From 968627a9336e592eddaecff6bccdb48fa56da72f Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Sat, 28 Dec 2024 21:19:38 -0500 Subject: [PATCH 1/5] API: bump minimum Python to match SPEC0 --- .github/workflows/testing.yml | 2 +- setup.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml index a016ff1..cbc76b9 100644 --- a/.github/workflows/testing.yml +++ b/.github/workflows/testing.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - python-version: ['3.9', '3.10', '3.11', '3.12'] + python-version: ['3.11', '3.12', '3.11'] fail-fast: false steps: diff --git a/setup.py b/setup.py index a828056..25aae60 100644 --- a/setup.py +++ b/setup.py @@ -7,7 +7,7 @@ # NOTE: This file must remain Python 2 compatible for the foreseeable future, # to ensure that we error out properly for people with outdated setuptools # and/or pip. -min_version = (3, 7) +min_version = (3, 11) if sys.version_info < min_version: error = """ mpl-gui does not support Python {0}.{1}. From a949e535d0f0165631b770031b76132b1414c376 Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Thu, 17 Jul 2025 21:01:34 -0400 Subject: [PATCH 2/5] CI: pin actions by SHA This eliminates the possibility of a tag being changed under us. --- .github/workflows/docs.yml | 2 +- .github/workflows/testing.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index e4c45e3..e3fb2d5 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -25,7 +25,7 @@ jobs: - name: Publish if: ${{ env.IS_RELEASE == 'true' }} - uses: peaceiris/actions-gh-pages@v3 + uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3 with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: ./docs/build/html diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml index cbc76b9..9c05f89 100644 
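Review bot: The new matrix `['3.11', '3.12', '3.11']` lists 3.11 twice and never tests 3.13, so the duplicated entry either yields two identical jobs or is rejected by the runner, while the newest interpreter the package now claims to support goes unexercised; the intended line is presumably `python-version: ['3.11', '3.12', '3.13']`. The quoting is correct and should be kept when fixing it — an unquoted `3.10`-style value is parsed as the float 3.1 by a YAML loader. The `jobs:` mapping this matrix belongs to starts before the hunk and continues after it.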
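Review bot: The `# v3` comment next to the new SHA records only the major version, so a reviewer cannot check that the pinned commit is the one a tagged release points at rather than an arbitrary commit on that line; record the exact tag the SHA was resolved from, e.g. `uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # vX.Y.Z` with the real tag filled in, which is also the form Dependabot rewrites when it bumps a SHA pin. The pin is also incomplete for this job: the checkout step of the same workflow is still `actions/checkout@v2` (visible in a later hunk of this series), so a retagged checkout can run arbitrary code in the job before the pinned publish step is reached. The job definition continues outside the hunk.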
--- a/.github/workflows/testing.yml +++ b/.github/workflows/testing.yml @@ -41,4 +41,4 @@ jobs: coverage report - name: Upload code coverage - uses: codecov/codecov-action@v1 + uses: codecov/codecov-action@29386c70ef20e286228c72b668a06fd0e8399192 # v1 From a85ffe33f6c47afa2fa9b56cbf20441f74aa3100 Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Thu, 17 Jul 2025 23:05:26 -0400 Subject: [PATCH 3/5] CI: auto-fix via zizmor May include: - Avoids risky string interpolation. - Prevents checkout premissions from leaking --- .github/workflows/codeql.yml | 2 ++ .github/workflows/docs.yml | 2 ++ .github/workflows/testing.yml | 1 + 3 files changed, 5 insertions(+) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index ccaac44..1ff335c 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -25,6 +25,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v3 + with: + persist-credentials: false - name: Initialize CodeQL uses: github/codeql-action/init@v2 diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index e3fb2d5..ba2a5e8 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -11,6 +11,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 + with: + persist-credentials: false - name: Install Python dependencies run: pip install -r requirements-doc.txt diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml index 9c05f89..0b1143f 100644 --- a/.github/workflows/testing.yml +++ b/.github/workflows/testing.yml @@ -19,6 +19,7 @@ jobs: - uses: actions/checkout@v2 with: fetch-depth: 0 + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v2 From dfd22986ed536456758fd76986f34c0de9f13453 Mon Sep 17 00:00:00 2001 
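Review bot: Pinning `codecov/codecov-action` to a v1 commit freezes a major that is far behind current releases, and a SHA pin only covers the action's own repository — if this version of the action fetches its uploader at run time, the code that actually executes is still unpinned, which is worth confirming against that commit before relying on the pin. Consider moving to a current major first and then pinning, recording the exact tag in the comment instead of `# v1`. The same workflow's `actions/checkout@v2` and `actions/setup-python@v2` (seen in a later hunk) are left on mutable tags, so the commit's stated guarantee does not yet hold for this job. The job continues outside the hunk.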
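Review bot: `persist-credentials: false` is the right default here, but this is the one workflow the rest of the series leaves untouched: `actions/checkout@v3` and `github/codeql-action/init@v2` remain on mutable tags despite the SHA-pinning commit, and codeql.yml receives no `permissions:` block in the permissions-restriction commit. If a top-level `permissions: contents: read` is added to it later, the analysis job must also be granted `security-events: write` or the CodeQL result upload will fail — hedged, since the job's later steps are outside this hunk. `github/codeql-action@v2` is also an old major that may no longer receive updates; verify that before pinning its SHA.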
From: Thomas A Caswell Date: Thu, 17 Jul 2025 23:18:25 -0400 Subject: [PATCH 4/5] CI: Restrict default permissions Reduces risk of arbitrary code is run by attacker. --- .github/workflows/docs.yml | 2 ++ .github/workflows/testing.yml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index ba2a5e8..3c28072 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -1,4 +1,6 @@ name: Docs +permissions: + contents: read on: [push, pull_request] diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml index 0b1143f..cd6717e 100644 --- a/.github/workflows/testing.yml +++ b/.github/workflows/testing.yml @@ -1,4 +1,6 @@ name: Unit Tests +permissions: + contents: read on: push: From 3260bf8fe4e792a02f57e53de8bc87df4480f0ab Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Fri, 18 Jul 2025 11:31:23 -0400 Subject: [PATCH 5/5] CI: add dependabot config file for GHA --- .github/dependabot.yml | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..fc9f855 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,7 @@ + +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" # Location of your workflow files + schedule: + interval: "weekly" # Options: daily, weekly, monthly
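Review bot: A workflow-level `permissions: contents: read` will break the `Publish` step when `IS_RELEASE == 'true'`: `peaceiris/actions-gh-pages` pushes the built HTML to the `gh-pages` branch using the supplied `GITHUB_TOKEN`, which now lacks write scope, so the release run fails at the push. Keep the read-only default at the top and grant write access only to the publishing job by adding `permissions:` with `contents: write` under that job's header, which sits outside this hunk. If the publish step is later split into its own job, the write grant should move there so the build job stays read-only.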
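Review bot: The new file begins with an empty line (the first `+` line is blank), and it only watches the `github-actions` ecosystem although the repository also has `setup.py` and `requirements-doc.txt` in this same series; drop the blank first line and add a second entry `- package-ecosystem: "pip"` with `directory: "/"` and the same weekly schedule so the Python dependencies get the same treatment. Note that Dependabot updates SHA-pinned actions by rewriting both the hash and the trailing `# vN` comment, so those comments must stay in place, and each such PR is an opaque hash change that should be checked against the upstream tag rather than merged on trust.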