Skip to content

Add zizmor pre-commit configuration#96

Open
ROHITCRAFTSYT wants to merge 3 commits into
beeware:mainfrom
ROHITCRAFTSYT:zizmor-pre-commit
Open

Add zizmor pre-commit configuration#96
ROHITCRAFTSYT wants to merge 3 commits into
beeware:mainfrom
ROHITCRAFTSYT:zizmor-pre-commit

Conversation

@ROHITCRAFTSYT

@ROHITCRAFTSYT ROHITCRAFTSYT commented Jul 17, 2026

Copy link
Copy Markdown

Adds zizmor to the pre-commit pipeline, as requested in #95, and fixes every finding it reports on the existing GitHub Actions configuration. Follows the approach of beeware/.github#378.

Changes

  • .pre-commit-config.yaml: add the zizmor hook (v1.27.0).
  • unpinned-uses: every action and reusable-workflow reference is pinned to a full commit hash (actions/checkout v7.0.0, actions/upload-artifact v7.0.1, actions/add-to-project v2.0.0, and beeware/.github pinned to current main, 741cc5a).
  • excessive-permissions: explicit least-privilege permissions: everywhere — contents: read for CI and the PR-template check; permissions: {} for new-issue.yml (it authenticates with BRUTUS_PAT_TOKEN, so the job's own GITHUB_TOKEN needs nothing); contents: read + pull-requests: write for the changenote workflow, mirroring what the reusable workflow declares.
  • secrets-inherit: dependabot-changenote.yml passes BRUTUS_PAT_TOKEN explicitly instead of secrets: inherit (the reusable workflow declares it as a required secret).
  • artipacked: the CI checkout sets persist-credentials: false; nothing in that job pushes.
  • dependabot-cooldown: 7-day cooldown on all three ecosystems, matching Audit permissions and add zizmor configuration .github#378 — this also resolves Add cooldown to dependabot actions #94.

zizmor .github/ now reports no findings, and pre-commit run --all-files passes with the new hook.

Fixes #95
Fixes #94

PR Checklist:

  • I will abide by the BeeWare Code of Conduct
  • I have read and have followed the CONTRIBUTING.md file
  • This PR was generated or assisted using an AI tool
    Assisted-by: Claude Fable 5 (Claude Code)

ROHITCRAFTSYT and others added 3 commits July 17, 2026 16:14
Adds the zizmor hook to pre-commit and resolves every finding it
reports on the existing workflows:

* unpinned-uses: all action and reusable-workflow references are
  pinned to full commit hashes (beeware/.github is pinned to current
  main; dependabot will propose updates).
* excessive-permissions: explicit least-privilege permissions on every
  workflow/job; new-issue.yml runs with no token permissions since it
  authenticates via BRUTUS_PAT_TOKEN.
* secrets-inherit: dependabot-changenote.yml now passes
  BRUTUS_PAT_TOKEN explicitly instead of inheriting all secrets.
* artipacked: CI checkout no longer persists credentials.
* dependabot-cooldown: 7-day cooldown on all three ecosystems,
  matching beeware/.github#378 (also resolves beeware#94).

Refs beeware#95

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
With an explicit workflow-level 'permissions: contents: read', the
towncrier-run reusable workflow's request for pull-requests: write
exceeded the caller's grant, which GitHub rejects at workflow
startup (CI failed with 'no jobs were run'). Mirror the called
workflow's declared permissions on the calling job, as already done
for dependabot-changenote.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add zizmor pre-commit configuration Add cooldown to dependabot actions

1 participant