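--- a/(path not shown) docset workflow
+++ b/(path not shown) docset workflow
@@ -12,20 +12,21 @@
 
 permissions: {}
 
+
 jobs:
   docset:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: "3.x"
+      - uses: hynek/setup-cached-uv@v2
 
-      - run: python -Im pip install tox
-
-      - run: python -Im tox run -e docset
+      - run: uvx --with=tox-uv tox run -e docset
 
       - uses: actions/upload-artifact@v4
         with: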
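Review bot: The new `uvx --with=tox-uv tox run -e docset` resolves both tox and tox-uv from PyPI at run time with no version or hash pin, so the docs build depends on whatever is newest at the moment the job runs; the removed `pip install tox` had the same weakness, but this is the moment to fix it, e.g. `- run: uvx --from 'tox==<pinned>' --with 'tox-uv==<pinned>' tox run -e docset`. The actions themselves (`actions/checkout@v4`, `actions/setup-python@v5`, `hynek/setup-cached-uv@v2`) are referenced by mutable tags; with `permissions: {}` at the top and the new `persist-credentials: false` the blast radius of a hijacked tag is limited to the build output, but a commit-SHA pin with a version comment is the stronger control for a job that produces a published artifact.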
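--- a/(path not shown) CI workflow
+++ b/(path not shown) CI workflow
@@ -16,6 +16,7 @@
 
 permissions: {}
 
+
 jobs:
   build-package:
     name: Build & verify package
@@ -25,6 +26,7 @@
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - uses: hynek/build-and-inspect-python-package@v2
         id: baipp
@@ -59,8 +61,9 @@
       - uses: hynek/setup-cached-uv@v2
 
       - name: Prepare tox
+        env:
+          V: ${{ matrix.python-version }}
         run: |
-          V=${{ matrix.python-version }}
           DO_MYPY=1
 
           if [[ "$V" == "3.8" ]]; then
@@ -73,7 +76,7 @@
       - run: >
           uvx --with=tox-uv
           tox run
-          -e ${{ env. TOX_PYTHON }} -mypy
+          -e $TOX_PYTHON-mypy
         if: env.DO_MYPY == '1'
 
       - name: Remove src to ensure tests run against wheel
@@ -83,7 +86,7 @@
           uvx --with=tox-uv
           tox run
           --installpkg dist/*.whl
-          -e ${{ env. TOX_PYTHON }} -tests
+          -e $TOX_PYTHON-tests
 
       - name: Upload coverage data
         uses: actions/upload-artifact@v4
@@ -192,6 +195,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version-file: .python-version-default
@@ -205,6 +210,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version-file: .python-version-default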
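Review bot: In the Prepare tox step the new `env: V: ${{ matrix.python-version }}` is the right way to keep the matrix value out of the script body, but `V` tells a reader nothing; `PYTHON_VERSION: ${{ matrix.python-version }}` with `if [[ "$PYTHON_VERSION" == "3.8" ]]; then` costs nothing and documents itself. That string comparison only works if the matrix entries are quoted (`"3.10"` rather than `3.10`, which a YAML 1.1 loader reads as the float `3.1`); the matrix definition is outside this hunk, so confirm it there. `$TOX_PYTHON` used in the two `run: >` blocks is presumably exported via `GITHUB_ENV` further down in Prepare tox, which is also outside the hunk; if it is not set, tox would receive the literal environment `-mypy` / `-tests`.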
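--- a/(path not shown) CodeQL workflow
+++ b/(path not shown) CodeQL workflow
@@ -25,11 +25,16 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v3
         with:
           languages: ${{ matrix.language }}
 
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v3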
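Review bot: The added Autobuild step is only meaningful for compiled languages in the matrix; for Python (which the rest of this commit suggests is the project's language) CodeQL analyzes the source without a build, so `github/codeql-action/autobuild@v3` presumably contributes only run time here, while for a compiled entry it executes the repository's own build logic inside the job. Since `matrix.language` is defined outside this hunk, either drop the step if the matrix is Python-only or add a comment above it so the next reader does not have to work this out: `# Autobuild is a no-op for interpreted languages; kept only for compiled matrix entries.` The job-level `permissions` that `analyze` needs (`security-events: write`) are also outside the hunk.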
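--- a/(path not shown) CodSpeed workflow
+++ b/(path not shown) CodSpeed workflow
@@ -31,14 +31,15 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version-file: .python-version-default
-          cache: pip
-      - run: python -Im pip install tox-uv
+      - uses: hynek/setup-cached-uv@v2
 
       - name: Run CodSpeed benchmarks
         uses: CodSpeedHQ/action@v3
         with:
           token: ${{ secrets.CODSPEED_TOKEN }}
-          run: tox run -e codspeed
+          run: uvx --with tox-uv tox run -e codspeed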
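Review bot: The new `run: uvx --with tox-uv tox run -e codspeed` spells the flag differently from the `--with=tox-uv` form used in the other workflows of this commit; pick one (`run: uvx --with=tox-uv tox run -e codspeed`) so greps and future edits stay consistent. As elsewhere, tox and tox-uv are resolved from PyPI unpinned at run time, and here the command is executed inside `CodSpeedHQ/action@v3`, a third-party action referenced by a mutable tag that also receives `secrets.CODSPEED_TOKEN`; a commit-SHA pin on that action is the usual mitigation for a secret-bearing step. If this workflow also runs on `pull_request` (trigger not visible in the hunk), note that fork PRs get no secrets, so the token will be empty there.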
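--- a/(path not shown) PyPI workflow
+++ b/(path not shown) PyPI workflow
@@ -1,5 +1,5 @@
 ---
-name: Build & maybe upload PyPI package
+name: Build & upload PyPI package
 
 on:
   push:
@@ -10,26 +10,27 @@
       - published
   workflow_dispatch:
 
-permissions:
-  attestations: write
-  contents: read
-  id-token: write
 
 jobs:
   # Always build & lint package.
   build-package:
     name: Build & verify package
     runs-on: ubuntu-latest
+    permissions:
+      attestations: write
+      id-token: write
 
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - uses: hynek/build-and-inspect-python-package@v2
         with:
           attest-build-provenance-github: 'true'
 
+
   # Upload to Test PyPI on every commit on main.
   release-test-pypi:
     name: Publish in-dev package to test.pypi.org
@@ -38,6 +39,9 @@
     runs-on: ubuntu-latest
     needs: build-package
 
+    permissions:
+      id-token: write
+
     steps:
       - name: Download packages built by build-and-inspect-python-package
         uses: actions/download-artifact@v4
@@ -51,6 +55,7 @@
           attestations: true
           repository-url: https://test.pypi.org/legacy/
 
+
   # Upload to real PyPI on GitHub Releases.
   release-pypi:
     name: Publish released package to pypi.org
@@ -59,6 +64,9 @@
     runs-on: ubuntu-latest
     needs: build-package
 
+    permissions:
+      id-token: write
+
     steps:
       - name: Download packages built by build-and-inspect-python-package
         uses: actions/download-artifact@v4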
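Review bot: The workflow-level `permissions:` block is deleted outright instead of being replaced with `permissions: {}`, so the workflow no longer has a restrictive default: every job visible here declares its own `permissions`, but any job added later without one silently inherits the repository's default `GITHUB_TOKEN` scope. The other workflows in this commit keep a top-level `permissions: {}`; add the same here directly above `jobs:` and keep the job-level grants (`attestations: write` / `id-token: write` on build-package, `id-token: write` on the two release jobs) exactly as they are. `contents: read` was dropped along with the block; `actions/checkout` on a public repository works without it, but a private repository would need it back on build-package.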
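--- /dev/null
+++ b/(path not shown) zizmor workflow
@@ -0,0 +1,38 @@
+# https://github.com/woodruffw/zizmor
+name: Zizmor
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["*"]
+
+permissions:
+  contents: read
+
+
+jobs:
+  zizmor:
+    name: Zizmor latest via Cargo
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Setup Rust
+        uses: actions-rust-lang/setup-rust-toolchain@v1
+      - name: Get zizmor
+        run: cargo install zizmor
+      - name: Run zizmor
+        run: zizmor --format sarif . > results.sarif
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          # Path to SARIF file relative to the root of the repository
+          sarif_file: results.sarif
+          # Optional category for the results
+          # Used to differentiate multiple results for one commit
+          category: zizmor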
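Review bot: `run: cargo install zizmor` in the Get zizmor step builds whatever version is newest on crates.io at the time of the run, so the security linter that writes into the code-scanning tab is itself installed unpinned and compiled from source on every push; pin it, e.g. `run: cargo install --locked zizmor --version <pinned>`, or install a pinned wheel with the `uv` tooling the other workflows already use and drop the Rust toolchain step entirely. `actions-rust-lang/setup-rust-toolchain@v1` is likewise a mutable tag, which matters more here because this job holds `security-events: write`. Separately, if zizmor exits non-zero when it has findings (its documented default, as I read it), `Upload SARIF file` never runs and the findings never reach code scanning; either pass zizmor's `--no-exit-codes` flag or set `continue-on-error: true` on the Run zizmor step, depending on whether the intent is to surface results or to fail the job.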