From 61c30f17b744a044d930e1fb6e5c05a6397270fd Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Mon, 1 Jun 2026 21:57:31 +0200 Subject: [PATCH 1/4] Use `persist-credentials: false` on checkout GHA --- .github/workflows/ci.yml | 2 ++ .github/workflows/purge-cache.yml | 1 + .github/workflows/static.yml | 2 ++ 3 files changed, 5 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 905a6c200..3a3a4b91d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -21,6 +21,8 @@ jobs: steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - uses: actions/setup-python@v6 with: diff --git a/.github/workflows/purge-cache.yml b/.github/workflows/purge-cache.yml index f7f85c2d4..328dd786f 100644 --- a/.github/workflows/purge-cache.yml +++ b/.github/workflows/purge-cache.yml @@ -23,6 +23,7 @@ jobs: if: github.event_name == 'push' with: fetch-depth: 0 + persist-credentials: false - name: Resolve keys id: keys diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml index edb234a97..51f1e1030 100644 --- a/.github/workflows/static.yml +++ b/.github/workflows/static.yml @@ -11,6 +11,8 @@ jobs: steps: - name: Check out repository uses: actions/checkout@v6 + with: + persist-credentials: false - uses: actions/setup-python@v6 with: From 854f984210a34f8f8487b0cf1986a4729eeb97d6 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Mon, 1 Jun 2026 21:57:42 +0200 Subject: [PATCH 2/4] Pin GitHub actions --- .github/workflows/ci.yml | 14 ++++++++------ .github/workflows/lint.yml | 6 +++--- .github/workflows/purge-cache.yml | 2 +- .github/workflows/static.yml | 6 +++--- 4 files changed, 15 insertions(+), 13 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3a3a4b91d..9f57674ca 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -20,16 +20,16 @@ jobs: options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version-file: '.python-version' - name: Cache pip - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ~/.cache/pip key: ${{ runner.os }}-pip-${{ hashFiles('pyproject.toml') }} @@ -58,7 +58,9 @@ jobs: options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Install platform dependencies run: | @@ -74,12 +76,12 @@ jobs: wget https://github.com/jgm/pandoc/releases/download/2.17.1.1/pandoc-2.17.1.1-1-amd64.deb sudo dpkg -i pandoc-2.17.1.1-1-amd64.deb - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version-file: '.python-version' - name: Cache pip - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ~/.cache/pip key: ${{ runner.os }}-pip-${{ hashFiles('pyproject.toml') }} diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 68c6f22a9..40326b651 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -13,12 +13,12 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.x" - - uses: j178/prek-action@v2 + - uses: j178/prek-action@bdca6f102f98e2b4c7029491a53dfd366469e33d # v2.0.4 diff --git a/.github/workflows/purge-cache.yml b/.github/workflows/purge-cache.yml index 328dd786f..c5f14efb8 100644 --- a/.github/workflows/purge-cache.yml +++ b/.github/workflows/purge-cache.yml @@ -19,7 +19,7 @@ jobs: purge: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 if: github.event_name == 'push' with: fetch-depth: 0 diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml index 51f1e1030..e51ab5270 100644 --- a/.github/workflows/static.yml +++ b/.github/workflows/static.yml @@ -10,15 +10,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version-file: '.python-version' - name: Cache Python dependencies - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 env: cache-name: pythondotorg-cache-pip with: From fc7962a3959fd7fe0190a68751d1ab8af958103f Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Mon, 1 Jun 2026 22:05:39 +0200 Subject: [PATCH 3/4] Fix template-injection zizmor warning --- .github/workflows/purge-cache.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/purge-cache.yml b/.github/workflows/purge-cache.yml index c5f14efb8..a3e3ac10a 100644 --- a/.github/workflows/purge-cache.yml +++ b/.github/workflows/purge-cache.yml @@ -37,8 +37,10 @@ jobs: fi - name: Purge ${{ steps.keys.outputs.keys || 'pydotorg-app' }} + env: + PURGE_KEYS: ${{ steps.keys.outputs.keys || 'pydotorg-app' }} run: | - for KEY in ${{ steps.keys.outputs.keys || 'pydotorg-app' }}; do + for KEY in ${PURGE_KEYS}; do curl -fsS -X POST \ "https://api.fastly.com/service/${{ secrets.FASTLY_SERVICE_ID }}/purge/$KEY" \ -H "Fastly-Key: ${{ secrets.FASTLY_API_KEY }}" From 657f73d8f45d914a3a93ad35fb451e1f545a4ffd Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Mon, 1 Jun 2026 22:06:22 +0200 Subject: [PATCH 4/4] Add zizmor workflow --- .github/workflows/zizmor.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 000000000..d66032fec --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,25 @@ + +name: GitHub Actions Security Analysis with zizmor 🌈 + +on: + push: + branches: ["main"] + pull_request: + branches: ["**"] + +permissions: {} + +jobs: + zizmor: + name: Run zizmor 🌈 + runs-on: ubuntu-latest + permissions: + security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files. + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor 🌈 + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6