Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/build-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ jobs:
steps:
- uses: actions/checkout@v7.0.0
- name: Set up Python 3.11
uses: actions/setup-python@v6.2.0
uses: actions/setup-python@v6.3.0
with:
python-version: 3.11
- name: Install uv
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/docs.yml
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
name: Deploy Documentation to GitHub Pages
permissions:
contents: read
pages: write

Check failure on line 4 in .github/workflows/docs.yml

View workflow job for this annotation

GitHub Actions / zizmor

excessive-permissions

docs.yml:4: overly broad permissions: pages: write is overly broad at the workflow level
id-token: write

Check failure on line 5 in .github/workflows/docs.yml

View workflow job for this annotation

GitHub Actions / zizmor

excessive-permissions

docs.yml:5: overly broad permissions: id-token: write is overly broad at the workflow level
# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
Expand All @@ -29,10 +29,10 @@
build:
runs-on: ubuntu-latest-8-cores
steps:
- name: Checkout

Check warning on line 32 in .github/workflows/docs.yml

View workflow job for this annotation

GitHub Actions / zizmor

artipacked

docs.yml:32: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false
uses: actions/checkout@v7.0.0
- name: Set up Python
uses: actions/setup-python@v6.2.0
uses: actions/setup-python@v6.3.0
with:
python-version: 3.x
- name: Install uv
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/generate.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,11 +15,11 @@
if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7.0.0

Check warning on line 18 in .github/workflows/generate.yml

View workflow job for this annotation

GitHub Actions / zizmor

artipacked

generate.yml:18: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false
with:
ref: ${{ github.event.pull_request.head.ref }}
- name: Set up Python
uses: actions/setup-python@v6.2.0
uses: actions/setup-python@v6.3.0
with:
python-version: '3.13'
- name: Install uv
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/make-release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,12 +10,12 @@
name: make-release
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7.0.0

Check warning on line 13 in .github/workflows/make-release.yml

View workflow job for this annotation

GitHub Actions / zizmor

artipacked

make-release.yml:13: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false
- uses: actions/setup-python@v6.2.0
- uses: actions/setup-python@v6.3.0
with:
python-version: '3.x'
- name: Install uv
uses: astral-sh/setup-uv@v8.2.0

Check failure on line 18 in .github/workflows/make-release.yml

View workflow job for this annotation

GitHub Actions / zizmor

cache-poisoning

make-release.yml:18: runtime artifacts potentially vulnerable to a cache poisoning attack: this step
with:
version: "latest"
enable-cache: true
Expand All @@ -25,10 +25,10 @@
shell: bash
run: |
uv build
uv publish \

Check notice on line 28 in .github/workflows/make-release.yml

View workflow job for this annotation

GitHub Actions / zizmor

use-trusted-publishing

make-release.yml:28: prefer trusted publishing for authentication: this command
--username ${{secrets.PYPI_USERNAME}} \
--password ${{secrets.PYPI_SECRET}}
# TODO: generate a nice little doc for the release text like we do for the
# cli repo.
- name: Create a Release
uses: softprops/action-gh-release@v2

Check notice on line 34 in .github/workflows/make-release.yml

View workflow job for this annotation

GitHub Actions / zizmor

superfluous-actions

make-release.yml:34: action functionality is already included by the runner: use `gh release` in a script step
2 changes: 1 addition & 1 deletion .github/workflows/mypy.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,13 +8,13 @@
- 'pyproject.toml'
pull_request:
jobs:
mypy:

Check warning on line 11 in .github/workflows/mypy.yml

View workflow job for this annotation

GitHub Actions / zizmor

excessive-permissions

mypy.yml:11: overly broad permissions: default permissions used due to no permissions: block
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7.0.0

Check warning on line 14 in .github/workflows/mypy.yml

View workflow job for this annotation

GitHub Actions / zizmor

artipacked

mypy.yml:14: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false

- name: Set up Python
uses: actions/setup-python@v6.2.0
uses: actions/setup-python@v6.3.0
with:
python-version: '3.x'

Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/ruff.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,13 +8,13 @@
- 'pyproject.toml'
pull_request:
jobs:
ruff:

Check warning on line 11 in .github/workflows/ruff.yml

View workflow job for this annotation

GitHub Actions / zizmor

excessive-permissions

ruff.yml:11: overly broad permissions: default permissions used due to no permissions: block
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7.0.0

Check warning on line 14 in .github/workflows/ruff.yml

View workflow job for this annotation

GitHub Actions / zizmor

artipacked

ruff.yml:14: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false

- name: Set up Python
uses: actions/setup-python@v6.2.0
uses: actions/setup-python@v6.3.0
with:
python-version: '3.x'

Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/update-spec-for-docs.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,24 +11,24 @@
group: docs-${{ github.ref }}
cancel-in-progress: true
jobs:
update-spec:

Check warning on line 14 in .github/workflows/update-spec-for-docs.yml

View workflow job for this annotation

GitHub Actions / zizmor

excessive-permissions

update-spec-for-docs.yml:14: overly broad permissions: default permissions used due to no permissions: block
name: update-spec
runs-on: ubuntu-latest
steps:
- uses: actions/create-github-app-token@v3

Check failure on line 18 in .github/workflows/update-spec-for-docs.yml

View workflow job for this annotation

GitHub Actions / zizmor

github-app

update-spec-for-docs.yml:18: dangerous use of GitHub App tokens: app token inherits blanket installation permissions
id: app-token
with:
# required
app-id: ${{ secrets.GH_ORG_APP_ID }}
private-key: ${{ secrets.GH_ORG_APP_PRIVATE_KEY }}
owner: ${{ github.repository_owner }}

Check failure on line 24 in .github/workflows/update-spec-for-docs.yml

View workflow job for this annotation

GitHub Actions / zizmor

github-app

update-spec-for-docs.yml:24: dangerous use of GitHub App tokens: token granted access to all repositories for this owner's app installation
- uses: actions/checkout@v7.0.0

Check warning on line 25 in .github/workflows/update-spec-for-docs.yml

View workflow job for this annotation

GitHub Actions / zizmor

artipacked

update-spec-for-docs.yml:25: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false
- name: Set up Python
uses: actions/setup-python@v6.2.0
uses: actions/setup-python@v6.3.0
with:
python-version: 3.x
- name: Install uv
uses: astral-sh/setup-uv@v8.2.0

Check failure on line 31 in .github/workflows/update-spec-for-docs.yml

View workflow job for this annotation

GitHub Actions / zizmor

cache-poisoning

update-spec-for-docs.yml:31: runtime artifacts potentially vulnerable to a cache poisoning attack: this step
with:
version: "latest"
enable-cache: true
Expand All @@ -53,7 +53,7 @@
echo "No files changed, proceeding";
fi
# Checkout the docs repo since we will want to update the files there.
- uses: actions/checkout@v7.0.0

Check warning on line 56 in .github/workflows/update-spec-for-docs.yml

View workflow job for this annotation

GitHub Actions / zizmor

artipacked

update-spec-for-docs.yml:56: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false
with:
repository: 'kittycad/website'
path: 'docs'
Expand Down
Loading