From 1328b1cdc15611329eb5a67d2cd941bc4754df22 Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Thu, 17 Jul 2025 23:25:13 -0400 Subject: [PATCH 1/9] CI: Restrict default permissions Reduces risk of arbitrary code is run by attacker. --- .github/workflows/main.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index 8ea3441..0415f5a 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -1,4 +1,6 @@ name: CI +permissions: + contents: write on: [push, pull_request] From 08b5a555b4e59b6e169168830d27d9a9455f0061 Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Thu, 17 Jul 2025 23:36:36 -0400 Subject: [PATCH 2/9] CI: Restrict default permissions Reduces risk of arbitrary code is run by attacker. --- .github/workflows/main.yaml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index 0415f5a..2e8c7f1 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -1,11 +1,11 @@ name: CI -permissions: - contents: write - on: [push, pull_request] jobs: pre-commit: + permissions: + contents: read + runs-on: ubuntu-20.04 steps: - uses: actions/checkout@v4 @@ -13,6 +13,9 @@ jobs: - uses: pre-commit/action@v3.0.1 build: runs-on: ubuntu-20.04 + permissions: + contents: write + steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v5 From 042eff83a68a499dfa0d73c3bbebc974e7fcd4cd Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Fri, 18 Jul 2025 14:37:50 -0400 Subject: [PATCH 3/9] CI: pin actions by SHA This eliminates the possibility of a tag being changed under us. --- .github/workflows/main.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index 2e8c7f1..dcb0048 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml 
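Review bot: In the second hunk of PATCH 2/9 the `build` job gets `contents: write` for every run, although the workflow triggers on both `push` and `pull_request` and, judging from the later hunks, only the "Publish cheatsheets and handouts" step (gated on a push to master) needs to write. Every build step before it therefore runs in a job whose token can write to the repository, which matters for pull requests opened from branches of the same repository; fork pull requests normally receive a read-only token regardless. Consider giving `build` `contents: read` and moving the publish step into a separate job that depends on it and alone carries `contents: write`. The job bodies continue outside the hunk, so this assumes no other step writes to the repository.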
@@ -10,7 +10,7 @@ jobs: steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v5 - - uses: pre-commit/action@v3.0.1 + - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 build: runs-on: ubuntu-20.04 permissions: @@ -79,7 +79,7 @@ jobs: >> $GITHUB_STEP_SUMMARY - name: Publish cheatsheets and handouts if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} - uses: peaceiris/actions-gh-pages@v4 + uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4 with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: ./docs/_build/html/ From 25791eb3b5f7b62f64d9d2c0c459be268883f7e8 Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Fri, 18 Jul 2025 14:39:36 -0400 Subject: [PATCH 4/9] CI: apply zizmor auto-fixes --- .github/workflows/main.yaml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index dcb0048..727becd 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -9,6 +9,8 @@ jobs: runs-on: ubuntu-20.04 steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-python@v5 - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 build: @@ -18,6 +20,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-python@v5 with: python-version: "3.10" @@ -75,8 +79,10 @@ jobs: - name: Output artifacts URL run: | echo 'Artifact URL:' \ - '${{ steps.diffs-artifact-upload.outputs.artifact-url }}' \ + '${STEPS_DIFFS_ARTIFACT_UPLOAD_OUTPUTS_ARTIFACT_URL}' \ >> $GITHUB_STEP_SUMMARY + env: + STEPS_DIFFS_ARTIFACT_UPLOAD_OUTPUTS_ARTIFACT_URL: ${{ steps.diffs-artifact-upload.outputs.artifact-url }} - name: Publish cheatsheets and handouts if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4 
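Review bot: PATCH 3/9 pins `pre-commit/action` and `peaceiris/actions-gh-pages` by commit SHA, but `actions/checkout@v4` and `actions/setup-python@v5` in the same context lines stay on movable tags, so the commit message's claim holds for only part of the workflow. Pin them in the same form, e.g. `- uses: actions/checkout@<full-commit-sha> # v4.x.y` (placeholder; take the SHA from the release you have verified), and check any `uses:` lines outside these hunks as well. A dependency-update bot that understands the trailing version comment keeps the pins from going stale.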
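Review bot: In the third hunk of PATCH 4/9 the rewritten `echo` keeps the single quotes around `${STEPS_DIFFS_ARTIFACT_UPLOAD_OUTPUTS_ARTIFACT_URL}`, so the shell prints the variable name literally instead of the URL. The old `${{ … }}` form was substituted before the shell ran, which is why the single quotes were harmless there. Moving the value into `env:` is the right fix for the template-injection finding, but the reference needs double quotes: `"${STEPS_DIFFS_ARTIFACT_UPLOAD_OUTPUTS_ARTIFACT_URL}" \`, and `>> "$GITHUB_STEP_SUMMARY"` is worth quoting at the same time. PATCH 7/9 later removes this step, so the breakage exists only in the intermediate commits.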
From bc88c6d250b7a382ad5858c6b86d8af27ab287f0 Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Tue, 22 Jul 2025 09:16:53 -0400 Subject: [PATCH 5/9] CI: update version string Co-authored-by: Elliott Sales de Andrade --- .github/workflows/main.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index 727becd..2f98d8c 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -85,7 +85,7 @@ jobs: STEPS_DIFFS_ARTIFACT_UPLOAD_OUTPUTS_ARTIFACT_URL: ${{ steps.diffs-artifact-upload.outputs.artifact-url }} - name: Publish cheatsheets and handouts if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} - uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4 + uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: ./docs/_build/html/ From c9e8440803c767449a20a9b4c9d3d43a410f0bef Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Wed, 23 Jul 2025 22:00:27 -0400 Subject: [PATCH 6/9] CI: try latest image --- .github/workflows/main.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index 2f98d8c..a6d87da 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -6,7 +6,7 @@ jobs: permissions: contents: read - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 with: From b7c2b53eeaba9bdb5ca0c99f2b3d552697685c78 Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Wed, 23 Jul 2025 22:01:10 -0400 Subject: [PATCH 7/9] CI: remove redundant step --- .github/workflows/main.yaml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index a6d87da..133b040 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml 
@@ -76,13 +76,6 @@ jobs: name: diffs path: | diffs/ - - name: Output artifacts URL - run: | - echo 'Artifact URL:' \ - '${STEPS_DIFFS_ARTIFACT_UPLOAD_OUTPUTS_ARTIFACT_URL}' \ - >> $GITHUB_STEP_SUMMARY - env: - STEPS_DIFFS_ARTIFACT_UPLOAD_OUTPUTS_ARTIFACT_URL: ${{ steps.diffs-artifact-upload.outputs.artifact-url }} - name: Publish cheatsheets and handouts if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0 From 75491efe80a75262f54f37d0185cd33613a67c2e Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Wed, 23 Jul 2025 22:05:17 -0400 Subject: [PATCH 8/9] CI: try bumping the flake8 version --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index b940132..3e80b24 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -10,6 +10,6 @@ repos: - id: end-of-file-fixer - id: trailing-whitespace - repo: https://github.com/pycqa/flake8 - rev: 4.0.1 + rev: 7.3.0 hooks: - id: flake8 From f25b7afda549feaa969a2dc9f09ff801391998da Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Wed, 23 Jul 2025 22:12:03 -0400 Subject: [PATCH 9/9] CI: bump the other job to ubuntu-latest --- .github/workflows/main.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index 133b040..76361fe 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -14,7 +14,7 @@ jobs: - uses: actions/setup-python@v5 - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 build: - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest permissions: contents: write pFad - Phonifier reborn
