diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index 5207cfb7..5e9ad82a 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -1,4 +1,3 @@ ---- name: CodSpeed on: @@ -17,11 +16,14 @@ jobs: runs-on: ubuntu-latest steps: - uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2 + with: + persist-credentials: false - name: Install uv uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1 with: python-version: "3.13" + enable-cache: true - name: Install dependencies run: scripts/install diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 70807e1f..82d77727 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -1,4 +1,3 @@ ---- name: Test Suite on: @@ -13,6 +12,9 @@ jobs: runs-on: "${{ matrix.os }}" timeout-minutes: 10 + permissions: + contents: read + strategy: fail-fast: false matrix: @@ -21,6 +23,8 @@ jobs: steps: - uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2 + with: + persist-credentials: false - name: Install uv uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1 @@ -53,6 +57,10 @@ jobs: if: always() needs: [tests] runs-on: ubuntu-latest + + permissions: + contents: read + steps: - name: Decide whether the needed jobs succeeded or failed uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2 diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index a252a87f..a369d210 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
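Review bot: The benchmark job's checkout now drops its credentials, but unlike the jobs in main.yml it receives no job-level `permissions:` in this commit, so unless benchmark.yml sets workflow-level permissions outside this hunk the job keeps the repository's default GITHUB_TOKEN scope. Adding `permissions:` / `  contents: read` beside `runs-on: ubuntu-latest` would bring it in line with the other workflows touched here; any step that genuinely needs more can be granted it explicitly. The job definition begins before the hunk, so the job id and any `permissions` it may already carry are not visible.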
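Review bot: Both jobs in main.yml now declare `contents: read`, but neither hunk shows a workflow-level default, so a job added later without its own block would inherit the repository default; the same applies to the alls-green job at `@@ -53,6 +57,10 @@`. If the file has no top-level block, `permissions: {}` placed after `on:`, as the new zizmor.yml does, makes deny-by-default explicit rather than relying on every job remembering to opt in. As a point of style, the first hunk puts `permissions:` directly under `timeout-minutes: 10` while the second sets it off with blank lines on both sides; picking one layout keeps the file consistent. The job headers sit outside both hunks, so this is inferred from what is visible.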
@@ -10,14 +10,19 @@ jobs: build: runs-on: ubuntu-latest + permissions: + contents: read + steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Install uv uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1 with: python-version: "3.11" - enable-cache: true + enable-cache: false - name: Install dependencies run: scripts/install @@ -67,7 +72,9 @@ jobs: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + # `mkdocs gh-deploy` pushes the built docs to `gh-pages`, so this job needs + # a real checkout with the authenticated origin remote preserved. + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # zizmor: ignore[artipacked] - name: Download artifacts uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 with: @@ -83,7 +90,7 @@ jobs: uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1 with: python-version: "3.12" - enable-cache: true + enable-cache: false - name: Install dependencies run: scripts/install @@ -95,12 +102,17 @@ jobs: runs-on: ubuntu-latest needs: build + permissions: + contents: read + environment: name: cloudflare url: https://uvicorn.dev steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Download artifacts uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 with: diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 00000000..0950d527 --- /dev/null +++ b/.github/workflows/zizmor.yml 
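Review bot: `enable-cache` is flipped from `true` to `false` in the build job here and again in the docs job at `@@ -83,7 +90,7 @@`, while the same commit turns it on in benchmark.yml, and nothing in the diff records why. A comment above the flipped line stating the reason (for example `# uv cache deliberately disabled for release builds` if that is the intent) would stop the next reader from "fixing" the apparent inconsistency. Both job definitions start before their hunks, so the job ids are not visible here.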
@@ -0,0 +1,27 @@
+name: GitHub Actions Security Analysis
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ branches: ["**"]
+
+permissions: {}
+
+jobs:
+ zizmor:
+ runs-on: ubuntu-latest
+
+ permissions:
+ security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
+ contents: read # Only needed for private repos. Needed to clone the repo.
+ actions: read # Only needed for private repos. Needed for upload-sarif to read workflow run info.
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor 🌈
+ uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
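Review bot: The `zizmor` job requests `security-events: write`, but on `pull_request` runs coming from forks GITHUB_TOKEN is read-only regardless of the declared permissions, so the SARIF upload performed by zizmor-action may fail on those runs; confirm how the action behaves there before making this workflow a required check. The job also lacks the `timeout-minutes` the jobs in main.yml carry, e.g. `timeout-minutes: 10` beside `runs-on: ubuntu-latest`. The three permission comments read like the action's documented defaults ("Only needed for private repos"); trimming them to this repository's actual situation would keep them accurate.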