diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..fc9f855
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/" # Location of your workflow files
+ schedule:
+ interval: "weekly" # Options: daily, weekly, monthly
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index 1336e17..fd900ed 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -1,4 +1,6 @@
 name: "Check with pre-commit"
+permissions:
+ contents: read
 on:
 push:
 branches: ["main"]
@@ -14,6 +16,8 @@ jobs:
 steps:
 - uses: "actions/checkout@v3"
+ with:
+ persist-credentials: false
 - name: "Set up Python ${{ matrix.python-version }}"
 uses: "actions/setup-python@v4"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8e13e01..9ab0fcc 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,4 +1,6 @@
 name: "Release"
+permissions:
+ contents: read
 on:
 release:
 types:
@@ -10,6 +12,8 @@ jobs:
 runs-on: "ubuntu-latest"
 steps:
 - uses: "actions/checkout@v3"
+ with:
+ persist-credentials: false
 - name: "Set up Python"
 uses: "actions/setup-python@v4"
@@ -23,6 +27,6 @@ jobs:
 run: "python -m build"
 - name: "Publish to PyPI"
- uses: "pypa/gh-action-pypi-publish@release/v1"
+ uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
 with:
 password: "${{ secrets.PYPI_TOKEN }}"
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 2244163..fa239db 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,4 +1,6 @@
 name: "Test"
+permissions:
+ contents: read
 on:
 push:
 branches: ["main"]
@@ -20,6 +22,8 @@ jobs:
 steps:
 - uses: "actions/checkout@v3"
+ with:
+ persist-credentials: false
 - name: "Set up Python ${{ matrix.python-version }}"
 uses: "actions/setup-python@v4"
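Review bot: The new .github/dependabot.yml opens with an empty line ahead of `version: 2` and keeps the generator's template comments (`# Location of your workflow files`, `# Options: daily, weekly, monthly`), which describe the schema rather than this project's intent. Dropping the blank line and replacing them with a single comment such as `# Keep the actions referenced in .github/workflows up to date` would read better. Only the `github-actions` ecosystem is configured; if the repository has Python dependency manifests (none are visible in this diff), a second `updates` entry with `package-ecosystem: "pip"` would bring them under the same update flow.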
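Review bot: `actions/checkout@v3` in the second hunk of check.yml is still referenced by a mutable tag, as is `actions/setup-python@v4` two lines below it, while this same commit pins `pypa/gh-action-pypi-publish` to a full commit SHA in release.yml. A tag can be repointed to different code after review, so pinning these the same way would make the hardening consistent, e.g. `- uses: actions/checkout@<full-commit-sha> # v3` (placeholder; take the SHA from the action's own release). The same applies to the checkout and setup-python steps in the second hunks of release.yml and test.yml. The `steps` list starts and continues outside each of these hunks, so other `uses:` lines may need the same treatment.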
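Review bot: The publish step in the last hunk of release.yml still authenticates with the long-lived `secrets.PYPI_TOKEN`, and pinning the action does not reduce the impact if that token is exposed. The action supports PyPI Trusted Publishing: once the project is registered as a trusted publisher on PyPI, the publishing job can declare `permissions:` with `id-token: write` and the `with:` / `password:` lines can be removed. The workflow-level `contents: read` added in this commit grants no `id-token`, so that permission has to be set on the job itself. Separately, the `# v1.12.4` comment is the only link between the SHA and a release, so confirm the SHA resolves to that tag before merging. The new `uses:` value is also unquoted, unlike every other `uses:` line in these workflows.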