Update all used GitHub actions#2

Merged
QuLogic merged 3 commits into matplotlib:main from QuLogic:update-workflow on Jun 11, 2026
Conversation

@QuLogic QuLogic commented Jun 11, 2026

Member

Also cleanup a few linting nits.

I also ran zizmor on the repo and it only has one complaint (three times), which are probably okay for now:

$ zizmor --pedantic .
 INFO zizmor: 🌈 zizmor v1.24.1
 INFO audit: zizmor: 🌈 completed ./.github/workflows/wheels.yml
info[template-injection]: code injection via template expansion
   --> ./.github/workflows/wheels.yml:110:29
    |
109 |         run: |
    |         --- this run block
110 |           tar -xvf dist/${{ needs.build_sdist.outputs.SDIST_NAME }}
    |                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix

help[template-injection]: code injection via template expansion
   --> ./.github/workflows/wheels.yml:111:19
    |
109 |         run: |
    |         --- this run block
110 |           tar -xvf dist/${{ needs.build_sdist.outputs.SDIST_NAME }}
111 |           cat ${{ github.workspace }}/tools/wheels/LICENSE_binary.txt >> matplotlib*/LICENSE/LICENSE
    |                   ^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → High

info[template-injection]: code injection via template expansion
   --> ./.github/workflows/wheels.yml:112:29
    |
109 |         run: |
    |         --- this run block
...
112 |           tar -cvf dist/${{ needs.build_sdist.outputs.SDIST_NAME }} matplotlib* 
    |                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix

3 findings (2 fixable): 2 informational, 1 low, 0 medium, 0 high
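All three zizmor findings above have the same root cause: `${{ ... }}` is expanded by the Actions runner before the shell ever parses the `run` script, so whatever the expression evaluates to becomes part of the script's source text rather than data the script reads. The block below is an added example, not a change from this pull request or the matplotlib workflow itself; it places the flagged step next to the usual remediation of routing the value through `env:` so the shell only sees a quoted variable. The job name `repackage`, the step names and `runs-on` are assumptions; the commands and the `needs.build_sdist.outputs.SDIST_NAME` output are the ones in the audit output above.

```yaml
# Added example (not from the pull request). Job and step names are assumptions.
jobs:
  repackage:
    needs: build_sdist
    runs-on: ubuntu-latest
    steps:
      # Before: each ${{ }} is substituted into the script text before bash runs it.
      # If the output ever carried shell metacharacters, bash would execute them.
      - name: Unpack sdist (as flagged by zizmor)
        run: |
          tar -xvf dist/${{ needs.build_sdist.outputs.SDIST_NAME }}
          cat ${{ github.workspace }}/tools/wheels/LICENSE_binary.txt >> matplotlib*/LICENSE/LICENSE
          tar -cvf dist/${{ needs.build_sdist.outputs.SDIST_NAME }} matplotlib*

      # After: the expression is evaluated once into an environment variable and the
      # script references only a quoted shell variable, so the value is plain data.
      # github.workspace is already available to the shell as GITHUB_WORKSPACE.
      - name: Unpack sdist (hardened)
        env:
          SDIST_NAME: ${{ needs.build_sdist.outputs.SDIST_NAME }}
        run: |
          tar -xvf "dist/${SDIST_NAME}"
          cat "${GITHUB_WORKSPACE}/tools/wheels/LICENSE_binary.txt" >> matplotlib*/LICENSE/LICENSE
          tar -cvf "dist/${SDIST_NAME}" matplotlib*
```

The `matplotlib*` globs stay unquoted on purpose, since the shell is meant to expand them; only the interpolated values are quoted. After the change, rerunning `zizmor --pedantic .` should no longer report `template-injection` for this step, which is the quickest way to confirm the rewrite covered every expression in the block.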

QuLogic added 2 commits June 11, 2026 15:38
Also cleanup a few linting nits.
However, the cooldown is 1 week longer than the main repo. This allows
us to confirm everything is okay there before it gets to the release
repo.
QuLogic commented Jun 11, 2026

Member Author

I've also copied the dependabot config for Actions from the main repo, with a cooldown that is 1 week longer. This should enable us to vet them at least a little bit on the main repo first.
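The arrangement described in this comment, as an added example rather than the `dependabot.yml` committed in this pull request: Dependabot's `cooldown` block holds back an update for the given number of days after a new version is published, so giving the release repo a longer cooldown than the main repo means the same action bump always lands on the main repo first and can be watched there. The day count is a placeholder; the main repo's own cooldown value is not stated on this page, so "one week longer" cannot be filled in concretely here.

```yaml
# Added example of .github/dependabot.yml; the day count is a placeholder.
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    # Wait this many days after a new action release before opening a bump PR.
    # Set it to the main repo's cooldown plus 7 so the main repo sees each update first.
    cooldown:
      default-days: 7  # placeholder: main repo's default-days + 7
```

Because the main repo and the release repo run the same Dependabot schedule, the cooldown difference is what guarantees the ordering; a shorter or equal value here would let both repos pick up the bump in the same week and remove the vetting window the comment describes.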

@QuLogic QuLogic mentioned this pull request Jun 11, 2026
QuLogic commented Jun 11, 2026

Member Author

Note, cibuildwheel 4 is out now, but I think we should wait on that update since it's a major release with some breaking changes.

@QuLogic QuLogic merged commit 6685abf into matplotlib:main Jun 11, 2026
11 checks passed
@QuLogic QuLogic deleted the update-workflow branch June 12, 2026 00:34

2 participants