From caa957f210303eac4f1333ea914cdb6f072f7663 Mon Sep 17 00:00:00 2001 From: Oscar Benjamin Date: Sat, 4 Apr 2026 12:20:29 +0100 Subject: [PATCH 1/9] actions: pin all actions by SHA --- .github/workflows/buildwheel.yml | 76 ++++++++++++++++---------------- .github/workflows/lint.yml | 4 +- 2 files changed, 40 insertions(+), 40 deletions(-) diff --git a/.github/workflows/buildwheel.yml b/.github/workflows/buildwheel.yml index 7925f437..446fa1ab 100644 --- a/.github/workflows/buildwheel.yml +++ b/.github/workflows/buildwheel.yml @@ -62,23 +62,23 @@ jobs: cibw_platform: pyodide steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - if: ${{ matrix.kind == 'native' }} - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.13' # -------------- Windows stuff ---------------- # - if: ${{ matrix.os == 'windows-2022' }} - uses: msys2/setup-msys2@v2.31.0 + uses: msys2/setup-msys2@cafece8e6baf9247cf9b1bf95097b0b983cc558d # v2.31.0 with: msystem: ucrt64 update: true - if: ${{ matrix.os == 'windows-11-arm' }} - uses: msys2/setup-msys2@v2.31.0 + uses: msys2/setup-msys2@cafece8e6baf9247cf9b1bf95097b0b983cc558d # v2.31.0 with: msystem: clangarm64 update: true @@ -107,7 +107,7 @@ jobs: - if: ${{ matrix.kind == 'pyodide' }} name: Check out Emscripten patches for Pyodide - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: pyodide/pyodide ref: ${{ env.PYODIDE_VERSION }} 
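Review bot: Pinning by commit SHA in this hunk (and in every other hunk of this patch) is only durable if something keeps the SHA and the trailing `# vX.Y.Z` comment moving together; GitHub resolves the SHA alone, so a stale comment silently misdescribes what actually runs. A Dependabot configuration for the `github-actions` ecosystem (in `.github/dependabot.yml`) updates the SHA and the version comment in one PR and is the usual companion to this change. Before merging, someone should also confirm that each SHA resolves to the tag named in its comment, since that cannot be verified from the diff itself.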
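Review bot: In the `@@ -107` hunk the action is now pinned, but the repository it checks out is still fetched at `ref: ${{ env.PYODIDE_VERSION }}`, which (judging by the `env:` comment elsewhere in this series) is a release tag and therefore mutable, so the Emscripten patches pulled into the build are not pinned to the same standard as the actions. If those patches are trusted by the build, pin `ref:` to the commit of that Pyodide release as well, or add a comment on the step stating that resolving the tag is deliberate, e.g. `# NOTE: tag, not SHA — tracks the Pyodide release named in PYODIDE_VERSION.`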
@@ -126,7 +126,7 @@ jobs: # override setting in pyproject.toml to use msys2 instead of msys64 bash CIBW_BEFORE_ALL_WINDOWS: ${{ matrix.os == 'windows-11-arm' && 'msys2 -c bin/cibw_before_all_windows_arm64.sh' || 'msys2 -c bin/cibw_before_all_windows_amd64.sh' }} - - uses: actions/upload-artifact@v7 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: ${{ matrix.artifact_name }} path: wheelhouse/*.whl @@ -136,9 +136,9 @@ jobs: runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ env.PYODIDE_PYTHON_VERSION }} @@ -146,7 +146,7 @@ jobs: - run: pip install build - run: python -m build --sdist - - uses: actions/upload-artifact@v7 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: sdist path: dist/*.tar.gz @@ -176,11 +176,11 @@ jobs: python-version: pypy3.11 steps: - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ matrix.python-version }} allow-prereleases: true - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: path: wheelhouse merge-multiple: true 
@@ -202,18 +202,18 @@ jobs: runs-on: ubuntu-22.04 steps: - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ env.PYODIDE_PYTHON_VERSION }} - - uses: actions/setup-node@v6 + - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: '22' - run: pip install pyodide-build - run: pyodide xbuildenv install "${{ env.PYODIDE_VERSION }}" - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: wheels-pyodide path: wheelhouse @@ -234,8 +234,8 @@ jobs: matrix: os: [ubuntu-24.04] steps: - - uses: actions/checkout@v6.0.2 - - uses: actions/setup-python@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.13' - run: sudo apt-get update @@ -247,8 +247,8 @@ jobs: name: Test docs (build and doctest) runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v6.0.2 - - uses: actions/setup-python@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.13' - run: bin/install_latest_flint_ubuntu.sh @@ -262,8 +262,8 @@ jobs: name: 'Test old Cython/meson-python' runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v6.0.2 - - uses: actions/setup-python@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.13' - run: sudo apt-get update 
@@ -289,8 +289,8 @@ jobs: # Supported Flint versions: flint-tag: ['v3.0.1', 'v3.1.3-p1', 'v3.2.2', 'v3.3.1'] steps: - - uses: actions/checkout@v6.0.2 - - uses: actions/setup-python@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.13' - run: bin/install_flint_ubuntu.sh ${{ matrix.flint-tag }} @@ -302,8 +302,8 @@ jobs: name: Test flint main Linux x86-64 runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v6.0.2 - - uses: actions/setup-python@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.13' - run: bin/install_flint_ubuntu.sh main @@ -316,8 +316,8 @@ jobs: name: Test flint main Linux ARM runs-on: ubuntu-24.04-arm steps: - - uses: actions/checkout@v6.0.2 - - uses: actions/setup-python@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.13' - run: bin/install_flint_ubuntu.sh main @@ -330,8 +330,8 @@ jobs: name: Test coverage setuptools build runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v6.0.2 - - uses: actions/setup-python@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.13' - run: sudo apt-get update @@ -344,8 +344,8 @@ jobs: name: Test coverage meson build runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v6.0.2 - - uses: actions/setup-python@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.12' # does not work with 3.13 - run: sudo apt-get update 
@@ -362,8 +362,8 @@ jobs: matrix: sympy-version: ['1.13.1', '1.14.0'] steps: - - uses: actions/checkout@v6.0.2 - - uses: actions/setup-python@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.13' - run: sudo apt-get update @@ -378,8 +378,8 @@ jobs: name: Test SymPy master runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v6.0.2 - - uses: actions/setup-python@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.13' - run: sudo apt-get update @@ -404,7 +404,7 @@ jobs: steps: # Downloads all artifacts - name: Download release artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: path: wheelhouse merge-multiple: true @@ -437,7 +437,7 @@ jobs: steps: # Downloads all artifacts - name: Download release artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: path: wheelhouse merge-multiple: true @@ -465,10 +465,10 @@ jobs: contents: write steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Download sdist - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: sdist path: dist diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 235d0f9a..bc2776d2 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml 
@@ -9,10 +9,10 @@ jobs: matrix: python-version: ["3.12"] steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ matrix.python-version }} From bdc39a2cc80288b3112f9291ea44457cb05300ac Mon Sep 17 00:00:00 2001 From: Oscar Benjamin Date: Sat, 4 Apr 2026 12:47:01 +0100 Subject: [PATCH 2/9] actions: use env to avoid shell injection --- .github/workflows/buildwheel.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/buildwheel.yml b/.github/workflows/buildwheel.yml index 446fa1ab..1c605ce8 100644 --- a/.github/workflows/buildwheel.yml +++ b/.github/workflows/buildwheel.yml @@ -476,7 +476,8 @@ jobs: - name: Create GitHub release env: GH_TOKEN: ${{ github.token }} - run: > - gh release create ${{ github.ref_name }} dist/* - --title "python-flint ${{ github.ref_name }}" - --notes "https://github.com/flintlib/python-flint?tab=readme-ov-file#changelog" + REF_NAME: ${{ github.ref_name }} + run: | + gh release create "$REF_NAME" dist/* \ + --title "python-flint $REF_NAME" \ + --notes "https://github.com/flintlib/python-flint?tab=readme-ov-file#changelog" From 9979b578dc2dff078cd04723f1bbbdd45e38620b Mon Sep 17 00:00:00 2001 From: Oscar Benjamin Date: Sat, 4 Apr 2026 12:49:45 +0100 Subject: [PATCH 3/9] actions: restrict permissions in jobs --- .github/workflows/buildwheel.yml | 6 ++++++ .github/workflows/lint.yml | 3 +++ 2 files changed, 9 insertions(+) diff --git a/.github/workflows/buildwheel.yml b/.github/workflows/buildwheel.yml index 1c605ce8..7a8a442f 100644 --- a/.github/workflows/buildwheel.yml +++ b/.github/workflows/buildwheel.yml 
@@ -2,6 +2,9 @@ name: Build on: [push, pull_request] +permissions: + contents: read + env: # These four values need to be kept in sync. Each pyodide version pins an # emscripten version and a CPython version. @@ -155,6 +158,7 @@ jobs: needs: build_wheels name: Test ${{ matrix.python-version }} wheel on ${{ matrix.os }} runs-on: ${{ matrix.os }} + permissions: {} strategy: fail-fast: false matrix: @@ -200,6 +204,7 @@ jobs: needs: build_wheels name: Test Pyodide wheel runs-on: ubuntu-22.04 + permissions: {} steps: - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 @@ -400,6 +405,7 @@ jobs: # Run on push/merge to main if: github.event_name == 'push' && github.ref == 'refs/heads/main' runs-on: ubuntu-latest + permissions: {} steps: # Downloads all artifacts diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index bc2776d2..fae94c97 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -2,6 +2,9 @@ name: Linting on: [push, pull_request] +permissions: + contents: read + jobs: lint: runs-on: ubuntu-latest From c6bee29ccd9546da3c7a8bfd44d9d01d519b4564 Mon Sep 17 00:00:00 2001 From: Oscar Benjamin Date: Sat, 4 Apr 2026 12:51:47 +0100 Subject: [PATCH 4/9] actions: set persist-credentials to false --- .github/workflows/buildwheel.yml | 27 +++++++++++++++++++++++++++ .github/workflows/lint.yml | 2 ++ 2 files changed, 29 insertions(+) diff --git a/.github/workflows/buildwheel.yml b/.github/workflows/buildwheel.yml index 7a8a442f..78f3a3c4 100644 --- a/.github/workflows/buildwheel.yml +++ b/.github/workflows/buildwheel.yml @@ -66,6 +66,8 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - if: ${{ matrix.kind == 'native' }} uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 
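Review bot: The workflow-level `permissions: contents: read` block added here has no comment saying how it interacts with the job-level `permissions: {}` blocks added at `@@ -155`, `@@ -200` and `@@ -400`: a job-level `permissions` replaces the workflow-level one entirely rather than narrowing it, which is the correct outcome for jobs that do not check out the repository, but a reader scanning only the top of the file will assume `contents: read` still applies everywhere. Add a comment above the block, e.g. `# Default for every job; a job-level permissions block replaces (does not extend) this.` The same comment would help in the lint.yml hunk of this patch.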
@@ -117,6 +119,7 @@ jobs: path: pyodide-patches sparse-checkout: | emsdk/patches/ + persist-credentials: false # ------------- actual build ------------- # @@ -140,6 +143,8 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: @@ -240,6 +245,8 @@ jobs: os: [ubuntu-24.04] steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.13' @@ -253,6 +260,8 @@ jobs: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.13' @@ -268,6 +277,8 @@ jobs: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.13' @@ -295,6 +306,8 @@ jobs: flint-tag: ['v3.0.1', 'v3.1.3-p1', 'v3.2.2', 'v3.3.1'] steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.13' @@ -308,6 +321,8 @@ jobs: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.13' 
@@ -322,6 +337,8 @@ jobs: runs-on: ubuntu-24.04-arm steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.13' @@ -336,6 +353,8 @@ jobs: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.13' @@ -350,6 +369,8 @@ jobs: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.12' # does not work with 3.13 @@ -368,6 +389,8 @@ jobs: sympy-version: ['1.13.1', '1.14.0'] steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.13' @@ -384,6 +407,8 @@ jobs: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.13' @@ -472,6 +497,8 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Download sdist uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index fae94c97..8fd7a074 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml 
@@ -13,6 +13,8 @@ jobs: python-version: ["3.12"] steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 From b57a58a5649f4838af179809dba104d5907494e1 Mon Sep 17 00:00:00 2001 From: Oscar Benjamin Date: Sat, 4 Apr 2026 12:53:39 +0100 Subject: [PATCH 5/9] actions: add zizmor ignore for nightly wheels token --- .github/workflows/buildwheel.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/buildwheel.yml b/.github/workflows/buildwheel.yml index 78f3a3c4..d0234227 100644 --- a/.github/workflows/buildwheel.yml +++ b/.github/workflows/buildwheel.yml @@ -449,7 +449,7 @@ jobs: artifacts_path: dist # This token is generated from anaconda.org # https://github.com/scientific-python/upload-nightly-action/issues/111 - anaconda_nightly_upload_token: ${{ secrets.ANACONDA_ORG_UPLOAD_TOKEN }} + anaconda_nightly_upload_token: ${{ secrets.ANACONDA_ORG_UPLOAD_TOKEN }} # zizmor: ignore[secrets-outside-env] # Deploy wheels and sdist to PyPI From b14657939b6bb46e880d8d4c0586e9912c93d7f1 Mon Sep 17 00:00:00 2001 From: Oscar Benjamin Date: Sat, 4 Apr 2026 12:56:55 +0100 Subject: [PATCH 6/9] actions: set cancel-in-progress to true --- .github/workflows/buildwheel.yml | 4 ++++ .github/workflows/lint.yml | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/.github/workflows/buildwheel.yml b/.github/workflows/buildwheel.yml index d0234227..9ea03628 100644 --- a/.github/workflows/buildwheel.yml +++ b/.github/workflows/buildwheel.yml @@ -2,6 +2,10 @@ name: Build on: [push, pull_request] +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + permissions: contents: read diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 8fd7a074..6c337621 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml 
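Review bot: The `# zizmor: ignore[secrets-outside-env]` suppression on `anaconda_nightly_upload_token` records that the finding is known but not why it is acceptable; the comment above it explains where the token comes from, not why it must be passed as a step input rather than through `env:`. Presumably the upload action only reads the token from its inputs, so extend the existing comment with one line such as `# Passed as a step input because the upload action reads it from `with:`; hence the zizmor ignore below.` so the suppression can be re-evaluated when the action is updated.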
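Review bot: `cancel-in-progress: true` with the group `${{ github.workflow }}-${{ github.ref }}` applies to pushes to `main` as well, and in this workflow a push to `main` is exactly what triggers the nightly upload job (`if: github.event_name == 'push' && github.ref == 'refs/heads/main'` in the earlier permissions patch), so two merges in quick succession will cancel the first run mid-upload and can leave the nightly channel partially updated. Restrict cancellation to pull requests, `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`, so runs on `main` and on tags always complete. The identical block added to lint.yml in the next hunk is harmless because that workflow publishes nothing.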
@@ -2,6 +2,10 @@ name: Linting on: [push, pull_request] +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + permissions: contents: read From 3dd70e133aa5af0bc502020b52e4e2fd12c3864d Mon Sep 17 00:00:00 2001 From: Oscar Benjamin Date: Sat, 4 Apr 2026 13:00:57 +0100 Subject: [PATCH 7/9] actions: remove all template injection --- .github/workflows/buildwheel.yml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/.github/workflows/buildwheel.yml b/.github/workflows/buildwheel.yml index 9ea03628..8c3a212d 100644 --- a/.github/workflows/buildwheel.yml +++ b/.github/workflows/buildwheel.yml @@ -101,7 +101,7 @@ jobs: # This is probably something to do with \ vs / in paths... - if: ${{ startsWith( matrix.os , 'windows' ) }} run: | - $pkgConfigPath = "${{ github.workspace }}/.local/lib/pkgconfig" + $pkgConfigPath = "$env:GITHUB_WORKSPACE/.local/lib/pkgconfig" $pkgConfigPath = $pkgConfigPath.Replace('\', '/') echo "PKG_CONFIG_PATH=$pkgConfigPath" >> $env:GITHUB_ENV @@ -225,7 +225,7 @@ jobs: node-version: '22' - run: pip install pyodide-build - - run: pyodide xbuildenv install "${{ env.PYODIDE_VERSION }}" + - run: pyodide xbuildenv install "$PYODIDE_VERSION" - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: @@ -315,7 +315,9 @@ jobs: - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.13' - - run: bin/install_flint_ubuntu.sh ${{ matrix.flint-tag }} + - env: + FLINT_TAG: ${{ matrix.flint-tag }} + run: bin/install_flint_ubuntu.sh "$FLINT_TAG" - run: pip install . - run: python -m flint.test --verbose 
@@ -402,7 +404,9 @@ jobs: - run: sudo apt-get install libflint-dev - run: pip install . - run: pip install pytest pytest-xdist hypothesis - - run: pip install sympy==${{ matrix.sympy-version }} + - env: + SYMPY_VERSION: ${{ matrix.sympy-version }} + run: pip install "sympy==$SYMPY_VERSION" - run: python -c 'import sympy; sympy.test(parallel=True)' # Run SymPy master branch agains python-flint main From 651972bcb7e63401dde066e27587a1366b29d6e7 Mon Sep 17 00:00:00 2001 From: Oscar Benjamin Date: Sat, 4 Apr 2026 13:41:04 +0100 Subject: [PATCH 8/9] actions: minor tweaks for zizmor --- .github/workflows/buildwheel.yml | 4 ++-- .github/workflows/lint.yml | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/buildwheel.yml b/.github/workflows/buildwheel.yml index 8c3a212d..efb69176 100644 --- a/.github/workflows/buildwheel.yml +++ b/.github/workflows/buildwheel.yml @@ -470,7 +470,7 @@ jobs: name: pypi url: https://pypi.org/p/python-flint permissions: - id-token: write + id-token: write # Required for trusted publishing to PyPI via OIDC. runs-on: ubuntu-latest steps: @@ -501,7 +501,7 @@ jobs: needs: pypi_release runs-on: ubuntu-latest permissions: - contents: write + contents: write # Required to create the GitHub release with the gh CLI. steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 6c337621..55758fc4 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -11,6 +11,7 @@ permissions: jobs: lint: + name: Lint runs-on: ubuntu-latest strategy: matrix: From a1fb4f2b6a82fa57d15134ea02f7dd93b4460086 Mon Sep 17 00:00:00 2001 From: Oscar Benjamin Date: Sat, 4 Apr 2026 15:05:23 +0100 Subject: [PATCH 9/9] actions: add zizmor check in CI --- .github/workflows/zizmor.yml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 .github/workflows/zizmor.yml 
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 00000000..d58fd236 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,29 @@ +name: Zizmor + +on: [pull_request, push] + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: {} + +jobs: + zizmor: + name: Audit GitHub Actions + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor + uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0 + with: + advanced-security: false + annotations: true + persona: auditor + inputs: .github/workflows/
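Review bot: The new workflow gives no reason for the two settings a maintainer is most likely to flip later: `advanced-security: false` means (per the action's documentation) findings are surfaced only as annotations rather than uploaded to code scanning, which is why the job correctly needs just `contents: read` and no `security-events: write`, and `persona: auditor` is zizmor's strictest persona, so low-confidence findings fail the job too. Add a short comment above the `with:` block of the zizmor step, e.g. `# No code-scanning upload, so no security-events permission; auditor persona is intentionally strict.` If `advanced-security` is ever enabled, the job's `permissions` must grow accordingly, and stating that here prevents a confusing failure.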