Merge pull request #102 from tacaswell/harden_gha

dstansby · web-flow · commit 53aa8592da76 · 2025-08-11T21:52:17.000+01:00
CI: Harden GHA configuration
diff --git a/.github/.github/workflows/lighthouse.yml b/.github/.github/workflows/lighthouse.yml
@@ -1,10 +1,14 @@
 name: Lighthouse
+permissions:
+  contents: read
 on: [push, pull_request]
 jobs:
   CI:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v1
+        with:
+          persist-credentials: false
 
       - name: Set up Python 3.7
         uses: actions/setup-python@v1
@@ -22,7 +26,7 @@ jobs:
           make html
 
       - name: Run Lighthouse against example docs build
-        uses: treosh/lighthouse-ci-action@v2
+        uses: treosh/lighthouse-ci-action@005e1277a8a17ea0b0ef6c3332d59a7cd0f730ce # v2
         with:
           configPath: "./lighthouserc.json"
           temporaryPublicStorage: true
diff --git a/.github/.github/workflows/pre-commit.yaml b/.github/.github/workflows/pre-commit.yaml
@@ -1,4 +1,6 @@
 name: Linting
+permissions:
+  contents: read
 
 on:
   push:
@@ -12,5 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v2
-      - uses: pre-commit/action@v2.0.0
+      - uses: pre-commit/action@0764670bf370aab253130d534e1eda7ff497dc60 # v2.0.0
diff --git a/.github/.github/workflows/publish-pypi.yml b/.github/.github/workflows/publish-pypi.yml
@@ -1,4 +1,6 @@
 name: Push to PyPI
+permissions:
+  contents: read
 
 on:
   push:
@@ -8,10 +10,15 @@ on:
 jobs:
   publish:
     runs-on: ubuntu-latest
-
+    permissions:
+      id-token: write
+      attestations: write
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@v1
+        with:
+          persist-credentials: false
 
       - name: Set up Python 3.7
         uses: actions/setup-python@v1
@@ -29,7 +36,7 @@ jobs:
           python setup.py sdist bdist_wheel
 
       - name: Publish mpl-sphinx-theme
-        uses: pypa/gh-action-pypi-publish@master
+        uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
         with:
           user: __token__
           password: ${{ secrets.pypi_token }}
diff --git a/.github/.githubold/workflows/main.yml b/.github/.githubold/workflows/main.yml
@@ -5,7 +5,7 @@ jobs:
     name: Run CircleCI artifacts redirector
     steps:
       - name: GitHub Action step
-        uses: larsoner/circleci-artifacts-redirector-action@master
+        uses: scientific-python/circleci-artifacts-redirector-action@7eafdb60666f57706a5525a2f5eb76224dc8779b  # v1.1.0
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           artifact-path: 0/docs/_build/html/index.html
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,4 @@
 /mpl_sphinx_theme.egg-info/
 /mpl_sphinx_theme/__pycache__/
 build
+dist

-Original file line number
+Diff line change
@@ @@ -1,3 +1,4 @@ @@
 /mpl_sphinx_theme.egg-info/
 /mpl_sphinx_theme/__pycache__/
 build
 +dist