diff --git a/.github/dependabot.yml b/.github/dependabot.yml index d1f40e5..5043f4e 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -9,6 +9,8 @@ updates: actions: patterns: - "*" + cooldown: + default-days: 7 # Maintain dependencies for pip constraints-ci.txt - package-ecosystem: "pip" @@ -18,3 +20,5 @@ updates: allow: - dependency-name: "cmake" - dependency-name: "ninja" + cooldown: + default-days: 7 diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5e02744..8a5a9ab 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -20,16 +20,20 @@ concurrency: env: SETUPTOOLS_SCM_PRETEND_VERSION: ${{ github.event.inputs.overrideVersion }} +permissions: {} + jobs: lint: name: Lint runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 - - uses: actions/setup-python@v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.x" - - uses: pre-commit/action@v3.0.1 + - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 build_wheels: 
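Review bot: The new `cooldown:` stanza for the `github-actions` ecosystem gives no rationale for the 7-day figure, and the same value is repeated for the pip ecosystem in this file's second hunk. A one-line comment above each, such as `# wait a week after a release before proposing it, giving upstream time to withdraw a bad version`, would record the intent where the next maintainer will look for it. It is also worth confirming against the Dependabot documentation whether the cooldown applies to security updates; if it does not, the comment should say so, otherwise a reader may assume advisory-driven bumps are delayed as well.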
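Review bot: `permissions: {}` at workflow level removes every default GITHUB_TOKEN scope for any job that does not declare its own, but nothing in the hunk says so; a comment such as `# no token scopes by default; jobs that need any (e.g. publishing) declare them explicitly` would keep a later job from being added without thinking about it. The lint job's visible steps (checkout with `persist-credentials: false`, setup-python, pre-commit/action) appear to need no token, which holds for a public repository; if the repository or a submodule is private, `contents: read` would have to be granted at job level. The `# v7.0.0`-style suffixes on the pinned `uses:` lines are informational only — the runner resolves the SHA — so they are trustworthy only while Dependabot keeps them in step with the pins.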
@@ -76,26 +80,27 @@ jobs: arch: "universal2" steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 # required for setuptools_scm to find tags submodules: 'recursive' + persist-credentials: false - name: Set up QEMU - uses: docker/setup-qemu-action@v4.1.0 + uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0 if: runner.os == 'Linux' && runner.arch == 'X64' - - uses: astral-sh/setup-uv@v8.2.0 + - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 with: enable-cache: false - name: Build wheels - uses: pypa/cibuildwheel@v4.1 + uses: pypa/cibuildwheel@294735312765b09d24a2fbec22660ce817587d55 # v4.1.0 env: CIBW_ARCHS: "${{ matrix.arch }}" CIBW_BUILD: "cp39-${{ matrix.build }}*" - - uses: actions/upload-artifact@v7 + - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: cibw-wheels-${{ matrix.os }}-${{ matrix.build }}${{ matrix.arch }} path: ./wheelhouse/*.whl @@ -113,15 +118,16 @@ jobs: needs: [lint] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 # required for setuptools_scm to find tags submodules: 'recursive' + persist-credentials: false - name: Build SDist run: pipx run build --sdist - - uses: actions/upload-artifact@v7 + - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: cibw-sdist path: dist/*.tar.gz 
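Review bot: `persist-credentials: false` is added to the checkout step without the why-comment its sibling `fetch-depth: 0` already carries; `persist-credentials: false  # keep GITHUB_TOKEN out of .git/config for later steps` would match the existing style. The same applies to the checkout steps in the next hunk (build_sdist) and in the test_sdist hunk. Separately, `pypa/cibuildwheel` moves from the floating `v4.1` tag to a fixed commit labelled `v4.1.0`, so cibuildwheel patch releases now arrive only through Dependabot after the configured cooldown; that is presumably the intended trade-off but deserves a mention.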
@@ -136,24 +142,28 @@ jobs: python: ["3.8", "3.13"] steps: - - uses: actions/checkout@v7 - - uses: actions/setup-python@v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 name: Install Python ${{ matrix.python }} id: python with: python-version: ${{ matrix.python }} update-environment: false - - uses: astral-sh/setup-uv@v8.2.0 + - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 with: enable-cache: false - name: Setup environment run: | - uv venv --python "${{ steps.python.outputs.python-path }}" + uv venv --python "${STEPS_PYTHON_OUTPUTS_PYTHON_PATH}" uv pip install pip --group test + env: + STEPS_PYTHON_OUTPUTS_PYTHON_PATH: ${{ steps.python.outputs.python-path }} - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: cibw-sdist path: sdist @@ -185,7 +195,7 @@ jobs: needs: [build_wheels, build_sdist, test_sdist] runs-on: ubuntu-latest steps: - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: pattern: cibw-* path: dist @@ -203,12 +213,15 @@ jobs: url: https://pypi.org/p/ninja permissions: id-token: write + attestations: write steps: - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: pattern: cibw-* path: dist merge-multiple: true - name: Upload to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 + with: + attestations: true diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 17e8198..aea0fbe 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
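Review bot: The `attestations: write` scope added to the upload_pypi job may not be exercised by `pypa/gh-action-pypi-publish`, which as far as I know produces its attestations through Sigstore using the `id-token: write` OIDC token rather than GitHub's attestations API; confirm against the action's README for the pinned v1.14.0 and drop the scope if it is unused, so the job stays at least privilege. The explicit `attestations: true` input is fine as a statement of intent even if it matches the action's default under trusted publishing. The job header and its `environment:` block lie outside the hunk.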
@@ -1,6 +1,6 @@ repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v6.0.0 + rev: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c # frozen: v6.0.0 hooks: - id: check-added-large-files - id: check-case-conflict @@ -13,27 +13,33 @@ repos: - id: trailing-whitespace - repo: https://github.com/astral-sh/ruff-pre-commit - rev: "v0.15.17" + rev: "77039ccbba72c8aede339c5f8ae29b42aced0a2e" # frozen: v0.15.18 hooks: - id: ruff args: [--fix, --show-fixes] - repo: https://github.com/pre-commit/mirrors-mypy - rev: "v2.1.0" + rev: "d2823d321df3af8f878f7ee3414dc94d037145b9" # frozen: v2.1.0 hooks: - id: mypy files: src args: [] - repo: https://github.com/abravalheri/validate-pyproject - rev: "v0.25" + rev: "4b2e70d08cb2ccd26d1fba73588de41c7a5d50b7" # frozen: v0.25 hooks: - id: validate-pyproject additional_dependencies: ["validate-pyproject-schema-store[all]>=2024.10.21"] - repo: https://github.com/python-jsonschema/check-jsonschema - rev: "0.37.3" + rev: "8ef330cbb7204d388aa7a620f9549bcea8009663" # frozen: 0.37.3 hooks: - id: check-dependabot - id: check-github-workflows - id: check-readthedocs + +- repo: https://github.com/zizmorcore/zizmor-pre-commit + rev: e3eebf65325ccc992422292cb7a4baee967cf815 # frozen: v1.26.1 + hooks: + - id: zizmor + files: "^\\.github"
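Review bot: The frozen `rev:` for pre-commit-hooks is written unquoted (`rev: 3e8a8703…`) while the ruff, mypy, validate-pyproject and check-jsonschema entries in the next hunk quote theirs, and the new zizmor entry in that hunk is unquoted again. A bare 40-hex SHA is read as a string in practice, but a digits-only or `<digits>e<digits>` SHA would be parsed as a number, so quoting every rev (`rev: "3e8a8703264a2f4a69428a0aa4dcb512790b2c8c" # frozen: v6.0.0`) is both the consistent and the safe form.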
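Review bot: The ruff-pre-commit entry changes version as well as pin form — the removed line was `rev: "v0.15.17"` and the new comment reads `# frozen: v0.15.18` — whereas every other entry in the hunk is frozen at its previous version. Folding a version bump into a pin-everything commit makes the diff harder to audit; either split it out or call it out explicitly. The new zizmor hook's `files: "^\\.github"` is a regex confined to paths under `.github`, which is the appropriate scope for a workflow linter.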