diff --git a/.github/dependabot.yml b/.github/dependabot.yml index bea4893..1974bcd 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,9 +4,9 @@ updates: - package-ecosystem: "github-actions" directory: "/" schedule: - interval: "weekly" + interval: "monthly" groups: - actions: + github-actions: patterns: - "*" cooldown: diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 19f6978..ac620e7 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -17,11 +17,11 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - - uses: hynek/build-and-inspect-python-package@v2 + - uses: hynek/build-and-inspect-python-package@d44ca7d91762de7a7d5436ddae667c6da6d1c3df # v2.18.0 webapp-make: name: Build Webapp Artifact @@ -29,14 +29,15 @@ jobs: needs: [dist] if: github.event_name == 'release' && github.event.action == 'published' steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Setup bun - uses: oven-sh/setup-bun@v2 + uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0 with: bun-version: latest + no-cache: true - name: Install dependencies run: bun install --frozen-lockfile @@ -52,7 +53,7 @@ jobs: zip -r ../repo-review-app.zip ./* - name: Upload webapp artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: repo-review-app path: repo-review-app.zip 
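Review bot: Changing `interval` from "weekly" to "monthly" in the github-actions entry lengthens the time a fixed action release takes to reach this repository, in the same commit that pins every `uses:` to a commit SHA. As far as I know, Dependabot alerts are raised only for actions referenced by semantic version, not by SHA, so after this change the scheduled version update is probably the only route by which a patched action arrives. Consider keeping `interval: "weekly"` and letting the existing `cooldown:` block (its values are outside the hunk) provide the delay. Otherwise add a comment such as `# monthly: SHA-pinned actions get no Dependabot alerts; check advisories manually`.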
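Review bot: In the `webapp-make` job the setup-bun step is now pinned to a commit, but the unchanged `bun-version: latest` below it still lets the Bun toolchain float. The zip that is attested later is therefore built by whatever Bun release is current on the day of the release. Pin it with `bun-version: "<pinned bun version>"`, or use `bun-version-file` pointing at a version file kept in the repository. The same `bun-version: latest` remains beside the new pins in ci.yml (Format and Docs jobs), copilot-setup-steps.yml and deploy-pages.yml.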
@@ -68,17 +69,17 @@ jobs: id-token: write # needed for attest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: true # needed for release - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: repo-review-app path: . - name: Attest - uses: actions/attest@v4 + uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0 with: subject-path: "${{ github.workspace }}/repo-review-app.zip" @@ -96,9 +97,9 @@ jobs: runs-on: ubuntu-latest if: github.event_name == 'release' && github.event.action == 'published' steps: - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: Packages path: dist - - uses: pypa/gh-action-pypi-publish@release/v1 + - uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7ea091f..93e34a7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -24,16 +24,17 @@ jobs: name: Format runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.x" - - uses: oven-sh/setup-bun@v2 + - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0 with: bun-version: latest - - uses: pre-commit/action@v3.0.1 + no-cache: true + - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 - name: Run PyLint run: pipx run --python=python hatch run pylint:lint --output-format=github - name: Install with cache 
@@ -54,13 +55,13 @@ jobs: runs-on: [ubuntu-latest, macos-latest, windows-latest] steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false # Last one is activated # yaml circular import issue on 3.14t on ubuntu - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: | 3.10 @@ -72,7 +73,9 @@ jobs: allow-prereleases: true - name: Setup uv - uses: astral-sh/setup-uv@v8.1.0 + uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 + with: + enable-cache: false - name: Install hatch run: uv pip install --system hatch @@ -85,33 +88,36 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - - uses: hynek/build-and-inspect-python-package@v2 + - uses: hynek/build-and-inspect-python-package@d44ca7d91762de7a7d5436ddae667c6da6d1c3df # v2.18.0 docs: name: Docs runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Setup uv - uses: astral-sh/setup-uv@v8.1.0 + uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 + with: + enable-cache: false - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.12" - name: Install hatch run: uv pip install --system hatch - - uses: oven-sh/setup-bun@v2 + - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0 with: bun-version: latest + no-cache: true - name: Install with cache run: bun install --frozen-lockfile 
@@ -134,7 +140,7 @@ jobs: name: Action runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml index 3abb256..ee63117 100644 --- a/.github/workflows/copilot-setup-steps.yml +++ b/.github/workflows/copilot-setup-steps.yml @@ -19,16 +19,16 @@ jobs: contents: read steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.x" allow-prereleases: true - - uses: astral-sh/setup-uv@v8.1.0 + - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 - name: Install tooling run: | @@ -40,7 +40,7 @@ jobs: prek prepare-hooks - name: Setup bun - uses: oven-sh/setup-bun@v2 + uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0 with: bun-version: latest diff --git a/.github/workflows/deploy-pages.yml b/.github/workflows/deploy-pages.yml index ced847d..e9cd76c 100644 --- a/.github/workflows/deploy-pages.yml +++ b/.github/workflows/deploy-pages.yml @@ -20,12 +20,12 @@ jobs: contents: read steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Setup bun - uses: oven-sh/setup-bun@v2 + uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0 with: bun-version: latest @@ -36,7 +36,7 @@ jobs: run: bun run build-html - name: Upload artifact for Pages - uses: actions/upload-pages-artifact@v5 + uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0 with: path: out 
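Review bot: The setup-bun step in deploy-pages.yml is pinned but does not get the `no-cache: true` that the same step receives in cd.yml and ci.yml, although this workflow builds the site that is uploaded for Pages. If caching is being turned off to keep restored caches out of published output, add `no-cache: true` under `with:` here as well. copilot-setup-steps.yml likewise leaves setup-bun without `no-cache: true` and `astral-sh/setup-uv` without `enable-cache: false`. If these omissions are deliberate, a one-line comment on each step saying why would stop the next audit from reopening the question.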
@@ -53,8 +53,8 @@ jobs: url: ${{ steps.deployment.outputs.page_url }} steps: - name: Configure Pages - uses: actions/configure-pages@v6 + uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6.0.0 - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v5 + uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0 diff --git a/.github/zizmor.yml b/.github/zizmor.yml index 323528f..1e9364f 100644 --- a/.github/zizmor.yml +++ b/.github/zizmor.yml @@ -1,7 +1,7 @@ rules: - unpinned-uses: - disable: true - concurrency-limits: ignore: - copilot-setup-steps.yml + artipacked: + ignore: + - cd.yml:72 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index a78ed28..8522e42 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -5,25 +5,25 @@ ci: repos: - repo: https://github.com/adamchainz/blacken-docs - rev: 1.20.0 + rev: fda77690955e9b63c6687d8806bafd56a526e45f # frozen: 1.20.0 hooks: - id: blacken-docs additional_dependencies: [black==24.*] - repo: https://github.com/astral-sh/ruff-pre-commit - rev: "v0.15.12" + rev: "6fec9b7edb08fd9989088709d864a7826dc74e80" # frozen: v0.15.12 hooks: - id: ruff-check args: ["--fix", "--show-fixes"] - id: ruff-format - repo: https://github.com/rbubley/mirrors-prettier - rev: "v3.8.3" + rev: "515f543f5718ebfd6ce22e16708bb32c68ff96e1" # frozen: v3.8.3 hooks: - id: prettier - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v6.0.0 + rev: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c # frozen: v6.0.0 hooks: - id: check-added-large-files - id: check-case-conflict 
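Review bot: The new `artipacked` ignore in zizmor.yml is keyed to a line number, `cd.yml:72`, so any edit above that line in cd.yml detaches the suppression from the checkout step it was written for. The `persist-credentials: true` checkout would then be flagged again, or a different step would be exempted without anyone noticing. An inline `# zizmor: ignore[artipacked]` on the checkout step, next to the existing `# needed for release`, travels with the code. Because that job also holds `id-token: write` and downloads an artifact into the workspace, the comment should name the later step that needs the persisted token.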
@@ -37,14 +37,14 @@ repos: - id: trailing-whitespace - repo: https://github.com/pre-commit/pygrep-hooks - rev: v1.10.0 + rev: 3a6eb0fadf60b3cccfd80bad9dbb6fae7e47b316 # frozen: v1.10.0 hooks: - id: rst-backticks - id: rst-directive-colons - id: rst-inline-touching-normal - repo: https://github.com/pre-commit/mirrors-mypy - rev: v1.20.2 + rev: d2823d321df3af8f878f7ee3414dc94d037145b9 # frozen: v2.1.0 hooks: - id: mypy files: (src|web|tests) @@ -59,13 +59,13 @@ repos: - types-PyYAML - repo: https://github.com/codespell-project/codespell - rev: v2.4.2 + rev: 2ccb47ff45ad361a21071a7eedda4c37e6ae8c5a # frozen: v2.4.2 hooks: - id: codespell args: ["-Lhist,absense", "-w"] - repo: https://github.com/shellcheck-py/shellcheck-py - rev: v0.11.0.1 + rev: 745eface02aef23e168a8afb6b5737818efbea95 # frozen: v0.11.0.1 hooks: - id: shellcheck @@ -78,26 +78,25 @@ repos: exclude: .pre-commit-config.yaml - repo: https://github.com/henryiii/validate-pyproject-schema-store - rev: 2026.04.26 + rev: a18e62629cfba1fb2d16eb417e5442cd7b962a67 # frozen: 2026.05.13 hooks: - id: validate-pyproject - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.37.2 + rev: f805888065fdb6162e1f800e50bb9460cbd223d6 # frozen: 0.37.2 hooks: - id: check-dependabot - id: check-github-workflows - id: check-readthedocs - repo: https://github.com/zizmorcore/zizmor-pre-commit - rev: v1.24.1 + rev: a4727cbbcd26d7098e96b9cb738169b59711ae51 # frozen: v1.24.1 hooks: - id: zizmor files: "^\\.github" - exclude: "^\\.github/(zizmor.yml|release.yml)" - args: [--persona=pedantic] + args: [--persona=auditor] - repo: https://github.com/rhysd/actionlint - rev: v1.7.12 + rev: 914e7df21a07ef503a81201c76d2b11c789d3fca # frozen: v1.7.12 hooks: - id: actionlint diff --git a/action.yml b/action.yml index c5696f3..c189b22 100644 --- a/action.yml +++ b/action.yml 
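Review bot: The mirrors-mypy entry is not a pure pin: the old `rev` was `v1.20.2` while the new SHA is annotated `# frozen: v2.1.0`, so this hunk carries a major-version upgrade of the type checker inside a pinning commit. Either pin the commit that corresponds to v1.20.2 here and take the upgrade in a separate change, or name the bump in the commit message so it gets reviewed as an upgrade. The validate-pyproject-schema-store entry in the later hunk moves the same way, from `2026.04.26` to `# frozen: 2026.05.13`. The trailing `# frozen:` comments are only text, so it is worth checking once that each SHA resolves to the tag written beside it.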
@@ -23,7 +23,7 @@ inputs: runs: using: composite steps: - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 id: python with: python-version: "3.13" diff --git a/pyproject.toml b/pyproject.toml index ea5e3af..da1d9d3 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -99,6 +99,9 @@ docs = [ [tool.hatch.envs.default] installer = "uv" +[tool.uv] +exclude-newer = "7 days" + [tool.hatch.envs.hatch-test] features = ["cli"] dependency-groups = ["test"]
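Review bot: The new `[tool.uv]` table in pyproject.toml has no comment saying what `exclude-newer = "7 days"` is for. As far as I know, the relative form is accepted only by recent uv releases, while older ones expect an RFC 3339 timestamp and may fail on this value. Add a line above it such as `# Supply-chain cooldown: skip packages published in the last 7 days (requires a uv that accepts relative durations)`. The workflows pin the setup-uv action, but no uv version is visible in this diff, so confirm that the uv resolved in CI understands the setting.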