ci: harden github actions according to "zizmor" recommendations (#13062)
Fix all issues reported by zizmor 0.9.2 running locally.

See: https://woodruffw.github.io/zizmor/
(cherry picked from commit ee8f98d)
bluetech authored and patchback[bot] committed Dec 16, 2024
1 parent 64e0f23 commit 197bede
Showing 3 changed files with 22 additions and 7 deletions.
12 changes: 9 additions & 3 deletions .github/workflows/deploy.yml
Expand Up @@ -46,6 +46,8 @@ jobs:
contents: write
steps:
- uses: actions/checkout@v4
with:
persist-credentials: true

- name: Download Package
uses: actions/download-artifact@v4
Expand All @@ -59,11 +61,13 @@ jobs:
attestations: true

- name: Push tag
env:
VERSION: ${{ github.event.inputs.version }}
run: |
git config user.name "pytest bot"
git config user.email "pytestbot@gmail.com"
git tag --annotate --message=v${{ github.event.inputs.version }} ${{ github.event.inputs.version }} ${{ github.sha }}
git push origin ${{ github.event.inputs.version }}
git tag --annotate --message=v"$VERSION" "$VERSION" ${{ github.sha }}
git push origin "$VERSION"
release-notes:

Expand Down Expand Up @@ -98,9 +102,11 @@ jobs:
pip install --upgrade tox
- name: Generate release notes
env:
VERSION: ${{ github.event.inputs.version }}
run: |
sudo apt-get install pandoc
tox -e generate-gh-release-notes -- ${{ github.event.inputs.version }} scripts/latest-release-notes.md
tox -e generate-gh-release-notes -- "$VERSION" scripts/latest-release-notes.md
- name: Publish GitHub Release
uses: softprops/action-gh-release@v2
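Review bot: `VERSION` reaches `git tag` and `git push origin "$VERSION"` with no check on its shape; the quoting closes the shell-injection path, but a `workflow_dispatch` value beginning with `-` would be parsed by git as an option and one containing `:` as a refspec rather than a tag name. A guard ahead of the `git config` lines would pin the value to the expected form, e.g. `[[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+([a-z]+[0-9]+)?$ ]] || { echo "unexpected version: $VERSION" >&2; exit 1; }`. The input definition and the `on:` block are outside this hunk, so whether the value is already constrained there cannot be confirmed here. `persist-credentials: true` is justified for this job because it pushes with `contents: write`, though it leaves the token in `.git/config` for every step of the job, including the artifact download and publish steps that run before the push.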
11 changes: 9 additions & 2 deletions .github/workflows/prepare-release-pr.yml
Expand Up @@ -30,6 +30,7 @@ jobs:
- uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false

- name: Set up Python
uses: actions/setup-python@v5
Expand All @@ -43,10 +44,16 @@ jobs:
- name: Prepare release PR (minor/patch release)
if: github.event.inputs.major == 'no'
env:
BRANCH: ${{ github.event.inputs.branch }}
PRERELEASE: ${{ github.event.inputs.prerelease }}
run: |
tox -e prepare-release-pr -- ${{ github.event.inputs.branch }} ${{ github.token }} --prerelease='${{ github.event.inputs.prerelease }}'
tox -e prepare-release-pr -- "$BRANCH" ${{ github.token }} --prerelease="$PRERELEASE"
- name: Prepare release PR (major release)
if: github.event.inputs.major == 'yes'
env:
BRANCH: ${{ github.event.inputs.branch }}
PRERELEASE: ${{ github.event.inputs.prerelease }}
run: |
tox -e prepare-release-pr -- ${{ github.event.inputs.branch }} ${{ github.token }} --major --prerelease='${{ github.event.inputs.prerelease }}'
tox -e prepare-release-pr -- "$BRANCH" ${{ github.token }} --major --prerelease="$PRERELEASE"
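Review bot: `${{ github.token }}` is still spliced into both `run:` lines as a positional argument, so the token lands in the process argv, where it is readable by other processes on the runner and could be echoed by verbose tox output; the commit moved the other inputs into `env:` but left this one inline. If `scripts/prepare-release-pr.py` can read the token from the environment (the script is outside this hunk), adding `GITHUB_TOKEN: ${{ github.token }}` to the step `env:` and dropping the positional argument is the cleaner form; failing that, pass `"$GITHUB_TOKEN"` from `env:` so no expression remains in the script body. The two steps now carry identical `env:` blocks, which a job-level `env:` would deduplicate.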
6 changes: 4 additions & 2 deletions .github/workflows/update-plugin-list.yml
Expand Up @@ -23,12 +23,14 @@ jobs:
uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false

- name: Setup Python
uses: actions/setup-python@v5
with:
python-version: "3.11"
cache: pip

- name: requests-cache
uses: actions/cache@v4
with:
Expand All @@ -41,7 +43,6 @@ jobs:
python -m pip install --upgrade pip
pip install packaging requests tabulate[widechars] tqdm requests-cache platformdirs
- name: Update Plugin List
run: python scripts/update-plugin-list.py

Expand All @@ -61,8 +62,9 @@ jobs:
- name: Instruct the maintainers to trigger CI by undrafting the PR
env:
GITHUB_TOKEN: ${{ github.token }}
PULL_REQUEST_NUMBER: ${{ steps.pr.outputs.pull-request-number }}
run: >-
gh pr comment
--body 'Please mark the PR as ready for review to trigger PR checks.'
--repo '${{ github.repository }}'
'${{ steps.pr.outputs.pull-request-number }}'
"$PULL_REQUEST_NUMBER"
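Review bot: With `persist-credentials: false` on the checkout, the `pr` step that opens the pull request (outside this hunk) can no longer rely on credentials left in `.git/config` to push its branch; confirm it is given a token of its own, otherwise the push would fail after this change. In the comment step, `--repo '${{ github.repository }}'` is the one expression still inside the script; it is repository-controlled rather than attacker-controlled, but for consistency with `PULL_REQUEST_NUMBER` it could move to `env:` as `REPOSITORY: ${{ github.repository }}` and be used as `--repo "$REPOSITORY"`.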
