diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 000000000..fc9f8550e
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/" # Location of your workflow files
+ schedule:
+ interval: "weekly" # Options: daily, weekly, monthly
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e99b14397..8b3317188 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,3 +1,5 @@
+permissions:
+ contents: read
 on:
 push:
 paths:
@@ -16,6 +18,8 @@ jobs:
 runs-on: ubuntu-22.04
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up Python
 uses: actions/setup-python@v5
@@ -41,6 +45,8 @@ jobs:
 runs-on: ubuntu-22.04
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up Python
 uses: actions/setup-python@v5
@@ -67,6 +73,8 @@ jobs:
 runs-on: ${{ matrix.os }}
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up Python
 uses: actions/setup-python@v5
@@ -119,7 +127,7 @@ jobs:
 echo "SDIST_DIR=$extractedDir" | Out-File -FilePath $env:GITHUB_ENV -Append
 - name: Build basemap wheels from sdist
- uses: pypa/cibuildwheel@v2.22.0
+ uses: pypa/cibuildwheel@ee63bf16da6cddfb925f542f2c7b59ad50e93969 # v2.22.0
 env:
 CIBW_ARCHS: "native"
 CIBW_BUILD: "cp39* cp310* cp311* cp312* cp313*"
@@ -182,6 +190,8 @@ jobs:
 runs-on: ubuntu-22.04
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up Python
 uses: actions/setup-python@v5
@@ -270,7 +280,7 @@ jobs:
 merge-multiple: true
 - name: Publish to PyPI
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
 with:
 password: ${{ secrets.PYPI_TOKEN }}
 repository-url: ${{ secrets.PYPI_REPOSITORY_URL }}
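Review bot: The new dependabot.yml starts with an empty line ahead of `version: 2` and keeps the template comments unchanged; dropping the blank line (or opening the file with `---`) and replacing `# Location of your workflow files` with something like `# "/" makes Dependabot scan .github/workflows` would say more to the next reader. Only the `github-actions` ecosystem is configured, which fits the commit-SHA pins added to build.yml in the same commit, since Dependabot is what will keep those pins current. Whether the Python build dependencies should be tracked as well cannot be judged from this diff.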
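Review bot: `actions/checkout@v4` in the hunk at -16, and `actions/setup-python@v5` on the context line below it, stay on mutable tags while this commit pins the two pypa actions to full commit SHAs, so the workflow is only partly protected against a retagged action. The same holds for the checkout steps in the hunks at -41, -67 and -182. Pinning them the same way, e.g. `- uses: actions/checkout@<full-commit-sha> # v4` (placeholder; take the SHA from the release you have reviewed), keeps the policy uniform, and the new Dependabot configuration can then maintain those pins too. The jobs these steps belong to begin and end outside the hunks.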
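Review bot: The publish step in the hunk at -270 is now pinned to a commit, but it still authenticates with the long-lived `secrets.PYPI_TOKEN` passed as `password:`, which remains valid if it ever leaks from a run. PyPI trusted publishing would replace it with a short-lived OIDC token; because this commit sets the workflow-level `permissions:` to `contents: read`, the publishing job would then need its own `permissions:` block with `id-token: write`, and the `password:` line would be removed. `repository-url` is also read from a secret, so the upload target is not visible in review; if it is a fixed index, writing it in the workflow makes it auditable. The job definition lies outside this hunk, so any existing job-level permissions or environment protection cannot be seen from here.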