diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..5d7dbb2
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,14 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "quarterly"
+ groups:
+ actions:
+ patterns:
+ - "*"
+ cooldown:
+ # Actions should still be inspected manually, as currently this cooldown
+ # can be bypassed: https://github.com/dependabot/dependabot-core/issues/13078
+ default-days: 14
diff --git a/.github/workflows/cron.yml b/.github/workflows/cron.yml
index c218712..6d225e8 100644
--- a/.github/workflows/cron.yml
+++ b/.github/workflows/cron.yml
@@ -5,20 +5,25 @@ on: schedule: - cron: "0 * * * *" +permissions: + contents: read + jobs: cron: runs-on: ubuntu-latest name: "Run PSRT Advisory Bot" steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Set up uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 with: enable-cache: true - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version-file: "pyproject.toml"
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
new file mode 100644
index 0000000..e0f714d
--- /dev/null
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,19 @@
+name: Lint
+on: [push, pull_request, workflow_dispatch]
+env:
+ FORCE_COLOR: 1
+permissions:
+ contents: read
+jobs:
+ lint:
+ name: Lint
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ with:
+ persist-credentials: false
+ - uses: j178/prek-action@0bb87d7f00b0c99306c8bcb8b8beba1eb581c037 # v1.1.1
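Review bot: Only the `github-actions` ecosystem is configured, so the project's Python dependencies, which the workflows in this same commit resolve with uv from `pyproject.toml`, get no version-update PRs from this file. Dependabot also supports a `uv` package ecosystem; if a lockfile is committed, a second entry such as `- package-ecosystem: "uv"`, `directory: "/"`, `schedule: {interval: "weekly"}` closes that gap. Because the `"*"` group folds every action bump into one PR, the existing comment should also say that each new SHA must be checked against the upstream release tag before merging, since a grouped PR makes a single bad update easier to overlook.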
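Review bot: The new top-level `permissions: contents: read` makes the default `GITHUB_TOKEN` read-only for the `cron` job, whose remaining steps are outside this hunk; if the advisory bot writes anything to GitHub it now needs either a job-level `permissions:` grant or a separately stored token, and a one-line comment above `permissions:` should record which one is relied on. The schedule fires hourly and there is no `concurrency:` block, so a slow run can overlap the next one; `concurrency: {group: psrt-advisory-bot, cancel-in-progress: false}` at workflow level serializes them. The `cron` job body continues past the end of the hunk.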
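Review bot: `on: [push, pull_request, workflow_dispatch]` runs this workflow twice for every pull request opened from a branch in the same repository, once for the push and once for the PR event. Restricting the push trigger to the default branch, `push: {branches: [main]}`, while keeping `pull_request:` and `workflow_dispatch:` as bare keys removes the duplicate run. The same unchanged `on:` line is carried over into `tests.yml` in this commit and would benefit from the same narrowing.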
diff --git a/.github/workflows/ci.yml b/.github/workflows/tests.yml
similarity index 69%
rename from .github/workflows/ci.yml
rename to .github/workflows/tests.yml
index 84ae75f..ba56356 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/tests.yml
@@ -1,25 +1,14 @@ -name: CI +name: Run tests on: [push, pull_request, workflow_dispatch] env: FORCE_COLOR: 1 -jobs: - lint: - name: Lint - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v5 - - - name: Run ruff lint - uses: astral-sh/ruff-action@v3 - - - name: Run ruff format check - uses: astral-sh/ruff-action@v3 - with: - args: "format --check --diff" +permissions: + contents: read +jobs: test: name: Test on Python ${{ matrix.python-version }} runs-on: ubuntu-latest
@@ -29,15 +18,17 @@ jobs: python-version: ["3.14"] steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Set up uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 with: enable-cache: true - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v6 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 with: python-version: ${{ matrix.python-version }}
@@ -55,10 +46,10 @@ jobs: - name: Upload coverage reports if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: test-results-${{ matrix.python-version }} path: | .coverage htmlcov/ - retention-days: 30 \ No newline at end of file + retention-days: 30
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..3794b76
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,4 @@
+rules:
+ secrets-outside-env:
+ ignore:
+ - cron.yml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..0a1f5c5
--- /dev/null
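Review bot: The `Set up Python ${{ matrix.python-version }}` step now points at `astral-sh/setup-uv` instead of `actions/setup-python`, which looks like a find-and-replace slip: setup-uv already ran two steps earlier with `enable-cache: true`, so it is invoked twice in the same job, while `cron.yml` in this same commit keeps `actions/setup-python` for the equivalent step. Either restore the original action with the pin used elsewhere in the commit, `uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0`, or drop this step and pass `python-version: ${{ matrix.python-version }}` to the single setup-uv step alongside `enable-cache: true`. The `test` job's remaining steps lie outside the hunk.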
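Review bot: Ignoring `secrets-outside-env` for all of `cron.yml` silences the finding for every current and future step in that workflow, presumably because a step there interpolates `${{ secrets.* }}` directly into a `run:` script, instead of applying the remediation the audit name points to: put the secret in the step's `env:` block and read it as an environment variable. If the finding really cannot be fixed, narrow the entry to the offending line (`- cron.yml:<LINE>`, where `<LINE>` is the reported line; zizmor supports line-qualified ignore entries) and add a `# ` comment above `ignore:` stating why the current usage is safe. As written, the config offers no trace of that reasoning.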
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,35 @@
+repos:
+ - repo: https://github.com/astral-sh/ruff-pre-commit
+ rev: e05c5c0818279e5ac248ac9e954431ba58865e61 # frozen: v0.15.7
+ hooks:
+ - id: ruff-check
+ name: Run Ruff (lint)
+ args: [--exit-non-zero-on-fix]
+ - id: ruff-format
+ name: Run Ruff (format)
+ args: [--exit-non-zero-on-fix]
+
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c # frozen: v6.0.0
+ hooks:
+ - id: check-case-conflict
+ - id: check-merge-conflict
+ - id: end-of-file-fixer
+ - id: mixed-line-ending
+ args: [--fix=auto]
+ - id: trailing-whitespace
+
+ - repo: https://github.com/rhysd/actionlint
+ rev: 393031adb9afb225ee52ae2ccd7a5af5525e03e8 # frozen: v1.7.11
+ hooks:
+ - id: actionlint
+
+ - repo: https://github.com/zizmorcore/zizmor-pre-commit
+ rev: b546b77c44c466a54a42af5499dcc0dcc1a3193f # frozen: v1.22.0
+ hooks:
+ - id: zizmor
+
+ - repo: meta
+ hooks:
+ - id: check-hooks-apply
+ - id: check-useless-excludes
diff --git a/.python-version b/.python-version
index 3767b4b..6324d40 100644
--- a/.python-version
+++ b/.python-version
@@ -1 +1 @@
-3.14
\ No newline at end of file
+3.14
diff --git a/LICENSE b/LICENSE
index 0378184..a474852 100644
--- a/LICENSE
+++ b/LICENSE
@@ -51,4 +51,4 @@ products or services of Licensee, or any third party. 8. By copying, installing or otherwise using Python Security Response Team GitHub Security Advisory Bot, Licensee agrees to be bound by the terms and conditions of this License -Agreement. \ No newline at end of file +Agreement.
diff --git a/Makefile b/Makefile
index f0f29b8..7ea8bba 100644
--- a/Makefile
+++ b/Makefile
@@ -26,4 +26,4 @@ test: ## Run tests ci: lint fmt type-check test ## Run everything app: ## Run the app - @uv run python src/psrt_ghsa_bot/app.py \ No newline at end of file + @uv run python src/psrt_ghsa_bot/app.py
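Review bot: The `zizmor` hook is configured without a GitHub API token, so the audits that need one (for example `impostor-commit` and `known-vulnerable-actions`) are skipped with a warning rather than run, which means the commit-SHA pins introduced throughout this commit are not being checked for impostor commits or known-vulnerable releases by this hook. Locally that is expected, but the `j178/prek-action` step in `lint.yml` has no `env:` either; adding `env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` to that step is sufficient for the read-only lookups. Note also that Dependabot's `github-actions` ecosystem does not refresh these `rev:` pins, so a comment above `repos:` naming the autoupdate command used to keep the `# frozen:` markers current would help the next maintainer.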