From 6091aea6b97664db794407acaf5a7d9cd333e291 Mon Sep 17 00:00:00 2001 From: Ben Moss Date: Thu, 23 Oct 2025 13:23:58 -0400 Subject: [PATCH 1/4] Add zizmor linter --- lefthook.yaml | 3 +++ pixi.lock | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++ pixi.toml | 1 + zizmor.yml | 5 ++++ 4 files changed, 82 insertions(+) create mode 100644 zizmor.yml diff --git a/lefthook.yaml b/lefthook.yaml index e4efe9fc42..149a0c41f7 100644 --- a/lefthook.yaml +++ b/lefthook.yaml @@ -56,6 +56,9 @@ pre-commit: - name: typos stage_fixed: true run: pixi {run} typos + - name: zizmor + glob: ".github/*.{yaml,yml}" + run: pixi {run} zizmor {staged_files} pre-push: jobs: diff --git a/pixi.lock b/pixi.lock index 0883215727..59b795edf9 100644 --- a/pixi.lock +++ b/pixi.lock @@ -1554,6 +1554,7 @@ environments: - conda: https://prefix.dev/conda-forge/noarch/tzdata-2025b-h78e105d_0.conda - conda: https://prefix.dev/conda-forge/linux-64/yaml-0.2.5-h7f98852_2.tar.bz2 - conda: https://prefix.dev/conda-forge/noarch/zipp-3.22.0-pyhd8ed1ab_0.conda + - conda: https://prefix.dev/conda-forge/linux-64/zizmor-1.14.1-py313h5c7d99a_0.conda - conda: https://prefix.dev/conda-forge/linux-64/zstd-1.5.7-hb8e6e7a_2.conda linux-aarch64: - conda: https://prefix.dev/conda-forge/linux-aarch64/_openmp_mutex-4.5-2_gnu.tar.bz2 @@ -1683,6 +1684,7 @@ environments: - conda: https://prefix.dev/conda-forge/noarch/tzdata-2025b-h78e105d_0.conda - conda: https://prefix.dev/conda-forge/linux-aarch64/yaml-0.2.5-hf897c2e_2.tar.bz2 - conda: https://prefix.dev/conda-forge/noarch/zipp-3.22.0-pyhd8ed1ab_0.conda + - conda: https://prefix.dev/conda-forge/linux-aarch64/zizmor-1.14.1-py313he77ad87_0.conda - conda: https://prefix.dev/conda-forge/linux-aarch64/zstd-1.5.7-hbcf94c1_2.conda osx-64: - conda: https://prefix.dev/conda-forge/noarch/_python_abi3_support-1.0-hd8ed1ab_2.conda 
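Review bot: The new `glob: ".github/*.{yaml,yml}"` in the lefthook.yaml hunk does not reach the files zizmor is meant to lint: the workflows live one level down in `.github/workflows/`, and if lefthook's glob matching follows its documented behaviour of a single `*` not crossing a path separator, every staged workflow is filtered out and the hook has nothing to hand to zizmor. Pointing the pattern at the directory zizmor actually audits, `glob: ".github/workflows/*.{yaml,yml}"`, also keeps dependabot or issue-template YAML directly under `.github/` away from a workflow-oriented linter. The same glob is carried unchanged into the pre-push job in PATCH 4/4, so the correction applies there as well.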
@@ -1816,6 +1818,7 @@ environments: - conda: https://prefix.dev/conda-forge/noarch/tzdata-2025b-h78e105d_0.conda - conda: https://prefix.dev/conda-forge/osx-64/yaml-0.2.5-h0d85af4_2.tar.bz2 - conda: https://prefix.dev/conda-forge/noarch/zipp-3.22.0-pyhd8ed1ab_0.conda + - conda: https://prefix.dev/conda-forge/osx-64/zizmor-1.14.1-py313ha265c4a_0.conda - conda: https://prefix.dev/conda-forge/osx-64/zlib-1.3.1-hd23fc13_2.conda - conda: https://prefix.dev/conda-forge/osx-64/zstd-1.5.7-h8210216_2.conda osx-arm64: @@ -1951,6 +1954,7 @@ environments: - conda: https://prefix.dev/conda-forge/noarch/tzdata-2025b-h78e105d_0.conda - conda: https://prefix.dev/conda-forge/osx-arm64/yaml-0.2.5-h3422bc3_2.tar.bz2 - conda: https://prefix.dev/conda-forge/noarch/zipp-3.22.0-pyhd8ed1ab_0.conda + - conda: https://prefix.dev/conda-forge/osx-arm64/zizmor-1.14.1-py313h0b74987_0.conda - conda: https://prefix.dev/conda-forge/osx-arm64/zlib-1.3.1-h8359307_2.conda - conda: https://prefix.dev/conda-forge/osx-arm64/zstd-1.5.7-h6491c7d_2.conda win-64: @@ -2059,6 +2063,7 @@ environments: - conda: https://prefix.dev/conda-forge/noarch/vswhere-3.1.7-h40126e0_1.conda - conda: https://prefix.dev/conda-forge/win-64/yaml-0.2.5-h8ffe710_2.tar.bz2 - conda: https://prefix.dev/conda-forge/noarch/zipp-3.22.0-pyhd8ed1ab_0.conda + - conda: https://prefix.dev/conda-forge/win-64/zizmor-1.14.1-py313hf61f64f_0.conda - conda: https://prefix.dev/conda-forge/win-64/zstd-1.5.7-hbeecb71_2.conda pypi-gen: channels: 
@@ -11757,6 +11762,74 @@ packages: - pkg:pypi/zipp?source=hash-mapping size: 22691 timestamp: 1748277499928 +- conda: https://prefix.dev/conda-forge/linux-64/zizmor-1.14.1-py313h5c7d99a_0.conda + sha256: 690e45bade088bd43995195ad8c904640901fe8ac8a7f9e064a6e4673172016c + md5: 708503104848c38b6dba5baee1efaa79 + depends: + - __glibc >=2.17,<3.0.a0 + - libgcc >=14 + - python >=3.13,<3.14.0a0 + - python_abi 3.13.* *_cp313 + constrains: + - __glibc >=2.17 + license: MIT + license_family: MIT + size: 4888158 + timestamp: 1758927533053 +- conda: https://prefix.dev/conda-forge/linux-aarch64/zizmor-1.14.1-py313he77ad87_0.conda + sha256: 4ef27207809b692878cb86200e3a9ac33e29e141d1c0aab61bf4acae69903eb2 + md5: 8740f6ca1794273cce02f03ae787a453 + depends: + - libgcc >=14 + - python >=3.13,<3.14.0a0 + - python >=3.13,<3.14.0a0 *_cp313 + - python_abi 3.13.* *_cp313 + constrains: + - __glibc >=2.17 + license: MIT + license_family: MIT + size: 4652529 + timestamp: 1758927824057 +- conda: https://prefix.dev/conda-forge/osx-64/zizmor-1.14.1-py313ha265c4a_0.conda + sha256: 9840df51e6fe5e6e3e03ededa53e60d69a35271b17abd4bbf1fea89c5533c700 + md5: da271cc6f3b993f46f8233a4447f8adc + depends: + - __osx >=10.13 + - python >=3.13,<3.14.0a0 + - python_abi 3.13.* *_cp313 + constrains: + - __osx >=10.13 + license: MIT + license_family: MIT + size: 4750051 + timestamp: 1758928071721 +- conda: https://prefix.dev/conda-forge/osx-arm64/zizmor-1.14.1-py313h0b74987_0.conda + sha256: 6c17ac7d398d8e79200a7076e767e75b96b194b90ce99977bf21f0bfe70c6a75 + md5: 809944d44e09390b2456853ae9a80e35 + depends: + - __osx >=11.0 + - python >=3.13,<3.14.0a0 + - python >=3.13,<3.14.0a0 *_cp313 + - python_abi 3.13.* *_cp313 + constrains: + - __osx >=11.0 + license: MIT + license_family: MIT + size: 4469942 + timestamp: 1758928186604 +- conda: https://prefix.dev/conda-forge/win-64/zizmor-1.14.1-py313hf61f64f_0.conda + sha256: 6cf16dd3cf358761efd70c89bfdd55dd770686d706dc4401ad823efb04ac1752 + md5: 
79a85ca5455729763afe5a7694dba218 + depends: + - python >=3.13,<3.14.0a0 + - python_abi 3.13.* *_cp313 + - ucrt >=10.0.20348.0 + - vc >=14.3,<15 + - vc14_runtime >=14.44.35208 + license: MIT + license_family: MIT + size: 5007028 + timestamp: 1758928256045 - conda: https://prefix.dev/conda-forge/osx-64/zlib-1.3.1-hd23fc13_2.conda sha256: 219edbdfe7f073564375819732cbf7cc0d7c7c18d3f546a09c2dfaf26e4d69f3 md5: c989e0295dcbdc08106fe5d9e935f0b9 diff --git a/pixi.toml b/pixi.toml index 3a09927ff1..c896f9e341 100644 --- a/pixi.toml +++ b/pixi.toml @@ -138,6 +138,7 @@ ruff = ">=0.14.0,<0.15" shellcheck = ">=0.10.0,<0.11" taplo = ">=0.10.0,<0.11" typos = ">=1.38.1,<2" +zizmor = ">=1.14.1,<2" [feature.lint.tasks] actionlint = { cmd = "actionlint", env = { SHELLCHECK_OPTS = "-e SC2086" } } diff --git a/zizmor.yml b/zizmor.yml new file mode 100644 index 0000000000..649f2bf9e4 --- /dev/null +++ b/zizmor.yml @@ -0,0 +1,5 @@ +rules: + unpinned-uses: + config: + policies: + prefix-dev/*: any From 73037850ab3fd39773977eb63dbc564ad920b364 Mon Sep 17 00:00:00 2001 From: Ben Moss Date: Thu, 23 Oct 2025 13:54:10 -0400 Subject: [PATCH 2/4] zizmor --fix=all --- .github/workflows/ci.yml | 101 +++++++++++++++++++---- .github/workflows/docs.yml | 11 ++- .github/workflows/enforce-sha.yaml | 2 + .github/workflows/release.yml | 21 ++++- .github/workflows/schema.yml | 2 + .github/workflows/test_common_wheels.yml | 3 +- .github/workflows/trampoline.yaml | 3 + 7 files changed, 120 insertions(+), 23 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b227e5013c..1f38def645 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -56,6 +56,7 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: fetch-depth: 0 + persist-credentials: false - uses: step-security/changed-files@95b56dadb92a30ca9036f16423fd3c088a71ee94 # v46 id: changed 
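Review bot: The `prefix-dev/*: any` policy in the new zizmor.yml switches `unpinned-uses` off for the whole organization, and nothing in the file says why; a reader only works it out by spotting `prefix-dev/setup-pixi@main` in ci.yml. Record the decision next to the policy, e.g. `# first-party actions: setup-pixi is deliberately consumed from main` above the `prefix-dev/*` line, so the exemption is neither widened nor dropped by accident later. The enforce-sha.yaml workflow runs a separate SHA-pinning check whose `with:` block lies outside this patch; if it carries an allowlist for the same action, keep the two lists in step so the pre-push hook and CI agree on what passes.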
@@ -88,6 +89,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + with: + persist-credentials: false - name: Set up pixi uses: prefix-dev/setup-pixi@main with: @@ -103,6 +106,8 @@ jobs: if: ${{ needs.determine_changes.outputs.code == 'true' || github.ref == 'refs/heads/main' }} steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + with: + persist-credentials: false - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2 with: save-if: ${{ github.ref == 'refs/heads/main' }} @@ -118,6 +123,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + with: + persist-credentials: false - name: Machete uses: bnjbvr/cargo-machete@7959c845782fed02ee69303126d4a12d64f1db18 # v0.9.1 @@ -127,6 +134,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + with: + persist-credentials: false - uses: prefix-dev/setup-pixi@main with: cache: ${{ github.ref == 'refs/heads/main' }} @@ -142,6 +151,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + with: + persist-credentials: false - uses: prefix-dev/setup-pixi@main - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2 @@ -178,6 +189,8 @@ jobs: runs-on: 8core_ubuntu_latest_runner steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + with: + persist-credentials: false - uses: prefix-dev/setup-pixi@main with: cache-write: ${{ github.event_name == 'push' && github.ref_name == 'main' }} @@ -200,6 +213,8 @@ jobs: runs-on: macos-14 steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + with: + persist-credentials: false - uses: prefix-dev/setup-pixi@main with: cache-write: ${{ github.event_name == 'push' && github.ref_name == 'main' }} 
@@ -222,6 +237,8 @@ jobs: runs-on: macos-13 steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + with: + persist-credentials: false - uses: prefix-dev/setup-pixi@main with: cache-write: ${{ github.event_name == 'push' && github.ref_name == 'main' }} @@ -245,6 +262,8 @@ jobs: steps: # We don't use the dev drive here since we run out of space otherwise - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + with: + persist-credentials: false - name: Create Dev Drive run: ${{ github.workspace }}/.github/workflows/setup-dev-drive.ps1 - uses: prefix-dev/setup-pixi@main @@ -273,6 +292,8 @@ jobs: name: "build binary | linux x86_64" steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + with: + persist-credentials: false - uses: rui314/setup-mold@725a8794d15fc7563f59595bd9556495c0564878 # v1 - name: "Setup musl" run: | @@ -300,6 +321,8 @@ jobs: name: "build binary | macos aarch64" steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + with: + persist-credentials: false - uses: rui314/setup-mold@725a8794d15fc7563f59595bd9556495c0564878 # v1 - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2 - name: "Build" @@ -322,6 +345,8 @@ jobs: name: "build binary | macos x86_64" steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + with: + persist-credentials: false - uses: rui314/setup-mold@725a8794d15fc7563f59595bd9556495c0564878 # v1 - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2 - name: "Build" @@ -344,6 +369,8 @@ jobs: name: "build binary | windows x86_64" steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + with: + persist-credentials: false - name: Create Dev Drive run: ${{ github.workspace }}/.github/workflows/setup-dev-drive.ps1 - name: Copy Git Repo to Dev Drive 
@@ -374,11 +401,13 @@ jobs: name: "build binary | windows aarch64" steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + with: + persist-credentials: false - name: Create Dev Drive run: ${{ github.workspace }}/.github/workflows/setup-dev-drive.ps1 - name: Copy Git Repo to Dev Drive run: | - Copy-Item -Path "${{ github.workspace }}" -Destination "${{ env.PIXI_WORKSPACE }}" -Recurse + Copy-Item -Path "${{ github.workspace }}" -Destination "$env:PIXI_WORKSPACE" -Recurse - name: "Install Rust toolchain" run: rustup target add aarch64-pc-windows-msvc - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2 @@ -412,12 +441,14 @@ jobs: TARGET_RELEASE: "target/pixi/release" steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + with: + persist-credentials: false - name: Create Dev Drive run: ${{ github.workspace }}/.github/workflows/setup-dev-drive.ps1 - name: Copy Git Repo to Dev Drive run: | - Copy-Item -Path "${{ github.workspace }}" -Destination "${{ env.PIXI_WORKSPACE }}" -Recurse - echo "${{ env.PIXI_WORKSPACE }}/${{ env.TARGET_RELEASE }}" | Out-File -Append -Encoding utf8 -FilePath $env:GITHUB_PATH + Copy-Item -Path "${{ github.workspace }}" -Destination "$env:PIXI_WORKSPACE" -Recurse + echo "$env:PIXI_WORKSPACE/${{ env.TARGET_RELEASE }}" | Out-File -Append -Encoding utf8 -FilePath $env:GITHUB_PATH - name: Download binary from build uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: @@ -440,6 +471,8 @@ jobs: TARGET_RELEASE: "${{ github.workspace }}/target/pixi/release" steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + with: + persist-credentials: false - name: Download binary from build uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: 
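Review bot: In the `Copy Git Repo to Dev Drive` step of the `@@ -412,12 +441,14 @@` hunk the fix stops halfway: `PIXI_WORKSPACE` is now read at run time as `$env:PIXI_WORKSPACE`, while the same line still expands `${{ env.TARGET_RELEASE }}` at template time, so one command mixes both mechanisms for two variables that presumably come from the same job-level `env:` map. Both are static values set in the workflow, so this is consistency rather than an injection risk, but the line reads more plainly as `echo "$env:PIXI_WORKSPACE/$env:TARGET_RELEASE" | Out-File -Append -Encoding utf8 -FilePath $env:GITHUB_PATH`. The identical line recurs in the `@@ -489,12 +524,14 @@` and `@@ -593,12 +634,14 @@` hunks of this patch.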
@@ -447,8 +480,8 @@ jobs: path: ${{ env.TARGET_RELEASE }} - name: Setup unix binary, add to github path run: | - chmod a+x ${{ env.TARGET_RELEASE }}/pixi - echo "${{ env.TARGET_RELEASE }}" >> $GITHUB_PATH + chmod a+x ${TARGET_RELEASE}/pixi + echo "${TARGET_RELEASE}" >> $GITHUB_PATH - name: Verify pixi installation run: pixi info @@ -464,6 +497,8 @@ jobs: TARGET_RELEASE: "${{ github.workspace }}/target/pixi/release" steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + with: + persist-credentials: false - name: Download binary from build uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: @@ -489,12 +524,14 @@ jobs: TARGET_RELEASE: "target/pixi/release" steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + with: + persist-credentials: false - name: Create Dev Drive run: ${{ github.workspace }}/.github/workflows/setup-dev-drive.ps1 - name: Copy Git Repo to Dev Drive run: | - Copy-Item -Path "${{ github.workspace }}" -Destination "${{ env.PIXI_WORKSPACE }}" -Recurse - echo "${{ env.PIXI_WORKSPACE }}/${{ env.TARGET_RELEASE }}" | Out-File -Append -Encoding utf8 -FilePath $env:GITHUB_PATH + Copy-Item -Path "${{ github.workspace }}" -Destination "$env:PIXI_WORKSPACE" -Recurse + echo "$env:PIXI_WORKSPACE/${{ env.TARGET_RELEASE }}" | Out-File -Append -Encoding utf8 -FilePath $env:GITHUB_PATH - name: Download binary from build uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: @@ -524,6 +561,8 @@ jobs: TARGET_RELEASE: "${{ github.workspace }}/target/pixi/release" steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + with: + persist-credentials: false - name: Download binary from build uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: 
@@ -531,8 +570,8 @@ jobs: path: ${{ env.TARGET_RELEASE }} - name: Setup unix binary, add to github path run: | - chmod a+x ${{ env.TARGET_RELEASE }}/pixi - echo "${{ env.TARGET_RELEASE }}" >> $GITHUB_PATH + chmod a+x ${TARGET_RELEASE}/pixi + echo "${TARGET_RELEASE}" >> $GITHUB_PATH - name: Verify pixi installation run: pixi info @@ -558,6 +597,8 @@ jobs: TARGET_RELEASE: "${{ github.workspace }}/target/pixi/release" steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + with: + persist-credentials: false - name: Download binary from build uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: @@ -593,12 +634,14 @@ jobs: TARGET_RELEASE: "target/pixi/release" steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + with: + persist-credentials: false - name: Create Dev Drive run: ${{ github.workspace }}/.github/workflows/setup-dev-drive.ps1 - name: Copy Git Repo to Dev Drive run: | - Copy-Item -Path "${{ github.workspace }}" -Destination "${{ env.PIXI_WORKSPACE }}" -Recurse - echo "${{ env.PIXI_WORKSPACE }}/${{ env.TARGET_RELEASE }}" | Out-File -Append -Encoding utf8 -FilePath $env:GITHUB_PATH + Copy-Item -Path "${{ github.workspace }}" -Destination "$env:PIXI_WORKSPACE" -Recurse + echo "$env:PIXI_WORKSPACE/${{ env.TARGET_RELEASE }}" | Out-File -Append -Encoding utf8 -FilePath $env:GITHUB_PATH - name: Download binary from build uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: @@ -616,8 +659,9 @@ jobs: with: repository: Deltares/Ribasim path: ribasim + persist-credentials: false - name: Copy Deltares/Ribasim to Dev Drive - run: Copy-Item -Path "${{ github.workspace }}/ribasim" -Destination "${{ env.PIXI_WORKSPACE }}/ribasim" -Recurse + run: Copy-Item -Path "${{ github.workspace }}/ribasim" -Destination "$env:PIXI_WORKSPACE/ribasim" -Recurse - name: Install Deltares/Ribasim run: pixi install -vvv --locked working-directory: ${{ env.PIXI_WORKSPACE }}/ribasim 
@@ -627,8 +671,9 @@ jobs: with: repository: quantco/polarify path: polarify + persist-credentials: false - name: Copy quantco/polarify to Dev Drive - run: Copy-Item -Path "${{ github.workspace }}/polarify" -Destination "${{ env.PIXI_WORKSPACE }}/polarify" -Recurse + run: Copy-Item -Path "${{ github.workspace }}/polarify" -Destination "$env:PIXI_WORKSPACE/polarify" -Recurse - name: Install quantco/polarify run: pixi install -vvv --locked working-directory: ${{ env.PIXI_WORKSPACE }}/polarify @@ -650,6 +695,8 @@ jobs: TARGET_RELEASE: "${{ github.workspace }}/target/pixi/release" steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + with: + persist-credentials: false - name: Download binary from build uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: @@ -657,8 +704,8 @@ jobs: path: ${{ env.TARGET_RELEASE }} - name: Setup unix binary, add to github path run: | - chmod a+x ${{ env.TARGET_RELEASE }}/pixi - echo "${{ env.TARGET_RELEASE }}" >> $GITHUB_PATH + chmod a+x ${TARGET_RELEASE}/pixi + echo "${TARGET_RELEASE}" >> $GITHUB_PATH - name: Verify pixi installation run: pixi info @@ -671,6 +718,7 @@ jobs: with: repository: Deltares/Ribasim path: ribasim + persist-credentials: false - name: "Install Deltares/Ribasim" run: pixi install -vvv --locked working-directory: ribasim @@ -680,6 +728,7 @@ jobs: with: repository: quantco/polarify path: polarify + persist-credentials: false - name: "Install quantco/polarify" run: pixi install -vvv --locked working-directory: polarify @@ -698,6 +747,8 @@ jobs: TARGET_RELEASE: "${{ github.workspace }}/target/pixi/release" steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + with: + persist-credentials: false - name: Download binary from build uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: 
@@ -719,6 +770,7 @@ jobs: with: repository: nerfstudio-project/nerfstudio path: nerfstudio + persist-credentials: false - name: "Install nerfstudio-project/nerfstudio" # Not using locked as their lockfile is not in sync run: pixi install -vvv @@ -729,6 +781,7 @@ jobs: with: repository: Deltares/Ribasim path: ribasim + persist-credentials: false - name: "Install Deltares/Ribasim" run: pixi install -vvv --locked working-directory: ribasim @@ -738,6 +791,7 @@ jobs: with: repository: quantco/polarify path: polarify + persist-credentials: false - name: "Install quantco/polarify" run: pixi install -vvv --locked working-directory: polarify @@ -794,6 +848,8 @@ jobs: if: ${{ needs.determine_changes.outputs.unix_installer == 'true' }} steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + with: + persist-credentials: false - name: "Install" run: | uname -a @@ -809,6 +865,8 @@ jobs: if: ${{ needs.determine_changes.outputs.unix_installer == 'true' }} steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + with: + persist-credentials: false - name: Setup latest Alpine Linux uses: jirutka/setup-alpine@de807bada44fc7dce6bbd00672b92827aa5f3c99 # v1 - name: "Install" @@ -828,6 +886,8 @@ jobs: if: ${{ needs.determine_changes.outputs.unix_installer == 'true' }} steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + with: + persist-credentials: false - name: Setup latest Alpine Linux uses: jirutka/setup-alpine@cf5fddcea495dcc19c0f991c6f6fa6a7abf3d50a # v1 - name: "Install" @@ -849,6 +909,8 @@ jobs: if: ${{ needs.determine_changes.outputs.unix_installer == 'true' }} steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + with: + persist-credentials: false - name: Setup ucrt64 msys2 uses: msys2/setup-msys2@fb197b72ce45fb24f17bf3f807a388985654d1f2 # v2 with: 
@@ -871,6 +933,8 @@ jobs: if: ${{ needs.determine_changes.outputs.unix_installer == 'true' }} steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + with: + persist-credentials: false - name: Setup ucrt64 msys2 uses: msys2/setup-msys2@fb197b72ce45fb24f17bf3f807a388985654d1f2 # v2 with: @@ -893,6 +957,8 @@ jobs: PIXI_REPOURL: "https://github.com/prefix-dev/pixi/" steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + with: + persist-credentials: false - name: Setup ucrt64 msys2 uses: msys2/setup-msys2@fb197b72ce45fb24f17bf3f807a388985654d1f2 # v2 with: @@ -917,6 +983,7 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: repository: prefix-dev/pixi-build-testsuite + persist-credentials: false - name: Set up pixi uses: prefix-dev/setup-pixi@main @@ -948,12 +1015,13 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: repository: prefix-dev/pixi-build-testsuite + persist-credentials: false - name: Create Dev Drive run: ${{ github.workspace }}/.github/workflows/setup-dev-drive.ps1 - name: Copy Git Repo to Dev Drive - run: Copy-Item -Path "${{ github.workspace }}" -Destination "${{ env.PIXI_WORKSPACE }}" -Recurse + run: Copy-Item -Path "${{ github.workspace }}" -Destination "$env:PIXI_WORKSPACE" -Recurse - name: Set up pixi uses: prefix-dev/setup-pixi@main @@ -986,6 +1054,7 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: repository: prefix-dev/pixi-build-testsuite + persist-credentials: false - name: Set up pixi uses: prefix-dev/setup-pixi@main diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index bdccbc6822..24064f3103 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -43,6 +43,7 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: submodules: recursive + persist-credentials: false - uses: prefix-dev/setup-pixi@main with: 
@@ -65,12 +66,15 @@ jobs: # fetch everything so we can checkout the tag fetch-depth: 0 submodules: recursive + persist-credentials: false # check out tag if workflow_dispatch - name: Checkout tag if: github.event_name == 'workflow_dispatch' run: | - git checkout tags/${{ github.event.inputs.tag }} + git checkout tags/${GITHUB_EVENT_INPUTS_TAG} + env: + GITHUB_EVENT_INPUTS_TAG: ${{ github.event.inputs.tag }} - uses: prefix-dev/setup-pixi@main with: @@ -87,7 +91,9 @@ jobs: - name: Tag from workflow_dispatch if: github.event_name == 'workflow_dispatch' - run: echo "RELEASE_VERSION=${{ github.event.inputs.tag }}" >> $GITHUB_ENV + run: echo "RELEASE_VERSION=${GITHUB_EVENT_INPUTS_TAG}" >> $GITHUB_ENV + env: + GITHUB_EVENT_INPUTS_TAG: ${{ github.event.inputs.tag }} - name: Deploy with mike 🚀 run: | @@ -106,6 +112,7 @@ jobs: # fetch everything so we can checkout the tag fetch-depth: 0 submodules: recursive + persist-credentials: false - uses: prefix-dev/setup-pixi@main with: diff --git a/.github/workflows/enforce-sha.yaml b/.github/workflows/enforce-sha.yaml index 0acb12dfff..dec7af0890 100644 --- a/.github/workflows/enforce-sha.yaml +++ b/.github/workflows/enforce-sha.yaml @@ -13,6 +13,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + with: + persist-credentials: false - name: Ensure SHA pinned actions uses: zgosalvez/github-actions-ensure-sha-pinned-actions@9e9574ef04ea69da568d6249bd69539ccc704e74 # v4 with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index eface81b61..b5e2ce0182 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -61,6 +61,7 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: submodules: recursive + persist-credentials: false # Turn back on when we're on the released version of dist # - name: Install dist # # we specify bash to get pipefail; it guards against the `curl` command 
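Review bot: The `Checkout tag` step now takes the tag through `GITHUB_EVENT_INPUTS_TAG`, which removes the template expansion, but the shell expansion itself is left bare: `git checkout tags/${GITHUB_EVENT_INPUTS_TAG}` still word-splits and glob-expands whatever the `workflow_dispatch` caller typed. Quoting completes the change, `git checkout "tags/${GITHUB_EVENT_INPUTS_TAG}"`, and the same goes for `>> "$GITHUB_ENV"` in the `Tag from workflow_dispatch` step of the next hunk. The value comes from a manually dispatched input, so only someone who can already run the workflow supplies it; this is hardening of an operator-facing path rather than a new exposure.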
@@ -146,6 +147,7 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: submodules: recursive + persist-credentials: false # Use fork of dist to allow for binaries in the root of the tarball - name: Install cargo-dist from git @@ -189,8 +191,11 @@ jobs: fi # Actually do builds and make zips and whatnot - dist build ${{ needs.plan.outputs.tag-flag }} --print=linkage --output-format=json ${{ matrix.dist_args }} > dist-manifest.json + dist build ${NEEDS_PLAN_OUTPUTS_TAG_FLAG} --print=linkage --output-format=json ${MATRIX_DIST_ARGS} > dist-manifest.json echo "dist ran successfully" + env: + NEEDS_PLAN_OUTPUTS_TAG_FLAG: ${{ needs.plan.outputs.tag-flag }} + MATRIX_DIST_ARGS: ${{ matrix.dist_args }} - name: Attest Builds id: attest uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 @@ -232,6 +237,7 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: submodules: recursive + persist-credentials: false - name: Install cached dist uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: @@ -248,7 +254,7 @@ jobs: - id: cargo-dist shell: bash run: | - dist build ${{ needs.plan.outputs.tag-flag }} --output-format=json "--artifacts=global" > dist-manifest.json + dist build ${NEEDS_PLAN_OUTPUTS_TAG_FLAG} --output-format=json "--artifacts=global" > dist-manifest.json echo "dist ran successfully" # Parse out what we just built and upload it to scratch storage @@ -257,6 +263,8 @@ jobs: echo "EOF" >> "$GITHUB_OUTPUT" cp dist-manifest.json "$BUILD_MANIFEST_NAME" + env: + NEEDS_PLAN_OUTPUTS_TAG_FLAG: ${{ needs.plan.outputs.tag-flag }} - name: "Upload artifacts" uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: 
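Review bot: `dist build ${NEEDS_PLAN_OUTPUTS_TAG_FLAG} --print=linkage --output-format=json ${MATRIX_DIST_ARGS} > dist-manifest.json` in the `@@ -189,8 +191,11 @@` hunk depends on both expansions staying unquoted: `tag-flag` is an optional flag that may be empty and `dist_args` presumably holds several flags, so quoting either would pass an empty or a single fused argument to dist. That intent was visible while they were `${{ }}` expressions and is invisible now that they look like ordinary shell variables, and the repository suppresses SC2086 (see the actionlint task in pixi.toml), so nothing will warn when a later edit quotes them. A one-line comment above the command, `# intentionally unquoted: tag-flag may be empty and dist_args may carry several flags`, protects it. The same applies to `dist build ${NEEDS_PLAN_OUTPUTS_TAG_FLAG}` in the `@@ -248,7 +254,7 @@` hunk on this line and to `dist host ${NEEDS_PLAN_OUTPUTS_TAG_FLAG}` on the next.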
@@ -281,6 +289,7 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: submodules: recursive + persist-credentials: false - name: Install cached dist uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: @@ -298,10 +307,12 @@ jobs: - id: host shell: bash run: | - dist host ${{ needs.plan.outputs.tag-flag }} --steps=upload --steps=release --output-format=json > dist-manifest.json + dist host ${NEEDS_PLAN_OUTPUTS_TAG_FLAG} --steps=upload --steps=release --output-format=json > dist-manifest.json echo "artifacts uploaded and released successfully" cat dist-manifest.json echo "manifest=$(jq -c "." dist-manifest.json)" >> "$GITHUB_OUTPUT" + env: + NEEDS_PLAN_OUTPUTS_TAG_FLAG: ${{ needs.plan.outputs.tag-flag }} - name: "Upload dist-manifest.json" uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: @@ -402,6 +413,7 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: submodules: recursive + persist-credentials: false # Create a GitHub Release while uploading all files to it - name: "Download GitHub Artifacts" uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 @@ -419,8 +431,9 @@ jobs: ANNOUNCEMENT_TITLE: "${{ fromJson(needs.host.outputs.val).announcement_title }}" ANNOUNCEMENT_BODY: "${{ fromJson(needs.host.outputs.val).announcement_github_body }}" RELEASE_COMMIT: "${{ github.sha }}" + NEEDS_PLAN_OUTPUTS_TAG: ${{ needs.plan.outputs.tag }} run: | # Write and read notes from a file to avoid quoting breaking things echo "$ANNOUNCEMENT_BODY" > $RUNNER_TEMP/notes.txt - gh release create "${{ needs.plan.outputs.tag }}" --target "$RELEASE_COMMIT" $PRERELEASE_FLAG --draft --title "$ANNOUNCEMENT_TITLE" --notes-file "$RUNNER_TEMP/notes.txt" artifacts/* + gh release create "${NEEDS_PLAN_OUTPUTS_TAG}" --target "$RELEASE_COMMIT" $PRERELEASE_FLAG --draft --title "$ANNOUNCEMENT_TITLE" --notes-file "$RUNNER_TEMP/notes.txt" artifacts/* 
diff --git a/.github/workflows/schema.yml b/.github/workflows/schema.yml index f355c8ab1d..599e4f059d 100644 --- a/.github/workflows/schema.yml +++ b/.github/workflows/schema.yml @@ -22,6 +22,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + with: + persist-credentials: false - uses: prefix-dev/setup-pixi@main with: cache: true diff --git a/.github/workflows/test_common_wheels.yml b/.github/workflows/test_common_wheels.yml index b10906d8ef..05106c3275 100644 --- a/.github/workflows/test_common_wheels.yml +++ b/.github/workflows/test_common_wheels.yml @@ -34,6 +34,7 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: ref: ${{ inputs.sha }} + persist-credentials: false - name: Create Dev Drive using ReFS if: ${{ contains(inputs.arch, 'windows') }} run: ${{ github.workspace }}/.github/workflows/setup-dev-drive.ps1 @@ -55,7 +56,7 @@ jobs: if: ${{ !contains(inputs.arch, 'windows') && always() }} shell: bash run: | - cat ${{ env.SUMMARY_FILE }} >> $GITHUB_STEP_SUMMARY + cat ${SUMMARY_FILE} >> $GITHUB_STEP_SUMMARY - name: Write .summary.md to GitHub Summary (Windows) if: ${{ contains(inputs.arch, 'windows') && always() }} shell: pwsh diff --git a/.github/workflows/trampoline.yaml b/.github/workflows/trampoline.yaml index 6cdf2cc93e..04a21c85ae 100644 --- a/.github/workflows/trampoline.yaml +++ b/.github/workflows/trampoline.yaml @@ -58,6 +58,7 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: fetch-depth: 0 # Fetch full history so we have branch information + persist-credentials: false - name: Set up Rust uses: taiki-e/setup-cross-toolchain-action@84e58a47fc2bcd3821a2aa8c153595bbffb0e10f # v1 
@@ -88,6 +89,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + with: + persist-credentials: false - name: Download all binaries uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 From c246e51444acbd91f95810335ecda4d82bd2d2ac Mon Sep 17 00:00:00 2001 From: Ben Moss Date: Thu, 23 Oct 2025 13:56:40 -0400 Subject: [PATCH 3/4] add github action --- .github/workflows/zizmor.yml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000000..aff52edf16 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,23 @@ +name: GitHub Actions Security Analysis with zizmor 🌈 + +on: + push: + branches: ["main"] + pull_request: + branches: ["**"] + +permissions: {} + +jobs: + zizmor: + runs-on: ubuntu-latest + permissions: + security-events: write + steps: + - name: Checkout repository + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false + + - name: Run zizmor 🌈 + uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0 From 7a560c10f01c5769c819e3c739b5e2df1a6e855f Mon Sep 17 00:00:00 2001 From: Ben Moss Date: Sun, 26 Oct 2025 19:15:26 -0400 Subject: [PATCH 4/4] move to pre-push --- lefthook.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lefthook.yaml b/lefthook.yaml index 149a0c41f7..0794eefc33 100644 --- a/lefthook.yaml +++ b/lefthook.yaml @@ -56,9 +56,6 @@ pre-commit: - name: typos stage_fixed: true run: pixi {run} typos - - name: zizmor - glob: ".github/*.{yaml,yml}" - run: pixi {run} zizmor {staged_files} pre-push: jobs: @@ -74,3 +71,6 @@ pre-push: run: pixi {run} cargo-deny - name: check-openssl run: pixi {run} check-openssl + - name: zizmor + glob: ".github/*.{yaml,yml}" + run: pixi {run} zizmor {staged_files}
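Review bot: The new `.github/workflows/zizmor.yml` runs whatever zizmor version `zizmorcore/zizmor-action` at the pinned v0.2.0 installs, while the lefthook path in pixi.toml runs `zizmor = ">=1.14.1,<2"`, so the two entry points can disagree on findings and a push that passes the local hook may fail in CI. If the action exposes a version input, pinning it to the same release as the pixi lock (1.14.1 here) keeps them aligned; otherwise a comment on the `Run zizmor` step noting that CI may run a newer zizmor than the hook saves the next person a confused debugging session. The SARIF upload implied by `security-events: write` also needs a writable token, which pull requests from forks do not get; worth confirming that the action degrades gracefully there.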
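Review bot: After the move to `pre-push` in PATCH 4/4, `run: pixi {run} zizmor {staged_files}` still asks lefthook for the index, which is normally empty at push time; lefthook provides `{push_files}` for pre-push hooks, and as far as I know it skips a command whose file template expands to nothing, so this job would quietly never lint anything. Either switch to `run: pixi {run} zizmor {push_files}` or drop the template and the glob and audit the directory the way the CI job does, `run: pixi {run} zizmor .github/workflows`. Note that the glob is carried over unchanged from PATCH 1/4 and only matches files directly under `.github/`, so it must be fixed alongside whichever option is taken.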