directory: "/"
schedule:
interval: "daily"
+ cooldown:
+ default-days: 7
commit-message:
prefix: ⬆
# Python
- package-ecosystem: "uv"
directory: "/"
schedule:
- interval: "monthly"
+ interval: "daily"
+ cooldown:
+ default-days: 7
+ commit-message:
+ prefix: ⬆
+ # pre-commit
+ - package-ecosystem: "pre-commit"
+ directory: "/"
+ schedule:
+ interval: "daily"
+ cooldown:
+ default-days: 7
commit-message:
prefix: ⬆
name: Add to Project
on:
- pull_request_target:
+ pull_request_target: # zizmor: ignore[dangerous-triggers]
issues:
types:
- opened
- reopened
+permissions: {}
+
jobs:
add-to-project:
name: Add to project
runs-on: ubuntu-latest
steps:
- - uses: actions/add-to-project@v1.0.2
+ - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
with:
project-url: https://github.com/orgs/fastapi/projects/2
- github-token: ${{ secrets.PROJECTS_TOKEN }}
+ github-token: ${{ secrets.PROJECTS_TOKEN }} # zizmor: ignore[secrets-outside-env]
- opened
- synchronize
+permissions: {}
+
jobs:
changes:
runs-on: ubuntu-latest
outputs:
docs: ${{ steps.filter.outputs.docs }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
# For pull requests it's not necessary to checkout the code but for the main branch it is
- - uses: dorny/paths-filter@v4
+ - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
id: filter
with:
filters: |
outputs:
langs: ${{ steps.show-langs.outputs.langs }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version-file: ".python-version"
- name: Setup uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
with:
+ version: "0.11.4"
enable-cache: true
cache-dependency-glob: |
pyproject.toml
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT"
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version-file: ".python-version"
- name: Setup uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
with:
+ version: "0.11.4"
enable-cache: true
cache-dependency-glob: |
pyproject.toml
run: uv sync --locked --no-dev --group docs
- name: Update Languages
run: uv run ./scripts/docs.py update-languages
- - uses: actions/cache@v5
+ - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with:
key: mkdocs-cards-${{ matrix.lang }}-${{ github.ref }}
path: docs/${{ matrix.lang }}/.cache
- name: Build Docs
- run: uv run ./scripts/docs.py build-lang ${{ matrix.lang }}
- - uses: actions/upload-artifact@v7
+ run: | # zizmor: ignore[template-injection] - comes from trusted source
+ uv run ./scripts/docs.py build-lang ${{ matrix.lang }}
+ - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: docs-site-${{ matrix.lang }}
path: ./site/**
runs-on: ubuntu-latest
steps:
- name: Decide whether the needed jobs succeeded or failed
- uses: re-actors/alls-green@release/v1
+ uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
with:
jobs: ${{ toJSON(needs) }}
allowed-skips: build-docs
required: false
default: "false"
+permissions: {}
+
jobs:
job:
if: github.repository_owner == 'fastapi'
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT"
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: true # Required for `git push` in `contributors.py`
- name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version-file: ".python-version"
- name: Setup uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
with:
+ version: "0.11.4"
enable-cache: true
cache-dependency-glob: |
pyproject.toml
run: uv sync --locked --no-dev --group github-actions
# Allow debugging with tmate
- name: Setup tmate session
- uses: mxschmitt/action-tmate@v3
+ uses: mxschmitt/action-tmate@c0afd6f790e3a5564914980036ebf83216678101 # v3.23
if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.debug_enabled == 'true' }}
with:
limit-access-to-actor: true
env:
- GITHUB_TOKEN: ${{ secrets.FASTAPI_PR_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.FASTAPI_PR_TOKEN }} # zizmor: ignore[secrets-outside-env]
- name: FastAPI People Contributors
run: uv run ./scripts/contributors.py
env:
- GITHUB_TOKEN: ${{ secrets.FASTAPI_PR_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.FASTAPI_PR_TOKEN }} # zizmor: ignore[secrets-outside-env]
name: Deploy Docs
on:
- workflow_run:
+ workflow_run: # zizmor: ignore[dangerous-triggers]
workflows:
- Build Docs
types:
- completed
-permissions:
- deployments: write
- issues: write
- pull-requests: write
- statuses: write
+permissions: {}
jobs:
deploy-docs:
runs-on: ubuntu-latest
+ permissions:
+ deployments: write
+ issues: write
+ pull-requests: write
+ statuses: write
steps:
- name: Dump GitHub context
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT"
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version-file: ".python-version"
- name: Setup uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
with:
- enable-cache: true
- cache-dependency-glob: |
- pyproject.toml
- uv.lock
+ version: "0.11.4"
+ enable-cache: false
- name: Install GitHub Actions dependencies
run: uv sync --locked --no-dev --group github-actions
- name: Deploy Docs Status Pending
run: |
rm -rf ./site
mkdir ./site
- - uses: actions/download-artifact@v8
+ - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
path: ./site/
pattern: docs-site-*
env:
PROJECT_NAME: fastapitiangolo
BRANCH: ${{ ( github.event.workflow_run.head_repository.full_name == github.repository && github.event.workflow_run.head_branch == 'master' && 'main' ) || ( github.event.workflow_run.head_sha ) }}
- uses: cloudflare/wrangler-action@v3
+ uses: cloudflare/wrangler-action@da0e0dfe58b7a431659754fdf3f186c529afbe65 # v3.14.1
with:
- apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
- accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+ apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }} # zizmor: ignore[secrets-outside-env]
+ accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }} # zizmor: ignore[secrets-outside-env]
command: pages deploy ./site --project-name=${{ env.PROJECT_NAME }} --branch=${{ env.BRANCH }}
- name: Deploy Docs Status Error
if: failure()
name: "Conflict detector"
on:
push:
- pull_request_target:
+ pull_request_target: # zizmor: ignore[dangerous-triggers]
types: [synchronize]
+permissions: {}
+
jobs:
main:
permissions:
runs-on: ubuntu-latest
steps:
- name: Check if PRs have merge conflicts
- uses: eps1lon/actions-label-merge-conflict@v3
+ uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3.0.3
with:
dirtyLabel: "conflicts"
repoToken: "${{ secrets.GITHUB_TOKEN }}"
issues:
types:
- labeled
- pull_request_target:
+ pull_request_target: # zizmor: ignore[dangerous-triggers]
types:
- labeled
workflow_dispatch:
-permissions:
- issues: write
- pull-requests: write
+permissions: {}
jobs:
issue-manager:
if: github.repository_owner == 'fastapi'
runs-on: ubuntu-latest
+ permissions:
+ issues: write
+ pull-requests: write
steps:
- name: Dump GitHub context
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT"
- - uses: tiangolo/issue-manager@0.6.0
+ - uses: tiangolo/issue-manager@2fb3484ec9279485df8659e8ec73de262431737d # 0.6.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
config: >
- cron: "0 12 * * *"
workflow_dispatch:
-permissions:
- pull-requests: write
+permissions: {}
jobs:
label-approved:
if: github.repository_owner == 'fastapi'
runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
steps:
- name: Dump GitHub context
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT"
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version-file: ".python-version"
- name: Setup uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
with:
+ version: "0.11.4"
enable-cache: true
cache-dependency-glob: |
pyproject.toml
name: Labels
on:
- pull_request_target:
+ pull_request_target: # zizmor: ignore[dangerous-triggers]
types:
- opened
- synchronize
- labeled
- unlabeled
+permissions: {}
+
jobs:
labeler:
permissions:
pull-requests: write
runs-on: ubuntu-latest
steps:
- - uses: actions/labeler@v6
+ - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
if: ${{ github.event.action != 'labeled' && github.event.action != 'unlabeled' }}
- run: echo "Done adding labels"
# Run this after labeler applied labels
pull-requests: read
runs-on: ubuntu-latest
steps:
- - uses: docker://agilepathway/pull-request-label-checker:latest
+ - uses: agilepathway/label-checker@c3d16ad512e7cea5961df85ff2486bb774caf3c5 # v1.6.65
with:
one_of: breaking,security,feature,bug,refactor,upgrade,docs,lang-all,internal
repo_token: ${{ secrets.GITHUB_TOKEN }}
name: Latest Changes
on:
- pull_request_target:
+ pull_request_target: # zizmor: ignore[dangerous-triggers]
branches:
- master
types:
required: false
default: 'false'
+permissions: {}
+
jobs:
latest-changes:
runs-on: ubuntu-latest
+ if: github.event_name == 'workflow_dispatch' || github.event.pull_request.merged == true
steps:
- name: Dump GitHub context
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT"
- # pin to actions/checkout@v5 for compatibility with latest-changes
- # Ref: https://github.com/actions/checkout/issues/2313
- - uses: actions/checkout@v5
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
# To allow latest-changes to commit to the main branch
- token: ${{ secrets.FASTAPI_LATEST_CHANGES }}
+ token: ${{ secrets.FASTAPI_LATEST_CHANGES }} # zizmor: ignore[secrets-outside-env]
+ persist-credentials: true # required by tiangolo/latest-changes
# Allow debugging with tmate
- name: Setup tmate session
- uses: mxschmitt/action-tmate@v3
+ uses: mxschmitt/action-tmate@c0afd6f790e3a5564914980036ebf83216678101 # v3.23
if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.debug_enabled == 'true' }}
with:
limit-access-to-actor: true
- - uses: tiangolo/latest-changes@0.4.1
+ - uses: tiangolo/latest-changes@c9d329cb147f0ddf4fb631214e3f838ff17ccbbd # 0.4.1
with:
token: ${{ secrets.GITHUB_TOKEN }}
latest_changes_file: docs/en/docs/release-notes.md
name: Notify Translations
on:
- pull_request_target:
+ pull_request_target: # zizmor: ignore[dangerous-triggers]
types:
- labeled
- closed
+ branches:
+ - master
workflow_dispatch:
inputs:
number:
required: false
default: 'false'
+permissions: {}
+
jobs:
job:
runs-on: ubuntu-latest
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT"
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version-file: ".python-version"
- name: Setup uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
with:
+ version: "0.11.4"
enable-cache: true
cache-dependency-glob: |
pyproject.toml
run: uv sync --locked --no-dev --group github-actions
# Allow debugging with tmate
- name: Setup tmate session
- uses: mxschmitt/action-tmate@v3
+ uses: mxschmitt/action-tmate@c0afd6f790e3a5564914980036ebf83216678101 # v3.23
if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.debug_enabled == 'true' }}
with:
limit-access-to-actor: true
required: false
default: "false"
+permissions: {}
+
jobs:
job:
if: github.repository_owner == 'fastapi'
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT"
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: true # Required for `git push` in `people.py`
- name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version-file: ".python-version"
- name: Setup uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
with:
+ version: "0.11.4"
enable-cache: true
cache-dependency-glob: |
pyproject.toml
run: uv sync --locked --no-dev --group github-actions
# Allow debugging with tmate
- name: Setup tmate session
- uses: mxschmitt/action-tmate@v3
+ uses: mxschmitt/action-tmate@c0afd6f790e3a5564914980036ebf83216678101 # v3.23
if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.debug_enabled == 'true' }}
with:
limit-access-to-actor: true
env:
- GITHUB_TOKEN: ${{ secrets.FASTAPI_PEOPLE }}
+ GITHUB_TOKEN: ${{ secrets.FASTAPI_PEOPLE }} # zizmor: ignore[secrets-outside-env]
- name: FastAPI People Experts
run: uv run ./scripts/people.py
env:
- GITHUB_TOKEN: ${{ secrets.FASTAPI_PEOPLE }}
+ GITHUB_TOKEN: ${{ secrets.FASTAPI_PEOPLE }} # zizmor: ignore[secrets-outside-env]
SLEEP_INTERVAL: ${{ vars.PEOPLE_SLEEP_INTERVAL }}
- opened
- synchronize
+permissions: {}
+
env:
# Forks and Dependabot don't have access to secrets
HAS_SECRETS: ${{ secrets.PRE_COMMIT != '' }}
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT"
- - uses: actions/checkout@v5
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
name: Checkout PR for own repo
if: env.HAS_SECRETS == 'true'
with:
# And it needs the full history to be able to compute diffs
fetch-depth: 0
# A token other than the default GITHUB_TOKEN is needed to be able to trigger CI
- token: ${{ secrets.PRE_COMMIT }}
+ token: ${{ secrets.PRE_COMMIT }} # zizmor: ignore[secrets-outside-env]
+ persist-credentials: true # Required for `git push` command
# pre-commit lite ci needs the default checkout configs to work
- - uses: actions/checkout@v5
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
name: Checkout PR for fork
if: env.HAS_SECRETS == 'false'
with:
# To be able to commit it needs the head branch of the PR, the remote one
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 0
+ persist-credentials: false
- name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version-file: ".python-version"
- name: Setup uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
with:
+ version: "0.11.4"
cache-dependency-glob: |
pyproject.toml
uv.lock
run: uv sync --locked --extra all
- name: Run prek - pre-commit
id: precommit
- run: uvx prek run --from-ref origin/${GITHUB_BASE_REF} --to-ref HEAD --show-diff-on-failure
+ run: uv run prek run --from-ref origin/${GITHUB_BASE_REF} --to-ref HEAD --show-diff-on-failure
continue-on-error: true
- name: Commit and push changes
if: env.HAS_SECRETS == 'true'
git commit -m "🎨 Auto format"
git push
fi
- - uses: pre-commit-ci/lite-action@v1.1.0
+ - uses: pre-commit-ci/lite-action@5d6cc0eb514c891a40562a58a8e71576c5c7fb43 # v1.1.0
if: env.HAS_SECRETS == 'false'
with:
msg: 🎨 Auto format
GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT"
- name: Decide whether the needed jobs succeeded or failed
- uses: re-actors/alls-green@release/v1
+ uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
with:
jobs: ${{ toJSON(needs) }}
types:
- created
+permissions: {}
+
jobs:
publish:
runs-on: ubuntu-latest
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT"
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version-file: ".python-version"
- name: Install uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
+ with:
+ version: "0.11.4"
- name: Build distribution
run: uv build
- name: Publish
name: Smokeshow
on:
- workflow_run:
+ workflow_run: # zizmor: ignore[dangerous-triggers]
workflows: [Test]
types: [completed]
-permissions:
- statuses: write
+permissions: {}
jobs:
smokeshow:
runs-on: ubuntu-latest
+ permissions:
+ statuses: write
steps:
- name: Dump GitHub context
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT"
- - uses: actions/checkout@v6
- - uses: actions/setup-python@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version-file: ".python-version"
- name: Setup uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
with:
+ version: "0.11.4"
cache-dependency-glob: |
pyproject.toml
uv.lock
- run: uv sync --locked --no-dev --group github-actions
- - uses: actions/download-artifact@v8
+ - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: coverage-html
path: htmlcov
SMOKESHOW_GITHUB_CONTEXT: coverage
SMOKESHOW_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SMOKESHOW_GITHUB_PR_HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
- SMOKESHOW_AUTH_KEY: ${{ secrets.SMOKESHOW_AUTH_KEY }}
+ SMOKESHOW_AUTH_KEY: ${{ secrets.SMOKESHOW_AUTH_KEY }} # zizmor: ignore[secrets-outside-env]
required: false
default: "false"
+permissions: {}
+
jobs:
job:
if: github.repository_owner == 'fastapi'
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT"
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: true # Required for `git push` in `sponsors.py`
- name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version-file: ".python-version"
- name: Setup uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
with:
+ version: "0.11.4"
enable-cache: true
cache-dependency-glob: |
pyproject.toml
run: uv sync --locked --no-dev --group github-actions
# Allow debugging with tmate
- name: Setup tmate session
- uses: mxschmitt/action-tmate@v3
+ uses: mxschmitt/action-tmate@c0afd6f790e3a5564914980036ebf83216678101 # v3.23
if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.debug_enabled == 'true' }}
with:
limit-access-to-actor: true
- name: FastAPI People Sponsors
run: uv run ./scripts/sponsors.py
env:
- SPONSORS_TOKEN: ${{ secrets.SPONSORS_TOKEN }}
- PR_TOKEN: ${{ secrets.FASTAPI_PR_TOKEN }}
+ SPONSORS_TOKEN: ${{ secrets.SPONSORS_TOKEN }} # zizmor: ignore[secrets-outside-env]
+ PR_TOKEN: ${{ secrets.FASTAPI_PR_TOKEN }} # zizmor: ignore[secrets-outside-env]
- opened
- synchronize
+permissions: {}
+
jobs:
test-redistribute:
runs-on: ubuntu-latest
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT"
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version-file: ".python-version"
- name: Install build dependencies
runs-on: ubuntu-latest
steps:
- name: Decide whether the needed jobs succeeded or failed
- uses: re-actors/alls-green@release/v1
+ uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
with:
jobs: ${{ toJSON(needs) }}
# cron every week on monday
- cron: "0 0 * * 1"
+permissions: {}
+
env:
UV_NO_SYNC: true
INLINE_SNAPSHOT_DEFAULT_FLAGS: review
outputs:
src: ${{ steps.filter.outputs.src }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
# For pull requests it's not necessary to checkout the code but for the main branch it is
- - uses: dorny/paths-filter@v4
+ - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
id: filter
with:
filters: |
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT"
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: ${{ matrix.python-version }}
- name: Setup uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
with:
+ version: "0.11.4"
enable-cache: true
cache-dependency-glob: |
pyproject.toml
# Do not store coverage for all possible combinations to avoid file size max errors in Smokeshow
- name: Store coverage files
if: matrix.coverage == 'coverage'
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: coverage-${{ runner.os }}-${{ matrix.python-version }}-${{ matrix.deprecated-tests}}-${{ hashFiles('**/coverage/.coverage.*') }}
path: coverage
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT"
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: "3.13"
- name: Setup uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
with:
+ version: "0.11.4"
enable-cache: true
cache-dependency-glob: |
pyproject.toml
- name: Install Dependencies
run: uv sync --no-dev --group tests --extra all
- name: CodSpeed benchmarks
- uses: CodSpeedHQ/action@v4
+ uses: CodSpeedHQ/action@1c8ae4843586d3ba879736b7f6b7b0c990757fab # v4.12.1
with:
mode: simulation
run: uv run --no-sync pytest tests/benchmarks --codspeed
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT"
- - uses: actions/checkout@v6
- - uses: actions/setup-python@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version-file: ".python-version"
- name: Setup uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
with:
+ version: "0.11.4"
enable-cache: true
cache-dependency-glob: |
pyproject.toml
- name: Install Dependencies
run: uv sync --locked --no-dev --group tests --extra all
- name: Get coverage files
- uses: actions/download-artifact@v8
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
pattern: coverage-*
path: coverage
- run: uv run coverage combine coverage
- run: uv run coverage html --title "Coverage for ${{ github.sha }}"
- name: Store coverage HTML
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: coverage-html
path: htmlcov
GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT"
- name: Decide whether the needed jobs succeeded or failed
- uses: re-actors/alls-green@release/v1
+ uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
with:
jobs: ${{ toJSON(needs) }}
allowed-skips: coverage-combine,test,benchmark
- cron: "0 12 1 * *"
workflow_dispatch:
+permissions: {}
+
jobs:
topic-repos:
if: github.repository_owner == 'fastapi'
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT"
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: true # Required for `git push` in `topic_repos.py`
- name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version-file: ".python-version"
- name: Setup uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
with:
+ version: "0.11.4"
enable-cache: true
cache-dependency-glob: |
pyproject.toml
- name: Update Topic Repos
run: uv run ./scripts/topic_repos.py
env:
- GITHUB_TOKEN: ${{ secrets.FASTAPI_PR_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.FASTAPI_PR_TOKEN }} # zizmor: ignore[secrets-outside-env]
required: false
default: 10
+permissions: {}
+
jobs:
langs:
runs-on: ubuntu-latest
langs: ${{ steps.show-langs.outputs.langs }}
commands: ${{ steps.show-langs.outputs.commands }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version-file: ".python-version"
- name: Setup uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
with:
+ version: "0.11.4"
cache-dependency-glob: |
pyproject.toml
uv.lock
matrix:
lang: ${{ fromJson(needs.langs.outputs.langs) }}
command: ${{ fromJson(needs.langs.outputs.commands) }}
- permissions:
- contents: write
steps:
- name: Dump GitHub context
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT"
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
+ persist-credentials: false
- name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version-file: ".python-version"
- name: Setup uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
with:
+ version: "0.11.4"
cache-dependency-glob: |
pyproject.toml
uv.lock
run: uv sync --locked --no-dev --group github-actions --group translations
# Allow debugging with tmate
- name: Setup tmate session
- uses: mxschmitt/action-tmate@v3
+ uses: mxschmitt/action-tmate@c0afd6f790e3a5564914980036ebf83216678101 # v3.23
if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.debug_enabled == 'true' }}
with:
limit-access-to-actor: true
env:
- GITHUB_TOKEN: ${{ secrets.FASTAPI_TRANSLATIONS }}
- OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+ GITHUB_TOKEN: ${{ secrets.FASTAPI_TRANSLATIONS }} # zizmor: ignore[secrets-outside-env]
+ OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} # zizmor: ignore[secrets-outside-env]
- name: FastAPI Translate
run: |
- uv run ./scripts/translate.py ${{ matrix.command }}
+ uv run ./scripts/translate.py "$COMMAND"
uv run ./scripts/translate.py make-pr
env:
- GITHUB_TOKEN: ${{ secrets.FASTAPI_TRANSLATIONS }}
- OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+ GITHUB_TOKEN: ${{ secrets.FASTAPI_TRANSLATIONS }} # zizmor: ignore[secrets-outside-env]
+ OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} # zizmor: ignore[secrets-outside-env]
LANGUAGE: ${{ matrix.lang }}
EN_PATH: ${{ github.event.inputs.en_path }}
COMMAND: ${{ matrix.command }}
# See https://pre-commit.com/hooks.html for more hooks
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v6.0.0
+ rev: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c # v6.0.0
hooks:
- id: check-added-large-files
args: ['--maxkb=750']
entry: uv run python scripts/add_latest_release_date.py
files: ^docs/en/docs/release-notes\.md$
pass_filenames: false
+
+ - id: zizmor
+ name: zizmor
+ language: python
+ entry: uv run zizmor .
+ files: ^\.github\/workflows\/
+ require_serial: true
+ pass_filenames: false
{ include-group = "translations" },
"playwright >=1.57.0",
"prek >=0.2.22",
+ "zizmor >=1.23.1",
]
docs = [
{ include-group = "docs-tests" },
{ name = "strawberry-graphql" },
{ name = "ty" },
{ name = "typer" },
+ { name = "zizmor" },
]
docs = [
{ name = "black" },
{ name = "strawberry-graphql", specifier = ">=0.200.0,<1.0.0" },
{ name = "ty", specifier = ">=0.0.9" },
{ name = "typer", specifier = ">=0.21.1" },
+ { name = "zizmor", specifier = ">=1.23.1" },
]
docs = [
{ name = "black", specifier = ">=25.1.0" },
wheels = [
{ url = "https://files.pythonhosted.org/packages/2e/54/647ade08bf0db230bfea292f893923872fd20be6ac6f53b2b936ba839d75/zipp-3.23.0-py3-none-any.whl", hash = "sha256:071652d6115ed432f5ce1d34c336c0adfd6a884660d1e9712a256d3d3bd4b14e", size = 10276, upload-time = "2025-06-08T17:06:38.034Z" },
]
+
+[[package]]
+name = "zizmor"
+version = "1.23.1"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/9e/58/d0228b1332f001f905d3cdd288a878d339e740ef8a92c321696a7359bdcd/zizmor-1.23.1.tar.gz", hash = "sha256:eb9871f1de004d8c6e35ff403bd6a41c495062736e78b9c4a98988970c598639", size = 463942, upload-time = "2026-03-08T16:57:29.065Z" }
+wheels = [
+ { url = "https://files.pythonhosted.org/packages/49/57/32893d3370aa39f140934ee346a77aff1bc38d1de5248b9385dfcea612b7/zizmor-1.23.1-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:85f222eb610379aeeea76e4dc616621fdae9f21db77d1b006820452cafa739eb", size = 9085239, upload-time = "2026-03-08T16:57:32.241Z" },
+ { url = "https://files.pythonhosted.org/packages/e3/43/037b68a2d173a44286f27c5c47e219d8beba758a323e1642770956831732/zizmor-1.23.1-py3-none-macosx_11_0_arm64.whl", hash = "sha256:82a7925bbdbc69713cbeb19ec90012cba3b92e3ace65ae60088e9604c5724182", size = 8657180, upload-time = "2026-03-08T16:57:23.078Z" },
+ { url = "https://files.pythonhosted.org/packages/e5/37/322ec0e8b8d39a7de30290b754bd564c0b1c432d72f7b7aa011eca87cc7b/zizmor-1.23.1-py3-none-manylinux_2_24_aarch64.whl", hash = "sha256:19af913bb4bcd6dfeea41477fcf203d69e053f4b14a2b35690485c44ffa6c4a7", size = 8788247, upload-time = "2026-03-08T16:57:18.477Z" },
+ { url = "https://files.pythonhosted.org/packages/3f/e7/5ca6f7d56741b190c6d7d3721eb98c66e23fb68d64e6886c92993e049f36/zizmor-1.23.1-py3-none-manylinux_2_28_armv7l.whl", hash = "sha256:08ae0d8f4d665f6cf9b475913c64d2193d52ffc6f02ce66d4dcfd1b92daf4f82", size = 8374212, upload-time = "2026-03-08T16:57:25.437Z" },
+ { url = "https://files.pythonhosted.org/packages/d4/a5/a3784392aeaca14d65c5e5efa2795d887ba24db4871a942e06a99f90a3c8/zizmor-1.23.1-py3-none-manylinux_2_28_x86_64.whl", hash = "sha256:08233d0d25947e43ac92374f22383c04e43f351f44bc44d60b3c0695157c0f3e", size = 9230697, upload-time = "2026-03-08T16:57:34.425Z" },
+ { url = "https://files.pythonhosted.org/packages/b6/0d/4475ded1664262af70525700e158c3156653391770159d65cd80245fb68e/zizmor-1.23.1-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:795e04dff47ca1d1b0af2d7a5d3a96909a18d5fa80548534951efb24af6ec83e", size = 8820009, upload-time = "2026-03-08T16:57:36.865Z" },
+ { url = "https://files.pythonhosted.org/packages/a8/ef/818c68d9b407e3d02fbe7e39ad73750846d19afad50c4c9ad86455214fc2/zizmor-1.23.1-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:c62059c75100d0bc1a19cd95a6dce9b93ac5ab2e7d7bcdd974c51b2c5eb503e3", size = 8331336, upload-time = "2026-03-08T16:57:20.825Z" },
+ { url = "https://files.pythonhosted.org/packages/28/bb/1c984e1474fcf5f08e5847838007668d2682e1fcbc109d481967736ab18f/zizmor-1.23.1-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:cf0dc93171e9ae7b822041471715ea7a9f5ebefa6865ceb6d1a39729a982d770", size = 9314682, upload-time = "2026-03-08T16:57:27.361Z" },
+ { url = "https://files.pythonhosted.org/packages/fb/26/10f597f9b19ecd7bece2a1eb7d1ca1bd09d089d750d70365c76118056ec1/zizmor-1.23.1-py3-none-win32.whl", hash = "sha256:229c6b275941a18b03eef0ba5d24089dfbbe4fc34633a6b22bf924294ef69cde", size = 7464678, upload-time = "2026-03-08T16:57:30.569Z" },
+ { url = "https://files.pythonhosted.org/packages/04/25/14071ea8ab5ebde85391d27e9de060d8a31a44eea448aba8d8bdd30693b3/zizmor-1.23.1-py3-none-win_amd64.whl", hash = "sha256:dc9befe3c08fea7d0fa3a0bc98073fadf31a77f0572b1f7931e1ff300337fe11", size = 8506938, upload-time = "2026-03-08T16:57:15.787Z" },
+]
projects / thirdparty / fastapi / fastapi.git / commitdiff
