Kludex/uvicorn
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ci: add zizmor (#2872)

Browse Source
This commit is contained in:
Marcelo Trylesinski 2026-03-28 10:39:39 +01:00 committed by GitHub
parent c61f9d4ebd
commit 042ffeb7d6
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 54 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.github/workflows/benchmark.yml vendored
View File

@ -1,4 +1,3 @@
---
name: CodSpeed
on:
@ -17,11 +16,14 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
with:
persist-credentials: false
- name: Install uv
uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
with:
python-version: "3.13"
enable-cache: true
- name: Install dependencies
run: scripts/install

10
.github/workflows/main.yml vendored
View File

@ -1,4 +1,3 @@
---
name: Test Suite
on:
@ -13,6 +12,9 @@ jobs:
runs-on: "${{ matrix.os }}"
timeout-minutes: 10
permissions:
contents: read
strategy:
fail-fast: false
matrix:
@ -21,6 +23,8 @@ jobs:
steps:
- uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
with:
persist-credentials: false
- name: Install uv
uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
@ -53,6 +57,10 @@ jobs:
if: always()
needs: [tests]
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Decide whether the needed jobs succeeded or failed
uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2

18
.github/workflows/publish.yml vendored
View File

@ -10,14 +10,19 @@ jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Install uv
uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
with:
python-version: "3.11"
enable-cache: true
enable-cache: false
- name: Install dependencies
run: scripts/install
@ -67,7 +72,9 @@ jobs:
contents: write
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
# `mkdocs gh-deploy` pushes the built docs to `gh-pages`, so this job needs
# a real checkout with the authenticated origin remote preserved.
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # zizmor: ignore[artipacked]
- name: Download artifacts
uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
with:
@ -83,7 +90,7 @@ jobs:
uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
with:
python-version: "3.12"
enable-cache: true
enable-cache: false
- name: Install dependencies
run: scripts/install
@ -95,12 +102,17 @@ jobs:
runs-on: ubuntu-latest
needs: build
permissions:
contents: read
environment:
name: cloudflare
url: https://uvicorn.dev
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Download artifacts
uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
with:

27
.github/workflows/zizmor.yml vendored Normal file
View File

@ -0,0 +1,27 @@
name: GitHub Actions Security Analysis
on:
push:
branches: ["main"]
pull_request:
branches: ["**"]
permissions: {}
jobs:
zizmor:
runs-on: ubuntu-latest
permissions:
security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
contents: read # Only needed for private repos. Needed to clone the repo.
actions: read # Only needed for private repos. Needed for upload-sarif to read workflow run info.
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Run zizmor 🌈
uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2