
Commit e943986

committed
ci: make ci.yml pass pedantic Zizmor
1 parent dd13d25 commit e943986

2 files changed

Lines changed: 20 additions & 2 deletions


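--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,6 +7,12 @@ on:
 pull_request:
 workflow_dispatch:
 
+concurrency:
+group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+cancel-in-progress: true
+
+permissions: {}
+
 env:
 FORCE_COLOR: "1" # Make tools pretty.
 SETUPTOOLS_SCM_PRETEND_VERSION: "1.0" # avoid warnings about shallow checkout
@@ -23,10 +29,12 @@ jobs:
 repository: hynek/argon2-cffi-bindings
 submodules: recursive
 path: hynek/argon2-cffi-bindings
+persist-credentials: false
 
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 path: action
+persist-credentials: false
 
 - uses: ./action
 id: baipp
@@ -49,18 +57,20 @@ jobs:
 with:
 repository: hynek/structlog
 path: structlog
+persist-credentials: false
 
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 path: action
+persist-credentials: false
 
 - uses: ./action
 id: baipp
 with:
 path: structlog
 upload-name-suffix: "-structlog-${{ matrix.os }}"
 
-- run: >
+- run: > # zizmor: ignore[template-injection] -- structlog is not gonna hack us
 echo "Packages for ${{ steps.baipp.outputs.package_name }} (${{ steps.baipp.outputs.package_version }})
 can be found at ${{ steps.baipp.outputs.dist }}
 and in artifact ${{ steps.baipp.outputs.artifact-name }}"
@@ -76,10 +86,12 @@ jobs:
 with:
 repository: python-attrs/attrs
 path: attrs
+persist-credentials: false
 
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 path: action
+persist-credentials: false
 
 - uses: ./action
 id: baipp
@@ -97,18 +109,23 @@ jobs:
 with:
 repository: pytest-dev/pytest
 path: pytest
+persist-credentials: false
 
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 path: action
+persist-credentials: false
 
 - uses: ./action
 id: baipp
 with:
 path: pytest
 upload-name-suffix: "-pytest"
 
-- run: echo Packages can be found at ${{ steps.baipp.outputs.dist }} and in artifact ${{ steps.baipp.outputs.artifact-name }}
+- run: echo Packages can be found at ${STEPS_BAIPP_OUTPUTS_DIST} and in artifact ${STEPS_BAIPP_OUTPUTS_ARTIFACT_NAME}
+env:
+STEPS_BAIPP_OUTPUTS_DIST: ${{ steps.baipp.outputs.dist }}
+STEPS_BAIPP_OUTPUTS_ARTIFACT_NAME: ${{ steps.baipp.outputs.artifact-name }}
 
 required-checks-pass:
 name: Ensure everything required is passing for branch protection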
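Review bot: The `# zizmor: ignore[template-injection]` on the structlog job's `run: >` step (new line 73) leaves four `${{ steps.baipp.outputs.* }}` expressions expanded into the script text before the shell parses it, while the pytest job's equivalent step in this same commit was moved to `env:` indirection. Those outputs are produced by building a checkout of another repository, so the suppression rests on continued trust in that upstream rather than on the workflow itself; applying the same env-variable pattern would remove the finding instead of silencing it. If this job's matrix (outside the hunk) includes a Windows runner, the step would also need `shell: bash`, because `${VAR}` is not environment expansion in the default PowerShell shell; if that is the reason for the suppression, the ignore comment should say so.

```yaml
# … unchanged: checkout and ./action steps of the structlog job …
- run: >
    echo "Packages for ${STEPS_BAIPP_OUTPUTS_PACKAGE_NAME} (${STEPS_BAIPP_OUTPUTS_PACKAGE_VERSION})
    can be found at ${STEPS_BAIPP_OUTPUTS_DIST}
    and in artifact ${STEPS_BAIPP_OUTPUTS_ARTIFACT_NAME}"
  env:
    STEPS_BAIPP_OUTPUTS_PACKAGE_NAME: ${{ steps.baipp.outputs.package_name }}
    STEPS_BAIPP_OUTPUTS_PACKAGE_VERSION: ${{ steps.baipp.outputs.package_version }}
    STEPS_BAIPP_OUTPUTS_DIST: ${{ steps.baipp.outputs.dist }}
    STEPS_BAIPP_OUTPUTS_ARTIFACT_NAME: ${{ steps.baipp.outputs.artifact-name }}
```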

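--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -33,6 +33,7 @@ jobs:
 inputs: |
 action.yml
 .github/dependabot.yml
+.github/workflows/ci.yml
 .github/workflows/zizmor.yml
 .github/workflows/update-dependencies.yml
 ...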
