
Commit ec71888

Merge pull request #23 from nextmv-io/merschformann/fix-zizmor
Addresses zizmor issues
2 parents df41294 + dcdd61f commit ec71888

3 files changed

Lines changed: 18 additions & 9 deletions


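--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -15,10 +15,12 @@ jobs:
 # due to the way we are testing
 python-version: ["3.11"]
 steps:
-- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+persist-credentials: false
 
 - name: Set up Python ${{ matrix.python-version }}
-uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ matrix.python-version }}
 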
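--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,7 +6,7 @@ on: [push]
 jobs:
 release:
 if: ${{ github.ref_type == 'branch' }}
-uses: nextmv-io/release/.github/workflows/release.yml@develop
+uses: nextmv-io/release/.github/workflows/release.yml@949cbb3b90ab294f8da42cf9c314637deaa578f5
 permissions:
 contents: write # Required for creating releases and tags
 pull-requests: write
@@ -17,7 +17,10 @@ jobs:
 PACKAGE_NAME: nextplot
 PACKAGE_LOCATION: .
 VERSION_FILE: __about__.py
-secrets: inherit
+secrets:
+SLACK_URL_MISSION_CONTROL: ${{ secrets.SLACK_URL_MISSION_CONTROL }}
+NEXTMVBOT_SSH_KEY: ${{ secrets.NEXTMVBOT_SSH_KEY }}
+NEXTMVBOT_SIGNING_KEY: ${{ secrets.NEXTMVBOT_SIGNING_KEY }}
 
 publish: # Unfortunately, PyPI publishing does not support reusable workflows, so we must publish here.
 needs: release
@@ -30,12 +33,13 @@ jobs:
 id-token: write # This is required for trusted publishing to PyPI
 steps:
 - name: git clone ${{ github.ref_name }}
-uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 ref: ${{ github.ref_name }}
+persist-credentials: false
 
 - name: set up Python
-uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 
 - name: install dependencies
 run: |
@@ -46,18 +50,19 @@ jobs:
 run: python -m build
 
 - name: python - publish package distributions to PyPI
-uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
+uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
 with:
 packages-dir: ./dist
 
 notify:
 needs: [release, publish]
 if: ${{ needs.release.outputs.RELEASE_NEEDED == 'true' && needs.release.outputs.SHOULD_NOTIFY_SLACK == 'true' }}
-uses: nextmv-io/release/.github/workflows/notify-slack.yml@develop
+uses: nextmv-io/release/.github/workflows/notify-slack.yml@949cbb3b90ab294f8da42cf9c314637deaa578f5
 permissions:
 contents: read
 with:
 PACKAGE_NAME: nextplot
 VERSION: ${{ needs.release.outputs.VERSION }}
 REPOSITORY: nextplot
-secrets: inherit
+secrets:
+SLACK_URL_MISSION_CONTROL: ${{ secrets.SLACK_URL_MISSION_CONTROL }}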
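Review bot: The two reusable-workflow pins (`release.yml@949cbb3b…` in the `release` job and `notify-slack.yml@949cbb3b…` in the `notify` job) carry no trailing comment naming the ref the SHA was taken from, unlike every other pinned `uses:` in this file (`# v6.0.2`, `# v6.2.0`, `# v1.14.0`). The previous ref was the moving `develop` branch, so the pin now stays frozen until someone bumps it and a reader cannot tell how stale it is. I would append a comment such as `# develop as of <DATE_OR_TAG_PLACEHOLDER>` to both lines and keep the two SHAs in step when updating. Separately, the explicit `secrets:` maps only work if the called workflows declare these names under `on.workflow_call.secrets`; that is not visible on this page, so confirm it against the pinned revision, in particular that `notify-slack.yml` needs nothing beyond `SLACK_URL_MISSION_CONTROL`.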

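--- a/.github/workflows/static.yml
+++ b/.github/workflows/static.yml
@@ -31,6 +31,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+persist-credentials: false
 - name: Setup Pages
 uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6.0.0
 - name: Upload artifact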
