pyOpenSci · InessaPawson · May 6, 2026 · Apr 16, 2026 · Apr 16, 2026 · Apr 16, 2026
diff --git a/.github/workflows/add-to-help-project.yml b/.github/workflows/add-to-help-project.yml
@@ -5,13 +5,19 @@ on:
     types:
       - labeled
 
+permissions: {}
+
 jobs:
   add-help-wanted:
     runs-on: ubuntu-latest
+    environment: help-wanted
+    permissions:
+      contents: read
+      issues: write
     steps:
       - name: Add issue to project
         id: add-to-project
-        uses: actions/add-to-project@v1.0.2
+        uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
         with:
           project-url: https://github.com/orgs/pyOpenSci/projects/3
           # This is a organization level token so it can be used across all repos in our org

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -7,21 +7,26 @@ on:
   push:
     branches:
       - main
+
+permissions: {}
+
 env:
   # `BASE_URL` determines the website is served from, including CSS & JS assets
   # You may need to change this to `BASE_URL: ''`
   BASE_URL: /${{ github.event.repository.name }}
 
 # Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
-permissions:
-  contents: read
-  pages: write
-  id-token: write
+#permissions:
+#  contents: read
+#  pages: write
+#  id-token: write
+
 # Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
 # However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
 concurrency:
   group: 'pages'
   cancel-in-progress: false
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -31,30 +36,32 @@ jobs:
       id-token: write
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Setup Pages
-        uses: actions/configure-pages@v5
+        uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6.0.0
       # Download latest version of Python
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
-          python-version: '3.11' 
+          python-version: '3.11'
           cache: 'pip'
       - name: Install Dependencies
-        run: | 
+        run: |
             pip install -r requirements.txt
 
       - name: Setup Quarto
-        uses: quarto-dev/quarto-actions/setup@v2
+        uses: quarto-dev/quarto-actions/setup@8a96df13519ee81fd526f2dfca5962811136661b # v2
         with:
           version: "release"
-    
+
       - name: Render dashboard website
-        uses: quarto-dev/quarto-actions/render@v2
+        uses: quarto-dev/quarto-actions/render@8a96df13519ee81fd526f2dfca5962811136661b # v2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@v3
+        uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0
 
   # Only deploy on pyOpenSci owned repo / when pushed to main branch
   deploy:
@@ -70,4 +77,4 @@ jobs:
     steps:
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0
diff --git a/.github/workflows/update-pr-data.yml b/.github/workflows/update-pr-data.yml
@@ -9,6 +9,8 @@ on:
     # Runs at 11pm on December 31st every year
     - cron: "0 23 31 12 *"
 
+permissions: {}
+
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -18,9 +20,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out the code
-        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+        with:
+          persist-credentials: false
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Setup Python
-        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #v6.2.0
         with:
           python-version: "3.10"
       - name: Upgrade pip
@@ -70,9 +74,11 @@ jobs:
     if: github.ref == 'refs/heads/main'
     steps:
       - name: Check out the code
-        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+        with:
+          persist-credentials: false
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Download metrics
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: metrics
           path: _data

diff --git a/.github/zizmor.yml b/.github/zizmor.yml
@@ -0,0 +1,6 @@
+rules:
+  secrets-outside-env:
+    ignore:
+      - add-to-help-project.yml:23:29
+      - deploy.yml:76:29
+      - update-pr-data.yml:99:29
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,65 @@
+# pre-commit (https://pre-commit.com/) is a tool that runs source code checks
+# such as linting, formatting, and code style.
+
+# CI
+# pyosMeta uses pre-commit with the precommit.ci bot to check pull requests.
+# Configuration reference doc: https://pre-commit.com/#pre-commit-configyaml---top-level
+
+# Developers
+# You may want to install pre-commit to run locally on each minimum_pre_commit_version
+# See https://pre-commit.com/#install
+# To set up pre-commit hooks: pre-commit install
+# To run on all files: pre-commit run --all-files
+
+ci:
+  autofix_prs: false
+  autofix_commit_msg: |
+    '[pre-commit.ci 🤖] Apply code format tools to PR'
+  autoupdate_schedule: monthly
+
+repos:
+  # Out of the box hooks for pre-commit https://github.com/pre-commit/pre-commit-hooks
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v6.0.0
+    hooks:
+      # Makes sure files end in a newline and only a newline.
+      - id: end-of-file-fixer
+      # Check for files with names that would conflict on a case-insensitive filesystem like MacOS HFS+ or Windows FAT.
+      - id: check-case-conflict
+      # Remove trailing whitespace on code lines
+      - id: trailing-whitespace
+
+  # Spelling hook
+  - repo: https://github.com/codespell-project/codespell
+    rev: v2.4.2
+    hooks:
+      - id: codespell
+        exclude_types:
+          - javascript
+          - scss
+          - yaml
+        additional_dependencies:
+          - tomli
+
+  # Linting and formatting for Python code (see pyproject.toml for config)
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    # Ruff version.
+    rev: v0.15.10
+    hooks:
+      # Run the linter.
+      - id: ruff
+        args: [ --fix ]
+      # Run the formatter.
+      - id: ruff-format
+
+  # Ensure GitHub workflows match the expected schema.
+  - repo: https://github.com/sirosen/check-jsonschema
+    rev: 0.37.1
+    hooks:
+      - id: check-github-workflows
+
+  # Find common security issues in GitHub Actions workflows
+  - repo: https://github.com/woodruffw/zizmor-pre-commit
+    rev: v1.24.1
+    hooks:
+      - id: zizmor