chore(ci): bump actions/setup-python from 5 to 6 #3
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Public-mirror CI (fork-safe). Runs on every push + community PR. | |
| # | |
| # SECURITY POSTURE (do not weaken): | |
| # * permissions: contents: read ONLY — no write scope. | |
| # * NO secrets are referenced — so a fork PR can never exfiltrate one. | |
| # * trigger is `pull_request` (NOT `pull_request_target`) — the classic | |
| # fork-secret footgun is intentionally avoided. | |
| # | |
| # The internal-vocabulary (blackbox) gate + contract/conformance run in the | |
| # UPSTREAM monorepo when a community PR is upstreamed — deliberately NOT here: | |
| # shipping the internal-term blocklist into a public repo would itself leak | |
| # internal architecture vocabulary. So this CI covers lint / format / test / | |
| # secret-scan; every PR is vocabulary-checked at the upstream step, and the | |
| # mirror is only ever refreshed from the (already-clean) monorepo. | |
| name: ci | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: ci-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| test: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-python@v6 | |
| with: | |
| python-version: '3.12' | |
| - name: Install (editable + dev extras) | |
| run: python -m pip install -e ".[dev]" | |
| - name: Lint (ruff) | |
| run: python -m ruff check . | |
| - name: Format check (ruff) | |
| run: python -m ruff format --check . | |
| - name: Tests | |
| run: python -m pytest | |
| secret-scan: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-python@v6 | |
| with: | |
| python-version: '3.12' | |
| - name: detect-secrets (against the shipped baseline) | |
| run: | | |
| python -m pip install detect-secrets==1.5.0 | |
| # detect-secrets-hook exits non-zero ONLY on NEW, un-baselined secrets. | |
| # (A plain `scan --baseline` + `git diff --exit-code` would ALWAYS fail: | |
| # detect-secrets rewrites the baseline's `generated_at` timestamp every | |
| # run, so the diff is never empty even with zero findings.) | |
| git ls-files -z | xargs -0 detect-secrets-hook --baseline .secrets.baseline |