directory: "/"
schedule:
interval: "daily"
+ cooldown:
+ default-days: 7
commit-message:
prefix: ⬆
# Python
directory: "/"
schedule:
interval: "daily"
+ cooldown:
+ default-days: 7
+ commit-message:
+ prefix: ⬆
+ # pre-commit
+ - package-ecosystem: "pre-commit"
+ directory: "/"
+ schedule:
+ interval: "daily"
+ cooldown:
+ default-days: 7
commit-message:
prefix: ⬆
name: Add to Project
on:
- pull_request_target:
+ pull_request_target: # zizmor: ignore[dangerous-triggers]
issues:
types:
- opened
- reopened
+permissions: {}
+
jobs:
add-to-project:
name: Add to project
runs-on: ubuntu-latest
+ timeout-minutes: 5
steps:
- uses: actions/add-to-project@5afcf98fcd03f1c2f92c3c83f58ae24323cc57fd # v2.0.0
with:
project-url: https://github.com/orgs/fastapi/projects/2
- github-token: ${{ secrets.PROJECTS_TOKEN }}
+ github-token: ${{ secrets.PROJECTS_TOKEN }} # zizmor: ignore[secrets-outside-env]
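Review bot: The `# zizmor: ignore[dangerous-triggers]` suppression on L28 carries no reason; here it is justified because the only job (L36–L45) checks out nothing and runs no PR-controlled code, just `actions/add-to-project`, and the comment should say so, e.g. `pull_request_target: # zizmor: ignore[dangerous-triggers] -- no checkout, no PR code is executed`. The same bare suppression appears in deploy-docs (L102), the conflict detector (L161), issue-manager (L179), labels (L201), latest-changes (L229) and smokeshow (L341); where a job does check out or run code the reason differs (for latest-changes it is the merged-only gate on L240) and should be stated at that line. Recording the rationale beside each suppression is what lets a later change to the job be checked against it.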
- opened
- synchronize
+permissions: {}
+
jobs:
changes:
runs-on: ubuntu-latest
# Required permissions
permissions:
pull-requests: read
+ timeout-minutes: 5
# Set job outputs to values from filter step
outputs:
docs: ${{ steps.filter.outputs.docs }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
# For pull requests it's not necessary to checkout the code but for the main branch it is
+ with:
+ persist-credentials: false
- uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
id: filter
with:
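Review bot: The comment on L62 (`# For pull requests it's not necessary to checkout the code but for the main branch it is`) now sits between the `uses:` line and the new `with:` block on L63–L64, where it reads as an explanation of `persist-credentials: false` rather than of the checkout step; move it above `- uses: actions/checkout@…` on L61 so the action and its `with:` block stay contiguous. The changes job's step list continues outside the hunk.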
- changes
if: ${{ needs.changes.outputs.docs == 'true' }}
runs-on: ubuntu-latest
+ timeout-minutes: 5
steps:
- name: Dump GitHub context
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT"
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- name: Set up Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
- name: Setup uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
+ # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
+ # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
+ version: "0.11.4"
enable-cache: true
cache-dependency-glob: |
pyproject.toml
needs:
- build-docs
runs-on: ubuntu-latest
+ timeout-minutes: 5
steps:
- name: Decide whether the needed jobs succeeded or failed
uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
name: Deploy Docs
on:
- workflow_run:
+ workflow_run: # zizmor: ignore[dangerous-triggers]
workflows:
- Build Docs
types:
- completed
-permissions:
- deployments: write
- issues: write
- pull-requests: write
- statuses: write
+permissions: {}
jobs:
deploy-docs:
runs-on: ubuntu-latest
+ permissions:
+ deployments: write
+ issues: write
+ pull-requests: write
+ statuses: write
+ timeout-minutes: 5
steps:
- name: Dump GitHub context
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT"
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- name: Set up Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
- name: Setup uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
- enable-cache: true
- cache-dependency-glob: |
- pyproject.toml
- uv.lock
+ # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
+ # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
+ version: "0.11.4"
+ enable-cache: false
- name: Install GitHub Actions dependencies
run: uv sync --locked --no-dev --group github-actions
- name: Deploy Docs Status Pending
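Review bot: `enable-cache: false` on L143, together with the removal of `cache-dependency-glob` on L137–L139, has no comment, while every other `setup-uv` step in this change keeps `enable-cache: true`; the reason — presumably that this is a `workflow_run` job holding the Cloudflare deployment secrets, where a restored cache is an input the job should not trust (zizmor's cache-poisoning audit) — belongs next to it, e.g. `enable-cache: false # privileged workflow_run job: do not restore caches (cache poisoning)`. Without that note the next person optimising CI time will likely re-enable it. The deploy-docs job continues outside the hunk.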
BRANCH: ${{ ( github.event.workflow_run.head_repository.full_name == github.repository && github.event.workflow_run.head_branch == 'main' && 'main' ) || ( github.event.workflow_run.head_sha ) }}
uses: cloudflare/wrangler-action@9acf94ace14e7dc412b076f2c5c20b8ce93c79cd # v3.15.0
with:
- apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
- accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+ apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }} # zizmor: ignore[secrets-outside-env]
+ accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }} # zizmor: ignore[secrets-outside-env]
command: pages deploy ./site --project-name=${{ env.PROJECT_NAME }} --branch=${{ env.BRANCH }}
- name: Deploy Docs Status Error
if: failure()
name: "Conflict detector"
on:
push:
- pull_request_target:
+ pull_request_target: # zizmor: ignore[dangerous-triggers]
types: [synchronize]
+permissions: {}
+
jobs:
main:
permissions:
contents: read
pull-requests: write
runs-on: ubuntu-latest
+ timeout-minutes: 5
steps:
- name: Check if PRs have merge conflicts
uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3.0.3
issues:
types:
- labeled
- pull_request_target:
+ pull_request_target: # zizmor: ignore[dangerous-triggers]
types:
- labeled
workflow_dispatch:
-permissions:
- issues: write
- pull-requests: write
+permissions: {}
jobs:
issue-manager:
if: github.repository_owner == 'fastapi'
runs-on: ubuntu-latest
+ permissions:
+ issues: write
+ pull-requests: write
+ timeout-minutes: 5
steps:
- name: Dump GitHub context
env:
name: Labels
on:
- pull_request_target:
+ pull_request_target: # zizmor: ignore[dangerous-triggers]
types:
- opened
- synchronize
- labeled
- unlabeled
+permissions: {}
+
jobs:
labeler:
permissions:
contents: read
pull-requests: write
runs-on: ubuntu-latest
+ timeout-minutes: 5
steps:
- uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6.1.0
if: ${{ github.event.action != 'labeled' && github.event.action != 'unlabeled' }}
permissions:
pull-requests: read
runs-on: ubuntu-latest
+ timeout-minutes: 5
steps:
- uses: agilepathway/label-checker@c3d16ad512e7cea5961df85ff2486bb774caf3c5 # v1.6.65
with:
name: Latest Changes
on:
- pull_request_target:
+ pull_request_target: # zizmor: ignore[dangerous-triggers]
branches:
- main
types:
required: false
default: 'false'
+permissions: {}
+
jobs:
latest-changes:
runs-on: ubuntu-latest
+ if: github.event_name == 'workflow_dispatch' || github.event.pull_request.merged == true
+ timeout-minutes: 5
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
# To allow latest-changes to commit to the main branch
- token: ${{ secrets.SQLMODEL_LATEST_CHANGES }}
+ token: ${{ secrets.SQLMODEL_LATEST_CHANGES }} # zizmor: ignore[secrets-outside-env]
+ persist-credentials: true # required by tiangolo/latest-changes
# Allow debugging with tmate
- name: Setup tmate session
uses: mxschmitt/action-tmate@c0afd6f790e3a5564914980036ebf83216678101 # v3.23
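Review bot: `persist-credentials: true` on L248 writes `SQLMODEL_LATEST_CHANGES` into `.git/config`, so every later step of the job — including the tmate session on L250–L251, whose own `if:` is outside the hunk — can read a token that pushes to `main`; what makes this acceptable under `pull_request_target` is the new job-level `if:` on L240, which runs the job only for merged PRs (code already on `main`) or a manual dispatch. That dependency is not written down anywhere; the comment on L248 should carry it, e.g. `persist-credentials: true # required by tiangolo/latest-changes; safe only while the job-level if limits runs to merged PRs`. The trigger's `types:` list (L232) is cut off by the hunk, so whether it is restricted to `closed` cannot be confirmed from here.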
- opened
- synchronize
+permissions: {}
+
env:
# Forks and Dependabot don't have access to secrets
HAS_SECRETS: ${{ secrets.PRE_COMMIT != '' }}
jobs:
pre-commit:
runs-on: ubuntu-latest
+ timeout-minutes: 5
steps:
- name: Dump GitHub context
env:
# And it needs the full history to be able to compute diffs
fetch-depth: 0
# A token other than the default GITHUB_TOKEN is needed to be able to trigger CI
- token: ${{ secrets.PRE_COMMIT }}
+ token: ${{ secrets.PRE_COMMIT }} # zizmor: ignore[secrets-outside-env]
+ persist-credentials: true # Required for `git push` command
# pre-commit lite ci needs the default checkout configs to work
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
name: Checkout PR for fork
# To be able to commit it needs the head branch of the PR, the remote one
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 0
+ persist-credentials: false
- name: Set up Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
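Review bot: `persist-credentials: true` on L271 keeps the `PRE_COMMIT` token in `.git/config` for the rest of the job, and the hooks later run by `uv run prek …` (L295) execute code taken from the PR head (`ref: ${{ github.event.pull_request.head.sha }}`, L276) on that runner; the comment should state what bounds this — presumably that this checkout is gated on `HAS_SECRETS` (L257–L258, as the commit step on L298 is), so it never runs for fork or Dependabot PRs, while the fork checkout on L273–L278 explicitly sets `persist-credentials: false`. Suggested wording: `persist-credentials: true # needed for the git push below; only runs for same-repo PRs (HAS_SECRETS), forks use the checkout below without credentials`. The first checkout step's header and `if:` are outside the hunk, so the gating is inferred rather than seen.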
- name: Setup uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
+ # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
+ # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
+ version: "0.11.4"
cache-dependency-glob: |
pyproject.toml
uv.lock
run: uv sync --locked
- name: Run prek - pre-commit
id: precommit
- run: uvx prek run --from-ref origin/${GITHUB_BASE_REF} --to-ref HEAD --show-diff-on-failure
+ run: uv run prek run --from-ref origin/${GITHUB_BASE_REF} --to-ref HEAD --show-diff-on-failure
continue-on-error: true
- name: Commit and push changes
if: env.HAS_SECRETS == 'true'
needs:
- pre-commit
runs-on: ubuntu-latest
+ timeout-minutes: 5
steps:
- name: Dump GitHub context
env:
required: false
default: 'false'
+permissions: {}
+
jobs:
publish:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
+ timeout-minutes: 5
steps:
- name: Dump GitHub context
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT"
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- name: Set up Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version-file: ".python-version"
- name: Install uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+ with:
+ # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
+ # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
+ version: "0.11.4"
- name: Build distribution
run: uv build
- name: Publish
name: Smokeshow
on:
- workflow_run:
+ workflow_run: # zizmor: ignore[dangerous-triggers]
workflows: [Test]
types: [completed]
-permissions:
- statuses: write
+permissions: {}
jobs:
smokeshow:
runs-on: ubuntu-latest
+ permissions:
+ statuses: write
+ timeout-minutes: 5
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version-file: ".python-version"
- name: Setup uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
+ # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
+ # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
+ version: "0.11.4"
cache-dependency-glob: |
pyproject.toml
uv.lock
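Review bot: This `setup-uv` step keeps `cache-dependency-glob` (L366–L368) in a `workflow_run` job that holds `SMOKESHOW_AUTH_KEY` and `statuses: write`, whereas the deploy-docs hunk in the same change switches the equivalent privileged step to `enable-cache: false` and drops the glob (L136–L143); if that change was made for zizmor's cache-poisoning audit the same reasoning applies here, and if it was not, a one-line comment on either step saying why the two differ would save the next reviewer the same question. The smokeshow job continues outside the hunk.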
SMOKESHOW_GITHUB_CONTEXT: coverage
SMOKESHOW_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SMOKESHOW_GITHUB_PR_HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
- SMOKESHOW_AUTH_KEY: ${{ secrets.SMOKESHOW_AUTH_KEY }}
+ SMOKESHOW_AUTH_KEY: ${{ secrets.SMOKESHOW_AUTH_KEY }} # zizmor: ignore[secrets-outside-env]
- opened
- synchronize
+permissions: {}
+
jobs:
test-redistribute:
runs-on: ubuntu-latest
+ timeout-minutes: 5
steps:
- name: Dump GitHub context
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT"
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- name: Set up Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
needs:
- test-redistribute
runs-on: ubuntu-latest
+ timeout-minutes: 5
steps:
- name: Decide whether the needed jobs succeeded or failed
uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
# cron every week on monday
- cron: "0 0 * * 1"
+permissions: {}
+
env:
UV_NO_SYNC: true
uv-resolution: highest
fail-fast: false
runs-on: ${{ matrix.os }}
+ timeout-minutes: 5
env:
UV_PYTHON: ${{ matrix.python-version }}
UV_RESOLUTION: ${{ matrix.uv-resolution }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- name: Set up Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
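Review bot: `timeout-minutes: 5` on L409 is applied to the matrix test job (`runs-on: ${{ matrix.os }}`, L408, with the `uv-resolution` variants around L406) with the same value as the single-step housekeeping jobs; a full matrix entry on a slower OS runner can plausibly exceed five minutes, and a timeout there surfaces as a cancelled job rather than a test failure. Consider a larger ceiling for this job only, e.g. `timeout-minutes: 15`, or a comment next to it noting that the suite comfortably fits. The matrix definition starts outside the hunk.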
- name: Setup uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
+ # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
+ # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
+ version: "0.11.4"
enable-cache: true
cache-dependency-glob: |
pyproject.toml
needs:
- test
runs-on: ubuntu-latest
+ timeout-minutes: 5
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version-file: ".python-version"
- name: Setup uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
+ # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
+ # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
+ version: "0.11.4"
enable-cache: true
cache-dependency-glob: |
pyproject.toml
needs:
- coverage-combine
runs-on: ubuntu-latest
+ timeout-minutes: 5
steps:
- name: Decide whether the needed jobs succeeded or failed
uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
--- /dev/null
+name: Zizmor
+
+on:
+ push:
+ branches:
+ - main
+ workflow_dispatch:
+
+permissions: {}
+
+jobs:
+ zizmor:
+ name: Run zizmor
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
+ timeout-minutes: 5
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - name: Run zizmor
+ uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
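Review bot: The workflow runs only on `push` to `main` and `workflow_dispatch` (L460–L463), so zizmor findings for workflow edits in a pull request appear after merge, not before; the pre-commit hook added in this change covers contributors who run prek locally but not CI. If pre-merge auditing is wanted, a `pull_request` trigger scoped to `.github/workflows/**` would provide it, with the caveat that SARIF upload needs `security-events: write`, which fork PRs do not receive, so the action's SARIF upload would have to be turned off for that event (I believe the input is `advanced-security: false`; confirm against the action's README). Either way a header comment stating the intent, e.g. `# Post-merge audit of workflows on main; PR-time checks come from the prek/pre-commit hook`, would make the scope explicit.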
entry: uv run ./scripts/docs.py generate-readme
files: ^docs/index\.md|scripts/docs\.py$
pass_filenames: false
+
+ - id: zizmor
+ name: zizmor
+ language: python
+ entry: uv run zizmor .
+ files: ^\.github\/workflows\/
+ require_serial: true
+ pass_filenames: false
{ include-group = "docs" },
{ include-group = "tests" },
"prek>=0.2.24,<1.0.0",
+ "zizmor >=1.23.1",
]
docs = [
"black >=24.1.0",
{ name = "ty" },
{ name = "typer" },
{ name = "typing-extensions" },
+ { name = "zizmor" },
]
docs = [
{ name = "black" },
{ name = "ty", specifier = ">=0.0.25" },
{ name = "typer", specifier = ">=0.24.1" },
{ name = "typing-extensions", specifier = ">=4.15.0" },
+ { name = "zizmor", specifier = ">=1.23.1" },
]
docs = [
{ name = "black", specifier = ">=24.1.0" },
wheels = [
{ url = "https://files.pythonhosted.org/packages/f4/24/2a3e3df732393fed8b3ebf2ec078f05546de641fe1b667ee316ec1dcf3b7/webencodings-0.5.1-py2.py3-none-any.whl", hash = "sha256:a0af1213f3c2226497a97e2b3aa01a7e4bee4f403f95be16fc9acd2947514a78", size = 11774, upload-time = "2017-04-05T20:21:32.581Z" },
]
+
+[[package]]
+name = "zizmor"
+version = "1.24.1"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/27/98/21be481ab5c08d976e59409828cfcb460a32a737415cf4e9c3f3280acc0b/zizmor-1.24.1.tar.gz", hash = "sha256:54ebb7a7061ebaa3a373126dcbafe970c9228fe274cfc40776a9714d2095b5e6", size = 501427, upload-time = "2026-04-13T18:01:34.666Z" }
+wheels = [
+ { url = "https://files.pythonhosted.org/packages/6a/0d/c932a14dfe7d3fed5dbf26a7bf1b7b9dbf277cef1d0b76fbcddae386442d/zizmor-1.24.1-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:fd7c4953aa438aae599db69ed70ac687995e9e3314208bf1be5336479d556c8e", size = 9123014, upload-time = "2026-04-13T18:01:28.834Z" },
+ { url = "https://files.pythonhosted.org/packages/5c/cc/f87ff2ccb9c57f4a1e5e9bd0351f9c84dc724fbd61b8ef70bc7e8abc1e0e/zizmor-1.24.1-py3-none-macosx_11_0_arm64.whl", hash = "sha256:f44379019188b1a18d560614ab8abac7ce10553ad2ab57d519fa1c214881ff95", size = 8664275, upload-time = "2026-04-13T18:01:24.588Z" },
+ { url = "https://files.pythonhosted.org/packages/d2/64/1dfa166dea03ddff23ee3d6c6ebce8322766f7188e008aa0d3612af3e709/zizmor-1.24.1-py3-none-manylinux_2_24_aarch64.whl", hash = "sha256:9b0689c55854edb0f3e6430321a93ca0081d8e34028cdcb47b9504f8a8559c27", size = 8837100, upload-time = "2026-04-13T18:01:18.708Z" },
+ { url = "https://files.pythonhosted.org/packages/65/67/cc411d605fec63b70558d572eb3fc2dbe4e596753e747b74daf5b795c1ed/zizmor-1.24.1-py3-none-manylinux_2_28_armv7l.whl", hash = "sha256:61f39674d5ea29640c4b09f3c239b3c9824c646bc790fa3680022e7bb569b375", size = 8430633, upload-time = "2026-04-13T18:01:20.757Z" },
+ { url = "https://files.pythonhosted.org/packages/76/86/f8dfffc7a5348c41bc17dea1f1796ac1a56d5e448f26a4193bc65996f571/zizmor-1.24.1-py3-none-manylinux_2_28_x86_64.whl", hash = "sha256:73083efc7a65e5a58f4439dd781cdcb0394b05a3750e664c7f7e414589dc49b1", size = 9263074, upload-time = "2026-04-13T18:01:31.403Z" },
+ { url = "https://files.pythonhosted.org/packages/14/62/db19dd027b412e92bbea8bd311b733d7726402ee3c734033c714125348f1/zizmor-1.24.1-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:d36a2ba3b6d839acd4542f1a8f42bc34ff902cbff302cdf7916cb4e49dc8c5cc", size = 8863996, upload-time = "2026-04-13T18:01:35.929Z" },
+ { url = "https://files.pythonhosted.org/packages/8d/28/c4f220a14cb100ecc965ea0faed1c1229139861a55e792522274221988b3/zizmor-1.24.1-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:ff5acdd10c66ac27396c0fe14e4604933f6c622ffda38a6aa2857b99c75f5108", size = 8382934, upload-time = "2026-04-13T18:01:27.014Z" },
+ { url = "https://files.pythonhosted.org/packages/a1/df/9593e8851424738a3b682be8958abf0e6a2c170e0c880d7b3bfb5d9eaf15/zizmor-1.24.1-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:b2d873816137296ca5633ad240a574ce49374009a39d43f78a1675e2dba1ab52", size = 9352624, upload-time = "2026-04-13T18:01:16.672Z" },
+ { url = "https://files.pythonhosted.org/packages/ee/b9/2c4fe526fc02926206903bfc72dbfbc215f01728eccef8135363d57890c9/zizmor-1.24.1-py3-none-win32.whl", hash = "sha256:c87812173fef2a3449d269e50e93b67b2f40826d10464c7add0c0fd7f0523a2c", size = 7496962, upload-time = "2026-04-13T18:01:22.773Z" },
+ { url = "https://files.pythonhosted.org/packages/ed/24/710149e5d64d474103165b9eef6f7698827ef2fbb762b034ebc02b11a816/zizmor-1.24.1-py3-none-win_amd64.whl", hash = "sha256:9a0e552bf84f146699a0231dc42cf2cd5cfe140e3f08ff867ac154f62fc1ac2e", size = 8550658, upload-time = "2026-04-13T18:01:33.13Z" },
+]