5 files changed +53 -4 lines changed
1313 shell : bash -leo pipefail {0}
1414 steps :
1515 - uses : actions/checkout@v4
16+ with :
17+ persist-credentials : false
1618 - uses : mamba-org/setup-micromamba@v2
1719 with :
1820 micromamba-version : " 1.5.10-0" # until https://github.com/mamba-org/setup-micromamba/issues/225 is resolved
2626 with :
2727 fetch-depth : 0
2828 submodules : true
29+ persist-credentials : false
2930
3031 - name : Build SDist
3132 run : pipx run build --sdist
4546 - uses : actions/checkout@v4
4647 with :
4748 fetch-depth : 0
49+ persist-credentials : false
4850 - uses : hynek/build-and-inspect-python-package@v2
4951
5052 build_wheels :
6062 - uses : actions/checkout@v4
6163 with :
6264 fetch-depth : 0
65+ persist-credentials : false
6366
6467 - name : Build wheels
65687679 - uses : actions/checkout@v4
7780 with :
7881 fetch-depth : 0
82+ persist-credentials : false
7983
8084 - name : Set up Python
8185 uses : actions/setup-python@v5
11name : Read the Docs Pull Request Preview
22on :
3- pull_request_target :
3+ # See <https://github.com/readthedocs/actions/issues/45>
4+ pull_request_target : # zizmor: ignore[dangerous-triggers]
45 types :
56 - opened
67
7- permissions :
8- pull-requests : write
9-
108jobs :
119 documentation-links :
1210 runs-on : ubuntu-latest
11+ permissions :
12+ pull-requests : write
1313 steps :
1414 - uses : readthedocs/actions/preview@v1
1515 with :
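Review bot: With the workflow-level `permissions:` block removed, this `pull_request_target` workflow has no top-level default any more, so a job added later would get the repository's default token scopes rather than none. Keep the job-level `pull-requests: write` and add `permissions: {}` at the top level so each job has to opt in to what it needs. The `# zizmor: ignore[dangerous-triggers]` suppression is justified only by a link; a short comment stating the condition it relies on, for example `# OK only while this job never checks out or runs pull-request code`, would let a reader verify the exception without leaving the file. Because the job runs with a write-scoped token in the base-repository context, `readthedocs/actions/preview@v1` is also worth pinning to a full commit SHA. The step list continues past the lines shown here.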
2525 - uses : actions/checkout@v4
2626 with :
2727 fetch-depth : 0
28+ persist-credentials : false
2829 - uses : dorny/paths-filter@v3
2930 id : changes
3031 with :
5657 python-version : ["3.10", "3.12"]
5758 steps :
5859 - uses : actions/checkout@v4
60+ with :
61+ persist-credentials : false
5962 - uses : actions/setup-python@v5
6063 with :
6164 python-version : ${{ matrix.python-version }}
@@ -146,6 +149,7 @@ jobs:
146149 - uses : actions/checkout@v4
147150 with :
148151 fetch-depth : 0
152+ persist-credentials : false
149153 - name : Set up Python ${{ matrix.python-version }}
150154 uses : mamba-org/setup-micromamba@v2
151155 with :
@@ -229,6 +233,7 @@ jobs:
229233 - uses : actions/checkout@v4
230234 with :
231235 fetch-depth : 0
236+ persist-credentials : false
232237 - name : Set up Python 3.10
233238 uses : mamba-org/setup-micromamba@v2
234239 with :
@@ -286,6 +291,8 @@ jobs:
286291 if : ${{ needs.changes.outputs.changes == 'true' && needs.all-checks.result == 'success' }}
287292 steps :
288293 - uses : actions/checkout@v4
294+ with :
295+ persist-credentials : false
289296
290297 - name : Set up Python
291298 uses : actions/setup-python@v5
1+ # https://github.com/woodruffw/zizmor
2+ name : zizmor GHA analysis
3+
4+ on :
5+ push :
6+ branches : ["main"]
7+ pull_request :
8+ branches : ["**"]
9+
10+ jobs :
11+ zizmor :
12+ name : zizmor latest via PyPI
13+ runs-on : ubuntu-latest
14+ permissions :
15+ security-events : write
16+ steps :
17+ - name : Checkout repository
18+ uses : actions/checkout@v4
19+ with :
20+ persist-credentials : false
21+
22+ - uses : hynek/setup-cached-uv@v2
23+
24+ - name : Run zizmor 🌈
25+ run : uvx zizmor --format sarif . > results.sarif
26+ env :
27+ GH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
28+
29+ - name : Upload SARIF file
30+ uses : github/codeql-action/upload-sarif@v3
31+ with :
32+ # Path to SARIF file relative to the root of the repository
33+ sarif_file : results.sarif
34+ # Optional category for the results
35+ # Used to differentiate multiple results for one commit
36+ category : zizmor
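Review bot: The `run: uvx zizmor --format sarif . > results.sarif` step resolves whichever zizmor release is newest on PyPI at run time and executes it with `GH_TOKEN` in its environment, so a broken or compromised upload would run in CI without review. Pin the tool, e.g. `uvx zizmor==<PINNED_VERSION>`, and bump it deliberately. The job-level `permissions:` grants only `security-events: write`, which leaves every other scope at none. That is fine for a public repository, but in a private one the checkout and SARIF upload would presumably also need `contents: read` and `actions: read`. A top-level `permissions: {}` would make deny-by-default explicit for any job added to this file later.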