From 3fd6d0c69c9dd90741a87f5299e8209db6d0adf4 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Sat, 25 Jan 2025 12:18:14 +0000
Subject: [PATCH 1/3] chore(deps): update pre-commit hook woodruffw/zizmor-pre-commit to v1.2.2
---
 .pre-commit-config.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 446cb962..5d73cd0a 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -53,6 +53,6 @@ repos:
 pass_filenames: false
 - repo: https://github.com/woodruffw/zizmor-pre-commit
- rev: "v1.1.1"
+ rev: "v1.2.2"
 hooks:
 - id: zizmor
From 248eba8ac98fb03171915e9192308b0ca8b069b9 Mon Sep 17 00:00:00 2001
From: Mathieu Kniewallner
Date: Sat, 25 Jan 2025 14:03:37 +0100
Subject: [PATCH 2/3] ci: set permissions explicitely
---
 .github/workflows/main.yml | 2 ++
 .github/workflows/release.yml | 2 ++
 .github/workflows/validate-codecov-config.yml | 2 ++
 .github/workflows/validate-renovate-config.yml | 2 ++
 zizmor.yml | 2 +-
 5 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 96c3a855..2a6b15dc 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -15,6 +15,8 @@ env:
 # renovate: datasource=pypi depName=uv
 UV_VERSION: '0.5.24'
+permissions: {}
+
 jobs:
 quality:
 runs-on: ubuntu-24.04
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6d41b8b5..f531c994 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,6 +10,8 @@ env:
 # renovate: datasource=pypi depName=uv
 UV_VERSION: '0.5.24'
+permissions: {}
+
 jobs:
 set-version:
 runs-on: ubuntu-24.04
diff --git a/.github/workflows/validate-codecov-config.yml b/.github/workflows/validate-codecov-config.yml
index 1578715a..537f7a07 100644
--- a/.github/workflows/validate-codecov-config.yml
+++ b/.github/workflows/validate-codecov-config.yml
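Review bot: In `.github/workflows/main.yml`, the new top-level `permissions: {}` removes every GITHUB_TOKEN scope from all jobs, and this commit adds no job-level `permissions:` blocks (each workflow gains only these two lines), so any job that needs the token must already declare its own scopes outside the visible hunks. That is worth confirming before merge, most of all for `release.yml`, whose zizmor ignore comment says it publishes documentation to the `gh-pages` branch and would therefore presumably need `contents: write` on that one job. The same point applies to the hunks in `release.yml`, `validate-codecov-config.yml` and `validate-renovate-config.yml`. I would also put a comment above the line in each file, e.g. `# Deny all GITHUB_TOKEN scopes by default; grant the minimum per job.`, so a later contributor widens a single job rather than this block. The `jobs:` mapping continues outside each hunk.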
@@ -8,6 +8,8 @@ on:
 push:
 branches: [main]
+permissions: {}
+
 jobs:
 validate-codecov-config:
 runs-on: ubuntu-24.04
diff --git a/.github/workflows/validate-renovate-config.yml b/.github/workflows/validate-renovate-config.yml
index 15589324..159b4554 100644
--- a/.github/workflows/validate-renovate-config.yml
+++ b/.github/workflows/validate-renovate-config.yml
@@ -12,6 +12,8 @@ env:
 # renovate: datasource=node depName=node versioning=node
 NODE_VERSION: "22"
+permissions: {}
+
 jobs:
 validate-renovate-config:
 runs-on: ubuntu-24.04
diff --git a/zizmor.yml b/zizmor.yml
index 1d5668bb..37f3f81e 100644
--- a/zizmor.yml
+++ b/zizmor.yml
@@ -2,4 +2,4 @@ rules:
 artipacked:
 ignore:
 # Required for publishing documentation to `gh-pages` branch.
- - release.yml:220
+ - release.yml:222
From e6e8710730ca9ba064ee6b77e341fc91735623ce Mon Sep 17 00:00:00 2001
From: Mathieu Kniewallner
Date: Sat, 25 Jan 2025 14:04:11 +0100
Subject: [PATCH 3/3] chore: move zizmor config to `.github`
---
 zizmor.yml => .github/zizmor.yml | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename zizmor.yml => .github/zizmor.yml (100%)
diff --git a/zizmor.yml b/.github/zizmor.yml
similarity index 100%
rename from zizmor.yml
rename to .github/zizmor.yml
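Review bot: The `artipacked` ignore in the `zizmor.yml` hunk is keyed to a bare line number (`release.yml:222`), and this commit already had to move it from 220 because two lines were added above it; any later edit above that step will leave the entry pointing at a different line, which could either re-raise the finding or suppress one on an unrelated step. zizmor also accepts an inline `# zizmor: ignore[artipacked]` comment on the flagged line, which travels with the step; if that fits here, move the justification ("Required for publishing documentation to `gh-pages` branch.") next to it and drop this entry. If the config-file form is kept, extend the comment to name the job or step it refers to, so the line number can be re-checked by hand after each workflow edit.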