From 0ab85f72e3f90c00ffc3f071cbfdc5e7ca9de721 Mon Sep 17 00:00:00 2001 From: Stan Ulbrych Date: Sat, 13 Jun 2026 20:37:47 +0100 Subject: [PATCH 01/10] Set up `pre-commit` (w/ Zizmor and misc.), Dependabot and tidy up workflows --- .github/dependabot.yml | 18 +++++++++++++ .github/workflows/cron.yml | 10 ++++--- .github/workflows/lint.yml | 18 +++++++++++++ .github/workflows/{ci.yml => tests.yml} | 32 ++++++++-------------- .github/zizmor.yml | 4 +++ .pre-commit-config.yaml | 35 +++++++++++++++++++++++++ .python-version | 2 +- Makefile | 2 +- 8 files changed, 95 insertions(+), 26 deletions(-) create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/lint.yml rename .github/workflows/{ci.yml => tests.yml} (61%) create mode 100644 .github/zizmor.yml create mode 100644 .pre-commit-config.yaml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..b54a8ba --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,18 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "quarterly" + ignore: + - dependency-name: "*" + update-types: + - "version-update:semver-minor" + - "version-update:semver-patch" + groups: + actions: + patterns: + - "*" + cooldown: + # This is currently broken: https://github.com/dependabot/dependabot-core/issues/13078 + default-days: 14 diff --git a/.github/workflows/cron.yml b/.github/workflows/cron.yml index c218712..37417ae 100644 --- a/.github/workflows/cron.yml +++ b/.github/workflows/cron.yml 
@@ -5,20 +5,24 @@ on: schedule: - cron: "0 * * * *" +permissions: {} + jobs: cron: runs-on: ubuntu-latest name: "Run PSRT Advisory Bot" steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + with: + persist-credentials: false - name: Set up uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6 with: enable-cache: true - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version-file: "pyproject.toml" diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml new file mode 100644 index 0000000..6ba66c9 --- /dev/null +++ b/.github/workflows/lint.yml @@ -0,0 +1,18 @@ +name: Lint + +on: [push, pull_request, workflow_dispatch] + +env: + FORCE_COLOR: 1 + +permissions: {} + +jobs: + lint: + name: Lint + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + with: + persist-credentials: false + - uses: j178/prek-action@0bb87d7f00b0c99306c8bcb8b8beba1eb581c037 # v1.1.1 diff --git a/.github/workflows/ci.yml b/.github/workflows/tests.yml similarity index 61% rename from .github/workflows/ci.yml rename to .github/workflows/tests.yml index 3bb26c7..f2f72a3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/tests.yml 
@@ -1,43 +1,33 @@ -name: CI +name: Run tests on: [push, pull_request, workflow_dispatch] env: FORCE_COLOR: 1 -jobs: - lint: - name: Lint - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v5 - - - name: Run ruff lint - uses: astral-sh/ruff-action@v3 - - - name: Run ruff format check - uses: astral-sh/ruff-action@v3 - with: - args: "format --check --diff" +permissions: {} +jobs: test: name: Test on Python ${{ matrix.python-version }} runs-on: ubuntu-latest strategy: fail-fast: false matrix: - python-version: ["3.14"] + python-version: ["3"] steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + with: + persist-credentials: false - name: Set up uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6 with: enable-cache: true - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ matrix.python-version }} @@ -49,10 +39,10 @@ jobs: - name: Upload coverage reports if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: test-results-${{ matrix.python-version }} path: | .coverage htmlcov/ - retention-days: 30 \ No newline at end of file + retention-days: 30 diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 0000000..3794b76 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,4 @@ +rules: + secrets-outside-env: + ignore: + - cron.yml diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..0a1f5c5 --- /dev/null +++ b/.pre-commit-config.yaml 
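Review bot: The `secrets-outside-env` entry in `.github/zizmor.yml` silences that rule for the whole of `cron.yml` without saying which step needs it; none of the `cron.yml` hunks in this series show the secret expansion in question, so a reader has to open the workflow to learn what was accepted. A comment above the `- cron.yml` line should name the step and the reason, e.g. `# <step name> expands a secret outside an env: block; accepted because <reason>` (placeholders to be filled in). As far as I recall zizmor also accepts a line-scoped form such as `cron.yml:LINE`, which would keep the rule active for any new secret use elsewhere in the file; worth checking against the zizmor version pinned in `.pre-commit-config.yaml`.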
@@ -0,0 +1,35 @@ +repos: + - repo: https://github.com/astral-sh/ruff-pre-commit + rev: e05c5c0818279e5ac248ac9e954431ba58865e61 # frozen: v0.15.7 + hooks: + - id: ruff-check + name: Run Ruff (lint) + args: [--exit-non-zero-on-fix] + - id: ruff-format + name: Run Ruff (format) + args: [--exit-non-zero-on-fix] + + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c # frozen: v6.0.0 + hooks: + - id: check-case-conflict + - id: check-merge-conflict + - id: end-of-file-fixer + - id: mixed-line-ending + args: [--fix=auto] + - id: trailing-whitespace + + - repo: https://github.com/rhysd/actionlint + rev: 393031adb9afb225ee52ae2ccd7a5af5525e03e8 # frozen: v1.7.11 + hooks: + - id: actionlint + + - repo: https://github.com/zizmorcore/zizmor-pre-commit + rev: b546b77c44c466a54a42af5499dcc0dcc1a3193f # frozen: v1.22.0 + hooks: + - id: zizmor + + - repo: meta + hooks: + - id: check-hooks-apply + - id: check-useless-excludes diff --git a/.python-version b/.python-version index 3767b4b..6324d40 100644 --- a/.python-version +++ b/.python-version @@ -1 +1 @@ -3.14 \ No newline at end of file +3.14 diff --git a/Makefile b/Makefile index e4daae3..1adcf40 100644 --- a/Makefile +++ b/Makefile @@ -26,4 +26,4 @@ test: ## Run tests ci: lint fmt type-check test ## Run everything app: ## Run the app - @uv run python app.py \ No newline at end of file + @uv run python app.py From 2fe4e696c1b54872588b774c04bcdd2aadfc3a55 Mon Sep 17 00:00:00 2001 From: Stan Ulbrych Date: Sat, 13 Jun 2026 20:44:44 +0100 Subject: [PATCH 02/10] Add back `read` permissions, don't run it twice on PRs --- .github/workflows/cron.yml | 3 ++- .github/workflows/lint.yml | 9 +++++++-- .github/workflows/tests.yml | 9 +++++++-- 3 files changed, 16 insertions(+), 5 deletions(-) diff --git a/.github/workflows/cron.yml b/.github/workflows/cron.yml index 37417ae..bc37e06 100644 --- a/.github/workflows/cron.yml +++ b/.github/workflows/cron.yml 
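Review bot: `args: [--exit-non-zero-on-fix]` on the `ruff-check` hook does nothing on its own: that flag only changes the exit status when fixes were applied, and as far as I recall the ruff-pre-commit hook entry is `ruff check --force-exclude` with no `--fix`, so no fixes happen and the hook already fails on any violation. Either make the fail-after-fix workflow explicit with `args: [--fix, --exit-non-zero-on-fix]` or drop the argument. On the `ruff-format` hook the documented flag is `--exit-non-zero-on-format`; if `--exit-non-zero-on-fix` is accepted there only as an alias, prefer the documented spelling so the intent is clear in both hooks.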
@@ -5,7 +5,8 @@ on: schedule: - cron: "0 * * * *" -permissions: {} +permissions: + contents: read jobs: cron: diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 6ba66c9..ab432b5 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -1,11 +1,16 @@ name: Lint -on: [push, pull_request, workflow_dispatch] +on: + push: + branches: [main] + pull_request: + workflow_dispatch: env: FORCE_COLOR: 1 -permissions: {} +permissions: + contents: read jobs: lint: diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index f2f72a3..e989bb0 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -1,11 +1,16 @@ name: Run tests -on: [push, pull_request, workflow_dispatch] +on: + push: + branches: [main] + pull_request: + workflow_dispatch: env: FORCE_COLOR: 1 -permissions: {} +permissions: + contents: read jobs: test: From 59fc5d2a455059b2a28b0c70445d3f2c42038906 Mon Sep 17 00:00:00 2001 From: Stan Ulbrych Date: Sat, 13 Jun 2026 20:46:19 +0100 Subject: [PATCH 03/10] Keep it locked at 3.14 (for now) --- .github/workflows/tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index e989bb0..c23a500 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -19,7 +19,7 @@ jobs: strategy: fail-fast: false matrix: - python-version: ["3"] + python-version: ["3.14"] steps: - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 From 1b705fff0b5cdd12d32a695e710de579571743cc Mon Sep 17 00:00:00 2001 From: Stan Ulbrych Date: Mon, 15 Jun 2026 12:50:11 +0100 Subject: [PATCH 04/10] Workaround for Hugo --- .github/workflows/tests.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index c23a500..0f06727 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml 
@@ -1,10 +1,6 @@ name: Run tests -on: - push: - branches: [main] - pull_request: - workflow_dispatch: +on: [push, pull_request, workflow_dispatch] env: FORCE_COLOR: 1 @@ -16,6 +12,7 @@ jobs: test: name: Test on Python ${{ matrix.python-version }} runs-on: ubuntu-latest + if: github.event_name != 'push' || github.event.repository.fork == true strategy: fail-fast: false matrix: From 5f1b3523baad2b7d14e474200afde7aa53b65d72 Mon Sep 17 00:00:00 2001 From: Stan Ulbrych Date: Mon, 15 Jun 2026 12:51:22 +0100 Subject: [PATCH 05/10] Workaround for Hugo on `lint.yml` too, it works! --- .github/workflows/lint.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index ab432b5..57645e0 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -1,10 +1,6 @@ name: Lint -on: - push: - branches: [main] - pull_request: - workflow_dispatch: +on: [push, pull_request, workflow_dispatch] env: FORCE_COLOR: 1 @@ -16,6 +12,7 @@ jobs: lint: name: Lint runs-on: ubuntu-latest + if: github.event_name != 'push' || github.event.repository.fork == true steps: - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: From 5d3e1c364bb143f929745bdd1048fb8e2b1dc7e8 Mon Sep 17 00:00:00 2001 From: Stan Ulbrych Date: Mon, 15 Jun 2026 16:22:26 +0100 Subject: [PATCH 06/10] Bump Actions Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> --- .github/workflows/cron.yml | 6 +++--- .github/workflows/lint.yml | 2 +- .github/workflows/tests.yml | 6 +++--- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/cron.yml b/.github/workflows/cron.yml index bc37e06..6d225e8 100644 --- a/.github/workflows/cron.yml +++ b/.github/workflows/cron.yml 
@@ -13,17 +13,17 @@ jobs: runs-on: ubuntu-latest name: "Run PSRT Advisory Bot" steps: - - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false - name: Set up uv - uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 with: enable-cache: true - name: Set up Python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version-file: "pyproject.toml" diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 57645e0..2166d55 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest if: github.event_name != 'push' || github.event.repository.fork == true steps: - - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false - uses: j178/prek-action@0bb87d7f00b0c99306c8bcb8b8beba1eb581c037 # v1.1.1 diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 0f06727..6397e43 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -19,7 +19,7 @@ jobs: python-version: ["3.14"] steps: - - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -29,7 +29,7 @@ jobs: enable-cache: true - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 with: python-version: ${{ matrix.python-version }} 
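Review bot: After the last hunk on this line `tests.yml` sets up uv twice: the `Set up uv` step (still `astral-sh/setup-uv@d0cc045d… # v6` in this hunk's context, bumped to v8.2.0 in patch 10) and the `Set up Python` step, whose `uses:` now also points at `astral-sh/setup-uv` but with `python-version` instead of `enable-cache`. Two invocations of the same action with different inputs are redundant, and it is not obvious from the workflow which invocation's settings end up in effect. Move `python-version: ${{ matrix.python-version }}` under the first step's `with:` block alongside `enable-cache: true` and delete the second step, renaming the first one if the step name should still mention the Python version. The step name `Set up Python ${{ matrix.python-version }}` is in any case no longer accurate for a uv setup; the rest of the job is outside the hunk.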
@@ -41,7 +41,7 @@ jobs: - name: Upload coverage reports if: always() - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: test-results-${{ matrix.python-version }} path: | From 3425a9ba136aab11e5c74461c4b93c1141ce6422 Mon Sep 17 00:00:00 2001 From: Stan Ulbrych Date: Mon, 15 Jun 2026 16:24:21 +0100 Subject: [PATCH 07/10] Rework dependabot config --- .github/dependabot.yml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index b54a8ba..5d7dbb2 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,15 +4,11 @@ updates: directory: "/" schedule: interval: "quarterly" - ignore: - - dependency-name: "*" - update-types: - - "version-update:semver-minor" - - "version-update:semver-patch" groups: actions: patterns: - "*" cooldown: - # This is currently broken: https://github.com/dependabot/dependabot-core/issues/13078 + # Actions should still be inspected manually, as currently this cooldown + # can be bypassed: https://github.com/dependabot/dependabot-core/issues/13078 default-days: 14 From c01705e4170346932b07c46ac12679200ea6751a Mon Sep 17 00:00:00 2001 From: Stan Ulbrych Date: Mon, 15 Jun 2026 16:33:12 +0100 Subject: [PATCH 08/10] Revert that workaround --- .github/workflows/lint.yml | 1 - .github/workflows/tests.yml | 1 - 2 files changed, 2 deletions(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 2166d55..e0f714d 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -12,7 +12,6 @@ jobs: lint: name: Lint runs-on: ubuntu-latest - if: github.event_name != 'push' || github.event.repository.fork == true steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 6397e43..b6c2775 100644 
--- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -12,7 +12,6 @@ jobs: test: name: Test on Python ${{ matrix.python-version }} runs-on: ubuntu-latest - if: github.event_name != 'push' || github.event.repository.fork == true strategy: fail-fast: false matrix: From 597e831baa8a9970b312b469eb1a6ea8477305c3 Mon Sep 17 00:00:00 2001 From: Stan Ulbrych Date: Mon, 15 Jun 2026 16:35:38 +0100 Subject: [PATCH 09/10] Make linter happy with license --- LICENSE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/LICENSE b/LICENSE index 0378184..a474852 100644 --- a/LICENSE +++ b/LICENSE @@ -51,4 +51,4 @@ products or services of Licensee, or any third party. 8. By copying, installing or otherwise using Python Security Response Team GitHub Security Advisory Bot, Licensee agrees to be bound by the terms and conditions of this License -Agreement. \ No newline at end of file +Agreement. From 281c298f95d581cbdb94e4a3f34419995d559c7c Mon Sep 17 00:00:00 2001 From: Stan Ulbrych Date: Mon, 15 Jun 2026 19:46:58 +0100 Subject: [PATCH 10/10] Update .github/workflows/tests.yml Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> --- .github/workflows/tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index b6c2775..39db9ac 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -23,7 +23,7 @@ jobs: persist-credentials: false - name: Set up uv - uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 with: enable-cache: true