diff --git a/.github/workflows/build_wheels.yml b/.github/workflows/build_wheels.yml index 8055cfd24180..521f5320de3f 100644 --- a/.github/workflows/build_wheels.yml +++ b/.github/workflows/build_wheels.yml @@ -5,15 +5,16 @@ on: branches: [main, master, 'release*'] tags: ['*'] -permissions: - contents: write - jobs: build-wheels: if: github.repository == 'python/mypy' runs-on: ubuntu-latest + permissions: + contents: write steps: - uses: actions/checkout@v4 + with: + persist-credentials: true # needed to push tags - uses: actions/setup-python@v5 with: python-version: '3.11' diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 112102954dd3..3f945b84b7f0 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -35,6 +35,8 @@ jobs: VERIFY_MYPY_ERROR_CODES: 1 steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-python@v5 with: python-version: '3.12' diff --git a/.github/workflows/mypy_primer.yml b/.github/workflows/mypy_primer.yml index 54fa2177716c..4846bfd7bece 100644 --- a/.github/workflows/mypy_primer.yml +++ b/.github/workflows/mypy_primer.yml @@ -26,8 +26,6 @@ jobs: mypy_primer: name: Run mypy_primer runs-on: ubuntu-latest - permissions: - contents: read strategy: matrix: shard-index: [0, 1, 2, 3, 4] @@ -38,6 +36,7 @@ jobs: with: path: mypy_to_test fetch-depth: 0 + persist-credentials: false - uses: actions/setup-python@v5 with: python-version: "3.12" @@ -93,8 +92,6 @@ jobs: name: Join artifacts runs-on: ubuntu-latest needs: [mypy_primer] - permissions: - contents: read steps: - name: Merge artifacts uses: actions/upload-artifact/merge@v4 @@ -102,3 +99,13 @@ jobs: name: mypy_primer_diffs pattern: mypy_primer_diffs-* delete-merged: true + + call_comment_workflow: + name: Call mypy_primer_comment workflow + needs: [join_artifacts] + permissions: + contents: read + pull-requests: write + uses: ./.github/workflows/reusable_mypy_primer_comment.yml + with: + workflow_id: ${{ github.run_id }} diff --git a/.github/workflows/mypy_primer_comment.yml b/.github/workflows/reusable_mypy_primer_comment.yml similarity index 94% rename from .github/workflows/mypy_primer_comment.yml rename to .github/workflows/reusable_mypy_primer_comment.yml index 72f111b96c53..da13b3af7800 100644 --- a/.github/workflows/mypy_primer_comment.yml +++ b/.github/workflows/reusable_mypy_primer_comment.yml @@ -1,11 +1,11 @@ name: Comment with mypy_primer diff on: - workflow_run: - workflows: - - Run mypy_primer - types: - - completed + workflow_call: + inputs: + workflow_id: + required: true + type: string permissions: contents: read @@ -15,17 +15,18 @@ jobs: comment: name: Comment PR from mypy_primer runs-on: ubuntu-latest - if: ${{ github.event.workflow_run.conclusion == 'success' }} steps: - name: Download diffs uses: actions/github-script@v7 + env: + WORKFLOW_ID: ${{ inputs.workflow_id }} with: script: | const fs = require('fs'); const artifacts = await github.rest.actions.listWorkflowRunArtifacts({ owner: context.repo.owner, repo: context.repo.repo, - run_id: ${{ github.event.workflow_run.id }}, + run_id: process.env.WORKFLOW_ID, }); const [matchArtifact] = artifacts.data.artifacts.filter((artifact) => artifact.name == "mypy_primer_diffs"); diff --git a/.github/workflows/sync_typeshed.yml b/.github/workflows/sync_typeshed.yml index 84d246441f3d..2d5361a5919c 100644 --- a/.github/workflows/sync_typeshed.yml +++ b/.github/workflows/sync_typeshed.yml @@ -5,20 +5,22 @@ on: schedule: - cron: "0 0 1,15 * *" -permissions: - contents: write - pull-requests: write +permissions: {} jobs: sync_typeshed: name: Sync typeshed if: github.repository == 'python/mypy' runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write timeout-minutes: 10 steps: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: true # needed to `git push` the PR branch # TODO: use whatever solution ends up working for # https://github.com/python/typeshed/issues/8434 - uses: actions/setup-python@v5 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 97bc62e002c5..a57d08fa4da8 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -136,6 +136,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Debug build if: ${{ matrix.debug_build }} @@ -217,6 +219,8 @@ jobs: CC: i686-linux-gnu-gcc steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install 32-bit build dependencies run: | sudo dpkg --add-architecture i386 && \ diff --git a/.github/workflows/test_stubgenc.yml b/.github/workflows/test_stubgenc.yml index 115eb047556e..4676acf8695b 100644 --- a/.github/workflows/test_stubgenc.yml +++ b/.github/workflows/test_stubgenc.yml @@ -29,6 +29,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup 🐍 3.9 uses: actions/setup-python@v5 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 1e53f084e675..6aa452ffca63 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -18,8 +18,9 @@ repos: - repo: https://github.com/python-jsonschema/check-jsonschema rev: 0.30.0 hooks: - - id: check-dependabot - id: check-github-workflows + - id: check-github-actions + - id: check-readthedocs - repo: https://github.com/rhysd/actionlint rev: v1.7.4 hooks: @@ -29,5 +30,20 @@ repos: -ignore=property "allow_failure" is not defined, -ignore=SC2(046|086), ] + additional_dependencies: + # actionlint has a shellcheck integration which extracts shell scripts in `run:` steps from GitHub Actions + # and checks these with shellcheck. This is arguably its most useful feature, + # but the integration only works if shellcheck is installed + - "github.com/wasilibs/go-shellcheck/cmd/shellcheck@v0.10.0" + - repo: https://github.com/woodruffw/zizmor-pre-commit + rev: v1.0.0 + hooks: + - id: zizmor + # Should be the last one: + - repo: meta + hooks: + - id: check-hooks-apply + - id: check-useless-excludes + ci: autoupdate_schedule: quarterly