Merge branch 'main' into rm-x

Author: hugovk

.github/workflows/ci.yml

@@ -1,22 +1,25 @@
 name: CI
 
-on:
-  pull_request:
-    branches: [main]
-  push:
-    branches: [main]
+on: [push, pull_request, workflow_dispatch]
+
+permissions: {}
 
 concurrency:
   group: ci-${{ github.ref }}
   cancel-in-progress: true
 
+env:
+  FORCE_COLOR: 1
+
 jobs:
   quality:
     name: Quality checks
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
@@ -26,29 +29,17 @@ jobs:
       - name: Install dependencies
         run: bun install --frozen-lockfile
 
-      - name: Lint
-        run: bunx oxlint src/
-
-      - name: Type check
-        run: bunx astro check
-
-  spellcheck:
-    name: Spell check
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-
-      - name: Spell check
-        uses: crate-ci/typos@v1.44.0
+      - name: Run prek
+        uses: j178/prek-action@v1
 
   build:
     name: Build
     runs-on: ubuntu-latest
-    needs: [quality, spellcheck]
     steps:
       - name: Checkout
         uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2

.github/workflows/deploy.yml

@@ -7,20 +7,24 @@ on:
 
 permissions:
   contents: read
-  pages: write
-  id-token: write
 
 concurrency:
   group: pages
   cancel-in-progress: false
 
+env:
+  FORCE_COLOR: 1
+
+
 jobs:
   build:
     name: Build
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
@@ -54,6 +58,9 @@ jobs:
     name: Deploy
     runs-on: ubuntu-latest
     needs: build
+    permissions:
+      pages: write
+      id-token: write
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}

.github/zizmor.yml

@@ -0,0 +1,7 @@
+# Configuration for the zizmor static analysis tool, run via prek in CI
+# https://docs.zizmor.sh/configuration/
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        "*": ref-pin

.pre-commit-config.yaml

@@ -1,31 +1,53 @@
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v5.0.0
+    rev: v6.0.0
     hooks:
-      - id: trailing-whitespace
-        args: [--markdown-linebreak-ext=md]
-      - id: end-of-file-fixer
-      - id: check-yaml
-      - id: check-json
-      - id: check-merge-conflict
       - id: check-added-large-files
         args: [--maxkb=500]
+      - id: check-case-conflict
+      - id: check-merge-conflict
+      - id: check-json
+      - id: check-yaml
+      - id: end-of-file-fixer
+      - id: trailing-whitespace
+        args: [--markdown-linebreak-ext=md]
+
+  - repo: https://github.com/python-jsonschema/check-jsonschema
+    rev: 0.37.0
+    hooks:
+      - id: check-dependabot
+      - id: check-github-workflows
+
+  - repo: https://github.com/rhysd/actionlint
+    rev: v1.7.11
+    hooks:
+      - id: actionlint
+
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: v1.23.1
+    hooks:
+      - id: zizmor
 
   - repo: https://github.com/crate-ci/typos
-    rev: v1.32.0
+    rev: v1.44.0
     hooks:
       - id: typos
 
-  - repo: local
+  - repo: https://github.com/oxc-project/mirrors-oxlint
+    rev: v1.55.0
     hooks:
-      - id: lint
-        name: lint
-        entry: bun run lint
-        language: system
-        pass_filenames: false
+      - id: oxlint
 
+  - repo: local
+    hooks:
       - id: typecheck
         name: typecheck
         entry: bun run typecheck
         language: system
         pass_filenames: false
+        files: ^src/.*\.(ts|tsx|astro)$
+
+  - repo: meta
+    hooks:
+      - id: check-hooks-apply
+      - id: check-useless-excludes

content/posts/2012-language-summit-report/index.md

@@ -66,5 +66,5 @@ PEP [3154](http://www.python.org/dev/peps/pep-3154/), mentioned by Lukasz Langa,
 
 * * *
 
-  
+
 If you have any questions or comments, please post to [python-dev](http://mail.python.org/mailman/listinfo/python-dev). *Thanks to Eric Snow and Senthil Kumaran for contributing to this post.*

content/posts/announcing-defusedxml-fixes-for-xml/index.md

@@ -10,7 +10,7 @@ legacyUrl: /2013/02/announcing-defusedxml-fixes-for-xml.html
 ---
 
 *The following post was created on behalf of CPython contributor Christian Heimes using a subset of details found [here](https://bitbucket.org/tiran/defusedxml).* Christian Heimes announces the release of his [defusedxml](https://bitbucket.org/tiran/defusedxml) and [defusedexpat](https://bitbucket.org/tiran/defusedexpat) packages to address XML-related security issues which were reported to [security@python.org](mailto:security@python.org) over the last several months. Throughout the development of the patches, the security team has coordinated with other open source projects in order to make this announcement at 1500 UTC on Tuesday February 19. Details will follow once releases of CPython have been organized. ***Note: this post will be updated with more details as they switch from being private to publicly available, including links to the public bug reports on [http://bugs.python.org](http://bugs.python.org/).***  
-  
+
 defusedxml on PyPI: [https://pypi.python.org/pypi/defusedxml](https://pypi.python.org/pypi/defusedxml)  
 defusedexpat on PyPI: [https://pypi.python.org/pypi/defusedexpat](https://pypi.python.org/pypi/defusedexpat)  
 "XML vulnerabilities" on bug tracker: [http://bugs.python.org/issue17239](http://bugs.python.org/issue17239)  
@@ -92,7 +92,7 @@ vulnerabilities and features
 6.  Library has (limited) XInclude support but requires an additional step to process inclusion.
 7.  These are features but they may introduce exploitable holes
 
-  
+
 
 ## [How to avoid XML vulnerabilities](https://bitbucket.org/PSF/defusedxml#id24)