Steal a few good ideas from the attrs GH workflow.

Author: Julian

.github/workflows/ci.yml

@@ -9,33 +9,46 @@ on:
     # Daily at 8:33
     - cron: "33 8 * * *"
 
+env:
+  PIP_DISABLE_PIP_VERSION_CHECK: "1"
+  PIP_NO_PYTHON_VERSION_WARNING: "1"
+  PYTHON_LATEST: "3.11"
+
 jobs:
   pre-commit:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
       - uses: actions/setup-python@v4
         with:
-          python-version: "3.11"
+          python-version: ${{ env.PYTHON_LATEST }}
       - uses: pre-commit/[email protected]
 
   ci:
     runs-on: ubuntu-latest
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            files.pythonhosted.org:443
+            github.com:443
+            objects.githubusercontent.com:443
+            pypi.org:443
       - uses: actions/checkout@v3
       - name: Install dependencies
-        run: >
-          sudo apt-get update &&
-          sudo apt-get install -y libenchant-2-dev libxml2-dev libxslt-dev
+        run: sudo apt-get update && sudo apt-get install -y libenchant-2-dev
         if: runner.os == 'Linux'
       - name: Install dependencies
         run: brew install enchant
         if: runner.os == 'macOS'
       - name: Set up Python
         uses: actions/setup-python@v4
         with:
-          python-version: "3.11"
+          python-version: ${{env.PYTHON_LATEST}}
       - name: Set up nox
         uses: wntrblm/[email protected]
       - name: Run nox
@@ -50,7 +63,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v4
         with:
-          python-version: "3.11"
+          python-version: ${{ env.PYTHON_LATEST }}
       - name: Install dependencies
         run: python -m pip install build
       - name: Create packages