From 911b768e9a817d982dd72c91d8bf53bf47da5ba1 Mon Sep 17 00:00:00 2001
From: Carol Willing
Date: Wed, 15 Apr 2026 17:08:48 -0700
Subject: [PATCH 1/3] Add basic pre-commit config
---
.pre-commit-config.yaml | 65 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 65 insertions(+)
create mode 100644 .pre-commit-config.yaml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..fa3e6aa
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,65 @@
+# pre-commit (https://pre-commit.com/) is a tool that runs source code checks
+# such as linting, formatting, and code style.
+
+# CI
+# pyosMeta uses pre-commit with the precommit.ci bot to check pull requests.
+# Configuration reference doc: https://pre-commit.com/#pre-commit-configyaml---top-level
+
+# Developers
+# You may want to install pre-commit to run locally on each minimum_pre_commit_version
+# See https://pre-commit.com/#install
+# To set up pre-commit hooks: pre-commit install
+# To run on all files: pre-commit run --all-files
+
+ci:
+ autofix_prs: false
+ autofix_commit_msg: |
+ '[pre-commit.ci 🤖] Apply code format tools to PR'
+ autoupdate_schedule: monthly
+
+repos:
+ # Out of the box hooks for pre-commit https://github.com/pre-commit/pre-commit-hooks
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v6.0.0
+ hooks:
+ # Makes sure files end in a newline and only a newline.
+ - id: end-of-file-fixer
+ # Check for files with names that would conflict on a case-insensitive filesystem like MacOS HFS+ or Windows FAT.
+ - id: check-case-conflict
+ # Remove trailing whitespace on code lines
+ - id: trailing-whitespace
+
+ # Spelling hook
+ - repo: https://github.com/codespell-project/codespell
+ rev: v2.4.2
+ hooks:
+ - id: codespell
+ exclude_types:
+ - javascript
+ - scss
+ - yaml
+ additional_dependencies:
+ - tomli
+
+ # Linting and formatting for Python code (see pyproject.toml for config)
+ - repo: https://github.com/astral-sh/ruff-pre-commit
+ # Ruff version.
+ rev: v0.15.10
+ hooks:
+ # Run the linter.
+ - id: ruff
+ args: [ --fix ]
+ # Run the formatter.
+ - id: ruff-format
+
+ # Ensure GitHub workflows match the expected schema.
+ - repo: https://github.com/sirosen/check-jsonschema
+ rev: 0.37.1
+ hooks:
+ - id: check-github-workflows
+
+ # Find common security issues in GitHub Actions workflows
+ - repo: https://github.com/woodruffw/zizmor-pre-commit
+ rev: v1.24.1
+ hooks:
+ - id: zizmor
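Review bot: `autofix_commit_msg: |` followed by `'[pre-commit.ci 🤖] Apply code format tools to PR'` makes the single quotes part of the value, because inside a literal block scalar quotes are ordinary characters; with `autofix_prs: false` the message is unused today, but the moment autofix is enabled the bot's commits would carry literal quotes (and a trailing newline). Write it as a plain quoted scalar instead: `autofix_commit_msg: "[pre-commit.ci 🤖] Apply code format tools to PR"` (double quotes are needed because the value starts with `[`, which would otherwise open a flow sequence). The comment `You may want to install pre-commit to run locally on each minimum_pre_commit_version` reads like an editing slip; `run locally on each commit` is presumably what was meant. Separately, every `rev:` here is a mutable tag while the sibling commit in this series pins Actions to commit SHAs; `pre-commit autoupdate --freeze` rewrites `rev:` to the full SHA with the tag kept in a trailing comment, which would give both files the same supply-chain posture.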
From 7a5003ec40ed8c5248c1787d18f3da7869d9542b Mon Sep 17 00:00:00 2001
From: Carol Willing
Date: Wed, 15 Apr 2026 17:38:48 -0700
Subject: [PATCH 2/3] Update workflows to pin actions to SHA
---
.github/workflows/add-to-help-project.yml | 8 +++++-
.github/workflows/deploy.yml | 35 ++++++++++++++---------
.github/workflows/update-pr-data.yml | 14 ++++++---
3 files changed, 38 insertions(+), 19 deletions(-)
diff --git a/.github/workflows/add-to-help-project.yml b/.github/workflows/add-to-help-project.yml
index ff60b7b..b809329 100644
--- a/.github/workflows/add-to-help-project.yml
+++ b/.github/workflows/add-to-help-project.yml
@@ -5,13 +5,19 @@ on:
 types:
 - labeled
+permissions: {}
+
 jobs:
 add-help-wanted:
 runs-on: ubuntu-latest
+ environment: help-wanted
+ permissions:
+ contents: read
+ issues: write
 steps:
 - name: Add issue to project
 id: add-to-project
- uses: actions/add-to-project@v1.0.2
+ uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
 with:
 project-url: https://github.com/orgs/pyOpenSci/projects/3
 # This is a organization level token so it can be used across all repos in our org
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index de59807..71b247f 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
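Review bot: The new job-level `contents: read` grant looks unnecessary: the only step visible in `add-help-wanted` is `actions/add-to-project`, which does not check out the repository, so the job should run with `permissions:` holding just `issues: write`. The trailing context comment says the action is fed an organization-level token, in which case even `issues: write` on `GITHUB_TOKEN` may be unused; the `with:` block continues outside the hunk, so confirm which token the action actually authenticates with before trimming. Keeping only the scopes a step demonstrably uses is what the workflow-level `permissions: {}` added here is meant to enforce.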
@@ -7,21 +7,26 @@ on:
 push:
 branches:
 - main
+
+permissions: {}
+
 env:
 # `BASE_URL` determines the website is served from, including CSS & JS assets
 # You may need to change this to `BASE_URL: ''`
 BASE_URL: /${{ github.event.repository.name }}
 # Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
-permissions:
- contents: read
- pages: write
- id-token: write
+#permissions:
+# contents: read
+# pages: write
+# id-token: write
+
 # Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
 # However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
 concurrency:
 group: 'pages'
 cancel-in-progress: false
+
 jobs:
 build:
 runs-on: ubuntu-latest
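Review bot: The old workflow-level permissions block is commented out (`#permissions:` through `# id-token: write`) rather than deleted; with `permissions: {}` now set at the workflow level and the job already carrying its own grants (`id-token: write` appears as context at the top of the next hunk), the commented copy is dead configuration that will drift from the job-level block. Remove the four commented lines, and either drop the `# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages` comment or move it next to the job-level grants it now describes.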
@@ -31,30 +36,32 @@ jobs:
 id-token: write
 steps:
 - name: Checkout Repo
- uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Setup Pages
- uses: actions/configure-pages@v5
+ uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6.0.0
 # Download latest version of Python
- - uses: actions/setup-python@v5
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
- python-version: '3.11'
+ python-version: '3.11'
 cache: 'pip'
 - name: Install Dependencies
- run: |
+ run: |
 pip install -r requirements.txt
 - name: Setup Quarto
- uses: quarto-dev/quarto-actions/setup@v2
+ uses: quarto-dev/quarto-actions/setup@8a96df13519ee81fd526f2dfca5962811136661b # v2
 with:
 version: "release"
-
+
 - name: Render dashboard website
- uses: quarto-dev/quarto-actions/render@v2
+ uses: quarto-dev/quarto-actions/render@8a96df13519ee81fd526f2dfca5962811136661b # v2
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: Upload artifact
- uses: actions/upload-pages-artifact@v3
+ uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0
 # Only deploy on pyOpenSci owned repo / when pushed to main branch
 deploy:
@@ -70,4 +77,4 @@ jobs:
 steps:
 - name: Deploy to GitHub Pages
 id: deployment
- uses: actions/deploy-pages@v4
\ No newline at end of file
+ uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0
diff --git a/.github/workflows/update-pr-data.yml b/.github/workflows/update-pr-data.yml
index 6e016d5..36c8d6e 100644
--- a/.github/workflows/update-pr-data.yml
+++ b/.github/workflows/update-pr-data.yml
@@ -9,6 +9,8 @@ on:
 # Runs at 11pm on December 31st every year
 - cron: "0 23 31 12 *"
+permissions: {}
+
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
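Review bot: The two quarto-actions pins carry `# v2` as their version comment, which is the floating major tag rather than the release the SHA `8a96df13519ee81fd526f2dfca5962811136661b` actually resolves to; the comment exists so a reviewer or update tool can check the SHA against a tag, so record the exact tag there as the other pins in this hunk do (`# v6.0.2`, `# v5.0.0`). In the checkout step the new `with:` block is placed above `uses:`; YAML does not care, but `uses:` first is the conventional order and reads better, and the same inversion appears in both update-pr-data.yml hunks of this commit. The `build` job's header sits in the preceding hunk and `deploy` continues past this one.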
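Review bot: `permissions: {}` at the workflow level leaves `GITHUB_TOKEN` with no scopes unless each job grants its own, yet this hunk keeps `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` exported to every step through workflow-level `env:`, and none of this commit's hunks in update-pr-data.yml shows a job-level `permissions:` block (the job headers lie outside the hunks), so confirm the jobs that call the API still receive the scopes they need. Exporting the token in workflow-level `env:` also exposes it to every third-party action step in every job; moving it to `env:` on the steps that use it, or at least to job level, narrows which steps can read it.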
@@ -18,9 +20,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Check out the code
- uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+ with:
+ persist-credentials: false
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Setup Python
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #v6.2.0
 with:
 python-version: "3.10"
 - name: Upgrade pip
@@ -70,9 +74,11 @@ jobs:
 if: github.ref == 'refs/heads/main'
 steps:
 - name: Check out the code
- uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+ with:
+ persist-credentials: false
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Download metrics
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 name: metrics
 path: _data
From b0754858ec157c53d7b8a1801b1e475f941d021c Mon Sep 17 00:00:00 2001
From: Carol Willing
Date: Wed, 15 Apr 2026 17:39:27 -0700
Subject: [PATCH 3/3] Add zizmor config to ignore org token warnings
---
.github/zizmor.yml | 6 ++++++
1 file changed, 6 insertions(+)
create mode 100644 .github/zizmor.yml
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..fc94c98
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,6 @@
+rules:
+ secrets-outside-env:
+ ignore:
+ - add-to-help-project.yml:23:29
+ - deploy.yml:76:29
+ - update-pr-data.yml:99:29
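Review bot: The version comment on the setup-python pin is written `#v6.2.0`, without the space every other pin in this commit uses (`# v6.0.2`, `# v8.0.1`, and `# v6.2.0` on the same action in deploy.yml); write it `# v6.2.0` so the annotations stay uniform and any tooling that reads the `# vX.Y.Z` comment beside a SHA treats this pin like the others. The enclosing job's header is outside the hunk.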
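Review bot: Each `ignore` entry pins a finding to an exact `file:line:column`, so the suppression silently stops matching as soon as any of the three workflows gains or loses a line above that point (this very series already shifts lines in all three), and the finding comes back as noise. zizmor's configuration also accepts `file.yml` and `file.yml:line` forms, as far as I recall; a per-file entry with a comment stating why the finding is accepted (`# org-level token passed to add-to-project; see the comment in the workflow`) would be more stable and tells the next reader what was weighed. If the audit's usual remediation applies here — declaring the secret under `env:` and referencing it as `${{ env.NAME }}` in `with:` — that would remove the need for the ignore entirely and is worth considering before suppressing.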