name: Help finding installed libraries
         run: |
@@ -98,8 +107,6 @@ jobs:
       - name: Help the linker on macos
         if: runner.os == 'MacOS'
         run: |
-          export PKG_CONFIG_PATH="${{env.PKG_CONFIG_PATH}}"
-
           mkdir -p target/debug/deps
           ln -s $CONDA_PREFIX/lib/*.dylib target/debug/deps/
 
@@ -108,22 +115,21 @@ jobs:
 
       - name: Clean up pkg-config on windows
         if: runner.os == 'Windows'
-        run: |
-          export PKG_CONFIG_PATH="${{env.PKG_CONFIG_PATH}}"
+        run: | # zizmor: ignore[template-injection]
+          export PKG_CONFIG_PATH="${{ env.PKG_CONFIG_PATH }}"
 
           # remove dependency paths
-          sed -i '/Requires.private:/d' $PKG_CONFIG_PATH/*.pc
-
-          ls -l ${{env.PYO3_PYTHON}}
-          ls -l $CONDA_PREFIX
+          sed -i '/Requires.private:/d' $(find $PKG_CONFIG_PATH -name "*.pc" -type f)
 
           # check that this actually works
           pkg-config --libs --cflags proj 'proj >= 9.4.0'
 
       - name: Run tests
-        run: |
-          export PKG_CONFIG_PATH="${{env.PKG_CONFIG_PATH}}"
-          export PYO3_PYTHON="${{env.PYO3_PYTHON}}"
+        run: | # zizmor: ignore[template-injection]
+          if [[ "${{ runner.os }}" == "Windows" ]]; then
+              export PKG_CONFIG_PATH="${{ env.PKG_CONFIG_PATH }}"
+              export PYO3_PYTHON="${{ env.PYO3_PYTHON }}"
+          fi
 
           cargo build --tests --keep-going
           cargo test --no-fail-fast
@@ -146,14 +152,17 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: Install Rust
-        uses: dtolnay/rust-toolchain@stable
+        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # 1.0
         with:
+          toolchain: stable
           components: rustfmt, clippy
 
       - name: Setup micromamba
-        uses: mamba-org/setup-micromamba@v2
+        uses: mamba-org/setup-micromamba@7f29b8b80078b1b601dfa018b0f7425c587c63bb # 2.0.6
         with:
           environment-name: rust-tests
           environment-file: ci/requirements/environment-rust.yaml
@@ -163,7 +172,7 @@ jobs:
             python=${{ matrix.python-version }}
 
       - name: Create rust cache
-        uses: Swatinem/rust-cache@v2
+        uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # 2.8.0
 
       - name: Cargo clippy
         run: |

.github/workflows/wheels.yml

@@ -43,13 +43,15 @@ jobs:
           #   manylinux: auto
     steps:
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: Build wheels
-        uses: PyO3/maturin-action@v1
+        uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4
         with:
           target: ${{ matrix.platform.target }}
           args: --release --out dist -i 3.10 -i 3.11 -i 3.12 -i 3.13
-          sccache: "true"
+          sccache: "false"
           manylinux: ${{ matrix.manylinux }}
           before-script-linux: |
             sudo apt-get update
@@ -83,13 +85,15 @@ jobs:
             target: armv7
     steps:
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: Build wheels
-        uses: PyO3/maturin-action@v1
+        uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4
         with:
           target: ${{ matrix.platform.target }}
           args: --release --out dist -i 3.10 -i 3.11 -i 3.12 -i 3.13
-          sccache: "true"
+          sccache: "false"
           manylinux: musllinux_1_2
           before-script-linux: |
             sudo apt-get update
@@ -117,17 +121,19 @@ jobs:
             target: x64
     steps:
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: check installed libs
         run: |
           pkg-config --list-all
 
       - name: Build wheels
-        uses: PyO3/maturin-action@v1
+        uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4
         with:
           target: ${{ matrix.platform.target }}
           args: --release --out dist -i 3.10 -i 3.11 -i 3.12 -i 3.13
-          sccache: "true"
+          sccache: "false"
 
       - name: Upload wheels
         uses: actions/upload-artifact@v4
@@ -146,17 +152,19 @@ jobs:
             target: aarch64
     steps:
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: check installed libs
         run: |
           pkg-config --list-all
 
       - name: Build wheels
-        uses: PyO3/maturin-action@v1
+        uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4
         with:
           target: ${{ matrix.platform.target }}
           args: --release --out dist -i 3.10 -i 3.11 -i 3.12 -i 3.13
-          sccache: "true"
+          sccache: "false"
 
       - name: Upload wheels
         uses: actions/upload-artifact@v4
@@ -212,4 +220,4 @@ jobs:
         with:
           subject-path: "dist/*.whl"
       - name: Publish to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0

.pre-commit-config.yaml

@@ -53,6 +53,14 @@ repos:
     hooks:
       - id: typos
         exclude: ".*\\.ipynb$"
+  - repo: https://github.com/mpalmer/action-validator
+    rev: v0.7.0
+    hooks:
+      - id: action-validator
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: v1.12.1
+    hooks:
+      - id: zizmor
   - repo: local
     hooks:
       - id: cargo-fmt