Skip to content

Commit ac21a17

Browse files
sloriasloria
authored
Harden CI (#711)
same as marshmallow-code/marshmallow#2952
1 parent 334560e commit ac21a17

2 files changed

Lines changed: 15 additions & 3 deletions

File tree

.github/workflows/build-release.yml

Lines changed: 11 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,8 @@ on:
44
branches: ["dev"]
55
tags: ["*"]
66
pull_request:
7+
permissions:
8+
contents: read
79
jobs:
810
tests:
911
name: ${{ matrix.name }}
@@ -20,17 +22,21 @@ jobs:
2022
- { name: "mypy-madev", tox: mypy-marshmallowdev }
2123
steps:
2224
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
23-
- uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
2425
with:
26+
persist-credentials: false
27+
- uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
28+
with: # zizmor: ignore[cache-poisoning] cache key is lockfile-derived
2529
enable-cache: true
2630
- run: uv run tox -e${{ matrix.tox }}
2731
build:
2832
name: Build package
2933
runs-on: ubuntu-latest
3034
steps:
3135
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
32-
- uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
3336
with:
37+
persist-credentials: false
38+
- uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
39+
with: # zizmor: ignore[cache-poisoning] cache key is lockfile-derived
3440
enable-cache: true
3541
- run: uv build
3642
- run: uvx twine check --strict dist/*
@@ -46,8 +52,10 @@ jobs:
4652
runs-on: ubuntu-latest
4753
steps:
4854
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
49-
- uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
5055
with:
56+
persist-credentials: false
57+
- uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
58+
with: # zizmor: ignore[cache-poisoning] cache key is lockfile-derived
5159
enable-cache: true
5260
- run: uv run tox -e lint
5361
publish-to-pypi:

.pre-commit-config.yaml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,10 @@ repos:
1111
hooks:
1212
- id: check-github-workflows
1313
- id: check-readthedocs
14+
- repo: https://github.com/zizmorcore/zizmor-pre-commit
15+
rev: v1.24.0
16+
hooks:
17+
- id: zizmor
1418
- repo: https://github.com/asottile/blacken-docs
1519
rev: 1.20.0
1620
hooks:

0 commit comments

Comments
 (0)