Add artifact attestation for build provenance (#609)

- Add `check-yaml`, `actionlint`, `yamllint`, `zizmor` pre-commit hooks.
  - And perform fixes guided by them.
- Update codecov from 4 to 5. This should maybe be looked at closer.
- Remove `conda.recipe` instead of updating it, because it probably isn't used.

Author: eriknw

.github/workflows/pre-commit.yml

@@ -6,6 +6,9 @@ on:
   push:
     branches: [master]
 
+permissions:
+  contents: read
+
 jobs:
   pre-commit:
     name: pre-commit-hooks
@@ -18,4 +21,4 @@ jobs:
       - uses: actions/setup-python@v6
         with:
           python-version: "3.13"
-      - uses: pre-commit/[email protected]
+      - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd  # v3.0.1

.github/workflows/publish_pypi.yml

@@ -1,4 +1,4 @@
-name: Publish to PyPI
+name: Builid Wheel and Release
 
 on:
   pull_request:
@@ -17,24 +17,23 @@ on:
     tags:
       - '[0-9]+.[0-9]+.[0-9]+*'
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   build-artifacts:
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
     defaults:
       run:
         shell: bash -l {0}
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
         with:
           fetch-depth: 0
           persist-credentials: false
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c  # v6.0.0
         with:
           python-version: "3.9"
       - name: Install build dependencies
@@ -43,7 +42,7 @@ jobs:
           python -m pip install build twine
       - name: Build wheel and sdist
         run: python -m build
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
         with:
           name: releases
           path: dist
@@ -60,16 +59,15 @@ jobs:
       name: test-pypi
       url: https://test.pypi.org/p/toolz
     permissions:
-      contents: read
       id-token: write
 
     steps:
-      - uses: actions/download-artifact@v5
+      - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0  # v5.0.0
         with:
           name: releases
           path: dist
       - name: Publish to Test-PyPI
-        uses: pypa/[email protected]
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e  # v1.13.0
         with:
           repository-url: https://test.pypi.org/legacy/
           print-hash: true
@@ -84,16 +82,23 @@ jobs:
       name: pypi
       url: https://pypi.org/p/toolz
     permissions:
-      contents: read
       id-token: write
+      attestations: write
 
     steps:
-      - uses: actions/download-artifact@v5
+      - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0  # v5.0.0
         with:
           name: releases
           path: dist
+
+      - name: Generate artifact attestation for sdist and wheel
+        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a  # v3.0.0
+        with:
+          subject-path: "dist/toolz-*"
+
       - name: Publish to PyPI
-        uses: pypa/[email protected]
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e  # v1.13.0
         with:
+          attestations: true
           print-hash: true
           verbose: true

.github/workflows/test.yml

@@ -5,6 +5,9 @@ on:
     branches: [master]
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ${{ matrix.os }}
@@ -50,6 +53,6 @@ jobs:
           coverage xml
       - name: codecov
         if: (! contains(matrix.python-version, 'pypy'))
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7  # v5.5.1
         with:
           token: ${{ secrets.CODECOV_TOKEN }}

.pre-commit-config.yaml

@@ -1,3 +1,6 @@
+ci:
+  autofix_prs: false
+  skip: [no-commit-to-branch]
 fail_fast: false
 default_language_version:
   python: python3
@@ -13,6 +16,7 @@ repos:
       # Checks based on file type
       - id: check-ast
       - id: check-toml
+      - id: check-yaml
       # Detect mistakes
       - id: check-vcs-permalinks
       - id: debug-statements
@@ -44,6 +48,19 @@ repos:
         additional_dependencies:
           - tomli; python_version<'3.11'
         files: ^(toolz|tlz|docs)/
+  - repo: https://github.com/rhysd/actionlint
+    rev: v1.7.8
+    hooks:
+      - id: actionlint
+  - repo: https://github.com/adrienverge/yamllint
+    rev: v1.37.1
+    hooks:
+      - id: yamllint
+        args: [-d, "{extends: default, rules: {line-length: disable}}"]
+  - repo: https://github.com/woodruffw/zizmor-pre-commit
+    rev: v1.15.2
+    hooks:
+      - id: zizmor
   - repo: https://github.com/pre-commit/pygrep-hooks
     rev: v1.10.0
     hooks:
@@ -64,3 +81,8 @@ repos:
     hooks:
       - id: check-hooks-apply
       - id: check-useless-excludes
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v6.0.0
+    hooks:
+      - id: no-commit-to-branch
+        args: [--branch, master]