
Commit 1840162

timhoffmmeeseeksmachine
authored andcommitted
Backport PR #29251: Zizmor audit
1 parent 1af51a5 commit 1840162

15 files changed

+74
-55
lines changed

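--- a/.github/workflows/cibuildwheel.yml
+++ b/.github/workflows/cibuildwheel.yml
@@ -39,11 +39,12 @@ jobs:
 SDIST_NAME: ${{ steps.sdist.outputs.SDIST_NAME }}
 
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0
+persist-credentials: false
 
-- uses: actions/setup-python@v5
+- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
 name: Install Python
 with:
 python-version: '3.10'
@@ -69,7 +70,7 @@ jobs:
 run: twine check dist/*
 
 - name: Upload sdist result
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: cibw-sdist
 path: dist/*.tar.gz
@@ -132,12 +133,12 @@ jobs:
 steps:
 - name: Set up QEMU
 if: matrix.cibw_archs == 'aarch64'
-uses: docker/setup-qemu-action@v3
+uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
 with:
 platforms: arm64
 
 - name: Download sdist
-uses: actions/download-artifact@v4
+uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 with:
 name: cibw-sdist
 path: dist/
@@ -201,7 +202,7 @@ jobs:
 unset PIP_CONSTRAINT
 if: matrix.cibw_archs != 'aarch64' && matrix.os != 'windows-latest'
 
-- uses: actions/upload-artifact@v4
+- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: cibw-wheels-${{ runner.os }}-${{ matrix.cibw_archs }}
 path: ./wheelhouse/*.whl
@@ -219,7 +220,7 @@ jobs:
 contents: read
 steps:
 - name: Download packages
-uses: actions/download-artifact@v4
+uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 with:
 pattern: cibw-*
 path: dist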
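Review bot: Nothing visible in this commit keeps the new full-SHA pins current, and that applies to every `uses:` line pinned here and in the other workflows it touches. A commit-pinned action no longer picks up upstream security fixes on its own, so the pins should be paired with an updater; if the repository does not already have a Dependabot entry with `package-ecosystem: "github-actions"`, adding one keeps each SHA and its trailing version comment moving together. The version comments are also the only human-readable link between a hash and a release, so each one is worth resolving against the upstream tag before merge.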

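--- a/.github/workflows/circleci.yml
+++ b/.github/workflows/circleci.yml
@@ -28,16 +28,20 @@ jobs:
 runs-on: ubuntu-latest
 name: Post warnings/errors as review
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+with:
+persist-credentials: false
 
 - name: Fetch result artifacts
 id: fetch-artifacts
+env:
+target_url: "${{ github.event.target_url }}"
 run: |
-python .circleci/fetch_doc_logs.py "${{ github.event.target_url }}"
+python .circleci/fetch_doc_logs.py "${target_url}"
 
 - name: Set up reviewdog
 if: "${{ steps.fetch-artifacts.outputs.count != 0 }}"
-uses: reviewdog/action-setup@v1
+uses: reviewdog/action-setup@3f401fe1d58fe77e10d665ab713057375e39b887 # v1.3.0
 with:
 reviewdog_version: latest
 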
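Review bot: The `Set up reviewdog` step is now pinned by commit, but `reviewdog_version: latest` in its `with:` block still makes the action fetch whichever reviewdog release is newest at run time, so the executable that actually runs in this job is not pinned. Set it to a fixed release, e.g. `reviewdog_version: <pinned-reviewdog-version>`, and bump it together with the action SHA. Separately, passing `github.event.target_url` through `env:` removes the expression-into-shell injection, but the value is still externally supplied; `fetch_doc_logs.py` is not visible here, so confirm it validates the URL's host before fetching from it.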

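--- a/.github/workflows/clean_pr.yml
+++ b/.github/workflows/clean_pr.yml
@@ -10,9 +10,10 @@ jobs:
 runs-on: ubuntu-latest
 
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: '0'
+persist-credentials: false
 - name: Check for added-and-deleted files
 run: |
 git fetch --quiet origin "$GITHUB_BASE_REF"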
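Review bot: With `persist-credentials: false` on the checkout, the `git fetch --quiet origin "$GITHUB_BASE_REF"` in the following step now runs without a token. That works on a public repository, which is presumably the case here, but it is an unstated dependency. A comment above the fetch such as `# anonymous fetch: checkout does not persist credentials` would stop someone from re-enabling credential persistence if this ever fails on a private mirror. The step's `run:` body continues outside the hunk.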

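--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -26,10 +26,12 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+with:
+persist-credentials: false
 
 - name: Initialize CodeQL
-uses: github/codeql-action/init@v3
+uses: github/codeql-action/init@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
 with:
 languages: ${{ matrix.language }}
 
@@ -40,4 +42,4 @@ jobs:
 pip install --user -v .
 
 - name: Perform CodeQL Analysis
-uses: github/codeql-action/analyze@v3
+uses: github/codeql-action/analyze@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6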

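--- a/.github/workflows/conflictcheck.yml
+++ b/.github/workflows/conflictcheck.yml
@@ -9,12 +9,11 @@ on:
 pull_request_target:
 types: [synchronize]
 
-permissions:
-pull-requests: write
-
 jobs:
 main:
 runs-on: ubuntu-latest
+permissions:
+pull-requests: write
 steps:
 - name: Check if PRs have merge conflicts
 uses: eps1lon/actions-label-merge-conflict@1b1b1fcde06a9b3d089f3464c96417961dde1168 # v3.0.2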
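Review bot: After `pull-requests: write` moves down to the `main` job, the visible part of the workflow has no top-level `permissions:` key, so any job added later would inherit the repository's default token permissions. This workflow is triggered by `pull_request_target`, which runs with the base repository's token even for pull requests from forks, so a deny-by-default baseline is worth stating explicitly. Add `permissions: {}` at workflow level and keep the job-level grant as it is.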

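--- a/.github/workflows/cygwin.yml
+++ b/.github/workflows/cygwin.yml
@@ -79,11 +79,12 @@ jobs:
 - name: Fix line endings
 run: git config --global core.autocrlf input
 
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0
+persist-credentials: false
 
-- uses: cygwin/cygwin-install-action@v4
+- uses: cygwin/cygwin-install-action@006ad0b0946ca6d0a3ea2d4437677fa767392401 # v4
 with:
 packages: >-
 ccache gcc-g++ gdb git graphviz libcairo-devel libffi-devel
@@ -139,21 +140,21 @@ jobs:
 # FreeType build fails with bash, succeeds with dash
 
 - name: Cache pip
-uses: actions/cache@v4
+uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
 with:
 path: C:\cygwin\home\runneradmin\.cache\pip
 key: Cygwin-py3.${{ matrix.python-minor-version }}-pip-${{ hashFiles('requirements/*/*.txt') }}
 restore-keys: ${{ matrix.os }}-py3.${{ matrix.python-minor-version }}-pip-
 
 - name: Cache ccache
-uses: actions/cache@v4
+uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
 with:
 path: C:\cygwin\home\runneradmin\.ccache
 key: Cygwin-py3.${{ matrix.python-minor-version }}-ccache-${{ hashFiles('src/*') }}
 restore-keys: Cygwin-py3.${{ matrix.python-minor-version }}-ccache-
 
 - name: Cache Matplotlib
-uses: actions/cache@v4
+uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
 with:
 path: |
 C:\cygwin\home\runneradmin\.cache\matplotlib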
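Review bot: The pin for `cygwin/cygwin-install-action` is annotated only `# v4`, a moving major tag, while every other pin in this commit names an exact release. A reader cannot check that hash against a specific release, and update tooling that relies on the comment has nothing precise to compare. If upstream publishes no point releases, say so in the comment, for example `# v4 (moving tag; no point release)`; otherwise use the exact version the SHA corresponds to. The `with:` block of the last cache step continues outside the hunk.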

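--- a/.github/workflows/do_not_merge.yml
+++ b/.github/workflows/do_not_merge.yml
@@ -23,7 +23,6 @@ jobs:
 echo "This PR cannot be merged because it has one of the following labels: "
 echo "* status: needs comment/discussion"
 echo "* status: waiting for other PR"
-echo "${{env.has_tag}}"
 exit 1
 - name: Allow merging
 if: ${{'false' == env.has_tag}}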

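--- a/.github/workflows/good-first-issue.yml
+++ b/.github/workflows/good-first-issue.yml
@@ -12,7 +12,7 @@ jobs:
 issues: write
 steps:
 - name: Add comment
-uses: peter-evans/create-or-update-comment@v4
+uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
 with:
 issue-number: ${{ github.event.issue.number }}
 body: |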

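--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -10,6 +10,6 @@ jobs:
 pull-requests: write
 runs-on: ubuntu-latest
 steps:
-- uses: actions/labeler@v5
+- uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
 with:
 sync-labels: true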

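--- a/.github/workflows/mypy-stubtest.yml
+++ b/.github/workflows/mypy-stubtest.yml
@@ -4,22 +4,25 @@ on: [pull_request]
 
 permissions:
 contents: read
-checks: write
 
 jobs:
 mypy-stubtest:
 name: mypy-stubtest
 runs-on: ubuntu-latest
+permissions:
+checks: write
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+with:
+persist-credentials: false
 
 - name: Set up Python 3
-uses: actions/setup-python@v5
+uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
 with:
 python-version: '3.10'
 
 - name: Set up reviewdog
-uses: reviewdog/action-setup@v1
+uses: reviewdog/action-setup@3f401fe1d58fe77e10d665ab713057375e39b887 # v1.3.9
 
 - name: Install tox
 run: python -m pip install tox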
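Review bot: The reviewdog pin here is commented `# v1.3.9`, but the identical SHA `3f401fe1d58fe77e10d665ab713057375e39b887` is commented `# v1.3.0` in `.github/workflows/circleci.yml` in this same commit, so at least one of the two comments is wrong. Resolve the SHA against the upstream tags and make both comments agree, since the comment is what a reviewer or an update tool reads. Also, a job-level `permissions:` block replaces the workflow-level one for that job rather than adding to it, so `mypy-stubtest` now runs with `checks: write` only. If any step needs `contents: read` on the token, list it in the job block as well.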
