Commit ec83ebd

adopt zizmor (#191)
* adopt `zizmor`
* review actions — revert `fetch-depth`
1 parent 08acacb commit ec83ebd

5 files changed

Lines changed: 79 additions & 28 deletions

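--- a/.github/workflows/ci-manifest.yml
+++ b/.github/workflows/ci-manifest.yml
@@ -18,9 +18,9 @@ jobs:
 shell: bash -l {0}
 
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
-fetch-depth: 0
+persist-credentials: false
 
 - name: "check-manifest"
 run: |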
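Review bot: The pinned `actions/checkout@de0fac2e…` on the new `uses:` line carries no human-readable version, so a reader cannot tell which release it is without resolving the SHA, and Dependabot/Renovate rely on a trailing tag comment to keep a SHA pin in step with the tag it tracks. Append the tag the line replaced, `- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6` — presumably v6, since that is what the removed line referenced, so confirm the SHA is that release's commit before adding the comment. The same applies to every SHA pin introduced in this commit.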

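--- a/.github/workflows/ci-release.yml
+++ b/.github/workflows/ci-release.yml
@@ -11,6 +11,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
 
+permissions:
+contents: write
+
 jobs:
 release:
 if: "github.repository_owner == 'SciTools'"
@@ -24,9 +27,9 @@ jobs:
 WF_VERSION_FNAME: "version.txt"
 
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
-fetch-depth: 0
+persist-credentials: false
 
 - name: "calculate release version"
 run: |
@@ -50,8 +53,10 @@ jobs:
 echo "WF_VERSION=${WF_VERSION}" >> ${GITHUB_ENV}
 
 - name: "store release version"
+env:
+WF_VERSION: ${{ env.WF_VERSION }}
 run: |
-echo ${{ env.WF_VERSION }} > ${WF_VERSION_FNAME}
+echo ${WF_VERSION} > ${WF_VERSION_FNAME}
 if [ -n "${WF_BOOTSTRAP}" ]
 then
 git add ${WF_VERSION_FNAME}
@@ -62,6 +67,9 @@ jobs:
 git push
 
 - name: "perform release"
-uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda
-with:
-tag_name: ${{ env.WF_VERSION }}
+env:
+WF_VERSION: ${{ env.WF_VERSION }}
+GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+run: |
+gh release create ${WF_VERSION} --generate-notes
+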
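Review bot: `persist-credentials: false` on the checkout removes the token that the `git push` in the `store release version` step relied on, yet that step (the `git add` … `git push` branch taken when `WF_BOOTSTRAP` is set) receives no token of its own — only the later `perform release` step gets `GH_TOKEN`. Unless the lines between `git add` and `git push` (outside the hunk) configure a credential helper, the bootstrap push will now fail to authenticate; either add `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` to that step's `env:` and push through it, `git push "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" HEAD`, or keep `persist-credentials: true` on this one checkout with a `# zizmor: ignore[artipacked]` comment stating why. Dropping `fetch-depth: 0` also means the clone is now shallow, so if `calculate release version` (body outside the hunk) derives the version from tags or history it will no longer see them. Minor: quote the expansion in `gh release create "${WF_VERSION}" --generate-notes`.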

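--- a/.github/workflows/ci-template-check-pr.yml
+++ b/.github/workflows/ci-template-check-pr.yml
@@ -6,13 +6,17 @@
 name: ci-template-check-pr
 
 on:
-pull_request_target:
+pull_request_target: # zizmor: ignore[dangerous-triggers]
 branches:
 - main
 
+permissions: {}
+
 jobs:
 prompt-share:
 uses: ./.github/workflows/ci-template-check.yml
-secrets: inherit
+secrets:
+AUTH_APP_ID: ${{ secrets.AUTH_APP_ID }}
+AUTH_APP_PRIVATE_KEY: ${{ secrets.AUTH_APP_PRIVATE_KEY }}
 with:
 pr_number: ${{ github.event.pull_request.number }}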
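Review bot: The `# zizmor: ignore[dangerous-triggers]` on `pull_request_target:` silences the finding without recording why the trigger is safe here, which is exactly what the next reader needs before trusting the suppression. State the reason inline, e.g. `pull_request_target: # zizmor: ignore[dangerous-triggers] -- secrets needed to comment on fork PRs; the called workflow never checks out the PR head`, assuming that holds — the called workflow's checkout in ci-template-check.yml has no `ref:`, so it checks out the base branch, but verify nothing later in it fetches or executes PR-head content. Replacing `secrets: inherit` with the two named secrets and passing only a numeric `pr_number` is the right narrowing and is worth noting in the same comment.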

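--- a/.github/workflows/ci-template-check.yml
+++ b/.github/workflows/ci-template-check.yml
@@ -5,35 +5,47 @@ name: ci-template-check
 
 on:
 workflow_call:
+secrets:
+AUTH_APP_ID:
+required: true
+AUTH_APP_PRIVATE_KEY:
+required: true
 inputs:
 pr_number:
 required: true
 type: number
 
+permissions: {}
+
 jobs:
 prompt-share:
 runs-on: ubuntu-latest
 
 steps:
 - name: Checkout Repository
-uses: actions/checkout@v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+with:
+persist-credentials: false
 
 - name: Checkout SciTools/.github
-uses: actions/checkout@v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 repository: SciTools/.github
 path: SciTools.github
+persist-credentials: false
 
 - name: Generate Token
 id: generate-token
-uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1
 with:
-app_id: ${{ secrets.AUTH_APP_ID }}
-private_key: ${{ secrets.AUTH_APP_PRIVATE_KEY }}
+app-id: ${{ secrets.AUTH_APP_ID }}
+private-key: ${{ secrets.AUTH_APP_PRIVATE_KEY }}
+permission-contents: write
+permission-pull-requests: write
 
 - name: Set up Python
 # _templating_scripting.py only needs builtins to run.
-uses: actions/setup-python@v6
+uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
 
 - name: Prompt author to update templates
 id: prompt_author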
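Review bot: The new `permission-contents: write` on the `Generate Token` step lets the app token push to the repository, but the only consumer visible is `Prompt author to update templates`, whose body lies outside the hunk, and the caller (ci-template-check-pr.yml) invokes this workflow on `pull_request_target`, so an over-broad token here is the classic target for PR-driven abuse. If that step only comments on the PR, drop the contents permission and keep `permission-pull-requests: write`; if it genuinely pushes commits, record that above the step, e.g. `# contents: write is required because prompt_author pushes template updates to the PR branch`. The previous `tibdex/github-app-token` handed out the app's full permission set, so the explicit `permission-*` inputs are an improvement either way — they just need to be the minimum the later steps use.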

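--- a/.github/workflows/refresh-lockfiles.yml
+++ b/.github/workflows/refresh-lockfiles.yml
@@ -14,6 +14,13 @@ name: Refresh Lockfiles
 
 on:
 workflow_call:
+secrets:
+AUTH_APP_ID:
+required: true
+AUTH_APP_PRIVATE_KEY:
+required: true
+
+permissions: {}
 
 jobs:
 get_python_matrix:
@@ -24,7 +31,10 @@ jobs:
 outputs:
 matrix: ${{ steps.get_py.outputs.matrix }}
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+with:
+persist-credentials: false
+
 - id: get_py
 run: echo "MATRIX=$(ls -1 requirements/py*.yml | xargs -n1 basename | sed 's/....$//' | jq -cnR '[inputs]')" >> ${GITHUB_OUTPUT}
 
@@ -40,17 +50,24 @@ jobs:
 python: ${{ fromJSON(needs.get_python_matrix.outputs.MATRIX) }}
 
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+with:
+persist-credentials: false
+
 - name: install requirements
 run: |
 source $CONDA/bin/activate base
 conda update -n base --all
+
 - name: generate lockfile
+env:
+MATRIX_PYTHON: ${{ matrix.python }}
 run: |
-pipx run conda-lock -k explicit -p linux-64 -f requirements/${{matrix.python}}.yml
-mv conda-linux-64.lock ${{matrix.python}}-linux-64.lock
+pipx run conda-lock -k explicit -p linux-64 -f requirements/${MATRIX_PYTHON}.yml
+mv conda-linux-64.lock ${MATRIX_PYTHON}-linux-64.lock
+
 - name: output lockfile
-uses: actions/upload-artifact@v7
+uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
 with:
 name: lock-artifacts-${{matrix.python}}
 path: ${{matrix.python}}-linux-64.lock
@@ -64,19 +81,24 @@ jobs:
 needs: gen_lockfiles
 
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+with:
+persist-credentials: false
+
 - name: get artifacts
-uses: actions/download-artifact@v8
+uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
 with:
 path: ${{ github.workspace }}/requirements/locks
 merge-multiple: true
 
 - name: "Generate token"
-uses: actions/create-github-app-token@v3
+uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1
 id: generate-token
 with:
 app-id: ${{ secrets.AUTH_APP_ID }}
 private-key: ${{ secrets.AUTH_APP_PRIVATE_KEY }}
+permission-contents: write
+permission-pull-requests: write
 
 - name: Create Pull Request
 id: cpr
@@ -98,11 +120,16 @@ jobs:
 
 - name: Check Pull Request
 if: steps.cpr.outputs.pull-request-number != ''
+env:
+CPR_PR_NUMBER: ${{ steps.cpr.outputs.pull-request-number }}
+CPR_PR_URL: ${{ steps.cpr.outputs.pull-request-url }}
+CPR_PR_OPERATION: ${{ steps.cpr.outputs.pull-request-operation }}
+CPR_PR_HEAD_SHA: ${{ steps.cpr.outputs.pull-request-head-sha }}
 run: |
 echo "### :rocket: Pull-Request Summary" >> ${GITHUB_STEP_SUMMARY}
 echo "" >> ${GITHUB_STEP_SUMMARY}
 echo "The following lock-files pull-request has been auto-generated:"
-echo "- **PR** #${{ steps.cpr.outputs.pull-request-number }}" >> ${GITHUB_STEP_SUMMARY}
-echo "- **URL** ${{ steps.cpr.outputs.pull-request-url }}" >> ${GITHUB_STEP_SUMMARY}
-echo "- **Operation** [${{ steps.cpr.outputs.pull-request-operation }}]" >> ${GITHUB_STEP_SUMMARY}
-echo "- **SHA** ${{ steps.cpr.outputs.pull-request-head-sha }}" >> ${GITHUB_STEP_SUMMARY}
+echo "- **PR** #${CPR_PR_NUMBER}" >> ${GITHUB_STEP_SUMMARY}
+echo "- **URL** ${CPR_PR_URL}" >> ${GITHUB_STEP_SUMMARY}
+echo "- **Operation** [${CPR_PR_OPERATION}]" >> ${GITHUB_STEP_SUMMARY}
+echo "- **SHA** ${CPR_PR_HEAD_SHA}" >> ${GITHUB_STEP_SUMMARY}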
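Review bot: In the `Check Pull Request` step the line `echo "The following lock-files pull-request has been auto-generated:"` is the only one in the block without `>> ${GITHUB_STEP_SUMMARY}`, so that sentence lands in the job log while the bullets it introduces land in the step summary; the commit rewrote every neighbouring line but left this one, and it should read `echo "The following lock-files pull-request has been auto-generated:" >> ${GITHUB_STEP_SUMMARY}`. Moving `matrix.python` into the `MATRIX_PYTHON` env var is the right fix for template injection, but the expansions in `requirements/${MATRIX_PYTHON}.yml` and `mv conda-linux-64.lock ${MATRIX_PYTHON}-linux-64.lock` are still unquoted; quote them as `"${MATRIX_PYTHON}"` so a value containing whitespace or glob characters cannot split or expand — the values come from `ls requirements/py*.yml` in `get_py`, so this is defence in depth rather than a live hole. The `CPR_*` expansions in the summary step are unquoted too; quoting them is harmless and keeps the two steps consistent.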
