diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index 4f48167f..03e71592 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -6,6 +6,9 @@ on: push: branches: [master] +permissions: + contents: read + jobs: pre-commit: name: pre-commit-hooks @@ -18,4 +21,4 @@ jobs: - uses: actions/setup-python@v6 with: python-version: "3.13" - - uses: pre-commit/action@v3.0.1 + - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 diff --git a/.github/workflows/publish_pypi.yml b/.github/workflows/publish_pypi.yml index c7facf91..c50427ee 100644 --- a/.github/workflows/publish_pypi.yml +++ b/.github/workflows/publish_pypi.yml @@ -1,4 +1,4 @@ -name: Publish to PyPI +name: Builid Wheel and Release on: pull_request: @@ -17,24 +17,23 @@ on: tags: - '[0-9]+.[0-9]+.[0-9]+*' -permissions: {} +permissions: + contents: read jobs: build-artifacts: runs-on: ubuntu-latest - permissions: - contents: read defaults: run: shell: bash -l {0} steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 persist-credentials: false - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: "3.9" - name: Install build dependencies @@ -43,7 +42,7 @@ jobs: python -m pip install build twine - name: Build wheel and sdist run: python -m build - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: releases path: dist 
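Review bot: In the second pre-commit.yml hunk, `actions/setup-python@v6` stays on a mutable tag while the step right after it is pinned to a commit SHA, so the job still runs code that can change without a change to this file. The same commit already pins that action in publish_pypi.yml, so the line here can reuse it: `- uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0`. The steps list starts above the hunk, so any checkout step there should be checked for the same gap.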
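Review bot: The new workflow name in the first publish_pypi.yml hunk is misspelled: `Builid Wheel and Release`. This string is what appears in the Actions UI and in status badges, so it should read `name: Build Wheel and Release`.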
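Review bot: Replacing the workflow-level `permissions: {}` with `contents: read` in publish_pypi.yml turns this release workflow from deny-by-default into read-by-default. The jobs visible here end up with the same or narrower tokens, because test-pypi and pypi declare their own blocks. But any job added later without a `permissions:` key would inherit `contents: read` instead of nothing. For a workflow that also mints `id-token: write` credentials, I would keep `permissions: {}` at the top and leave `permissions:` / `contents: read` on build-artifacts. A one-line comment such as `# deny by default; each job grants what it needs` would make the intent clear.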
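Review bot: The build step shown as context in the last publish_pypi.yml hunk on this line, `python -m pip install build twine`, still resolves whatever versions are current at run time. Pinning the actions by SHA therefore does not cover the tooling that actually produces the sdist and wheel. Since these artifacts are later attested and published, consider installing the build tools from a hash-locked requirements file, e.g. `python -m pip install --require-hashes -r <build-requirements-file>` (path is a placeholder). The step's `run:` block starts above the hunk, so the rest of it is not visible here.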
@@ -60,16 +59,15 @@ jobs: name: test-pypi url: https://test.pypi.org/p/toolz permissions: - contents: read id-token: write steps: - - uses: actions/download-artifact@v5 + - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: name: releases path: dist - name: Publish to Test-PyPI - uses: pypa/gh-action-pypi-publish@v1.13.0 + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 with: repository-url: https://test.pypi.org/legacy/ print-hash: true @@ -84,16 +82,23 @@ jobs: name: pypi url: https://pypi.org/p/toolz permissions: - contents: read id-token: write + attestations: write steps: - - uses: actions/download-artifact@v5 + - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: name: releases path: dist + + - name: Generate artifact attestation for sdist and wheel + uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 + with: + subject-path: "dist/toolz-*" + - name: Publish to PyPI - uses: pypa/gh-action-pypi-publish@v1.13.0 + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 with: + attestations: true print-hash: true verbose: true diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 485cd6fe..6ae02df0 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -5,6 +5,9 @@ on: branches: [master] pull_request: +permissions: + contents: read + jobs: test: runs-on: ${{ matrix.os }} @@ -50,6 +53,6 @@ jobs: coverage xml - name: codecov if: (! contains(matrix.python-version, 'pypy')) - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1 with: token: ${{ secrets.CODECOV_TOKEN }} diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 745e602d..9896e92d 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
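Review bot: In the pypi job hunk, the attestation step covers `subject-path: "dist/toolz-*"`, but the publish step uploads the whole `dist` directory, as far as the hunk shows no `packages-dir` override. The two file sets are defined independently, so a file in `dist` that does not match the glob would be published without GitHub provenance. Using `subject-path: "dist/*"` keeps them in step. A short comment on `attestations: write` saying it is needed only by the attest-build-provenance step would also help the next reader keep the block minimal. The job header and any `if:` condition are above the hunk.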
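Review bot: The codecov pin in the second test.yml hunk is also a major-version upgrade, from `codecov/codecov-action@v4` to a SHA labelled `# v5.5.1`, whereas every other pin in this commit keeps the major version it already had. This step receives `secrets.CODECOV_TOKEN`, so the upgrade deserves its own line in the commit message. The SHA should also be confirmed against the v5.5.1 tag rather than trusted from the trailing comment. The rest of the steps list is outside the hunk, so it is not visible whether the other `uses:` lines in test.yml were pinned as well.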
@@ -1,3 +1,6 @@ +ci: + autofix_prs: false + skip: [no-commit-to-branch] fail_fast: false default_language_version: python: python3 @@ -13,6 +16,7 @@ repos: # Checks based on file type - id: check-ast - id: check-toml + - id: check-yaml # Detect mistakes - id: check-vcs-permalinks - id: debug-statements @@ -44,6 +48,19 @@ repos: additional_dependencies: - tomli; python_version<'3.11' files: ^(toolz|tlz|docs)/ + - repo: https://github.com/rhysd/actionlint + rev: v1.7.8 + hooks: + - id: actionlint + - repo: https://github.com/adrienverge/yamllint + rev: v1.37.1 + hooks: + - id: yamllint + args: [-d, "{extends: default, rules: {line-length: disable}}"] + - repo: https://github.com/woodruffw/zizmor-pre-commit + rev: v1.15.2 + hooks: + - id: zizmor - repo: https://github.com/pre-commit/pygrep-hooks rev: v1.10.0 hooks: @@ -64,3 +81,8 @@ repos: hooks: - id: check-hooks-apply - id: check-useless-excludes + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v6.0.0 + hooks: + - id: no-commit-to-branch + args: [--branch, master] diff --git a/conda.recipe/bld.bat b/conda.recipe/bld.bat deleted file mode 100644 index a8cb1eb3..00000000 --- a/conda.recipe/bld.bat +++ /dev/null @@ -1,2 +0,0 @@ -cd %RECIPE_DIR%\.. -%PYTHON% setup.py install diff --git a/conda.recipe/build.sh b/conda.recipe/build.sh deleted file mode 100644 index abebc130..00000000 --- a/conda.recipe/build.sh +++ /dev/null @@ -1,2 +0,0 @@ -cd $RECIPE_DIR/.. -$PYTHON setup.py install diff --git a/conda.recipe/meta.yaml b/conda.recipe/meta.yaml deleted file mode 100644 index b83f0fa1..00000000 --- a/conda.recipe/meta.yaml +++ /dev/null @@ -1,26 +0,0 @@ -package: - name: toolz - version: "0.10.0" - -build: - number: {{environ.get('BINSTAR_BUILD', 1)}} - -requirements: - build: - - setuptools - - python - - run: - - python - -test: - requires: - - pytest - imports: - - toolz - commands: - - py.test -x --doctest-modules --pyargs toolz - -about: - home: https://toolz.readthedocs.io/ - license: BSD
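Review bot: The three hook repos added in the third .pre-commit-config.yaml hunk (actionlint, yamllint, zizmor-pre-commit) are referenced by tag (`rev: v1.7.8`, `rev: v1.37.1`, `rev: v1.15.2`). Tags can be moved, and these hooks execute on contributor machines and in the pre-commit workflow, so this is the same exposure the commit removes for GitHub Actions by pinning to SHAs. `pre-commit autoupdate --freeze` rewrites each `rev:` to the commit hash and keeps the tag as a `# frozen: vX.Y.Z` comment. The existing entries around the hunk use tags too, so this would be a file-wide change.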
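Review bot: The `no-commit-to-branch` hook added in the last .pre-commit-config.yaml hunk with `args: [--branch, master]` is skipped only for pre-commit.ci, through the new `ci: skip:` entry. The pre-commit.yml workflow in this same commit also runs on `push` to `master`, where the checkout is normally on the `master` branch, so the hook would presumably fail there unless that job sets `SKIP: no-commit-to-branch` in its `env:`. No such setting is visible in the pre-commit.yml hunks. If it is missing, either add that `env:` entry to the job or restrict the hook with `stages: [pre-commit]`, and add a comment explaining which environments are expected to run it.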