From 81e188c3b50875f99fc6bf23b6c0b32f5141449d Mon Sep 17 00:00:00 2001 From: sobolevn Date: Fri, 3 Jan 2025 01:00:45 +0300 Subject: [PATCH 01/16] Improve security of our GitHub Actions --- .github/workflows/build_wheels.yml | 7 ++++--- .github/workflows/docs.yml | 2 ++ .github/workflows/mypy_primer.yml | 5 +++++ .github/workflows/mypy_primer_comment.yml | 21 +++++++++++---------- .github/workflows/sync_typeshed.yml | 8 ++++---- .github/workflows/test.yml | 4 ++++ .github/workflows/test_stubgenc.yml | 2 ++ .pre-commit-config.yaml | 10 ++++++++++ 8 files changed, 42 insertions(+), 17 deletions(-) diff --git a/.github/workflows/build_wheels.yml b/.github/workflows/build_wheels.yml index 8055cfd24180..ac90609fe20c 100644 --- a/.github/workflows/build_wheels.yml +++ b/.github/workflows/build_wheels.yml @@ -5,15 +5,16 @@ on: branches: [main, master, 'release*'] tags: ['*'] -permissions: - contents: write - jobs: build-wheels: if: github.repository == 'python/mypy' runs-on: ubuntu-latest + permissions: + contents: write steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-python@v5 with: python-version: '3.11' diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 112102954dd3..3f945b84b7f0 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -35,6 +35,8 @@ jobs: VERIFY_MYPY_ERROR_CODES: 1 steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-python@v5 with: python-version: '3.12' diff --git a/.github/workflows/mypy_primer.yml b/.github/workflows/mypy_primer.yml index 54fa2177716c..a1ea0b0efbbc 100644 --- a/.github/workflows/mypy_primer.yml +++ b/.github/workflows/mypy_primer.yml @@ -38,6 +38,7 @@ jobs: with: path: mypy_to_test fetch-depth: 0 + persist-credentials: false - uses: actions/setup-python@v5 with: python-version: "3.12" 
@@ -102,3 +103,7 @@ jobs: name: mypy_primer_diffs pattern: mypy_primer_diffs-* delete-merged: true + - name: Call comments workflow + uses: python/mypy/.github/workflows/mypy_primer_comment.yml@master + with: + workflow_id: ${{ workflow.id }} diff --git a/.github/workflows/mypy_primer_comment.yml b/.github/workflows/mypy_primer_comment.yml index 72f111b96c53..43f4bbc4ce23 100644 --- a/.github/workflows/mypy_primer_comment.yml +++ b/.github/workflows/mypy_primer_comment.yml @@ -1,31 +1,32 @@ name: Comment with mypy_primer diff on: - workflow_run: - workflows: - - Run mypy_primer - types: - - completed + workflow_call: + input: + workflow_id: + required: true + type: integer -permissions: - contents: read - pull-requests: write jobs: comment: name: Comment PR from mypy_primer runs-on: ubuntu-latest - if: ${{ github.event.workflow_run.conclusion == 'success' }} + permissions: + contents: read + pull-requests: write steps: - name: Download diffs uses: actions/github-script@v7 + env: + WORKFLOW_ID: ${{ inputs.workflow_id }} with: script: | const fs = require('fs'); const artifacts = await github.rest.actions.listWorkflowRunArtifacts({ owner: context.repo.owner, repo: context.repo.repo, - run_id: ${{ github.event.workflow_run.id }}, + run_id: process.env.WORKFLOW_ID, }); const [matchArtifact] = artifacts.data.artifacts.filter((artifact) => artifact.name == "mypy_primer_diffs"); diff --git a/.github/workflows/sync_typeshed.yml b/.github/workflows/sync_typeshed.yml index 84d246441f3d..bdce04ff2ea3 100644 --- a/.github/workflows/sync_typeshed.yml +++ b/.github/workflows/sync_typeshed.yml 
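Review bot: Switching `on:` from `workflow_run` to `workflow_call` changes the security context the `comment` job runs in, because a called workflow inherits the caller's event; if mypy_primer.yml is triggered by `pull_request` (its `on:` block is outside this hunk), the `GITHUB_TOKEN` for pull requests from forks is read-only and the job-level `pull-requests: write` cannot be granted, so the comment step fails for exactly the PRs it is meant to serve. The separate `workflow_run` trigger existed to run the write step outside the untrusted PR context. If the call form is kept, document the limitation beside the trigger, e.g. `# NOTE: called from the PR run; write access is unavailable for fork PRs`. Moving `run_id` into `env.WORKFLOW_ID` is the right shape for the github-script step and is worth keeping whichever trigger is chosen.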
@@ -5,20 +5,20 @@ on: schedule: - cron: "0 0 1,15 * *" -permissions: - contents: write - pull-requests: write - jobs: sync_typeshed: name: Sync typeshed if: github.repository == 'python/mypy' runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write timeout-minutes: 10 steps: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false # TODO: use whatever solution ends up working for # https://github.com/python/typeshed/issues/8434 - uses: actions/setup-python@v5 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 97bc62e002c5..a57d08fa4da8 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -136,6 +136,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Debug build if: ${{ matrix.debug_build }} @@ -217,6 +219,8 @@ jobs: CC: i686-linux-gnu-gcc steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install 32-bit build dependencies run: | sudo dpkg --add-architecture i386 && \ diff --git a/.github/workflows/test_stubgenc.yml b/.github/workflows/test_stubgenc.yml index 115eb047556e..4676acf8695b 100644 --- a/.github/workflows/test_stubgenc.yml +++ b/.github/workflows/test_stubgenc.yml @@ -29,6 +29,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup 🐍 3.9 uses: actions/setup-python@v5 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 1e53f084e675..e0cab8c31131 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -29,5 +29,15 @@ repos: -ignore=property "allow_failure" is not defined, -ignore=SC2(046|086), ] + - repo: https://github.com/woodruffw/zizmor-pre-commit + rev: v1.0.0 + hooks: + - id: zizmor + # Should be the last one: + - repo: meta + hooks: + - id: check-hooks-apply + - id: check-useless-excludes + ci: autoupdate_schedule: quarterly From 234cd371f3c77873c5d3409f3c24f71f4815d24b Mon Sep 17 00:00:00 2001 
From: sobolevn Date: Fri, 3 Jan 2025 01:07:21 +0300 Subject: [PATCH 02/16] Improve security of our GitHub Actions --- .github/workflows/mypy_primer.yml | 2 +- .github/workflows/mypy_primer_comment.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/mypy_primer.yml b/.github/workflows/mypy_primer.yml index a1ea0b0efbbc..a883aac040ba 100644 --- a/.github/workflows/mypy_primer.yml +++ b/.github/workflows/mypy_primer.yml @@ -106,4 +106,4 @@ jobs: - name: Call comments workflow uses: python/mypy/.github/workflows/mypy_primer_comment.yml@master with: - workflow_id: ${{ workflow.id }} + workflow_id: ${{ github.run_id }} diff --git a/.github/workflows/mypy_primer_comment.yml b/.github/workflows/mypy_primer_comment.yml index 43f4bbc4ce23..50c31c31348c 100644 --- a/.github/workflows/mypy_primer_comment.yml +++ b/.github/workflows/mypy_primer_comment.yml @@ -2,10 +2,10 @@ name: Comment with mypy_primer diff on: workflow_call: - input: + inputs: workflow_id: required: true - type: integer + type: number jobs: From ef0d2113e6d5afc631ccaa63c5620edb408f57bf Mon Sep 17 00:00:00 2001 From: sobolevn Date: Fri, 3 Jan 2025 01:08:39 +0300 Subject: [PATCH 03/16] Fix CI --- .pre-commit-config.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index e0cab8c31131..50c67e028afd 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -18,7 +18,6 @@ repos: - repo: https://github.com/python-jsonschema/check-jsonschema rev: 0.30.0 hooks: - - id: check-dependabot - id: check-github-workflows - repo: https://github.com/rhysd/actionlint rev: v1.7.4 From 2b5f024ee467e171a2f58ee9a0c59fe6f0ea6f67 Mon Sep 17 00:00:00 2001 From: sobolevn Date: Fri, 3 Jan 2025 01:15:44 +0300 Subject: [PATCH 04/16] Fix CI --- .github/workflows/mypy_primer.yml | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) 
diff --git a/.github/workflows/mypy_primer.yml b/.github/workflows/mypy_primer.yml index a883aac040ba..8e303909f8b7 100644 --- a/.github/workflows/mypy_primer.yml +++ b/.github/workflows/mypy_primer.yml @@ -26,8 +26,6 @@ jobs: mypy_primer: name: Run mypy_primer runs-on: ubuntu-latest - permissions: - contents: read strategy: matrix: shard-index: [0, 1, 2, 3, 4] @@ -94,8 +92,6 @@ jobs: name: Join artifacts runs-on: ubuntu-latest needs: [mypy_primer] - permissions: - contents: read steps: - name: Merge artifacts uses: actions/upload-artifact/merge@v4 @@ -103,7 +99,10 @@ jobs: name: mypy_primer_diffs pattern: mypy_primer_diffs-* delete-merged: true - - name: Call comments workflow - uses: python/mypy/.github/workflows/mypy_primer_comment.yml@master - with: - workflow_id: ${{ github.run_id }} + + call_comment_workflow: + name: Call mypy_primer_comment workflow + needs: [join_artifacts] + uses: python/mypy/.github/workflows/mypy_primer_comment.yml@master + with: + workflow_id: ${{ github.run_id }} From 0d5934418a12bdaf8a8f8ed6b0868b36c1c6f4a6 Mon Sep 17 00:00:00 2001 From: sobolevn Date: Fri, 3 Jan 2025 01:19:02 +0300 Subject: [PATCH 05/16] Fix CI --- .github/workflows/mypy_primer.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/mypy_primer.yml b/.github/workflows/mypy_primer.yml index 8e303909f8b7..da6ff3adc901 100644 --- a/.github/workflows/mypy_primer.yml +++ b/.github/workflows/mypy_primer.yml @@ -103,6 +103,6 @@ jobs: call_comment_workflow: name: Call mypy_primer_comment workflow needs: [join_artifacts] - uses: python/mypy/.github/workflows/mypy_primer_comment.yml@master + uses: python/mypy/.github/workflows/mypy_primer_comment.yml with: workflow_id: ${{ github.run_id }} From a809119acf3db16ddc7a32b9d06fa5b1e787222d Mon Sep 17 00:00:00 2001 From: sobolevn Date: Fri, 3 Jan 2025 01:19:26 +0300 Subject: [PATCH 06/16] Fix CI --- .github/workflows/mypy_primer.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
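Review bot: The `@@ -26` and `@@ -94` hunks drop the explicit job-level `permissions: contents: read` from `mypy_primer` and `join_artifacts` without a replacement visible in the diff. Unless the workflow has a top-level `permissions:` block (outside these hunks), those jobs now fall back to the repository's default token permissions, which can be read/write, so the change widens rather than narrows the token. If the blocks were removed because the new `call_comment_workflow` job needs broader rights, keep the read-only blocks on the two build jobs and put the broader grant only on the calling job.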
diff --git a/.github/workflows/mypy_primer.yml b/.github/workflows/mypy_primer.yml index da6ff3adc901..0b37bde949d3 100644 --- a/.github/workflows/mypy_primer.yml +++ b/.github/workflows/mypy_primer.yml @@ -103,6 +103,6 @@ jobs: call_comment_workflow: name: Call mypy_primer_comment workflow needs: [join_artifacts] - uses: python/mypy/.github/workflows/mypy_primer_comment.yml + uses: ./.github/workflows/mypy_primer_comment.yml with: workflow_id: ${{ github.run_id }} From e9ead659c0ffebbe6c12170c65dee7e916cead13 Mon Sep 17 00:00:00 2001 From: sobolevn Date: Fri, 3 Jan 2025 01:20:59 +0300 Subject: [PATCH 07/16] Fix CI --- .github/workflows/mypy_primer_comment.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/mypy_primer_comment.yml b/.github/workflows/mypy_primer_comment.yml index 50c31c31348c..b673be276838 100644 --- a/.github/workflows/mypy_primer_comment.yml +++ b/.github/workflows/mypy_primer_comment.yml @@ -7,14 +7,14 @@ on: required: true type: number +permissions: + contents: read + pull-requests: write jobs: comment: name: Comment PR from mypy_primer runs-on: ubuntu-latest - permissions: - contents: read - pull-requests: write steps: - name: Download diffs uses: actions/github-script@v7 From 46d0544459afc495899127e6230a6830765ff768 Mon Sep 17 00:00:00 2001 From: sobolevn Date: Fri, 3 Jan 2025 01:23:12 +0300 Subject: [PATCH 08/16] Fix CI --- .github/workflows/mypy_primer.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/mypy_primer.yml b/.github/workflows/mypy_primer.yml index 0b37bde949d3..7f9246c9bc4a 100644 --- a/.github/workflows/mypy_primer.yml +++ b/.github/workflows/mypy_primer.yml @@ -103,6 +103,9 @@ jobs: call_comment_workflow: name: Call mypy_primer_comment workflow needs: [join_artifacts] + permissions: + contents: read + pull-requests: write uses: ./.github/workflows/mypy_primer_comment.yml with: workflow_id: ${{ github.run_id }} 
From 2234fd7425ff6dcbd218483436daca4861500835 Mon Sep 17 00:00:00 2001 From: sobolevn Date: Fri, 3 Jan 2025 11:35:51 +0300 Subject: [PATCH 09/16] Fix CI --- .github/workflows/mypy_primer_comment.yml | 2 +- .github/workflows/sync_typeshed.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/mypy_primer_comment.yml b/.github/workflows/mypy_primer_comment.yml index b673be276838..da13b3af7800 100644 --- a/.github/workflows/mypy_primer_comment.yml +++ b/.github/workflows/mypy_primer_comment.yml @@ -5,7 +5,7 @@ on: inputs: workflow_id: required: true - type: number + type: string permissions: contents: read diff --git a/.github/workflows/sync_typeshed.yml b/.github/workflows/sync_typeshed.yml index bdce04ff2ea3..70d4f17dc428 100644 --- a/.github/workflows/sync_typeshed.yml +++ b/.github/workflows/sync_typeshed.yml @@ -18,7 +18,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 - persist-credentials: false + persist-credentials: true # needed to `git push` the typeshed # TODO: use whatever solution ends up working for # https://github.com/python/typeshed/issues/8434 - uses: actions/setup-python@v5 From 695743d154e2d4ab5d1a20537c608a768bdb383c Mon Sep 17 00:00:00 2001 From: sobolevn Date: Fri, 3 Jan 2025 15:02:53 +0300 Subject: [PATCH 10/16] Address review --- .github/workflows/build_wheels.yml | 2 +- .github/workflows/mypy_primer.yml | 1 - .github/workflows/sync_typeshed.yml | 2 +- .pre-commit-config.yaml | 5 +++++ 4 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build_wheels.yml b/.github/workflows/build_wheels.yml index ac90609fe20c..521f5320de3f 100644 --- a/.github/workflows/build_wheels.yml +++ b/.github/workflows/build_wheels.yml @@ -14,7 +14,7 @@ jobs: steps: - uses: actions/checkout@v4 with: - persist-credentials: false + persist-credentials: true # needed to push tags - uses: actions/setup-python@v5 with: python-version: '3.11' 
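Review bot: `persist-credentials: true` stores the job token in the checkout's `.git/config`, so with `contents: write` and `pull-requests: write` set at job level in patch 01 every later step — the setup-python install, the sync script and anything it pulls in — can read a write-capable token, not only the step that pushes; the build_wheels hunk in patch 10 has the same shape. If a single `run:` step does the push (the job body is outside this hunk), keeping `persist-credentials: false` and handing `${{ secrets.GITHUB_TOKEN }}` to that step alone through `env:` confines the credential to where it is used. Either way the comment should name the consumer, e.g. `persist-credentials: true  # token needed by the 'git push' step below; do not add untrusted steps after checkout`.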
diff --git a/.github/workflows/mypy_primer.yml b/.github/workflows/mypy_primer.yml index 7f9246c9bc4a..0455f822de85 100644 --- a/.github/workflows/mypy_primer.yml +++ b/.github/workflows/mypy_primer.yml @@ -104,7 +104,6 @@ jobs: name: Call mypy_primer_comment workflow needs: [join_artifacts] permissions: - contents: read pull-requests: write uses: ./.github/workflows/mypy_primer_comment.yml with: diff --git a/.github/workflows/sync_typeshed.yml b/.github/workflows/sync_typeshed.yml index 70d4f17dc428..eaf73daef653 100644 --- a/.github/workflows/sync_typeshed.yml +++ b/.github/workflows/sync_typeshed.yml @@ -18,7 +18,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 - persist-credentials: true # needed to `git push` the typeshed + persist-credentials: true # needed to `git push` the PR branch # TODO: use whatever solution ends up working for # https://github.com/python/typeshed/issues/8434 - uses: actions/setup-python@v5 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 50c67e028afd..1101701eafaf 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -28,6 +28,11 @@ repos: -ignore=property "allow_failure" is not defined, -ignore=SC2(046|086), ] + additional_dependencies: + # actionlint has a shellcheck integration which extracts shell scripts in `run:` steps from GitHub Actions + # and checks these with shellcheck. This is arguably its most useful feature, + # but the integration only works if shellcheck is installed + - "github.com/wasilibs/go-shellcheck/cmd/shellcheck@v0.10.0" - repo: https://github.com/woodruffw/zizmor-pre-commit rev: v1.0.0 hooks: From 985513f53c6e86789d5eee2a7bae58b44c43b336 Mon Sep 17 00:00:00 2001 From: sobolevn Date: Fri, 3 Jan 2025 15:06:19 +0300 Subject: [PATCH 11/16] Fix CI --- .github/workflows/mypy_primer.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/mypy_primer.yml b/.github/workflows/mypy_primer.yml index 0455f822de85..7f9246c9bc4a 100644 
--- a/.github/workflows/mypy_primer.yml +++ b/.github/workflows/mypy_primer.yml @@ -104,6 +104,7 @@ jobs: name: Call mypy_primer_comment workflow needs: [join_artifacts] permissions: + contents: read pull-requests: write uses: ./.github/workflows/mypy_primer_comment.yml with: From 04dde471570554de2996eb47d0db436941f1273e Mon Sep 17 00:00:00 2001 From: sobolevn Date: Fri, 3 Jan 2025 19:50:15 +0300 Subject: [PATCH 12/16] Address review --- .github/workflows/mypy_primer.yml | 2 +- ...mypy_primer_comment.yml => reusable_mypy_primer_comment.yml} | 0 .github/workflows/sync_typeshed.yml | 2 ++ 3 files changed, 3 insertions(+), 1 deletion(-) rename .github/workflows/{mypy_primer_comment.yml => reusable_mypy_primer_comment.yml} (100%) diff --git a/.github/workflows/mypy_primer.yml b/.github/workflows/mypy_primer.yml index 7f9246c9bc4a..4846bfd7bece 100644 --- a/.github/workflows/mypy_primer.yml +++ b/.github/workflows/mypy_primer.yml @@ -106,6 +106,6 @@ jobs: permissions: contents: read pull-requests: write - uses: ./.github/workflows/mypy_primer_comment.yml + uses: ./.github/workflows/reusable_mypy_primer_comment.yml with: workflow_id: ${{ github.run_id }} diff --git a/.github/workflows/mypy_primer_comment.yml b/.github/workflows/reusable_mypy_primer_comment.yml similarity index 100% rename from .github/workflows/mypy_primer_comment.yml rename to .github/workflows/reusable_mypy_primer_comment.yml diff --git a/.github/workflows/sync_typeshed.yml b/.github/workflows/sync_typeshed.yml index eaf73daef653..2d5361a5919c 100644 --- a/.github/workflows/sync_typeshed.yml +++ b/.github/workflows/sync_typeshed.yml @@ -5,6 +5,8 @@ on: schedule: - cron: "0 0 1,15 * *" +permissions: {} + jobs: sync_typeshed: name: Sync typeshed From 45cdb4040226e026cb647d9a871f670171891da1 Mon Sep 17 00:00:00 2001 From: sobolevn Date: Fri, 3 Jan 2025 19:52:07 +0300 Subject: [PATCH 13/16] More pre-commit checks based on jsonschema --- .pre-commit-config.yaml | 2 ++ 1 file changed, 2 insertions(+) 
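Review bot: `contents: read` is re-added to `call_comment_workflow` one commit after patch 10 removed it, and nothing in the hunk says why it is required, so the next cleanup will remove it again. A caller job must grant every permission the called workflow declares, and the reusable workflow sets `contents: read` at its top level in patch 07, so annotate the line: `contents: read  # required: the called workflow declares contents: read`. The same reasoning applies to `pull-requests: write` on the line below.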
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 1101701eafaf..6aa452ffca63 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -19,6 +19,8 @@ repos: rev: 0.30.0 hooks: - id: check-github-workflows + - id: check-github-actions + - id: check-readthedocs - repo: https://github.com/rhysd/actionlint rev: v1.7.4 hooks: From cfad9489c9017709b7c98b8a248f83a69bca10b6 Mon Sep 17 00:00:00 2001 From: sobolevn Date: Wed, 8 Jan 2025 11:26:36 +0300 Subject: [PATCH 14/16] Revert mypy_primer_comment.yml changes --- .github/workflows/mypy_primer.yml | 10 -------- ...er_comment.yml => mypy_primer_comment.yml} | 24 +++++++++---------- .pre-commit-config.yaml | 8 +++---- action.yml | 2 +- 4 files changed, 16 insertions(+), 28 deletions(-) rename .github/workflows/{reusable_mypy_primer_comment.yml => mypy_primer_comment.yml} (91%) diff --git a/.github/workflows/mypy_primer.yml b/.github/workflows/mypy_primer.yml index 4846bfd7bece..cf62ce24fb9e 100644 --- a/.github/workflows/mypy_primer.yml +++ b/.github/workflows/mypy_primer.yml @@ -99,13 +99,3 @@ jobs: name: mypy_primer_diffs pattern: mypy_primer_diffs-* delete-merged: true - - call_comment_workflow: - name: Call mypy_primer_comment workflow - needs: [join_artifacts] - permissions: - contents: read - pull-requests: write - uses: ./.github/workflows/reusable_mypy_primer_comment.yml - with: - workflow_id: ${{ github.run_id }} diff --git a/.github/workflows/reusable_mypy_primer_comment.yml b/.github/workflows/mypy_primer_comment.yml similarity index 91% rename from .github/workflows/reusable_mypy_primer_comment.yml rename to .github/workflows/mypy_primer_comment.yml index da13b3af7800..fbaa83fe7ff1 100644 --- a/.github/workflows/reusable_mypy_primer_comment.yml +++ b/.github/workflows/mypy_primer_comment.yml 
@@ -1,32 +1,30 @@ name: Comment with mypy_primer diff -on: - workflow_call: - inputs: - workflow_id: - required: true - type: string - -permissions: - contents: read - pull-requests: write +on: # zizmor: ignore[dangerous-triggers] + workflow_run: + workflows: + - Run mypy_primer + types: + - completed jobs: comment: name: Comment PR from mypy_primer runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + if: ${{ github.event.workflow_run.conclusion == 'success' }} steps: - name: Download diffs uses: actions/github-script@v7 - env: - WORKFLOW_ID: ${{ inputs.workflow_id }} with: script: | const fs = require('fs'); const artifacts = await github.rest.actions.listWorkflowRunArtifacts({ owner: context.repo.owner, repo: context.repo.repo, - run_id: process.env.WORKFLOW_ID, + run_id: ${{ github.event.workflow_run.id }}, }); const [matchArtifact] = artifacts.data.artifacts.filter((artifact) => artifact.name == "mypy_primer_diffs"); diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 6aa452ffca63..dc411c6da49b 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -11,18 +11,18 @@ repos: - id: black exclude: '^(test-data/)' - repo: https://github.com/astral-sh/ruff-pre-commit - rev: v0.8.4 + rev: v0.8.6 hooks: - id: ruff args: [--exit-non-zero-on-fix] - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.30.0 + rev: 0.31.0 hooks: - id: check-github-workflows - id: check-github-actions - id: check-readthedocs - repo: https://github.com/rhysd/actionlint - rev: v1.7.4 + rev: v1.7.6 hooks: - id: actionlint args: [ @@ -36,7 +36,7 @@ repos: # but the integration only works if shellcheck is installed - "github.com/wasilibs/go-shellcheck/cmd/shellcheck@v0.10.0" - repo: https://github.com/woodruffw/zizmor-pre-commit - rev: v1.0.0 + rev: v1.0.1 hooks: - id: zizmor # Should be the last one: diff --git a/action.yml b/action.yml index df8715327830..732929412651 100644 --- a/action.yml +++ b/action.yml 
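Review bot: The `# zizmor: ignore[dangerous-triggers]` on the restored `workflow_run` trigger suppresses the finding without recording why this workflow is safe to run with `pull-requests: write` on the base repository while consuming an artifact produced by an untrusted pull-request run. The suppression holds only while the job treats everything read from `mypy_primer_diffs` as data: it must never check out or execute PR code, and the PR number it derives from the artifact (the rest of the script is outside this hunk) should be checked to be numeric and cross-checked against `github.event.workflow_run.head_sha` before commenting. Record that invariant on the trigger, e.g. `on:  # zizmor: ignore[dangerous-triggers] -- write token; artifact contents are untrusted and are only posted as text`. Reverting `run_id: process.env.WORKFLOW_ID` to a direct `${{ … }}` interpolation is low-risk because `workflow_run.id` is numeric, but the `env:` indirection cost nothing and kept the script free of template expansion.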
@@ -32,7 +32,7 @@ branding: runs: using: composite steps: - - name: mypy setup + - name: mypy setup # zizmor: ignore[template-injection] shell: bash run: | echo ::group::Installing mypy... From d44ea68e5165fc8524f4581d05a4e1f1129d1120 Mon Sep 17 00:00:00 2001 From: sobolevn Date: Wed, 8 Jan 2025 11:41:16 +0300 Subject: [PATCH 15/16] Adress review --- .github/workflows/build_wheels.yml | 7 +++---- .github/workflows/mypy_primer_comment.yml | 2 ++ 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build_wheels.yml b/.github/workflows/build_wheels.yml index 521f5320de3f..4181444ffcba 100644 --- a/.github/workflows/build_wheels.yml +++ b/.github/workflows/build_wheels.yml @@ -5,16 +5,15 @@ on: branches: [main, master, 'release*'] tags: ['*'] +permissions: + contents: read + jobs: build-wheels: if: github.repository == 'python/mypy' runs-on: ubuntu-latest - permissions: - contents: write steps: - uses: actions/checkout@v4 - with: - persist-credentials: true # needed to push tags - uses: actions/setup-python@v5 with: python-version: '3.11' diff --git a/.github/workflows/mypy_primer_comment.yml b/.github/workflows/mypy_primer_comment.yml index fbaa83fe7ff1..21f1222a5b89 100644 --- a/.github/workflows/mypy_primer_comment.yml +++ b/.github/workflows/mypy_primer_comment.yml @@ -7,6 +7,8 @@ on: # zizmor: ignore[dangerous-triggers] types: - completed +permissions: {} + jobs: comment: name: Comment PR from mypy_primer From 1e9e50936a8fc0b3be35404493a2e388a94c3516 Mon Sep 17 00:00:00 2001 From: sobolevn Date: Wed, 8 Jan 2025 12:37:43 +0300 Subject: [PATCH 16/16] Fix CI --- .github/workflows/build_wheels.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build_wheels.yml b/.github/workflows/build_wheels.yml index 4181444ffcba..dae4937d5081 100644 --- a/.github/workflows/build_wheels.yml +++ b/.github/workflows/build_wheels.yml 
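Review bot: `# zizmor: ignore[template-injection]` on the `mypy setup` step silences the finding rather than removing the cause, and this is a composite action consumed by other repositories, so its `inputs.*` values come from arbitrary callers. If the `run:` body (outside this hunk) expands `${{ inputs.… }}` directly inside the bash script, an input containing shell metacharacters is interpreted by the shell; routing each input through `env:` and quoting it (`env: { INPUT_VALUE: "${{ inputs.<name> }}" }` with `<name>` as a placeholder, then `"$INPUT_VALUE"` in the script) removes that path and makes the ignore unnecessary. If the ignore is kept, state the reason beside it, e.g. `# zizmor: ignore[template-injection] -- inputs are passed via env and quoted below`.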
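Review bot: This hunk removes `persist-credentials: true # needed to push tags` and drops the job to a top-level `contents: read`, while patch 10 added that comment claiming the job pushes tags; both cannot be right. If the job body (outside this hunk) pushes with a separately provided secret rather than `GITHUB_TOKEN`, say so where the permission is set, e.g. `contents: read  # tag push uses a dedicated secret, not GITHUB_TOKEN`; if it pushes with `GITHUB_TOKEN`, this change breaks the push and `contents: write` must stay on the job. Patch 16 then adds `persist-credentials: false` to this checkout, which is consistent with a read-only token but does not settle the question.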
@@ -14,6 +14,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-python@v5 with: python-version: '3.11'