add zizmor

Author: BartoszBlizniak

.github/workflows/release.yml

@@ -5,23 +5,27 @@ on:
         tags:
             - "v*"
 
-permissions:
-  id-token: write
-  contents: write
-
 jobs:
     # Build and publish to GitHub, Cloudsmith (zipapp + Docker)
     build:
         name: Build and publish artifacts
         runs-on: ubuntu-latest
+        permissions:
+            id-token: write
+            contents: write
+        env:
+            CLOUDSMITH_NAMESPACE: ${{ vars.CLOUDSMITH_NAMESPACE }}
+            CLOUDSMITH_SVC_SLUG: ${{ vars.CLOUDSMITH_SVC_SLUG }}
+            DOCKERHUB_USER: ${{ vars.DOCKERHUB_USER }}
         steps:
-            - uses: actions/checkout@v4
+            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+              with:
+                  persist-credentials: false
 
             - name: Set up Python 3.10
-              uses: actions/setup-python@v5
+              uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
               with:
                   python-version: '3.10'
-                  cache: 'pip'
 
             - name: Install build dependencies
               run: |
@@ -35,7 +39,7 @@ jobs:
             - name: Create multi-platform Zipapp with PEX
               run: |
                 pex . \
-                  --output-file cloudsmith-${{ env.VERSION }}.pyz \
+                  --output-file "cloudsmith-${VERSION}.pyz" \
                   --console-script cloudsmith \
                   --python-shebang "/usr/bin/env python3" \
                   --venv \
@@ -70,82 +74,75 @@ jobs:
                   --complete-platform .github/.platforms/macos-arm64-py314.json \
                   --complete-platform .github/.platforms/windows-x86_64-py314.json
 
-            - name: Create Release
-              id: create_release
-              uses: actions/create-release@v1
-              env:
-                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+            - name: Create Release and Upload Asset
+              uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2
               with:
-                  tag_name: v${{ env.VERSION }}
-                  release_name: Release v${{ env.VERSION }}
-                  draft: false
-                  prerelease: false
-
-            - name: Upload Release Asset
-              id: upload-release-asset
-              uses: actions/upload-release-asset@v1
+                  name: Release v${{ env.VERSION }}
+                  files: ./cloudsmith-${{ env.VERSION }}.pyz
               env:
                   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-              with:
-                  upload_url: ${{ steps.create_release.outputs.upload_url }}
-                  asset_path: ./cloudsmith-${{ env.VERSION }}.pyz
-                  asset_name: cloudsmith-${{ env.VERSION }}.pyz
-                  asset_content_type: application/zip
 
             - name: Install and authenticate Cloudsmith CLI
-              uses: cloudsmith-io/cloudsmith-cli-action@v1
+              uses: cloudsmith-io/cloudsmith-cli-action@d8a6f3fe4d45eaee8e8fafae7230e808e1c7f8ab # v2.0.0
               with:
                   oidc-namespace: ${{ vars.CLOUDSMITH_NAMESPACE }}
                   oidc-service-slug: ${{ vars.CLOUDSMITH_SVC_SLUG }}
 
             - name: Push Zipapp to Cloudsmith
               id: push_zipapp
-              run: cloudsmith push raw ${{ vars.CLOUDSMITH_NAMESPACE }}/cli-zipapp ./cloudsmith-${{ env.VERSION }}.pyz --name cloudsmith-cli --version ${{ env.VERSION }}
+              run: cloudsmith push raw "${CLOUDSMITH_NAMESPACE}/cli-zipapp" "./cloudsmith-${VERSION}.pyz" --name cloudsmith-cli --version "${VERSION}"
 
             - name: Build Python packages
               run: python setup.py sdist bdist_wheel
 
             - name: Push source distribution to Cloudsmith
-              run: cloudsmith push python ${{ vars.CLOUDSMITH_NAMESPACE }}/cli dist/cloudsmith-cli-${{ env.VERSION }}.tar.gz
+              run: cloudsmith push python "${CLOUDSMITH_NAMESPACE}/cli" "dist/cloudsmith-cli-${VERSION}.tar.gz"
 
             - name: Push wheel to Cloudsmith
-              run: cloudsmith push python ${{ vars.CLOUDSMITH_NAMESPACE }}/cli dist/cloudsmith_cli-${{ env.VERSION }}-py3-none-any.whl
+              run: cloudsmith push python "${CLOUDSMITH_NAMESPACE}/cli" "dist/cloudsmith_cli-${VERSION}-py3-none-any.whl"
 
             - name: Set up QEMU for multi-arch
-              uses: docker/setup-qemu-action@v3
+              uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
 
             - name: Set up Docker Buildx
-              uses: docker/setup-buildx-action@v3
+              uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
 
             - name: Push Dockerised CLI to Cloudsmith (multi-arch)
               id: push_dockerised_cli_cloudsmith
               run: |
-                echo "${CLOUDSMITH_API_KEY}" | docker login docker.cloudsmith.io -u ${{ vars.CLOUDSMITH_SVC_SLUG }} --password-stdin
+                echo "${CLOUDSMITH_API_KEY}" | docker login docker.cloudsmith.io -u "${CLOUDSMITH_SVC_SLUG}" --password-stdin
                 docker buildx build \
                   --platform linux/amd64,linux/arm64 \
-                  --build-arg CLOUDSMITH_CLI_VERSION=${{ env.VERSION }} \
-                  -t docker.cloudsmith.io/${{ vars.CLOUDSMITH_NAMESPACE }}/cli-zipapp/cloudsmith-cli:${{ env.VERSION }} \
+                  --build-arg "CLOUDSMITH_CLI_VERSION=${VERSION}" \
+                  -t "docker.cloudsmith.io/${CLOUDSMITH_NAMESPACE}/cli-zipapp/cloudsmith-cli:${VERSION}" \
                   --push .
 
             - name: Push Dockerised CLI to DockerHub (multi-arch)
               id: push_dockerised_cli_dockerhub
+              env:
+                  DOCKERHUB_PAT: ${{ secrets.DOCKERHUB_PAT }}
               run: |
-                echo "${{ secrets.DOCKERHUB_PAT }}" | docker login -u ${{ vars.DOCKERHUB_USER }} --password-stdin
+                echo "${DOCKERHUB_PAT}" | docker login -u "${DOCKERHUB_USER}" --password-stdin
                 docker buildx build \
                   --platform linux/amd64,linux/arm64 \
-                  --build-arg CLOUDSMITH_CLI_VERSION=${{ env.VERSION }} \
-                  -t cloudsmith/cloudsmith-cli:${{ env.VERSION }} \
+                  --build-arg "CLOUDSMITH_CLI_VERSION=${VERSION}" \
+                  -t "cloudsmith/cloudsmith-cli:${VERSION}" \
                   --push .
 
     # Publish Python packages to PyPI
     publish-pypi:
         name: Publish to PyPI
         runs-on: ubuntu-latest
+        permissions:
+            id-token: write
+            contents: read
         steps:
-            - uses: actions/checkout@v4
+            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+              with:
+                  persist-credentials: false
 
             - name: Set up Python 3.10
-              uses: actions/setup-python@v5
+              uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
               with:
                   python-version: '3.10'
 
@@ -158,6 +155,6 @@ jobs:
               run: python setup.py sdist bdist_wheel
 
             - name: Publish to PyPI
-              uses: pypa/gh-action-pypi-publish@release/v1
+              uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # release/v1
               with:
                   packages-dir: dist/