From 8a557a4b05ac330bb506e087214a91dbabef5898 Mon Sep 17 00:00:00 2001
From: Maciej Olko
Date: Tue, 2 Jun 2026 09:26:00 +0200
Subject: [PATCH 1/3] Add zizmor as pre-commit hook

---
 .github/workflows/pre-commit.yml | 2 +-
 .github/workflows/update-lint-and-build.yml | 8 +++++++-
 .pre-commit-config.yaml | 8 +++++++-
 3 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index cb561fb94..c308400f2 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -4,7 +4,7 @@ on:
 - cron: '0 0 * * 1,5'
 env:
 FORCE_COLOR: 1
-
+permissions: {}
 jobs:
 lint:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/update-lint-and-build.yml b/.github/workflows/update-lint-and-build.yml
index efa6cd520..19aae657c 100644
--- a/.github/workflows/update-lint-and-build.yml
+++ b/.github/workflows/update-lint-and-build.yml
@@ -7,7 +7,7 @@ on:
 branches:
 - '*'
 workflow_dispatch:
-
+permissions: {}
 jobs:
 update:
 runs-on: ubuntu-latest
@@ -15,6 +15,8 @@ jobs:
 fail-fast: false
 matrix:
 version: [3.15, 3.14, 3.13, 3.12, 3.11, '3.10']
+ permissions:
+ contents: write # commit and push
 steps:
 - uses: styfle/cancel-workflow-action@d07a454dad7609a92316b57b23c9ccfd4f59af66 # 0.13.1
 with:
@@ -32,6 +34,7 @@ jobs:
 with:
 ref: ${{ matrix.version }}
 fetch-depth: 0
+ persist-credentials: false
 - name: Recreate Transifex config
 run: ./manage_translation.py recreate_tx_config
 env:
@@ -81,6 +84,7 @@ jobs:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 ref: ${{ matrix.version }}
+ persist-credentials: false
 - uses: rffontenelle/sphinx-lint-problem-matcher@4270bf50b2c93640a7cbb231c09f8e694699af9f # v1.0.0
 - run: sphinx-lint
 
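Review bot: `persist-credentials: false` on the checkout in the `update` job (hunk `@@ -32,6 +34,7`) stops the job's `GITHUB_TOKEN` from being written into the checked-out repository's git config, but the same job is granted `contents: write # commit and push` in hunk `@@ -15,6 +15,8`, and the step that does the push lies outside these hunks; unless that step supplies the token itself (a `token:` input on the checkout, or an authenticated remote URL set just before `git push`), the push will fail once this lands, so please confirm. Keeping `persist-credentials: false` and handing the token only to the push step is the better shape anyway, since no earlier step in the job (`./manage_translation.py recreate_tx_config` runs in the same checkout) can then read a write-capable token out of `.git/config`. The same setting on the read-only checkouts in hunks `@@ -81,6 +84,7` and `@@ -100,12 +104,14` needs nothing further.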
@@ -100,12 +104,14 @@ jobs:
 with:
 repository: python/cpython
 ref: ${{ matrix.version }}
+ persist-credentials: false
 - run: make venv
 working-directory: ./Doc
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 ref: ${{ matrix.version }}
 path: Doc/locales/pl/LC_MESSAGES
+ persist-credentials: false
 - run: git pull
 working-directory: ./Doc/locales/pl/LC_MESSAGES
 - run: sudo apt-get update && sudo apt-get install -y librsvg2-bin
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index bd1ceb0e1..05de7afd3 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -2,7 +2,7 @@ repos:
 - repo: https://github.com/astral-sh/ruff-pre-commit
 rev: 0c7b6c989466a93942def1f84baf36ddfcd60c83 # frozen: v0.15.14
 hooks:
- - id: ruff
+ - id: ruff-check
 args: [--fix, --exit-non-zero-on-fix]
 - id: ruff-format
 
@@ -34,5 +34,11 @@ repos:
 - id: check-hooks-apply
 - id: check-useless-excludes
 
+ - repo: https://github.com/zizmorcore/zizmor-pre-commit
+ rev: 9257c6050c0261b8c57e712f632dc4a8010109a9 # frozen: v1.25.2
+ hooks:
+ - id: zizmor
+ args: [--fix]
+
 ci:
 autoupdate_schedule: quarterly
From e5f047e5f41596f3be1de114755fe3e045f1b6fc Mon Sep 17 00:00:00 2001
From: Maciej Olko
Date: Wed, 3 Jun 2026 19:53:59 +0200
Subject: [PATCH 2/3] Apply suggestion from @StanFromIreland

Co-authored-by: Stan Ulbrych
---
 .github/workflows/update-lint-and-build.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/update-lint-and-build.yml b/.github/workflows/update-lint-and-build.yml
index 19aae657c..b402de887 100644
--- a/.github/workflows/update-lint-and-build.yml
+++ b/.github/workflows/update-lint-and-build.yml
@@ -7,7 +7,11 @@ on:
 branches:
 - '*'
 workflow_dispatch:
+ workflow_dispatch:
+
 permissions: {}
+
+jobs:
 jobs:
 update:
 runs-on: ubuntu-latest
From 10f6ae6ad1eb269c8f0be06556649d787a12f67e Mon Sep 17 00:00:00 2001
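Review bot: The zizmor hook is added with `args: [--fix]` and nothing about network or token handling, while the `ci:` key that follows the hunk shows the same config is run by pre-commit.ci; pre-commit.ci presumably runs hooks without network access and without a `GH_TOKEN`, so zizmor's online audits would be skipped there and `--fix` would let pre-commit.ci's autofix push rewritten workflow files into contributors' pull requests. Consider `args: [--offline]` for the hook (so local and pre-commit.ci runs are deterministic and never rewrite workflows unasked) and keep the full online audit in the `pre-commit.yml` workflow by adding `GH_TOKEN: ${{ github.token }}` to that workflow's `env:`, which still works under the new top-level `permissions: {}` because the token keeps `metadata: read`. The `rev` comment `# frozen: v1.25.2` matches the pinning style the file already uses for ruff.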
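Review bot: The added `+ workflow_dispatch:` and `+jobs:` lines leave this commit's workflow with a second `workflow_dispatch:` at a different indentation under `on:` and a duplicated top-level `jobs:` key, so the file at e5f047e is not a valid workflow (YAML loaders either reject the indentation or silently keep the last `jobs:` mapping). Patch 3/3 deletes both lines again, so patches 2/3 and 3/3 net out to two blank lines; squash them into patch 1/3 so that a commit with a broken workflow does not land in history, which matters for `git bisect` and for anyone checking out this revision.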
From: Maciej Olko
Date: Wed, 3 Jun 2026 19:54:27 +0200
Subject: [PATCH 3/3] Fix workflow syntax in update-lint-and-build.yml

---
 .github/workflows/update-lint-and-build.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.github/workflows/update-lint-and-build.yml b/.github/workflows/update-lint-and-build.yml
index b402de887..0bea2b82f 100644
--- a/.github/workflows/update-lint-and-build.yml
+++ b/.github/workflows/update-lint-and-build.yml
@@ -7,11 +7,9 @@ on:
 branches:
 - '*'
 workflow_dispatch:
- workflow_dispatch:
 
 permissions: {}
 
-jobs:
 jobs:
 update:
 runs-on: ubuntu-latest