14 changes: 13 additions & 1 deletion .github/workflows/_build.yaml
@@ -26,6 +26,18 @@ jobs:
Build:
runs-on: ${{ inputs.os }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com
files.pythonhosted.org:443
github.com:443
pypi.org:443
release-assets.githubusercontent.com:443

- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
@@ -72,7 +84,7 @@ jobs:
run: python -m build

- name: Store the distribution packages
uses: actions/upload-artifact@v7.0.1
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
# upload artifacts with the oldest supported version
if: runner.os == 'linux' && inputs.python-version == '3.9'
with:
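Review bot: The `allowed-endpoints` list in the first hunk mixes `api.github.com` (no port) with `:443` entries; harden-runner presumably treats an unported entry as port 443, but under `egress-policy: block` the allowlist should be unambiguous, so write `api.github.com:443` like the rest. This job runs on `${{ inputs.os }}`, and the `runner.os == 'linux'` condition in the second hunk suggests non-Linux matrix entries; harden-runner enforces only on Linux GitHub-hosted runners, so those entries get no egress protection from this step, and whether it no-ops or fails there should be confirmed and noted in a comment such as `# egress block is only enforced on Linux runners`. The same applies to the `_test.yaml` job, which also runs on `${{ inputs.os }}`. The Build job continues past both hunks.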
7 changes: 7 additions & 0 deletions .github/workflows/_build_doc.yaml
@@ -25,6 +25,13 @@ jobs:
Build:
runs-on: ${{ inputs.os }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
# sudo is required by the "Install dependencies" step below (apt-get pandoc)
disable-sudo: false

- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

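Review bot: `egress-policy: audit` here (and likewise in `_codeql.yaml`, `_pre_commit.yaml`, `_test.yaml`, `dependabot_auto_approve.yaml` and `scorecard.yml`) only records outbound connections and blocks nothing, so these jobs are not yet hardened against exfiltration the way the `block` policies in `_build.yaml` and `cicd.yaml` are. Nothing in the change records whether audit is a staging step, so add a comment above the policy line, e.g. `# audit mode: switch to block once the harden-runner insights show the required endpoint set`. The `disable-sudo: false` comment is helpful; the apt-get step it refers to is outside the hunk.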
12 changes: 9 additions & 3 deletions .github/workflows/_codeql.yaml
@@ -38,12 +38,18 @@ jobs:
# Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support

steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
disable-sudo: true
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v4.36.2
uses: github/codeql-action/init@1a818fd5f97ed0ee9a823421bd5b171add01227f # v4.36.2
with:
languages: python
# If you wish to specify custom queries, you can do so here or in a config file.
@@ -56,7 +62,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@v4.36.2
uses: github/codeql-action/autobuild@1a818fd5f97ed0ee9a823421bd5b171add01227f # v4.36.2

# ℹ️ Command-line programs to run using the OS shell.
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -69,6 +75,6 @@ jobs:
# ./location_of_script_within_repo/buildscript.sh

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4.36.2
uses: github/codeql-action/analyze@1a818fd5f97ed0ee9a823421bd5b171add01227f # v4.36.2
with:
category: "/language:python"
6 changes: 6 additions & 0 deletions .github/workflows/_pre_commit.yaml
@@ -18,6 +18,12 @@ jobs:
Pre-Commit:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
disable-sudo: true
egress-policy: audit

- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
6 changes: 6 additions & 0 deletions .github/workflows/_test.yaml
@@ -33,6 +33,12 @@ jobs:
OS: ${{ inputs.os }}
PYTHON: ${{ inputs.python-version }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
disable-sudo: true
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

41 changes: 37 additions & 4 deletions .github/workflows/cicd.yaml
@@ -103,14 +103,30 @@ jobs:
name: testpypi
url: https://test.pypi.org/p/python-cmethods
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
fulcio.sigstore.dev
ghcr.io
github.com:443
pkg-containers.githubusercontent.com:443
rekor.sigstore.dev
test.pypi.org
tuf-repo-cdn.sigstore.dev
uploads.github.com:443

- name: Download all the distributions
uses: actions/download-artifact@v8
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: python-package-distributions
path: dist/

- name: Publish package distributions to Test PyPI
uses: pypa/gh-action-pypi-publish@release/v1
uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
with:
repository-url: https://test.pypi.org/legacy/

@@ -138,13 +154,30 @@ jobs:
name: pypi
url: https://pypi.org/p/python-cmethods
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
fulcio.sigstore.dev
ghcr.io
github.com:443
pkg-containers.githubusercontent.com:443
pypi.org
rekor.sigstore.dev
tuf-repo-cdn.sigstore.dev
upload.pypi.org
uploads.github.com:443

- name: Download all the distributions
uses: actions/download-artifact@v8
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: python-package-distributions
path: dist/

- name: Publish package distributions to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
with:
repository-url: https://upload.pypi.org/legacy/
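Review bot: The `allowed-endpoints` lists in both publish jobs mix unported hosts (`fulcio.sigstore.dev`, `ghcr.io`, `rekor.sigstore.dev`, `test.pypi.org`, `tuf-repo-cdn.sigstore.dev`, `pypi.org`, `upload.pypi.org`) with `:443` entries; under `egress-policy: block` the allowlist should state the port for every entry, so append `:443` to each. The `pypa/gh-action-pypi-publish` pin is annotated `# release/v1`, which is a branch name rather than a release tag; Dependabot keys SHA-pin updates off that version comment, so it is unclear whether this pin will be kept current — consider annotating the tag the SHA actually corresponds to (placeholder: `# vX.Y.Z`) so the pin can be reviewed and bumped. Both publish jobs begin before the hunks shown.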
8 changes: 7 additions & 1 deletion .github/workflows/dependabot_auto_approve.yaml
@@ -22,9 +22,15 @@ jobs:
runs-on: ubuntu-latest
if: ${{ github.actor == 'dependabot[bot]' }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
disable-sudo: true
egress-policy: audit

- name: Dependabot metadata
id: dependabot-metadata
uses: dependabot/fetch-metadata@v3.1.0
uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0
with:
github-token: "${{ secrets.GITHUB_TOKEN }}"
- name: Approve a PR
6 changes: 6 additions & 0 deletions .github/workflows/scorecard.yml
@@ -31,6 +31,12 @@ jobs:
# actions: read

steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
disable-sudo: true
egress-policy: audit

- name: "Checkout code"
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with: