Giskard-AI · Hartorn · Apr 14, 2026 · Apr 14, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -7,20 +7,27 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions: {}
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 jobs:
   pre_checks:
+    name: pre_checks
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 30
     steps:
       - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - name: Install uv
-        uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # v7
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
 
       - name: Install deps & build base images
         run: uv sync --all-extras
@@ -41,18 +48,23 @@ jobs:
         run: uv run pre-commit run --all-files
 
   test:
+    name: test
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 30
     strategy:
       fail-fast: true
       matrix:
         python-version: ["3.11", "3.12", "3.13", "3.14"]
     steps:
       - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - name: Install uv and set the python version
-        uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # v7
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
         with:
           python-version: ${{ matrix.python-version }}
 

diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
@@ -8,15 +8,20 @@ on:
         required: true
         type: string
 
-# OIDC is needed for PyPI Trusted Publishing
-permissions:
-  contents: write
-  packages: read
-  id-token: write
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: false
 
 jobs:
   build-and-release:
+    name: build-and-release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write    # push version bump commit and tag
+      packages: read     # read package metadata
+      id-token: write    # OIDC for PyPI Trusted Publishing
 
     steps:
       # Check if the user is a member of the Giskard-AI organization
@@ -46,12 +51,12 @@ jobs:
 
       # Checkout the repository
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0         # ensure tags are available
           fetch-tags: true
           ref: main
-          token: ${{ secrets.GITHUB_TOKEN }}
+          persist-credentials: false
 
       - name: Prepare version env
         env:
@@ -71,34 +76,39 @@ jobs:
             exit 1
           fi
 
-      # Install uv
       - name: Install uv
-        uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # v7
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
+        with:
+          enable-cache: false
 
       # Small helper to edit pyproject
       - name: Install toml-cli
         run: uv tool install toml-cli
 
       # Update project version in pyproject.toml
       - name: Update project version
-        run: toml set --toml-path pyproject.toml project.version "${{ env.VERSION_NUMBER }}"
+        run: toml set --toml-path pyproject.toml project.version "$VERSION_NUMBER"
 
       - name: Configure git author
         run: |
           git config --global user.name 'BotReleaser'
           git config --global user.email 'bot.releaser@users.noreply.github.com'
 
       - name: Commit version bump & tag
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPO: ${{ github.repository }}
         run: |
+          git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${REPO}.git"
           git add pyproject.toml
           if git diff --cached --quiet; then
             echo "No version change detected in pyproject.toml; aborting."
             exit 1
           fi
-          git commit -m "Release ${{ env.VERSION_NAME }}: bump version to ${{ env.VERSION_NUMBER }}"
-          git tag -a "${{ env.VERSION_NAME }}" -m "Release ${{ env.VERSION_NAME }}"
+          git commit -m "Release ${VERSION_NAME}: bump version to ${VERSION_NUMBER}"
+          git tag -a "${VERSION_NAME}" -m "Release ${VERSION_NAME}"
           git push origin main
-          git push origin "${{ env.VERSION_NAME }}"
+          git push origin "${VERSION_NAME}"
 
       # (Optional) lock env exactly as declared
       - name: Install dependencies
@@ -118,15 +128,10 @@ jobs:
           fi
 
       # --- PUBLISH VIA TRUSTED PUBLISHING (OIDC) ---
-      - name: Publish to PyPI (if selected)
-        uses: pypa/gh-action-pypi-publish@release/v1
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
 
       - name: Create GitHub Release
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2
-        with:
-          tag_name: ${{ env.VERSION_NAME }}
-          fail_on_unmatched_files: true
-          generate_release_notes: true
-          files: |
-            dist/*.tar.gz
-            dist/*.whl
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: gh release create "${VERSION_NAME}" dist/*.tar.gz dist/*.whl --generate-notes --fail-on-no-assets
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -0,0 +1,31 @@
+name: GitHub Actions Security Analysis
+
+on:
+  push:
+    branches: [main, dev]
+  pull_request:
+
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  zizmor:
+    name: zizmor
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write  # upload SARIF results to GitHub Advanced Security
+      contents: read          # checkout repository
+      actions: read           # query workflow metadata for analysis
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+        with:
+          persona: pedantic
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
@@ -0,0 +1 @@
+rules: {}
diff --git a/.gitignore b/.gitignore
@@ -14,3 +14,4 @@ uv.lock
 
 # Coverage
 .coverage
+.github/CREDENTIALS.md
diff --git a/renovate.json b/renovate.json
@@ -11,6 +11,7 @@
        "helpers:pinGitHubActionDigests",
        ":pinOnlyDevDependencies"
     ],
+    "minimumReleaseAge": "3 days",
     "packageRules": [
        {
           "rangeStrategy": "widen",
Original file line number	Diff line number	Diff line change
Expand Up		@@ -14,3 +14,4 @@ uv.lock

		# Coverage
		.coverage
		.github/CREDENTIALS.md