orbit-oss/flask
4
4
Fork 2
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add zizmor to scan workflows (#5945)

Browse source
This commit is contained in:
David Lord 2026-03-08 16:15:00 -07:00 committed by GitHub
commit 4774385abd
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 51 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

10
.github/workflows/lock.yaml vendored
View file

@ -7,15 +7,17 @@ name: Lock inactive closed issues
on: on:
schedule: schedule:
- cron: '0 0 * * *' - cron: '0 0 * * *'
permissions: permissions: {}
issues: write
pull-requests: write
discussions: write
concurrency: concurrency:
group: lock group: lock
cancel-in-progress: true
jobs: jobs:
lock: lock:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
issues: write
pull-requests: write
discussions: write
steps: steps:
- uses: dessant/lock-threads@7266a7ce5c1df01b1c6db85bf8cd86c737dadbe7 # v6.0.0 - uses: dessant/lock-threads@7266a7ce5c1df01b1c6db85bf8cd86c737dadbe7 # v6.0.0
with: with:

8
.github/workflows/pre-commit.yaml vendored
View file

@ -3,11 +3,17 @@ on:
pull_request: pull_request:
push: push:
branches: [main, stable] branches: [main, stable]
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs: jobs:
main: main:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # v7.2.0 - uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # v7.2.0
with: with:
enable-cache: true enable-cache: true
@ -21,5 +27,3 @@ jobs:
path: ~/.cache/pre-commit path: ~/.cache/pre-commit
key: pre-commit|${{ hashFiles('pyproject.toml', '.pre-commit-config.yaml') }} key: pre-commit|${{ hashFiles('pyproject.toml', '.pre-commit-config.yaml') }}
- run: uv run --locked --group pre-commit pre-commit run --show-diff-on-failure --color=always --all-files - run: uv run --locked --group pre-commit pre-commit run --show-diff-on-failure --color=always --all-files
- uses: pre-commit-ci/lite-action@5d6cc0eb514c891a40562a58a8e71576c5c7fb43 # v1.1.0
if: ${{ !cancelled() }}

8
.github/workflows/publish.yaml vendored
View file

@ -2,6 +2,10 @@ name: Publish
on: on:
push: push:
tags: ['*'] tags: ['*']
permissions: {}
concurrency:
group: publish-${{ github.event.push.ref }}
cancel-in-progress: true
jobs: jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
@ -13,7 +17,7 @@ jobs:
persist-credentials: false persist-credentials: false
- uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # v7.2.0 - uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # v7.2.0
with: with:
enable-cache: true enable-cache: false
prune-cache: false prune-cache: false
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with: with:
@ -37,7 +41,7 @@ jobs:
artifact-ids: ${{ needs.build.outputs.artifact-id }} artifact-ids: ${{ needs.build.outputs.artifact-id }}
path: dist/ path: dist/
- name: create release - name: create release
run: gh release create --draft --repo ${{ github.repository }} ${{ github.ref_name }} dist/* run: gh release create --draft --repo ${GITHUB_REPOSITORY} ${GITHUB_REF_NAME} dist/*
env: env:
GH_TOKEN: ${{ github.token }} GH_TOKEN: ${{ github.token }}
publish-pypi: publish-pypi:

12
.github/workflows/tests.yaml vendored
View file

@ -5,6 +5,10 @@ on:
push: push:
branches: [main, stable] branches: [main, stable]
paths-ignore: ['docs/**', 'README.md'] paths-ignore: ['docs/**', 'README.md']
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs: jobs:
tests: tests:
name: ${{ matrix.name || matrix.python }} name: ${{ matrix.name || matrix.python }}
@ -27,6 +31,8 @@ jobs:
- {name: Development Versions, python: '3.10', tox: tests-dev} - {name: Development Versions, python: '3.10', tox: tests-dev}
steps: steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # v7.2.0 - uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # v7.2.0
with: with:
enable-cache: true enable-cache: true
@ -34,11 +40,15 @@ jobs:
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with: with:
python-version: ${{ matrix.python }} python-version: ${{ matrix.python }}
- run: uv run --locked tox run -e ${{ matrix.tox || format('py{0}', matrix.python) }} - run: uv run --locked tox run
env:
TOX_ENV: ${{ matrix.tox || format('py{0}', matrix.python) }}
typing: typing:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # v7.2.0 - uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # v7.2.0
with: with:
enable-cache: true enable-cache: true

22
.github/workflows/zizmor.yaml vendored Normal file
View file

@ -0,0 +1,22 @@
name: GitHub Actions security analysis with zizmor
on:
pull_request:
paths: ["**/*.yaml?"]
push:
branches: [main, stable]
paths: ["**/*.yaml?"]
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
zizmor:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
with:
advanced-security: false
annotations: true