ci: various configs (#129)

Author: yxtay

.github/workflows/ci.yml

@@ -19,6 +19,8 @@ concurrency:
 
 jobs:
   python:
+    permissions:
+      contents: read
     strategy:
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]

.github/workflows/scans.yml

@@ -50,17 +50,7 @@ jobs:
         # More info at https://megalinter.io/latest/flavors/
         uses: oxsecurity/megalinter@ec124f7998718d79379a3c5b39f5359952baf21d # v8
         env:
-          # All available variables are described in documentation
-          # https://megalinter.io/latest/configuration/
-          APPLY_FIXES: all
-          DISABLE_LINTERS: JSON_JSONLINT,SPELL_CSPELL
-          DISABLE_ERRORS_LINTERS: REPOSITORY_DEVSKIM,REPOSITORY_KICS
-          FAIL_IF_UPDATED_SOURCES: true
-          GITHUB_STATUS_REPORTER: true
           GITHUB_TOKEN: ${{ github.token }}
-          PYTHON_DEFAULT_STYLE: ruff
-          SARIF_REPORTER: true
-          VALIDATE_ALL_CODEBASE: false
 
       - if: ${{ success() || failure() }}
         uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4

.mega-linter.yml

@@ -0,0 +1,16 @@
+APPLY_FIXES: all
+DISABLE_LINTERS:
+  - JSON_JSONLINT
+  - PYTHON_ISORT
+  - PYTHON_PYLINT
+  - PYTHON_PYRIGHT
+  - SPELL_CSPELL
+DISABLE_ERRORS_LINTERS:
+  - COPYPASTE_JSCPD
+  - REPOSITORY_DEVSKIM
+  - REPOSITORY_KICS
+FAIL_IF_UPDATED_SOURCES: true
+GITHUB_STATUS_REPORTER: true
+PYTHON_DEFAULT_STYLE: ruff
+SARIF_REPORTER: true
+VALIDATE_ALL_CODEBASE: false

.pre-commit-config.yaml

@@ -61,7 +61,7 @@ repos:
       - id: detect-private-key
 
   - repo: https://github.com/gitleaks/gitleaks
-    rev: v8.23.3
+    rev: v8.24.0
     hooks:
       - id: gitleaks
 
@@ -81,7 +81,7 @@ repos:
       - id: markdownlint
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.9.6
+    rev: v0.9.7
     hooks:
       - id: ruff
         types_or: [python, pyi, jupyter]
@@ -95,7 +95,7 @@ repos:
       - id: taplo-format
 
   - repo: https://github.com/astral-sh/uv-pre-commit
-    rev: 0.6.1
+    rev: 0.6.2
     hooks:
       - id: uv-lock
 

.python-version

@@ -0,0 +1 @@
+3.13

renovate.json

@@ -1,10 +1,19 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": ["config:best-practices", "group:allNonMajor"],
+  "extends": [
+    "config:best-practices",
+    "security:openssf-scorecard",
+    "group:allNonMajor",
+    "group:allDigest",
+    ":automergeMinor",
+    ":automergeDigest"
+  ],
   "packageRules": [
     {
-      "automerge": true,
-      "matchUpdateTypes": ["minor", "patch", "pin", "digest"]
+      "automerge": false,
+      "groupName": "python",
+      "matchPackageNames": ["python"],
+      "matchUpdateTypes": ["minor"]
     }
   ]
 }