diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 05acac8..017d475 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -8,3 +8,5 @@ updates:
 copier-actions:
 patterns:
 - "*"
+ cooldown:
+ default-days: 7
diff --git a/.github/workflows/ci-copier.yml b/.github/workflows/ci-copier.yml
index f5d663d..b474387 100644
--- a/.github/workflows/ci-copier.yml
+++ b/.github/workflows/ci-copier.yml
@@ -91,10 +91,10 @@ jobs:
 git commit -m "Create pixi.lock"
 # Push the generated package's HEAD commit to a `ci/*` branch
 cid=$(git rev-parse HEAD)
- git push -f "${GITHUB_SERVER_URL/https:\/\//git@}:$GITHUB_REPOSITORY" $cid:refs/heads/${{ steps.branch.outputs.name }}
+ git push -f "${GITHUB_SERVER_URL/https:\/\//git@}:$GITHUB_REPOSITORY" $cid:refs/heads/${STEPS_BRANCH_OUTPUTS_NAME}
 # Use the GitHub API to wait for the generated package's CI to complete (success or failure).
 # We look for a GitHub Actions run for the HEAD commit ID.
- WORKFLOW_URL="$GITHUB_API_URL/repos/${GITHUB_REPOSITORY}/actions/runs?branch=${{ steps.branch.outputs.name }}&head_sha=${cid}"
+ WORKFLOW_URL="$GITHUB_API_URL/repos/${GITHUB_REPOSITORY}/actions/runs?branch=${STEPS_BRANCH_OUTPUTS_NAME}&head_sha=${cid}"
 echo "Waiting for inner CI to start"
 while (( $(curl -Ls --header "$AUTH" "$WORKFLOW_URL" | jq -r ".workflow_runs | length") < 1 )); do
 sleep 10
@@ -108,6 +108,8 @@ jobs:
 echo "CI pipeline failed"
 exit 1
 fi
+ env:
+ STEPS_BRANCH_OUTPUTS_NAME: ${{ steps.branch.outputs.name }}
 - name: Clean up CI branch
 if: always()
 run: |
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 8adad86..36d3f52 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -63,3 +63,10 @@ repos:
 language: system
 types: [text]
 require_serial: true
+ # zizmor
+ - id: zizmor
+ name: zizmor
+ entry: pixi run -e lint zizmor --no-progress --min-severity high --fix .
+ language: system
+ types: [yaml]
+ pass_filenames: false
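Review bot: `cooldown` belongs to the update entry itself, as a sibling of `groups`, not to the `copier-actions` group whose `patterns` precede it; this collapsed rendering loses indentation, so it is worth confirming in the file that the two added lines sit at entry level rather than nested under the group, where they would not take effect. The same two lines are added under `gh-actions` in `template/.github/dependabot.yml.jinja` and deserve the same check. A one-line comment above `cooldown:` would explain the intent to the next reader, e.g. `# Wait 7 days after a release before proposing it, so very fresh (possibly compromised or quickly yanked) versions are skipped`.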
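Review bot: The refspec on the new `git push` line, `$cid:refs/heads/${STEPS_BRANCH_OUTPUTS_NAME}`, is still unquoted, so the branch name now read from the environment is subject to word splitting and glob expansion; quote it as `"$cid:refs/heads/${STEPS_BRANCH_OUTPUTS_NAME}"` (the `WORKFLOW_URL` assignment is already inside double quotes). Moving the `${{ steps.branch.outputs.name }}` expression into the step's `env:` (hunk at -108) is the right fix for the expression-in-script pattern, since the value is no longer spliced into the shell source before it runs. The branch name is also embedded verbatim in the `?branch=` query parameter without URL-encoding; if `steps.branch` always yields a plain `ci/<id>` name this is fine, but that step is defined outside the hunk, so confirm its output cannot contain `&`, `#` or whitespace. The `run:` block begins before the first hunk.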
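Review bot: `--min-severity high` in the new hook's `entry` suppresses every medium- and low-severity finding, so lower-severity results (for example pinning-related ones, depending on zizmor's policy) never reach the developer; either drop the filter or record the reason above the entry, e.g. `# High-severity only; lower findings are triaged in CI`. `--fix` rewrites workflow files in place from a pre-commit hook, which is convenient but means a failing run leaves modified files in the working tree that the author must review before re-staging — a comment saying so would avoid surprises. With `pass_filenames: false` and `.` as the target the hook scans the whole repository, but if the template's workflows are stored as `.jinja` files zizmor will not parse them here, so coverage of generated projects rests on the identical hook added in `template/.pre-commit-config.yaml`.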
diff --git a/pixi.lock b/pixi.lock index 7627749..5098f98 100644 --- a/pixi.lock +++ b/pixi.lock @@ -412,6 +412,7 @@ environments: - conda: https://conda.anaconda.org/conda-forge/noarch/virtualenv-21.0.0-pyhcf101f3_0.conda - conda: https://conda.anaconda.org/conda-forge/linux-64/yaml-0.2.5-h280c20c_3.conda - conda: https://conda.anaconda.org/conda-forge/noarch/zipp-3.23.0-pyhcf101f3_1.conda + - conda: https://conda.anaconda.org/conda-forge/linux-64/zizmor-1.22.0-hb17b654_0.conda - conda: https://conda.anaconda.org/conda-forge/linux-64/zstd-1.5.7-hb78ec9c_6.conda osx-64: - conda: https://conda.anaconda.org/conda-forge/osx-64/_openmp_mutex-4.5-7_kmp_llvm.conda @@ -479,6 +480,7 @@ environments: - conda: https://conda.anaconda.org/conda-forge/noarch/virtualenv-21.0.0-pyhcf101f3_0.conda - conda: https://conda.anaconda.org/conda-forge/osx-64/yaml-0.2.5-h4132b18_3.conda - conda: https://conda.anaconda.org/conda-forge/noarch/zipp-3.23.0-pyhcf101f3_1.conda + - conda: https://conda.anaconda.org/conda-forge/osx-64/zizmor-1.22.0-ha9c3995_0.conda - conda: https://conda.anaconda.org/conda-forge/osx-64/zstd-1.5.7-h3eecb57_6.conda osx-arm64: - conda: https://conda.anaconda.org/conda-forge/osx-arm64/_openmp_mutex-4.5-7_kmp_llvm.conda @@ -546,6 +548,7 @@ environments: - conda: https://conda.anaconda.org/conda-forge/noarch/virtualenv-21.0.0-pyhcf101f3_0.conda - conda: https://conda.anaconda.org/conda-forge/osx-arm64/yaml-0.2.5-h925e9cb_3.conda - conda: https://conda.anaconda.org/conda-forge/noarch/zipp-3.23.0-pyhcf101f3_1.conda + - conda: https://conda.anaconda.org/conda-forge/osx-arm64/zizmor-1.22.0-h6fdd925_0.conda - conda: https://conda.anaconda.org/conda-forge/osx-arm64/zstd-1.5.7-hbf9d68e_6.conda win-64: - conda: https://conda.anaconda.org/conda-forge/win-64/bzip2-1.0.8-h0ad9c76_9.conda 
@@ -609,6 +612,7 @@ environments: - conda: https://conda.anaconda.org/conda-forge/noarch/virtualenv-21.0.0-pyhcf101f3_0.conda - conda: https://conda.anaconda.org/conda-forge/win-64/yaml-0.2.5-h6a83c73_3.conda - conda: https://conda.anaconda.org/conda-forge/noarch/zipp-3.23.0-pyhcf101f3_1.conda + - conda: https://conda.anaconda.org/conda-forge/win-64/zizmor-1.22.0-h18a1a76_0.conda packages: - conda: https://conda.anaconda.org/conda-forge/linux-64/_openmp_mutex-4.5-20_gnu.conda build_number: 20 
@@ -4126,6 +4130,51 @@ packages: license_family: MIT size: 24194 timestamp: 1764460141901 +- conda: https://conda.anaconda.org/conda-forge/linux-64/zizmor-1.22.0-hb17b654_0.conda + sha256: f94f8af570f981bb527c25f3fd5e4126d69da95a38563fa316dfec314df42a09 + md5: 050118580d3038416e732519ab745df7 + depends: + - __glibc >=2.17,<3.0.a0 + - libgcc >=14 + constrains: + - __glibc >=2.17 + license: MIT + license_family: MIT + size: 6148512 + timestamp: 1769103851506 +- conda: https://conda.anaconda.org/conda-forge/osx-64/zizmor-1.22.0-ha9c3995_0.conda + sha256: aa02960ccca0825dee4184f545a903a3c1443457df14eb927234603848b28be6 + md5: 81241e2c9b6175822564769325c4ffe3 + depends: + - __osx >=10.13 + constrains: + - __osx >=10.13 + license: MIT + license_family: MIT + size: 6100818 + timestamp: 1769103899928 +- conda: https://conda.anaconda.org/conda-forge/osx-arm64/zizmor-1.22.0-h6fdd925_0.conda + sha256: 4742566768cc514f47486c4c40d3cb04d5e56fe44d679fd8b7c7342df4f6edf3 + md5: 2234b0aa988e6b15dedcc48187a22ff6 + depends: + - __osx >=11.0 + constrains: + - __osx >=11.0 + license: MIT + license_family: MIT + size: 5664639 + timestamp: 1769103879375 +- conda: https://conda.anaconda.org/conda-forge/win-64/zizmor-1.22.0-h18a1a76_0.conda + sha256: 13d73d4f524cc976ad98a16480a57d4636169c5cf28737a33985df587576ba7b + md5: 1d5ddc604a1b025dfca7f3fefd70915d + depends: + - vc >=14.3,<15 + - vc14_runtime >=14.44.35208 + - ucrt >=10.0.20348.0 + license: MIT + license_family: MIT + size: 6405261 + timestamp: 1769103902299 - conda: https://conda.anaconda.org/conda-forge/linux-64/zstd-1.5.7-hb78ec9c_6.conda sha256: 68f0206ca6e98fea941e5717cec780ed2873ffabc0e1ed34428c061e2c6268c7 md5: 4a13eeac0b5c8e5b8ab496e6c4ddd829 diff --git a/pixi.toml b/pixi.toml index a6a48f2..1274dda 100644 --- a/pixi.toml +++ b/pixi.toml 
@@ -31,6 +31,7 @@ prettier = "*"
 taplo = "*"
 pre-commit-hooks = "*"
 typos = "*"
+zizmor = "*"
 [feature.lint.tasks]
 pre-commit-install = "pre-commit install"
 pre-commit-run = "pre-commit run -a"
diff --git a/template/.github/dependabot.yml.jinja b/template/.github/dependabot.yml.jinja
index 3891848..549c9f0 100644
--- a/template/.github/dependabot.yml.jinja
+++ b/template/.github/dependabot.yml.jinja
@@ -8,3 +8,5 @@ updates:
 gh-actions:
 patterns:
 - "*"
+ cooldown:
+ default-days: 7
diff --git a/template/.pre-commit-config.yaml b/template/.pre-commit-config.yaml
index e8c3e32..cc60345 100644
--- a/template/.pre-commit-config.yaml
+++ b/template/.pre-commit-config.yaml
@@ -67,3 +67,10 @@ repos:
 language: system
 types: [text]
 require_serial: true
+ # zizmor
+ - id: zizmor
+ name: zizmor
+ entry: pixi run -e lint zizmor --no-progress --min-severity high --fix .
+ language: system
+ types: [yaml]
+ pass_filenames: false
diff --git a/template/pixi.toml.jinja b/template/pixi.toml.jinja
index 0ccdc30..c53e170 100644
--- a/template/pixi.toml.jinja
+++ b/template/pixi.toml.jinja
@@ -37,6 +37,7 @@ prettier = "*"
 taplo = "*"
 pre-commit-hooks = "*"
 typos = "*"
+zizmor = "*"
 [feature.lint.tasks]
 pre-commit-install = "pre-commit install"
 pre-commit-run = "pre-commit run -a"