Merge branch 'main' into patch-5

Author: kingbuzzman

.github/workflows/main.yml

@@ -9,7 +9,7 @@ on:
   pull_request:
 
 concurrency:
-  group: ci-main-${{ github.ref }}
+  group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
 
 env:
@@ -25,6 +25,9 @@ jobs:
     timeout-minutes: 15
     permissions:
       contents: read
+      security-events: write
+    env:
+      TOXENV: ${{ matrix.name }}
     steps:
       - uses: actions/checkout@v4
         with:
@@ -53,7 +56,14 @@ jobs:
           pip install tox==4.26.0
 
       - name: Run tox
-        run: tox -e ${{ matrix.name }}
+        run: tox
+
+      - name: Upload zizmor SARIF report into the GitHub repo code scanning
+        if: contains(matrix.name, 'linting')
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: zizmor.sarif
+          category: zizmor
 
       - name: Report coverage
         if: contains(matrix.name, 'coverage')

.github/zizmor.yml

@@ -0,0 +1,7 @@
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        actions/*: ref-pin
+        codecov/codecov-action: ref-pin
+        github/*: ref-pin

.gitignore

@@ -18,3 +18,4 @@ _build
 *.egg
 # autogenerated by setuptools-scm
 /pytest_django/_version.py
+zizmor.sarif

pyproject.toml

@@ -63,8 +63,9 @@ xdist = [
     "pytest-xdist",
 ]
 linting = [
-    "ruff==0.9.5",
     "mypy==1.15.0",
+    "ruff==0.9.5",
+    "zizmor==1.9.0",
 ]
 [project.urls]
 Documentation = "https://pytest-django.readthedocs.io/"

tox.ini

@@ -48,6 +48,7 @@ commands =
     ruff check --diff {posargs:pytest_django pytest_django_test tests}
     ruff format --quiet --diff {posargs:pytest_django pytest_django_test tests}
     mypy {posargs:pytest_django pytest_django_test tests}
+    python -c "import subprocess, sys; sys.exit(subprocess.call('zizmor --persona=pedantic --format sarif .github/workflows/deploy.yml .github/workflows/main.yml > zizmor.sarif', shell=True))"
 
 [testenv:doc8]
 basepython = python3