From 9c810bc91df5af9be559fa9cf2cf3445223310c9 Mon Sep 17 00:00:00 2001
From: Adam Dangoor
Date: Mon, 29 Dec 2025 13:07:32 +0000
Subject: [PATCH 1/4] Add zizmor for GitHub Actions security linting
---
 .pre-commit-config.yaml | 10 ++++++++++
 pyproject.toml | 1 +
 2 files changed, 11 insertions(+)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 3e4a58ce..b449e60e 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -37,6 +37,7 @@ ci:
 - vulture
 - vulture-docs
 - yamlfix
+ - zizmor
 - pyrefly
 - pyrefly-docs
@@ -369,6 +370,15 @@ repos:
 additional_dependencies: [uv==0.9.5]
 stages: [pre-commit]
+ - id: zizmor
+ name: zizmor
+ entry: uv run --extra=dev zizmor .github
+ language: python
+ pass_filenames: false
+ types_or: [yaml]
+ additional_dependencies: [uv==0.9.5]
+ stages: [pre-commit]
+
 - id: sphinx-lint
 name: sphinx-lint
 entry: uv run --extra=dev sphinx-lint --enable=all --disable=line-too-long
diff --git a/pyproject.toml b/pyproject.toml
index 4e0d44e4..5c24587e 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -78,6 +78,7 @@ optional-dependencies.dev = [
 "vws-python-mock==2025.3.10.1",
 "vws-test-fixtures==2023.3.5",
 "yamlfix==1.19.1",
+ "zizmor==1.19.0",
 ]
 optional-dependencies.release = [
 "check-wheel-contents==0.6.3",
From 2ef3c441fb05b16a83328647b20a88742735895e Mon Sep 17 00:00:00 2001
From: Adam Dangoor
Date: Mon, 29 Dec 2025 16:30:50 +0000
Subject: [PATCH 2/4] Add zizmor config and ignore in check-manifest
---
 pyproject.toml | 1 +
 zizmor.yml | 12 ++++++++++++
 2 files changed, 13 insertions(+)
 create mode 100644 zizmor.yml
diff --git a/pyproject.toml b/pyproject.toml
index 5c24587e..05ff66ae 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -289,6 +289,7 @@ ignore = [
 "bin",
 "bin/*",
 "src/*/_setuptools_scm_version.py",
+ "zizmor.yml",
 ]
 [tool.deptry]
diff --git a/zizmor.yml b/zizmor.yml
new file mode 100644
index 00000000..f63e179d
--- /dev/null
+++ b/zizmor.yml
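Review bot: The new `zizmor` hook runs `uv run --extra=dev zizmor .github` with no GitHub token, so — as far as I know zizmor's behaviour — the audits that consult the GitHub API (for example `known-vulnerable-actions`) are skipped with a warning in every pre-commit run, and the `ci:` skip list in the earlier hunk also excludes the hook from pre-commit.ci, so those audits currently run nowhere. Consider complementing the hook with a CI job that runs zizmor with `GH_TOKEN` set, or at least record the limitation on the hook, e.g. `# Offline run: API-backed zizmor audits are skipped here; they run in CI.`. The `entry:` also hard-codes `.github`, which is fine while workflows and composite actions live only there; a comment saying so would save the next person wondering why `pass_filenames: false` is set.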
@@ -0,0 +1,12 @@
+---
+rules:
+ unpinned-uses:
+ disable: true
+ cache-poisoning:
+ disable: true
+ bot-conditions:
+ disable: true
+ dependabot-cooldown:
+ disable: true
+ template-injection:
+ disable: true
From ba613a95838be43b831bea3060e26a03c6a85c9d Mon Sep 17 00:00:00 2001
From: Adam Dangoor
Date: Mon, 29 Dec 2025 17:01:46 +0000
Subject: [PATCH 3/4] Fix zizmor issues in GitHub workflows
---
 .github/workflows/ci.yml | 4 ++++
 .github/workflows/lint.yml | 7 +++++--
 .github/workflows/publish-site.yml | 5 +++--
 .github/workflows/release.yml | 1 +
 4 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 73e37063..48043e9d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,6 +12,8 @@ on:
 # Run at 1:00 every day
 - cron: 0 1 * * *
+permissions: {}
+
 jobs:
 build:
@@ -24,6 +26,8 @@ jobs:
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - name: Install uv
 uses: astral-sh/setup-uv@v7
 with:
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index ebae620a..12a3ef1d 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -12,6 +12,8 @@ on:
 # Run at 1:00 every day
 - cron: 0 1 * * *
+permissions: {}
+
 jobs:
 build:
@@ -23,10 +25,11 @@ jobs:
 runs-on: ${{ matrix.platform }}
 steps:
- - uses: actions/checkout@v6
- # We need our tags in order to calculate the version
+ - uses: actions/checkout@v6 # We need our tags in order to calculate the version
 # in the Sphinx setup.
+ with:
+ persist-credentials: false
 fetch-depth: 0
 fetch-tags: true
diff --git a/.github/workflows/publish-site.yml b/.github/workflows/publish-site.yml
index 390fb01f..f57fa641 100644
--- a/.github/workflows/publish-site.yml
+++ b/.github/workflows/publish-site.yml
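Review bot: `template-injection` and `unpinned-uses` are disabled for the whole repository with no recorded reason, which switches off the two audits most likely to catch a real problem in future workflow edits (expressions interpolated into `run:` scripts, and actions referenced by mutable tags such as `astral-sh/setup-uv@v7` in `ci.yml`). Prefer suppressing the specific current findings — zizmor accepts per-rule `ignore:` lists of `workflow.yml[:line]` entries and inline `# zizmor: ignore[rule-name]` comments — so the audits stay active for new code; if hash-pinning is the objection, `unpinned-uses` can, if I recall its config correctly, be kept with a relaxed `policies` setting instead of `disable: true`. At minimum put a one-line justification above each disabled rule, e.g. `# Disabled: only first-party actions on major tags are used; revisit if a third-party action is added.`.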
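Review bot: `permissions: {}` strips every scope from `GITHUB_TOKEN` for all jobs in `ci.yml`, and nothing in the visible hunks grants any back at job level. That is fine while the repository is public and the jobs only check out and run tests, but a private repository, or a step that calls the GitHub API, would need a job-level grant such as `permissions:` / `  contents: read`; a comment on the new line would make the intent explicit, e.g. `# Least privilege by default; grant scopes per job where a step needs them.`. The identical hunk in `lint.yml` has the same consideration.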
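Review bot: The rewritten checkout step in `lint.yml` splits one explanatory sentence across an inline comment on `uses:` and an orphaned `# in the Sphinx setup.` line, although the comment explains `fetch-depth`/`fetch-tags`, not the checkout itself — the bot commit 4/4 already had to restyle the inline half. Move both comment lines back together inside `with:`, directly above `fetch-depth: 0`, so they sit next to the keys they justify and survive future reformatting unchanged. `publish-site.yml` in this patch has the same layout. The step's `with:` block continues outside the hunk.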
@@ -17,10 +17,11 @@ jobs:
 pages: write
 id-token: write
 steps:
- - uses: actions/checkout@v6
- # We need our tags in order to calculate the version
+ - uses: actions/checkout@v6 # We need our tags in order to calculate the version
 # in the Sphinx setup.
+ with:
+ persist-credentials: false
 fetch-depth: 0
 fetch-tags: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8eb65a76..746593a7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -23,6 +23,7 @@ jobs:
 steps:
 - uses: actions/checkout@v6
 with:
+ persist-credentials: false
 # See
 # https://github.com/stefanzweifel/git-auto-commit-action?tab=readme-ov-file#push-to-protected-branches
 token: ${{ secrets.RELEASE_PAT }}
From 04c8ed085d4f0dc3ea6e1b4581568e7fa0541a7a Mon Sep 17 00:00:00 2001
From: "pre-commit-ci-lite[bot]" <117423508+pre-commit-ci-lite[bot]@users.noreply.github.com>
Date: Mon, 29 Dec 2025 17:03:09 +0000
Subject: [PATCH 4/4] [pre-commit.ci lite] apply automatic fixes
---
 .github/workflows/lint.yml | 2 +-
 .github/workflows/publish-site.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 12a3ef1d..86fd82a7 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -25,7 +25,7 @@ jobs:
 runs-on: ${{ matrix.platform }}
 steps:
- - uses: actions/checkout@v6 # We need our tags in order to calculate the version
+ - uses: actions/checkout@v6 # We need our tags in order to calculate the version
 # in the Sphinx setup.
 with:
diff --git a/.github/workflows/publish-site.yml b/.github/workflows/publish-site.yml
index f57fa641..75d3a6af 100644
--- a/.github/workflows/publish-site.yml
+++ b/.github/workflows/publish-site.yml
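Review bot: `persist-credentials: false` on the `release.yml` checkout may defeat the mechanism the next two lines document: the linked git-auto-commit-action guidance relies on checking out with the PAT so that the persisted credential is used by the later push to the protected branch. With persistence off, a subsequent push step uses whatever credential it is given (likely the default `GITHUB_TOKEN`, which branch protection would reject) unless `RELEASE_PAT` is supplied to it explicitly — I cannot see the push step, so please confirm the workflow still pushes before merging. If the persisted PAT is required here, keep it for this step with an inline justification, `persist-credentials: true # zizmor: ignore[artipacked] -- PAT needed for the push below`, and make sure the checkout directory is never uploaded as an artifact. The push step is outside the hunk.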
@@ -17,7 +17,7 @@ jobs:
 pages: write
 id-token: write
 steps:
- - uses: actions/checkout@v6 # We need our tags in order to calculate the version
+ - uses: actions/checkout@v6 # We need our tags in order to calculate the version
 # in the Sphinx setup.
 with: