From 5b345de5a5203156a10004a6f399e82af1f35eca Mon Sep 17 00:00:00 2001
From: Bryce Boe
Date: Mon, 15 Jun 2026 11:02:34 -0700
Subject: [PATCH 1/2] Resolve zizmor pedantic findings in workflows
---
 .github/dependabot.yml | 4 ++++
 .github/workflows/ci.yml | 5 +++--
 .github/workflows/pypi.yml | 5 ++++-
 .github/workflows/scorecard.yml | 10 +++++++---
 4 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index cb3c37a..9f93c2c 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -6,9 +6,13 @@ updates:
 interval: monthly
 labels:
 - "Dependencies"
+ cooldown:
+ default-days: 1
 - package-ecosystem: uv
 directory: /
 schedule:
 interval: monthly
 labels:
 - "Dependencies"
+ cooldown:
+ default-days: 1
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a31319f..d220634 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,7 +4,7 @@ concurrency:
 jobs:
 ci:
 name: CI
- uses: praw-dev/.github/.github/workflows/ci.yml@aa63811572338b6343772c542574909f1cbd8d78 # v1.5.0
+ uses: praw-dev/.github/.github/workflows/ci.yml@ec3a733628adc5bd596def5294dae9fb4eb1e501 # v1.6.0
 with:
 min_python: "3.10"
 python_versions: '["3.10", "3.11", "3.12", "3.13", "3.14"]'
@@ -14,4 +14,5 @@ on:
 push:
 branches: ["main"]
 pull_request:
-permissions: read-all
+permissions:
+ contents: read
diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
index f999018..d654e12 100644
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@@ -1,9 +1,12 @@
+concurrency:
+ group: pypi-${{ github.ref }}
+ cancel-in-progress: false
 jobs:
 pypi-publish:
 environment: release
 name: Upload release to PyPI
 permissions:
- id-token: write
+ id-token: write # required for PyPI trusted publishing
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 1632c93..12ce6be 100644
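Review bot: Both new `cooldown` stanzas in the dependabot.yml hunk set `default-days: 1`, which is a short aging window for what is essentially a supply-chain guard: a compromised or malicious release is often reported and yanked only days after publication, and a one-day delay leaves little room for that. If a longer window (7 days is a common choice) is not wanted, a comment recording the decision would help the next reader, e.g. `cooldown: # brief delay so freshly published versions can be pulled before a PR is opened`. The first stanza's `package-ecosystem` key is above the hunk, so I cannot tell which ecosystem it covers.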
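Review bot: The new workflow-level `permissions:` block in the second ci.yml hunk narrows `read-all` to `contents: read`, and since the caller caps what a reusable workflow's jobs may hold, any job inside the pinned `ci.yml` that relied on another read scope (for example `actions: read`) would now fail at runtime rather than at lint time; a run on a branch before merging would confirm nothing else was needed. The sibling workflows document each granted scope inline (lint.yml has `contents: read # required to check out the repository`), so for consistency I would write `contents: read # checkout only; the reusable workflow inherits at most this`. The first hunk is only a pin bump of the same reusable workflow.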
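Review bot: `cancel-in-progress: false` in the new pypi.yml `concurrency` block is the right choice for a publish job, because cancelling a run mid-upload can leave a release partially published, but the intent is not visible next to scorecard.yml where the same key is `true`; an inline comment such as `cancel-in-progress: false # never cancel an in-flight publish` would stop a later "cleanup" from flipping it. The job-level `permissions` block now documents `id-token: write`, yet it still lists no `contents` scope, and a job-level block sets every unlisted scope to none, so the `actions/checkout` step on the following lines appears to rely on the repository being public; that assumption is worth a second comment in the same block. The job's remaining steps are below the hunk.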
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -9,14 +9,18 @@ on:
 - cron: '36 1 * * 3'
 push:
 branches: ["main"]
-permissions: read-all
+concurrency:
+ group: scorecard-${{ github.ref }}
+ cancel-in-progress: true
+# No workflow-level permissions; the analysis job grants its own.
+permissions: {}
 jobs:
 analysis:
 name: Scorecard analysis
 runs-on: ubuntu-latest
 permissions:
- security-events: write
- id-token: write
+ security-events: write # upload results to the code-scanning dashboard
+ id-token: write # publish results and get a badge (see publish_results below)
 steps:
 - name: "Checkout code"
 uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
From ce666da4bd357556e9a3e22beafc6a4874a53d29 Mon Sep 17 00:00:00 2001
From: Bryce Boe
Date: Mon, 15 Jun 2026 11:02:34 -0700
Subject: [PATCH 2/2] Bump praw-dev/.github reusable workflow pins to v1.6.0
---
 .github/workflows/lint.yml | 2 +-
 .github/workflows/pre-commit_autoupdate.yml | 2 +-
 .github/workflows/prepare_release.yml | 2 +-
 .github/workflows/stale_action.yml | 2 +-
 .github/workflows/tag_release.yml | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 0c77806..23eae19 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -6,7 +6,7 @@ jobs:
 name: Lint workflows
 permissions:
 contents: read # required to check out the repository
- uses: praw-dev/.github/.github/workflows/lint.yml@aa63811572338b6343772c542574909f1cbd8d78 # v1.5.0
+ uses: praw-dev/.github/.github/workflows/lint.yml@ec3a733628adc5bd596def5294dae9fb4eb1e501 # v1.6.0
 name: Lint workflows
 on:
 pull_request:
diff --git a/.github/workflows/pre-commit_autoupdate.yml b/.github/workflows/pre-commit_autoupdate.yml
index 6d4b279..b36ed44 100644
--- a/.github/workflows/pre-commit_autoupdate.yml
+++ b/.github/workflows/pre-commit_autoupdate.yml
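Review bot: The new `permissions: {}` at the workflow level changes nothing for the `analysis` job, because a job-level `permissions` block replaces the workflow-level one entirely; its real effect is that any job added later without its own block starts from no permissions, which is the right default and worth saying in the comment. The job-level block grants `security-events: write` and `id-token: write` but no `contents` scope, so the `Checkout code` step depends on the repository being public; the upstream scorecard-action template lists `contents: read` and `actions: read` as the scopes to add for a private repository. I would extend the added comment to `# No workflow-level permissions; each job grants its own (add contents/actions read to analysis if the repo goes private).` The `analysis` job continues below the hunk.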
@@ -4,7 +4,7 @@ jobs:
 secrets:
 APP_ID: ${{ secrets.APP_ID }}
 APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }}
- uses: praw-dev/.github/.github/workflows/pre-commit_autoupdate.yml@aa63811572338b6343772c542574909f1cbd8d78 # v1.5.0
+ uses: praw-dev/.github/.github/workflows/pre-commit_autoupdate.yml@ec3a733628adc5bd596def5294dae9fb4eb1e501 # v1.6.0
 name: Update pre-commit hooks
 on:
 schedule:
diff --git a/.github/workflows/prepare_release.yml b/.github/workflows/prepare_release.yml
index d1d3603..5094712 100644
--- a/.github/workflows/prepare_release.yml
+++ b/.github/workflows/prepare_release.yml
@@ -13,7 +13,7 @@ jobs:
 secrets:
 APP_ID: ${{ secrets.APP_ID }}
 APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }}
- uses: praw-dev/.github/.github/workflows/prepare_release.yml@aa63811572338b6343772c542574909f1cbd8d78 # v1.5.0
+ uses: praw-dev/.github/.github/workflows/prepare_release.yml@ec3a733628adc5bd596def5294dae9fb4eb1e501 # v1.6.0
 with:
 package: codesorter
 version: ${{ inputs.version }}
diff --git a/.github/workflows/stale_action.yml b/.github/workflows/stale_action.yml
index fc7987c..d345bcc 100644
--- a/.github/workflows/stale_action.yml
+++ b/.github/workflows/stale_action.yml
@@ -4,7 +4,7 @@ jobs:
 permissions:
 issues: write # required to comment on and close stale issues
 pull-requests: write # required to comment on and close stale PRs
- uses: praw-dev/.github/.github/workflows/stale_action.yml@aa63811572338b6343772c542574909f1cbd8d78 # v1.5.0
+ uses: praw-dev/.github/.github/workflows/stale_action.yml@ec3a733628adc5bd596def5294dae9fb4eb1e501 # v1.6.0
 name: Close stale issues and PRs
 on:
 schedule:
diff --git a/.github/workflows/tag_release.yml b/.github/workflows/tag_release.yml
index b9b283e..5973f7f 100644
--- a/.github/workflows/tag_release.yml
+++ b/.github/workflows/tag_release.yml
@@ -8,4 +8,4 @@ jobs:
 name: Tag Release
 permissions:
 contents: write # required to push the release tag
- uses: praw-dev/.github/.github/workflows/tag_release.yml@aa63811572338b6343772c542574909f1cbd8d78 # v1.5.0
+ uses: praw-dev/.github/.github/workflows/tag_release.yml@ec3a733628adc5bd596def5294dae9fb4eb1e501 # v1.6.0