From aedd0c85d00a843f4208e9002eed89ec2d8337e6 Mon Sep 17 00:00:00 2001
From: jdegenstein
Date: Thu, 23 Apr 2026 15:11:31 -0500
Subject: [PATCH] incorporate zizmor github action security recommendations add linux-aarch64 to benchmark and test test most on python 3.14, one test on 3.10 + linux-x86_64
---
 .github/actions/setup/action.yml | 2 +-
 .github/workflows/benchmark.yml | 14 ++++++++++----
 .github/workflows/coverage.yml | 12 ++++++++++--
 .github/workflows/lint.yml | 8 +++++++-
 .github/workflows/publish.yml | 16 ++++++++++------
 .github/workflows/test.yml | 25 ++++++++++++++++++-------
 .github/workflows/type.yml | 8 +++++++-
 7 files changed, 63 insertions(+), 22 deletions(-)
diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
index ebcdd8cb..68bf3f32 100644
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@@ -11,7 +11,7 @@ runs:
 using: "composite"
 steps:
 - name: Setup Python
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b #v8.1.0
 with:
 enable-cache: false
 python-version: ${{ env.PYTHON_INPUT_VER }}
diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index b090396c..3a19a8e5 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -1,8 +1,12 @@
 name: benchmarks
 on: [push, pull_request, workflow_dispatch]
-jobs:
+permissions:
+ contents: read
+ actions: write
+
+jobs:
 benchmarks:
 strategy:
 fail-fast: false
@@ -10,11 +14,13 @@ jobs:
 python-version: [ "3.12", ]
- os: [macos-15-intel, macos-14, ubuntu-latest, windows-latest]
+ os: [macos-15-intel, macos-14, ubuntu-latest, windows-latest, ubuntu-24.04-arm]
 runs-on: ${{ matrix.os }}
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+ with:
+ persist-credentials: false
 - uses: ./.github/actions/setup/
 with:
 python-version: ${{ matrix.python-version }}
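Review bot: The version comment after the pinned SHA on the new `uses:` line is written `#v8.1.0` with no space after `#`, which yamllint's `comments` rule rejects; write it `uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0`. Every new pin in this commit uses the same spelling (benchmark.yml, coverage.yml, lint.yml, publish.yml, test.yml, type.yml), so fix them together. The tag comment is worth keeping accurate: once the SHA is the source of truth it is the only human-readable record of which release the SHA is expected to be, and pin-update tooling such as Dependabot typically keeps it in sync with the SHA it bumps. Since the commit is the moment the pins are introduced, a reviewer should verify once that each commented tag actually resolves to the recorded SHA.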
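Review bot: The new workflow-level `permissions:` block grants `actions: write` to every job's `GITHUB_TOKEN`, and as far as the visible steps go nothing here needs it: `actions/checkout` needs only `contents: read`, and `actions/upload-artifact` authenticates with the runner's runtime token rather than a `GITHUB_TOKEN` scope. `actions: write` lets the token cancel or re-run workflow runs and delete artifacts and caches, which is the kind of surplus a least-privilege pass is meant to remove. The same grant appears at the top of coverage.yml, where there is no artifact step at all, and on the `build_wheel` job in publish.yml. If it is intentional, document the reason inline, e.g. `actions: write  # needed for <reason>`, otherwise drop the line in all three files.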
@@ -24,7 +30,7 @@ jobs:
 python -m pytest --benchmark-only --benchmark-autosave
 pytest-benchmark compare --csv="results.csv"
 cat results.csv
- - uses: actions/upload-artifact@v6
+ - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
 with:
 name: benchmark-results-${{ matrix.os }}
 path: results.csv
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index f72d50f1..2e4321ea 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -1,11 +1,19 @@
 name: Upload coverage reports to Codecov
+
 on: [push, pull_request]
+
+permissions:
+ contents: read
+ actions: write
+
 jobs:
 run:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+ with:
+ persist-credentials: false
 - name: Setup
 uses: ./.github/actions/setup/
 with:
@@ -14,4 +22,4 @@ jobs:
 - name: Run tests and collect coverage
 run: pytest --cov=build123d
 - name: Upload coverage to Codecov
- uses: codecov/codecov-action@v5
+ uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 #v6.0.0
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index d706e119..8474b303 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,6 +1,10 @@
 name: pylint
 on: [push, pull_request]
+
+permissions:
+ contents: read
+
 jobs:
 lint:
 strategy:
@@ -8,7 +12,9 @@ jobs:
 python-version: [ "3.10" ]
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+ with:
+ persist-credentials: false
 - uses: ./.github/actions/setup
 with:
 python-version: ${{ matrix.python-version }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index e873f0bf..1a607cd2 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -2,17 +2,22 @@ name: Wheel building and publishing
 on: [push, pull_request, workflow_dispatch] # TODO: update this later
+permissions: {}
+
 jobs:
 build_wheel:
 # This does the actual wheel building or if triggered manually via the workflow dispatch, or for a tag.
 # this job does NOT publish the wheel
 name: Build wheel on ubuntu-latest
 runs-on: ubuntu-latest
- #if: github.event_name == 'workflow_dispatch'
+ permissions:
+ contents: read
+ actions: write
 if: (github.repository == 'gumyr/build123d' && ( startsWith(github.ref, 'refs/tags/v'))) || github.event_name == 'workflow_dispatch'
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
 with:
+ persist-credentials: false
 fetch-depth: 0 # get all history for setuptools_scm
 - name: Build sdist and wheel
@@ -28,7 +33,7 @@ jobs:
 python3 -m pip freeze
 ls -lR
- - uses: actions/upload-artifact@v6
+ - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
 with:
 path: ./wheelhouse/build123d*.* # store the build123d wheel and sdist
@@ -40,18 +45,17 @@ jobs:
 url: https://pypi.org/p/build123d
 permissions:
 id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
- # if: github.event_name == 'release' && github.event.action == 'published'
 # or, alternatively, upload to PyPI on every tag starting with 'v' (remove on: release above to use this)
 if: needs.build_wheel.result == 'success'
 #if: (github.repository == 'gumyr/build123d' && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v'))
 steps:
- - uses: actions/download-artifact@v7
+ - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 #v7.0.0
 with:
 # unpacks default artifact into dist/
 # if `name: artifact` is omitted, the action will create extra parent dir
 name: artifact
 path: dist
- - uses: pypa/gh-action-pypi-publish@release/v1
+ - uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b #v1.14.0
 # with:
 # for testing with test.pypi.org
 # To test: repository-url: https://test.pypi.org/legacy/
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index df1e2d82..3697713d 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,21 +1,32 @@
 name: tests
 on: [push, pull_request, workflow_dispatch]
-jobs:
+permissions:
+ contents: read
+
+jobs:
 tests:
 strategy:
 fail-fast: false
 matrix:
- python-version: [
- "3.10",
- "3.14",
- ]
- os: [macos-15-intel, macos-14, ubuntu-latest, windows-latest]
+ python-version: ["3.14"]
+ os: [
+ macos-15-intel,
+ macos-14,
+ ubuntu-latest,
+ windows-latest,
+ ubuntu-24.04-arm
+ ]
+ include:
+ - python-version: "3.10"
+ os: ubuntu-latest
 runs-on: ${{ matrix.os }}
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+ with:
+ persist-credentials: false
 - uses: ./.github/actions/setup/
 with:
 python-version: ${{ matrix.python-version }}
diff --git a/.github/workflows/type.yml b/.github/workflows/type.yml
index fabd3841..05630e2d 100644
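Review bot: The publish job's gate on the new side is still only `if: needs.build_wheel.result == 'success'`, so any run in which `build_wheel` succeeds publishes to PyPI — and `build_wheel` is allowed to run on a plain `workflow_dispatch` from any branch, not only on a `refs/tags/v*` push. With the publisher now SHA-pinned and `id-token: write` scoped to this job, that gate is the remaining weak point; tightening it to `if: needs.build_wheel.result == 'success' && startsWith(github.ref, 'refs/tags/v')` (the commented-out `#if:` line beside it already sketches this) turns a manual dispatch into a build-only run. If manual releases are a deliberate workflow, a required-reviewer rule on the PyPI `environment` gives the same control with an audit trail. The `environment:` block and the start of this job lie above the hunk.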
--- a/.github/workflows/type.yml
+++ b/.github/workflows/type.yml
@@ -1,6 +1,10 @@
 name: Run type checking
 on: [push, pull_request]
+
+permissions:
+ contents: read
+
 jobs:
 typecheck:
 strategy:
@@ -13,7 +17,9 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+ with:
+ persist-credentials: false
 - name: Setup
 uses: ./.github/actions/setup
 with: