From 1328b1cdc15611329eb5a67d2cd941bc4754df22 Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Thu, 17 Jul 2025 23:25:13 -0400 Subject: [PATCH 1/9] CI: Restrict default permissions Reduces risk of arbitrary code is run by attacker. --- .github/workflows/main.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index 8ea3441..0415f5a 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -1,4 +1,6 @@ name: CI +permissions: + contents: write on: [push, pull_request] From 08b5a555b4e59b6e169168830d27d9a9455f0061 Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Thu, 17 Jul 2025 23:36:36 -0400 Subject: [PATCH 2/9] CI: Restrict default permissions Reduces risk of arbitrary code is run by attacker. --- .github/workflows/main.yaml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index 0415f5a..2e8c7f1 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -1,11 +1,11 @@ name: CI -permissions: - contents: write - on: [push, pull_request] jobs: pre-commit: + permissions: + contents: read + runs-on: ubuntu-20.04 steps: - uses: actions/checkout@v4 @@ -13,6 +13,9 @@ jobs: - uses: pre-commit/action@v3.0.1 build: runs-on: ubuntu-20.04 + permissions: + contents: write + steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v5 From 042eff83a68a499dfa0d73c3bbebc974e7fcd4cd Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Fri, 18 Jul 2025 14:37:50 -0400 Subject: [PATCH 3/9] CI: pin actions by SHA This eliminates the possibility of a tag being changed under us. --- .github/workflows/main.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index 2e8c7f1..dcb0048 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml 
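Review bot: The `build` job is granted `permissions: contents: write` for every trigger in `on: [push, pull_request]`, although only the final publish step (gated on a push to master) needs it, so the checkout, build and artifact-upload steps run with a write-capable GITHUB_TOKEN on every branch push and on same-repository pull requests (fork PRs receive a read-only token anyway, so those are less affected). Moving the `peaceiris/actions-gh-pages` step into its own job that `needs: build`, carries the same `if:`, and is the only job with `contents: write` keeps the token read-only where untrusted changes are actually executed. The hunk also drops the top-level `permissions:` block rather than narrowing it, so a job added later falls back to the repository default; a top-level `permissions: contents: read` (or `permissions: {}`) with per-job elevation is the usual baseline. The `build` job's steps continue outside this hunk.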
@@ -10,7 +10,7 @@ jobs: steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v5 - - uses: pre-commit/action@v3.0.1 + - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 build: runs-on: ubuntu-20.04 permissions: @@ -79,7 +79,7 @@ jobs: >> $GITHUB_STEP_SUMMARY - name: Publish cheatsheets and handouts if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} - uses: peaceiris/actions-gh-pages@v4 + uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4 with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: ./docs/_build/html/ From 25791eb3b5f7b62f64d9d2c0c459be268883f7e8 Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Fri, 18 Jul 2025 14:39:36 -0400 Subject: [PATCH 4/9] CI: apply zizmor auto-fixes --- .github/workflows/main.yaml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index dcb0048..727becd 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -9,6 +9,8 @@ jobs: runs-on: ubuntu-20.04 steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-python@v5 - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 build: @@ -18,6 +20,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-python@v5 with: python-version: "3.10" @@ -75,8 +79,10 @@ jobs: - name: Output artifacts URL run: | echo 'Artifact URL:' \ - '${{ steps.diffs-artifact-upload.outputs.artifact-url }}' \ + '${STEPS_DIFFS_ARTIFACT_UPLOAD_OUTPUTS_ARTIFACT_URL}' \ >> $GITHUB_STEP_SUMMARY + env: + STEPS_DIFFS_ARTIFACT_UPLOAD_OUTPUTS_ARTIFACT_URL: ${{ steps.diffs-artifact-upload.outputs.artifact-url }} - name: Publish cheatsheets and handouts if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4 
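Review bot: The hunk pins `pre-commit/action` and `peaceiris/actions-gh-pages` to commit SHAs but leaves the adjacent `actions/checkout@v4` and `actions/setup-python@v5` (visible as context lines) on mutable tags, so the tag-moving risk named in the commit message still applies to the two actions that run first and control the checkout and toolchain. Pin those to the full commit SHA of the intended release as well, with the same trailing `# vX.Y.Z` comment so the version stays readable and update tooling can track it. The second checkout/setup-python pair in the `build` job lies outside this hunk and needs the same treatment.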
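Review bot: The rewritten `run:` step keeps the value in single quotes, `'${STEPS_DIFFS_ARTIFACT_UPLOAD_OUTPUTS_ARTIFACT_URL}'`, and the shell does not expand parameters inside single quotes, so the step summary will now contain the literal variable name instead of the artifact URL; the previous form only worked because `${{ }}` was substituted by the expression engine before the shell ran. Use double quotes, `"${STEPS_DIFFS_ARTIFACT_UPLOAD_OUTPUTS_ARTIFACT_URL}"`, which keeps the env-var indirection zizmor asked for while actually expanding it. The indirection itself is the right shape: the value reaches the shell as data rather than being spliced into the script text.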
From bc88c6d250b7a382ad5858c6b86d8af27ab287f0 Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Tue, 22 Jul 2025 09:16:53 -0400 Subject: [PATCH 5/9] CI: update version string Co-authored-by: Elliott Sales de Andrade --- .github/workflows/main.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index 727becd..2f98d8c 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -85,7 +85,7 @@ jobs: STEPS_DIFFS_ARTIFACT_UPLOAD_OUTPUTS_ARTIFACT_URL: ${{ steps.diffs-artifact-upload.outputs.artifact-url }} - name: Publish cheatsheets and handouts if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} - uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4 + uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: ./docs/_build/html/ From c9e8440803c767449a20a9b4c9d3d43a410f0bef Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Wed, 23 Jul 2025 22:00:27 -0400 Subject: [PATCH 6/9] CI: try latest image --- .github/workflows/main.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index 2f98d8c..a6d87da 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -6,7 +6,7 @@ jobs: permissions: contents: read - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 with: From b7c2b53eeaba9bdb5ca0c99f2b3d552697685c78 Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Wed, 23 Jul 2025 22:01:10 -0400 Subject: [PATCH 7/9] CI: remove redundant step --- .github/workflows/main.yaml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index a6d87da..133b040 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml 
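Review bot: `ubuntu-latest` is a floating alias that GitHub re-points to newer images over time, so after this hunk the job's OS, preinstalled tool versions and default Python can change with no commit to this repository, which cuts against the reproducibility the SHA-pinning commits in this series are after. If the motivation is that `ubuntu-20.04` runners are no longer available (the commit message only says "try latest image"), a dated label such as `runs-on: ubuntu-24.04` gives a current image while keeping the choice explicit and reviewable. The `pre-commit` job's steps continue outside this hunk, and the `build` job deserves the same consideration when it is moved off `ubuntu-20.04`.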
@@ -76,13 +76,6 @@ jobs: name: diffs path: | diffs/ - - name: Output artifacts URL - run: | - echo 'Artifact URL:' \ - '${STEPS_DIFFS_ARTIFACT_UPLOAD_OUTPUTS_ARTIFACT_URL}' \ - >> $GITHUB_STEP_SUMMARY - env: - STEPS_DIFFS_ARTIFACT_UPLOAD_OUTPUTS_ARTIFACT_URL: ${{ steps.diffs-artifact-upload.outputs.artifact-url }} - name: Publish cheatsheets and handouts if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0 From 75491efe80a75262f54f37d0185cd33613a67c2e Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Wed, 23 Jul 2025 22:05:17 -0400 Subject: [PATCH 8/9] CI: try bumping the flake8 version --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index b940132..3e80b24 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -10,6 +10,6 @@ repos: - id: end-of-file-fixer - id: trailing-whitespace - repo: https://github.com/pycqa/flake8 - rev: 4.0.1 + rev: 7.3.0 hooks: - id: flake8 From f25b7afda549feaa969a2dc9f09ff801391998da Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Wed, 23 Jul 2025 22:12:03 -0400 Subject: [PATCH 9/9] CI: bump the other job to ubuntu-latest --- .github/workflows/main.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index 133b040..76361fe 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -14,7 +14,7 @@ jobs: - uses: actions/setup-python@v5 - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 build: - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest permissions: contents: write