From cb2468242c3ab6cab2f33c0ed94e4201a35e921e Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Thu, 17 Jul 2025 21:02:01 -0400 Subject: [PATCH 1/6] CI: pin actions by SHA This eliminates the possibility of a tag being changed under us. --- .github/workflows/gh-pages.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 913cc54..b0a3c7a 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -28,7 +28,7 @@ jobs: make -C docs html O="-t release" - name: Deploy - uses: peaceiris/actions-gh-pages@v3 + uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3 with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: ./docs/build/html From 76561d103d98e0004dbe854653fe97e4dfd2a2b7 Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Thu, 17 Jul 2025 22:53:44 -0400 Subject: [PATCH 2/6] CI: pin actions by SHA This eliminates the possibility of a tag being changed under us. --- .github/workflows/circleci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/circleci.yml b/.github/workflows/circleci.yml index 7efbbe6..c2c1291 100644 --- a/.github/workflows/circleci.yml +++ b/.github/workflows/circleci.yml @@ -9,7 +9,7 @@ jobs: name: Run CircleCI artifacts redirector steps: - name: GitHub Action step - uses: larsoner/circleci-artifacts-redirector-action@master + uses: scientific-python/circleci-artifacts-redirector-action@7eafdb60666f57706a5525a2f5eb76224dc8779b # v1.1.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} api-token: ${{ secrets.CIRCLECI_TOKEN }} From 8986fdf857768d84b13e4e18812bc6e6d515c825 Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Thu, 17 Jul 2025 23:07:54 -0400 Subject: [PATCH 3/6] CI: auto-fix via zizmor May include: - Avoids risky string interpolation. - Prevents checkout premissions from leaking --- .github/workflows/gh-pages.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index b0a3c7a..9bf99f7 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -13,6 +13,8 @@ jobs: steps: - name: checkout uses: actions/checkout@v3 + with: + persist-credentials: false - name: Install Python uses: actions/setup-python@v4 From 41a99dde988673ceb9da3124da66e275eec5362d Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Thu, 17 Jul 2025 23:14:48 -0400 Subject: [PATCH 4/6] CI: Restrict default permissions Reduces risk of arbitrary code is run by attacker. --- .github/workflows/gh-pages.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 9bf99f7..226d726 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -1,4 +1,6 @@ name: GitHub Pages +permissions: + contents: read on: push: From a2e02489018e9ccbde56bf068ef717a9fbdafb31 Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Fri, 18 Jul 2025 11:31:18 -0400 Subject: [PATCH 5/6] CI: add dependabot config file for GHA --- .github/dependabot.yml | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..fc9f855 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,7 @@ + +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" # Location of your workflow files + schedule: + interval: "weekly" # Options: daily, weekly, monthly From 2e765c70cbd73fb228ecae8ea2a7f198f3d7089c Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Tue, 22 Jul 2025 09:18:48 -0400 Subject: [PATCH 6/6] CI: update version string Co-authored-by: Elliott Sales de Andrade --- .github/workflows/gh-pages.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 226d726..90cf5cf 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -32,7 +32,7 @@ jobs: make -C docs html O="-t release" - name: Deploy - uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3 + uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3.9.3 with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: ./docs/build/html