From 16585165c5d56acc821fff0f1b0c5e60a86dc6ee Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 21:01:20 -0400
Subject: [PATCH 1/8] CI: pin actions by SHA

This eliminates the possibility of a tag being changed under us.
---
.github/workflows/main.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 1184ce5..cb289f5 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -15,7 +15,7 @@ jobs: run: rm ./docs/_build/html/objects.inv - name: Publish if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} - uses: peaceiris/actions-gh-pages@v4 + uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4 with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: ./docs/_build/html
From 662d2b2e10a044d4c1045f49d6e219aa227a94e2 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 22:53:24 -0400
Subject: [PATCH 2/8] CI: pin actions by SHA

This eliminates the possibility of a tag being changed under us.
---
.github/workflows/circleupload.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/circleupload.yaml b/.github/workflows/circleupload.yaml
index b9ad42f..b820c5c 100644
--- a/.github/workflows/circleupload.yaml
+++ b/.github/workflows/circleupload.yaml
@@ -5,7 +5,7 @@ jobs: name: Run CircleCI artifacts redirector steps: - name: GitHub Action step - uses: larsoner/circleci-artifacts-redirector-action@master + uses: scientific-python/circleci-artifacts-redirector-action@7eafdb60666f57706a5525a2f5eb76224dc8779b # v1.1.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} api-token: ${{ secrets.CIRCLECI_TOKEN }}
From 036f09c7a9b23b3a450f67c5cd2c1b0f9bb5334c Mon Sep 17 00:00:00 2001
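Review bot: The replaced `uses:` line moves this step to a different repository (`larsoner/...` to `scientific-python/...`) in addition to swapping `@master` for a commit, while the subject line only says the action is pinned by SHA; because the step is handed `secrets.CIRCLECI_TOKEN` and `secrets.GITHUB_TOKEN`, the change of provenance deserves a sentence in the commit message and a check that the `repo-token` / `api-token` inputs kept as context are still the input names the new repository's action expects. The `# v1.1.0` suffix is the form Dependabot (configured in patch 7) needs to keep a pinned SHA current, so keep that label in step with the SHA whenever it is bumped. The enclosing job starts outside the hunk.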
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 23:08:09 -0400
Subject: [PATCH 3/8] CI: auto-fix via zizmor

May include:
- Avoids risky string interpolation.
- Prevents checkout premissions from leaking
---
.github/workflows/codeql.yml | 2 ++
.github/workflows/main.yaml | 2 ++
2 files changed, 4 insertions(+)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 16d1b35..99f7da1 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -25,6 +25,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Initialize CodeQL uses: github/codeql-action/init@v3
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index cb289f5..9901fe0 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -7,6 +7,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install Python dependencies run: pip install -r requirements.txt - name: Build
From a6db1fc9bd9291b66f764477b315efd6818e6067 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 23:25:37 -0400
Subject: [PATCH 4/8] CI: Restrict default permissions

Reduces risk of arbitrary code is run by attacker.
---
.github/workflows/main.yaml | 2 ++
1 file changed, 2 insertions(+)

diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 9901fe0..81c3918 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -1,4 +1,6 @@ name: CI +permissions: + contents: write on: [push, pull_request]
From 391a4de3cbcb2d1649281340bfa319a6f9e9207a Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 23:36:32 -0400
Subject: [PATCH 5/8] CI: Restrict default permissions

Reduces risk of arbitrary code is run by attacker.
---
.github/workflows/main.yaml | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
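Review bot: Both `actions/checkout@v4` lines that receive the new `persist-credentials: false` block, in codeql.yml and in main.yaml, are still pinned to a moving tag, as is `github/codeql-action/init@v3` on the last context line of the codeql.yml hunk; after patches 1 and 2 moved the other actions to commit SHAs, these should get the same `uses: owner/repo@<full commit SHA> # vX.Y.Z` treatment so the workflows follow one pinning policy. Disabling credential persistence is safe for main.yaml's later Publish step because that step passes `github_token: ${{ secrets.GITHUB_TOKEN }}` explicitly rather than relying on the token checkout would otherwise leave in the local git config. The same remark applies to the main.yaml hunk of this patch, and both enclosing jobs continue outside the hunks.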
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 81c3918..d69fce8 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -1,12 +1,13 @@ name: CI -permissions: - contents: write on: [push, pull_request] jobs: build: runs-on: ubuntu-latest + permissions: + contents: write + steps: - uses: actions/checkout@v4 with:
From 0a5023c167aa7930a96d175c5e9939a869307935 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 23:44:08 -0400
Subject: [PATCH 6/8] CI: set permissions

---
.github/workflows/circleupload.yaml | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/.github/workflows/circleupload.yaml b/.github/workflows/circleupload.yaml
index b820c5c..3983203 100644
--- a/.github/workflows/circleupload.yaml
+++ b/.github/workflows/circleupload.yaml
@@ -1,6 +1,10 @@ on: [status] jobs: circleci_artifacts_redirector_job: + permissions: + contents: read + checks: write + pull-requests: write runs-on: ubuntu-latest name: Run CircleCI artifacts redirector steps:
From ddd5ecbe735db8388dd7c9ce0f5f9dae9ba7b728 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Fri, 18 Jul 2025 11:30:38 -0400
Subject: [PATCH 7/8] CI: add dependabot config file for GHA

---
.github/dependabot.yml | 7 +++++++
1 file changed, 7 insertions(+)
create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..fc9f855
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/" # Location of your workflow files
+ schedule:
+ interval: "weekly" # Options: daily, weekly, monthly
From bd38cd9d433d5bb84f7b4e0bf9c334905aa05d8f Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Tue, 22 Jul 2025 09:16:08 -0400
Subject: [PATCH 8/8] DOC: update version label

Co-authored-by: Elliott Sales de Andrade
---
.github/workflows/main.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
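Review bot: `contents: write` is now granted to the whole `build` job, so the token carries write scope while `pip install -r requirements.txt` and the docs build run on every `push` and `pull_request`, although only the Publish step (gated on `push` to `main`) needs it. The least-privilege shape is to restore a workflow-level `permissions:` / `  contents: read` at the top of the file and keep the write grant on the job, or better on a separate publish job that consumes the built HTML as an artifact; as the hunk stands, the workflow-level block is removed entirely, so any job added later falls back to the repository default. The `build` job continues past the end of the hunk.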
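Review bot: The new block grants both `checks: write` and `pull-requests: write` to the redirector job, and it is not visible from here which of the two the action actually uses; confirm against the action's documentation and drop whichever scope is not needed — if it only creates a check run, `pull-requests: write` is surplus. Note that `on: [status]` runs this job in the default-branch context with the `CIRCLECI_TOKEN` secret available to the step (seen in the hunk of patch 2), which the permissions block does not change. The job's `steps:` continue outside the hunk.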
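Review bot: The first added line of `.github/dependabot.yml` is empty, and the two trailing comments (`# Location of your workflow files`, `# Options: daily, weekly, monthly`) are generator template text rather than information about this repository; drop the blank line and the comments and start the document with `---` per the usual YAML convention. With `package-ecosystem: "github-actions"`, Dependabot will bump the SHA pins introduced in patches 1 and 2 and rewrite the trailing `# vX.Y.Z` label alongside them, which is why the label form matters. If `requirements.txt` (installed by main.yaml) is meant to be kept current as well, a second `pip` entry would be the place, but that is outside this patch's stated scope.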
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index d69fce8..a7d5e43 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -20,7 +20,7 @@ jobs: run: rm ./docs/_build/html/objects.inv - name: Publish if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} - uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4 + uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: ./docs/_build/html