diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 155d61f2..caa91980 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -21,6 +21,8 @@ jobs: steps: - name: Check out uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install uv uses: astral-sh/setup-uv@v4 @@ -39,7 +41,7 @@ jobs: run: rustup component add clippy rustfmt - name: Run pre-commit - run: uvx pre-commit@${{ env.PRE_COMMIT_VERSION }} run -a --show-diff-on-failure + run: uvx pre-commit@${PRE_COMMIT_VERSION} run -a --show-diff-on-failure env: # renovate: datasource=pypi depName=pre-commit PRE_COMMIT_VERSION: '4.0.1' @@ -64,6 +66,8 @@ jobs: steps: - name: Check out uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install uv uses: astral-sh/setup-uv@v4 @@ -101,6 +105,8 @@ jobs: steps: - name: Check out uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install uv uses: astral-sh/setup-uv@v4 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c658fcce..589f49d4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -15,6 +15,8 @@ jobs: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Export tag id: vars @@ -44,6 +46,8 @@ jobs: steps: - name: Check out uses: actions/checkout@v4 + with: + persist-credentials: false - name: Download updated pyproject.toml uses: actions/download-artifact@v4 @@ -83,6 +87,8 @@ jobs: steps: - name: Check out uses: actions/checkout@v4 + with: + persist-credentials: false - name: Download updated pyproject.toml uses: actions/download-artifact@v4 @@ -118,6 +124,8 @@ jobs: steps: - name: Check out uses: actions/checkout@v4 + with: + persist-credentials: false - name: Download updated pyproject.toml uses: actions/download-artifact@v4 
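Review bot: The `persist-credentials: false` additions in this hunk (and the same ones at `@@ -64`, `@@ -101` in main.yml, `@@ -15`, `@@ -44`, `@@ -83`, `@@ -118`, `@@ -148`, `@@ -199` in release.yml, and the validate-codecov/validate-renovate hunks) carry no explanation of why the default was changed. A one-line comment at the first occurrence such as `# don't leave GITHUB_TOKEN in .git/config for later steps` would tell the next maintainer what this protects against and why it must not be reverted. With the token no longer written to the local git config, any step further down these jobs that runs `git push` or `git tag` against the checkout would now fail with an auth error; the steps after each hunk are outside the diff, so confirm none of the release.yml jobs push back to the repository, or pass a token explicitly where they do.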
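Review bot: Replacing `${{ env.PRE_COMMIT_VERSION }}` with `${PRE_COMMIT_VERSION}` in the `run:` line moves the expansion from the workflow templater into the shell, which is the right direction for anything interpolated into a script; the value comes from the step-level `env:` shown in the hunk, so it is in scope. The shell syntax is bash-specific, though: if this job ever ran on a runner whose default shell is pwsh, `${PRE_COMMIT_VERSION}` would resolve to an empty PowerShell variable rather than the environment value. `runs-on` for this job is outside the hunk, so this is only a caveat; adding `shell: bash` to the step would make the assumption explicit.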
@@ -148,6 +156,8 @@ jobs: needs: [set-version] steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install Python uses: actions/setup-python@v5 @@ -178,6 +188,8 @@ jobs: if: ${{ github.event_name == 'release' }} steps: - uses: actions/download-artifact@v4 + with: + persist-credentials: false - name: Install Python uses: actions/setup-python@v5 @@ -199,6 +211,8 @@ jobs: steps: - name: Check out uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install uv uses: astral-sh/setup-uv@v4 diff --git a/.github/workflows/validate-codecov-config.yml b/.github/workflows/validate-codecov-config.yml index 2e0e9711..1578715a 100644 --- a/.github/workflows/validate-codecov-config.yml +++ b/.github/workflows/validate-codecov-config.yml @@ -13,5 +13,7 @@ jobs: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Validate codecov configuration run: curl -sSL --fail-with-body --data-binary @codecov.yaml https://codecov.io/validate diff --git a/.github/workflows/validate-renovate-config.yml b/.github/workflows/validate-renovate-config.yml index 2814604e..66fcf11a 100644 --- a/.github/workflows/validate-renovate-config.yml +++ b/.github/workflows/validate-renovate-config.yml @@ -17,6 +17,8 @@ jobs: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-node@v4 with: node-version: ${{ env.NODE_VERSION }} diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index be59e221..f99cced0 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -51,3 +51,8 @@ repos: language: system types: [rust] pass_filenames: false + + - repo: https://github.com/woodruffw/zizmor-pre-commit + rev: "v0.10.0" + hooks: + - id: zizmor
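Review bot: In the `@@ -178,6 +188,8 @@` hunk of release.yml the new `with: persist-credentials: false` is attached to `actions/download-artifact@v4`, not to a checkout step, and download-artifact has no such input; the runner will ignore it and emit an "unexpected input" warning, and nothing is hardened. This job (`if: github.event_name == 'release'`) shows no checkout step in the hunk, so there is no git credential to avoid persisting here; the two added lines should simply be dropped. If the job does check out the repository further down (outside the hunk), move the `with:` block to that step instead.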
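Review bot: The new zizmor hook in `.pre-commit-config.yaml` will now gate the pre-commit CI job (main.yml runs `pre-commit run -a`), but the entry does not say what it checks or why it was introduced alongside the workflow changes in this commit; a comment above the `- repo:` line such as `# static analysis of GitHub Actions workflows (credential persistence, template injection)` would record the intent next to the pin. `rev: "v0.10.0"` is a tag, which is the usual pre-commit convention but a mutable ref; pre-commit also accepts a commit SHA in `rev` if an immutable pin is preferred for a security linter. Note that the workflow files touched in this commit still reference actions by tag (`actions/checkout@v4`, `astral-sh/setup-uv@v4`), which zizmor may report depending on its version and configured strictness, so run the hook locally once before merging to see what the CI gate will produce.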