Skip to content

Add zizmor pre-commit configuration#34

Open
ROHITCRAFTSYT wants to merge 1 commit into
beeware:mainfrom
ROHITCRAFTSYT:zizmor-pre-commit
Open

Add zizmor pre-commit configuration#34
ROHITCRAFTSYT wants to merge 1 commit into
beeware:mainfrom
ROHITCRAFTSYT:zizmor-pre-commit

Conversation

@ROHITCRAFTSYT

Copy link
Copy Markdown

Adds zizmor to the pre-commit pipeline, as requested in #33, and fixes the findings it reports on the existing GitHub Actions configuration. Follows the approach of beeware/.github#378.

Changes

  • .pre-commit-config.yaml: add the zizmor hook (v1.27.0).
  • unpinned-uses: every action and reusable-workflow reference is pinned to a full commit hash (checkout v7.0.0, build-and-inspect-python-package v2.18.0, download-artifact v8.0.1, add-to-project v2.0.0, fetch-gh-release-asset 1.1.2, gh-action-pypi-publish release/v1 head, and beeware/.github pinned to current main, 741cc5a).
  • excessive-permissions: explicit least-privilege permissions: on every workflow/job; release.yml's ci job explicitly forwards id-token: write + attestations: write so package attestation keeps working; new-issue.yml gets permissions: {} since it authenticates with BRUTUS_PAT_TOKEN.
  • artipacked: checkouts set persist-credentials: false; nothing in those jobs pushes.
  • superfluous-actions: release creation now uses the runner's gh CLI (gh release create --draft --verify-tag dist/*) instead of ncipollo/release-action — same draft release with artifacts, and the step still fails if an artifact upload fails. Happy to revert this piece if you'd rather keep the action.
  • dependabot-cooldown: 7-day cooldown on all three ecosystems, matching Audit permissions and add zizmor configuration .github#378.

One deliberate exclusion (flagging for core team review, per the issue's guidance)

unpinned-images fires on container.image: ${{ matrix.distro }}. The test matrix deliberately tracks rolling distro tags (archlinux:base, opensuse/tumbleweed, ubuntu:25.04, fedora:42) because this repo's entire purpose is testing against each distro's current system PySide6 packages — digest-pinning those images would freeze them and defeat that purpose. I've added an inline # zizmor: ignore[unpinned-images] with a justifying comment; happy to change the approach if the core team prefers digests + dependabot or a .zizmor.yml rule instead.

zizmor .github/ now reports no findings (1 justified ignore), and pre-commit run --all-files passes with the new hook.

Fixes #33

PR Checklist:

  • I will abide by the BeeWare Code of Conduct
  • I have read and have followed the CONTRIBUTING.md file
  • This PR was generated or assisted using an AI tool
    Assisted-by: Claude Fable 5 (Claude Code)

Adds the zizmor hook to pre-commit and resolves the findings it
reports on the existing workflows: hash-pin all action and
reusable-workflow references (beeware/.github pinned to current
main), explicit least-privilege permissions on every workflow/job
(release.yml's ci job forwards id-token/attestations for package
attestation), persist-credentials: false on checkouts, release
creation via the runner's gh CLI instead of ncipollo/release-action,
and a 7-day dependabot cooldown on all three ecosystems.

One finding is ignored with justification rather than fixed:
unpinned-images on the test matrix, because the matrix deliberately
tracks rolling distro tags (archlinux:base, opensuse/tumbleweed) to
test each distro's current PySide6 packages; digest-pinning would
defeat that purpose.

Refs beeware#33

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add zizmor pre-commit configuration

1 participant