From 02f2d828956e2213ee639370a5f6e64baa077f4d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Max=20K=C3=BChn?= Date: Thu, 2 Apr 2026 22:41:19 +0200 Subject: [PATCH 01/11] cooldown for pulling in new dependencies --- .github/dependabot.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 9af1e9f..364ac84 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -6,3 +6,5 @@ updates: interval: "weekly" reviewers: - "maxfischer2781" + cooldown: + default-days: 7 From edc8bbbeb128fc5d9b3791c5063126481f578b39 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Max=20K=C3=BChn?= Date: Thu, 2 Apr 2026 22:43:07 +0200 Subject: [PATCH 02/11] reduce credential availability --- .github/workflows/codeql.yml | 2 ++ .github/workflows/python-publish.yml | 2 ++ .github/workflows/unittests.yml | 2 ++ .github/workflows/verification.yml | 2 ++ 4 files changed, 8 insertions(+) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 7d71ae8..9cffd50 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -25,6 +25,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v6 + with: + persist-credentials: false - name: Initialize CodeQL uses: github/codeql-action/init@v4 diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml index 72c0fd1..312d586 100644 --- a/.github/workflows/python-publish.yml +++ b/.github/workflows/python-publish.yml @@ -19,6 +19,8 @@ jobs: steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python uses: actions/setup-python@v6 with: diff --git a/.github/workflows/unittests.yml b/.github/workflows/unittests.yml index bf61a1d..090ea6f 100644 --- a/.github/workflows/unittests.yml +++ b/.github/workflows/unittests.yml @@ -18,6 +18,8 @@ jobs: steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v6 with: 
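Review bot: The new `cooldown` block gives no rationale, so a 7-day delay reads as arbitrary to the next maintainer; a one-line comment above it such as `# delay version bumps so a just-published release is not pulled before the ecosystem has had time to flag it` would record the intent. If I read the Dependabot documentation correctly, cooldown applies to version updates only and security updates are not delayed, which is worth stating in the same comment if that is the expectation. The surrounding `updates` entry starts before the hunk.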
diff --git a/.github/workflows/verification.yml b/.github/workflows/verification.yml index fd358a4..a79a7e2 100644 --- a/.github/workflows/verification.yml +++ b/.github/workflows/verification.yml @@ -11,6 +11,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python uses: actions/setup-python@v6 with: From 9e9d7e23a60556574562e7976680c2a42b9dfd23 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Max=20K=C3=BChn?= Date: Thu, 2 Apr 2026 22:59:04 +0200 Subject: [PATCH 03/11] use dedicated environment for publishing --- .github/workflows/python-publish.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml index 312d586..77b39a5 100644 --- a/.github/workflows/python-publish.yml +++ b/.github/workflows/python-publish.yml @@ -16,6 +16,8 @@ jobs: deploy: runs-on: ubuntu-latest + environment: + name: pypi-publish steps: - uses: actions/checkout@v6 From 79558072f08696b8969f37c925af41a73b2038fa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Max=20K=C3=BChn?= Date: Thu, 2 Apr 2026 23:10:30 +0200 Subject: [PATCH 04/11] limit GITHUB_TOKEN permissions --- .github/workflows/python-publish.yml | 3 +++ .github/workflows/unittests.yml | 3 +++ .github/workflows/verification.yml | 3 +++ 3 files changed, 9 insertions(+) diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml index 77b39a5..669a173 100644 --- a/.github/workflows/python-publish.yml +++ b/.github/workflows/python-publish.yml @@ -7,6 +7,7 @@ # documentation. name: Upload Python Package +permissions: {} on: release: @@ -16,6 +17,8 @@ jobs: deploy: runs-on: ubuntu-latest + permissions: + contents: read environment: name: pypi-publish diff --git a/.github/workflows/unittests.yml b/.github/workflows/unittests.yml index 090ea6f..06a1ffa 100644 --- a/.github/workflows/unittests.yml +++ b/.github/workflows/unittests.yml 
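Review bot: `environment: name: pypi-publish` only acts as a control if a `pypi-publish` environment exists in the repository settings with protection rules (required reviewers, deployment branch or tag restriction); the workflow file cannot express those, and nothing in the hunk shows the environment being created, so I am assuming it is set up out of band. A comment next to the key, `# protected environment: reviewers and tag restriction are configured in repository settings, not here`, would keep that dependency visible to whoever edits this job later. The `deploy` job continues past the hunk.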
@@ -1,4 +1,5 @@ name: Unit Tests +permissions: {} on: push: @@ -9,6 +10,8 @@ on: jobs: build: runs-on: ubuntu-latest + permissions: + contents: read strategy: matrix: python-version: [ diff --git a/.github/workflows/verification.yml b/.github/workflows/verification.yml index a79a7e2..f60e773 100644 --- a/.github/workflows/verification.yml +++ b/.github/workflows/verification.yml @@ -1,4 +1,5 @@ name: Static Checks +permissions: {} on: push: @@ -9,6 +10,8 @@ on: jobs: build: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@v6 with: From 01595b5bdb782b9540df8378bc76959aa8f59195 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Max=20K=C3=BChn?= Date: Fri, 3 Apr 2026 19:41:18 +0200 Subject: [PATCH 05/11] use Trusted Publishing --- .github/workflows/python-publish.yml | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml index 669a173..57d3694 100644 --- a/.github/workflows/python-publish.yml +++ b/.github/workflows/python-publish.yml @@ -1,11 +1,3 @@ -# This workflow will upload a Python Package using Twine when a release is created -# For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries - -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - name: Upload Python Package permissions: {} @@ -21,6 +13,9 @@ jobs: contents: read environment: name: pypi-publish + permissions: + # IMPORTANT: this permission is mandatory for Trusted Publishing + id-token: write steps: - uses: actions/checkout@v6 
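Review bot: The added `permissions:` block appears to sit at the same job level as the `permissions: contents: read` block two context lines above it, which gives the `deploy` job a duplicate mapping key; YAML parsers either reject that or keep only the last value, which would silently drop `contents: read`. The two belong in one mapping, `permissions:` / `contents: read` / `id-token: write`, with the `# IMPORTANT` comment kept on the `id-token` line, which is what the later "merge permissions" commit in this series does. Indentation is lost in this paste, so I am reading the nesting from the surrounding keys.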
@@ -38,6 +33,3 @@ jobs: run: python -m build - name: Publish package uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e - with: - user: __token__ - password: ${{ secrets.PYPI_API_TOKEN }} From 833c0d1978b5de75ca8de6f4529c5a9338db1075 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Max=20K=C3=BChn?= Date: Fri, 3 Apr 2026 20:07:32 +0200 Subject: [PATCH 06/11] use specific GitHub action states --- .github/workflows/codeql.yml | 2 +- .github/workflows/python-publish.yml | 4 ++-- .github/workflows/unittests.yml | 6 +++--- .github/workflows/verification.yml | 6 +++--- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 9cffd50..b88fd61 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -24,7 +24,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: persist-credentials: false diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml index 57d3694..29b474f 100644 --- a/.github/workflows/python-publish.yml +++ b/.github/workflows/python-publish.yml @@ -18,11 +18,11 @@ jobs: id-token: write steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: persist-credentials: false - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 with: python-version: '3.x' - name: Install dependencies diff --git a/.github/workflows/unittests.yml b/.github/workflows/unittests.yml index 06a1ffa..d46c6ca 100644 --- a/.github/workflows/unittests.yml +++ b/.github/workflows/unittests.yml 
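Review bot: With the `user`/`password` inputs removed, nothing in the workflow references `secrets.PYPI_API_TOKEN` any more, so the token should be revoked on PyPI and the repository secret deleted as part of this change; otherwise a long-lived credential with publishing scope stays alive with no remaining legitimate use. Trusted Publishing also requires the publisher registered on PyPI to name this repository, the workflow file `python-publish.yml` and the `pypi-publish` environment exactly, which is worth recording in a comment on the publish step so a rename of either does not break releases unexpectedly. The `deploy` job starts before the hunk.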
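Review bot: The new SHA pins in this hunk carry no version comment, so a reader cannot tell which release `de0fac2e…` resolves to, and Dependabot has no version to keep in step with the hash; the zizmor workflow added later in this series uses the `uses: actions/checkout@<sha> # v6.0.2` form, which should be applied here and to the setup-python, codecov-action and pyright-action pins in the other hunks of this commit, and to the codeql-action pins in the following one. Keep `init` and `analyze` of codeql-action on the same hash, as the next commit already does, since mismatched versions of the two are not supported.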
@@ -20,11 +20,11 @@ jobs: ] steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: persist-credentials: false - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 with: python-version: ${{ matrix.python-version }} allow-prereleases: true @@ -36,4 +36,4 @@ jobs: run: | pytest --durations=0 --cov=./ - name: Upload coverage to Codecov - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 diff --git a/.github/workflows/verification.yml b/.github/workflows/verification.yml index f60e773..672de86 100644 --- a/.github/workflows/verification.yml +++ b/.github/workflows/verification.yml @@ -13,11 +13,11 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: persist-credentials: false - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 with: python-version: '3.x' - name: Install dependencies @@ -34,4 +34,4 @@ jobs: run: | mypy --pretty - name: Verify with PyRight - uses: jakebailey/pyright-action@v3 + uses: jakebailey/pyright-action@8ec14b5cfe41f26e5f41686a31eb6012758217ef From 9b64a257fc53d06c06d9cb30e353197b137da8f3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Max=20K=C3=BChn?= Date: Fri, 3 Apr 2026 20:11:57 +0200 Subject: [PATCH 07/11] use specific GitHub action states and cleanup --- .github/workflows/codeql.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index b88fd61..6eaa2d3 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -29,15 +29,12 @@ jobs: persist-credentials: false - name: Initialize CodeQL - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 with: languages: ${{ matrix.language }} queries: +security-and-quality - - name: Autobuild - uses: github/codeql-action/autobuild@v4 - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 with: category: "/language:${{ matrix.language }}" From f4c7a1214f194cf2229883ba4853e1c4d3a3be79 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Max=20K=C3=BChn?= Date: Fri, 3 Apr 2026 20:21:45 +0200 Subject: [PATCH 08/11] add zizmor verification for actions --- .github/workflows/gha-verification.yml | 28 ++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 .github/workflows/gha-verification.yml diff --git a/.github/workflows/gha-verification.yml b/.github/workflows/gha-verification.yml new file mode 100644 index 0000000..fd984da --- /dev/null +++ b/.github/workflows/gha-verification.yml @@ -0,0 +1,28 @@ +name: GitHub Actions Security Analysis with zizmor 🌈 + +on: + push: + branches: ["main"] + pull_request: + branches: ["**"] + +permissions: {} + +jobs: + zizmor: + runs-on: ubuntu-latest + permissions: + security-events: write + contents: read # only needed for private or internal repos + actions: read # only needed for private or internal repos + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor 🌈 + uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2 + with: + inputs: | + .github From 48f7ee40ecaa84608931e76ec79d7da2e7e9e9b3 Mon Sep 17 00:00:00 2001 
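Review bot: `pull_request: branches: ["**"]` also runs this workflow for pull requests from forks, where `GITHUB_TOKEN` is read-only regardless of the `security-events: write` declared on the job, so the SARIF upload the zizmor action performs by default is likely to fail on those runs; I cannot see from the hunk how the action handles that case, so either document the expectation, `# SARIF upload only succeeds for same-repository pull requests`, or restrict the trigger. The `contents: read` and `actions: read` lines keep the template's "only needed for private or internal repos" comments; if this repository is public they can be dropped so the job declares only what it uses.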
From: =?UTF-8?q?Max=20K=C3=BChn?= Date: Fri, 3 Apr 2026 20:28:09 +0200 Subject: [PATCH 09/11] merge permissions --- .github/workflows/python-publish.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml index 29b474f..77a2ac3 100644 --- a/.github/workflows/python-publish.yml +++ b/.github/workflows/python-publish.yml @@ -11,11 +11,10 @@ jobs: runs-on: ubuntu-latest permissions: contents: read - environment: - name: pypi-publish - permissions: # IMPORTANT: this permission is mandatory for Trusted Publishing id-token: write + environment: + name: pypi-publish steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd From be2cdc9108c960e36423218488045908de724cb9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Max=20K=C3=BChn?= Date: Fri, 3 Apr 2026 20:31:12 +0200 Subject: [PATCH 10/11] remove global permissions --- .github/workflows/codeql.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 6eaa2d3..f2ddd23 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -8,6 +8,8 @@ on: schedule: - cron: "4 9 * * 4" +permissions: {} + jobs: analyze: name: Analyze From 0393fe618c8fa56475b61f1740fa780b4a9e5bf4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Max=20K=C3=BChn?= Date: Fri, 3 Apr 2026 20:43:53 +0200 Subject: [PATCH 11/11] more descriptive workflow idenfitifers --- .github/workflows/unittests.yml | 2 +- .github/workflows/verification.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/unittests.yml b/.github/workflows/unittests.yml index d46c6ca..09f75c5 100644 --- a/.github/workflows/unittests.yml +++ b/.github/workflows/unittests.yml @@ -8,7 +8,7 @@ on: - cron: '0 10 * * 3,6' jobs: - build: + pytest: runs-on: ubuntu-latest permissions: contents: read 
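Review bot: Setting the workflow-level `permissions: {}` removes every default grant from `GITHUB_TOKEN`, so the `analyze` job must now declare its own `permissions` with `security-events: write` for the SARIF upload done by `codeql-action/analyze` and `contents: read` for checkout, plus `actions: read` on private repositories; the job body is outside this hunk, so I cannot confirm it does, and if it does not the run will fail at the upload step rather than at checkout. A comment above the new block, `# default GITHUB_TOKEN grants are removed; each job declares what it needs`, would make the intent explicit to the next editor.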
diff --git a/.github/workflows/verification.yml b/.github/workflows/verification.yml index 672de86..7206cf6 100644 --- a/.github/workflows/verification.yml +++ b/.github/workflows/verification.yml @@ -8,7 +8,7 @@ on: - cron: '0 10 * * 3,6' jobs: - build: + verify: runs-on: ubuntu-latest permissions: contents: read