Skip to content

Commit 4a1c58d

Browse files
sloriasloria
authored
Harden CI (#229)
same as marshmallow-code/marshmallow#2952
1 parent aaaf51f commit 4a1c58d

2 files changed

Lines changed: 16 additions & 3 deletions

File tree

.github/workflows/build-release.yml

Lines changed: 12 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,9 @@ on:
55
tags: ["*"]
66
pull_request:
77

8+
permissions:
9+
contents: read
10+
811
jobs:
912
tests:
1013
name: ${{ matrix.name }}
@@ -21,17 +24,21 @@ jobs:
2124
- { name: "dev", tox: py314-marshmallowdev }
2225
steps:
2326
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
24-
- uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
2527
with:
28+
persist-credentials: false
29+
- uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
30+
with: # zizmor: ignore[cache-poisoning] cache key is lockfile-derived
2631
enable-cache: true
2732
- run: uv run tox -e${{ matrix.tox }}
2833
build:
2934
name: Build package
3035
runs-on: ubuntu-latest
3136
steps:
3237
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
33-
- uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
3438
with:
39+
persist-credentials: false
40+
- uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
41+
with: # zizmor: ignore[cache-poisoning] cache key is lockfile-derived
3542
enable-cache: true
3643
- run: uv build
3744
- run: uvx twine check --strict dist/*
@@ -47,8 +54,10 @@ jobs:
4754
runs-on: ubuntu-latest
4855
steps:
4956
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
50-
- uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
5157
with:
58+
persist-credentials: false
59+
- uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
60+
with: # zizmor: ignore[cache-poisoning] cache key is lockfile-derived
5261
enable-cache: true
5362
- run: uv run tox -e lint
5463
publish-to-pypi:

.pre-commit-config.yaml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -10,6 +10,10 @@ repos:
1010
rev: 0.37.0
1111
hooks:
1212
- id: check-github-workflows
13+
- repo: https://github.com/zizmorcore/zizmor-pre-commit
14+
rev: v1.24.0
15+
hooks:
16+
- id: zizmor
1317
- repo: https://github.com/asottile/blacken-docs
1418
rev: 1.20.0
1519
hooks:

0 commit comments

Comments
 (0)