🔒️ Improve GitHub actions security (#15607)
authorYurii Motov <109919500+YuriiMotov@users.noreply.github.com>
Wed, 27 May 2026 20:57:52 +0000 (22:57 +0200)
committerGitHub <noreply@github.com>
Wed, 27 May 2026 20:57:52 +0000 (22:57 +0200)
22 files changed:
.github/workflows/add-to-project.yml
.github/workflows/build-docs.yml
.github/workflows/contributors.yml
.github/workflows/deploy-docs.yml
.github/workflows/detect-conflicts.yml
.github/workflows/guard-dependencies.yml
.github/workflows/issue-manager.yml
.github/workflows/label-approved.yml
.github/workflows/labeler.yml
.github/workflows/latest-changes.yml
.github/workflows/notify-translations.yml
.github/workflows/people.yml
.github/workflows/pre-commit.yml
.github/workflows/publish.yml
.github/workflows/smokeshow.yml
.github/workflows/sponsors.yml
.github/workflows/test-redistribute.yml
.github/workflows/test.yml
.github/workflows/topic-repos.yml
.github/workflows/translate.yml
.github/workflows/zizmor.yml [new file with mode: 0644]
.pre-commit-config.yaml

index 318c3c2fb01382a87e7445511c4701c3a63bfb40..35d089860c07306cb8c912c67f60c5679b5d3094 100644 (file)
@@ -13,6 +13,7 @@ jobs:
   add-to-project:
     name: Add to project
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     steps:
       - uses: actions/add-to-project@5afcf98fcd03f1c2f92c3c83f58ae24323cc57fd # v2.0.0
         with:
index f30ea3bef921acf45ea2ef6fb0587b054bd6284e..128b69e94d372c2ea1999afced0b8a19d7208585 100644 (file)
@@ -16,6 +16,7 @@ jobs:
     # Required permissions
     permissions:
       pull-requests: read
+    timeout-minutes: 5
     # Set job outputs to values from filter step
     outputs:
       docs: ${{ steps.filter.outputs.docs }}
@@ -42,6 +43,7 @@ jobs:
       - changes
     if: ${{ needs.changes.outputs.docs == 'true' }}
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     outputs:
       langs: ${{ steps.show-langs.outputs.langs }}
     steps:
@@ -55,6 +57,8 @@ jobs:
       - name: Setup uv
         uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         with:
+          # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
+          # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
           version: "0.11.4"
           enable-cache: true
           cache-dependency-glob: |
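Review bot: The new comment above `version:` documents that checksum verification depends on setup-uv's bundled list of known uv releases, which turns every future uv bump into a manual cross-check against the action's repository. setup-uv also exposes an explicit `checksum:` input alongside `version:`; pinning the release's published SHA-256 there would make verification independent of the action's list, which is straightforward for a single-runner job like this one (a matrix over runner platforms would need one value per platform, so it fits less well in test.yml). If that is judged too heavy, the comment should at least state what happens when the checksum is unknown to the action (download rejected or verification skipped), since that is the property the pin is protecting and the linked issue is the only place a reader can currently find it. The identical comment is repeated on every other setup-uv step in this commit, so whichever wording is chosen should be applied to all of them.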
@@ -73,6 +77,7 @@ jobs:
       - langs
     if: ${{ needs.changes.outputs.docs == 'true' }}
     runs-on: ubuntu-latest
+    timeout-minutes: 7
     strategy:
       matrix:
         lang: ${{ fromJson(needs.langs.outputs.langs) }}
@@ -91,6 +96,8 @@ jobs:
       - name: Setup uv
         uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         with:
+          # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
+          # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
           version: "0.11.4"
           enable-cache: true
           cache-dependency-glob: |
index 17649a653d9ad461f23eead089b537d93473414e..cc963ee55bd88c4e38913c8a8d2a0d39683729c6 100644 (file)
@@ -33,6 +33,8 @@ jobs:
       - name: Setup uv
         uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         with:
+          # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
+          # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
           version: "0.11.4"
           enable-cache: true
           cache-dependency-glob: |
index be1d93b305a7951d8d0729f9886656fc51e471c7..1009ec6aafbd5e068665c039dba5c921e12171aa 100644 (file)
@@ -16,6 +16,7 @@ jobs:
       issues: write
       pull-requests: write
       statuses: write
+    timeout-minutes: 5
     steps:
       - name: Dump GitHub context
         env:
@@ -31,6 +32,8 @@ jobs:
       - name: Setup uv
         uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         with:
+          # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
+          # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
           version: "0.11.4"
           enable-cache: false
       - name: Install GitHub Actions dependencies
index 38d526bd9bedab168e6bbcbc2b87de2993bc76e7..b824f8ae3a6ef3e45a1e85ae5c9c9ac95b985b75 100644 (file)
@@ -12,6 +12,7 @@ jobs:
       contents: read
       pull-requests: write
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     steps:
       - name: Check if PRs have merge conflicts
         uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3.0.3
index c3f97c37525a6d1f942680eb0f8a20be8ac338f2..142c7e50edebb6068a1cf6ea24638db683ef25a6 100644 (file)
@@ -15,6 +15,7 @@ permissions:
 jobs:
   check-author:
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     steps:
       - name: Check if author is org member or allowed bot
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
index c0ffd7ac7000a460be5f3f9b61b1ee0e42a16310..fca3f1f2f8eb223d0f8aefc42cee96dbf8bc847c 100644 (file)
@@ -23,6 +23,7 @@ jobs:
     permissions:
       issues: write
       pull-requests: write
+    timeout-minutes: 5
     steps:
       - name: Dump GitHub context
         env:
index e8ad87439c934901e16513c668bdabc05985d971..55ec5c1c14770c6eb90cd5c28bb78b1864900da5 100644 (file)
@@ -13,6 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       pull-requests: write
+    timeout-minutes: 7
     steps:
     - name: Dump GitHub context
       env:
@@ -28,6 +29,8 @@ jobs:
     - name: Setup uv
       uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
       with:
+        # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
+        # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
         version: "0.11.4"
         enable-cache: true
         cache-dependency-glob: |
index 2072a3f0b9124133126ea736b82135341c879cfe..5b7524f25efbc49ef9495da412e2214b1383a8e8 100644 (file)
@@ -17,6 +17,7 @@ jobs:
       contents: read
       pull-requests: write
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     steps:
     - uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6.1.0
       if: ${{ github.event.action != 'labeled' && github.event.action != 'unlabeled' }}
@@ -28,6 +29,7 @@ jobs:
     permissions:
       pull-requests: read
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     steps:
       - uses: agilepathway/label-checker@c3d16ad512e7cea5961df85ff2486bb774caf3c5 # v1.6.65
         with:
index aaa12c17d576727e547e0d1442bcd3e08e451143..12bc6768652ff4b296700f36ab6a94407e87337c 100644 (file)
@@ -22,6 +22,7 @@ jobs:
   latest-changes:
     runs-on: ubuntu-latest
     if: github.event_name == 'workflow_dispatch' || github.event.pull_request.merged == true
+    timeout-minutes: 5
     steps:
       - name: Dump GitHub context
         env:
index 9b8c6d7f1e60daa3036a6e3b62ae5a3c708b5a8c..820ac704060f80f0cf11f09238386c5e073c3153 100644 (file)
@@ -24,6 +24,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       discussions: write
+    timeout-minutes: 5
     steps:
       - name: Dump GitHub context
         env:
@@ -39,6 +40,8 @@ jobs:
       - name: Setup uv
         uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         with:
+          # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
+          # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
           version: "0.11.4"
           enable-cache: true
           cache-dependency-glob: |
index d3baec1d06ed300b7539b99b119fa76c541afad0..b9c0502a526f0c6eb37e216597e041785ab6e351 100644 (file)
@@ -33,6 +33,8 @@ jobs:
       - name: Setup uv
         uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         with:
+          # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
+          # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
           version: "0.11.4"
           enable-cache: true
           cache-dependency-glob: |
index 5e358e8f27c48d978038887bed32f80c73b81ad9..1e156b2499c9ed017a90cd484421f319a695eec8 100644 (file)
@@ -15,6 +15,7 @@ env:
 jobs:
   pre-commit:
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     steps:
       - name: Dump GitHub context
         env:
@@ -48,6 +49,8 @@ jobs:
       - name: Setup uv
         uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         with:
+          # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
+          # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
           version: "0.11.4"
           cache-dependency-glob: |
             pyproject.toml
@@ -84,6 +87,7 @@ jobs:
     needs:
       - pre-commit
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     steps:
       - name: Dump GitHub context
         env:
index f7f180e8e2b6b571294c333bc57e84937639c58f..307b3cb3c08c965a0464b258b82af623b5df6e99 100644 (file)
@@ -13,6 +13,7 @@ jobs:
     permissions:
       id-token: write
       contents: read
+    timeout-minutes: 5
     steps:
       - name: Dump GitHub context
         env:
@@ -28,6 +29,8 @@ jobs:
       - name: Install uv
         uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         with:
+          # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
+          # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
           version: "0.11.4"
           enable-cache: "false"
       - name: Build distribution
index c177b7390b06a9b2da7e97c32cbafc9b67edf485..27bb8b195c62e9b662b7998b17d6e7724ddc97ff 100644 (file)
@@ -12,6 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       statuses: write
+    timeout-minutes: 5
 
     steps:
       - name: Dump GitHub context
@@ -27,6 +28,8 @@ jobs:
       - name: Setup uv
         uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         with:
+          # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
+          # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
           version: "0.11.4"
           cache-dependency-glob: |
             pyproject.toml
index b1ab7f11d8b74981e71e8bd7f36df98308eed586..f1538caef1c0800d6006d7f70d5341eb280f3cb5 100644 (file)
@@ -18,6 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
+    timeout-minutes: 5
     steps:
       - name: Dump GitHub context
         env:
@@ -33,6 +34,8 @@ jobs:
       - name: Setup uv
         uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         with:
+          # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
+          # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
           version: "0.11.4"
           enable-cache: true
           cache-dependency-glob: |
index fad16fb2cd270b0ec8d970714ded2c7632f28061..c78fbff56533d8f2cb32eb2d96c6fcaee3bc62e2 100644 (file)
@@ -14,6 +14,7 @@ permissions: {}
 jobs:
   test-redistribute:
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     steps:
       - name: Dump GitHub context
         env:
@@ -57,6 +58,7 @@ jobs:
     needs:
       - test-redistribute
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     steps:
       - name: Decide whether the needed jobs succeeded or failed
         uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
index edcc49b309a68ccc75b2007932fd18666ae1c4a7..c0c2bd540a4af229bfe7722f8d58a6f639966a50 100644 (file)
@@ -25,6 +25,7 @@ jobs:
     permissions:
       pull-requests: read
     # Set job outputs to values from filter step
+    timeout-minutes: 5
     outputs:
       src: ${{ steps.filter.outputs.src }}
     steps:
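Review bot: The inserted `timeout-minutes: 5` lands between the comment `# Set job outputs to values from filter step` and the `outputs:` key it describes, so the comment now reads as if it annotates the timeout. In build-docs.yml the same change places the timeout above that comment; do the same here by moving the new line up one, directly under `pull-requests: read`, so `outputs:` stays attached to its comment and the two `changes` jobs read the same way.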
@@ -50,6 +51,7 @@ jobs:
     needs:
       - changes
     if: needs.changes.outputs.src == 'true' || github.ref == 'refs/heads/master'
+    timeout-minutes: 10
     strategy:
       matrix:
         os: [ windows-latest, macos-latest ]
@@ -118,6 +120,8 @@ jobs:
       - name: Setup uv
         uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         with:
+          # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
+          # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
           version: "0.11.4"
           enable-cache: true
           cache-dependency-glob: |
@@ -161,6 +165,7 @@ jobs:
       - changes
     if: needs.changes.outputs.src == 'true' || github.ref == 'refs/heads/master'
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     env:
       UV_PYTHON: "3.13"
       UV_RESOLUTION: highest
@@ -179,6 +184,8 @@ jobs:
       - name: Setup uv
         uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         with:
+          # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
+          # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
           version: "0.11.4"
           enable-cache: true
           cache-dependency-glob: |
@@ -196,6 +203,7 @@ jobs:
     needs:
       - test
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     steps:
       - name: Dump GitHub context
         env:
@@ -210,6 +218,8 @@ jobs:
       - name: Setup uv
         uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         with:
+          # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
+          # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
           version: "0.11.4"
           enable-cache: true
           cache-dependency-glob: |
@@ -241,6 +251,7 @@ jobs:
       - coverage-combine
       - benchmark
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     steps:
       - name: Dump GitHub context
         env:
index 69bfdaff9dd3a539264851ba688827c2afa89fc4..1b34f1f58f1692030204e4a01e8a12eceab4abe0 100644 (file)
@@ -13,6 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
+    timeout-minutes: 5
     steps:
       - name: Dump GitHub context
         env:
@@ -28,6 +29,8 @@ jobs:
       - name: Setup uv
         uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         with:
+          # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
+          # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
           version: "0.11.4"
           enable-cache: true
           cache-dependency-glob: |
index 87023623ed0d77ea15f6c2f8d890be3853d62fa5..4c624c93c8bdee8fd8f433753ac0f0fa7fcd2538 100644 (file)
@@ -60,6 +60,8 @@ jobs:
       - name: Setup uv
         uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         with:
+          # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
+          # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
           version: "0.11.4"
           cache-dependency-glob: |
             pyproject.toml
@@ -101,6 +103,8 @@ jobs:
       - name: Setup uv
         uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         with:
+          # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
+          # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
           version: "0.11.4"
           cache-dependency-glob: |
             pyproject.toml
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644 (file)
index 0000000..1ce7c7b
--- /dev/null
@@ -0,0 +1,24 @@
+name: Zizmor
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: Run zizmor
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    permissions:
+      security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
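Review bot: The `push` trigger filters on `branches: [main]`, but test.yml in this same commit compares `github.ref` against `refs/heads/master`, which suggests the repository's default branch is `master`; if so, this workflow only ever runs via `workflow_dispatch` and the SARIF results never reach code scanning on their own. Change the filter to `- master` (or whatever the default branch actually is) and consider adding a weekly `schedule:` entry so newly added zizmor audits are surfaced without waiting for a workflow edit; a `pull_request:` trigger would surface findings before merge, with the caveat that fork PRs get a read-only token, so SARIF upload would need to tolerate that case. The pre-commit hook covers local and PR runs but does not upload SARIF, so the push trigger is what makes findings visible in the Security tab.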
index d304b78e8c417c6db74b191c9c1e541ecd9df32f..b53e2c9ea8f502dc1190848ffb16a0478dfdba18 100644 (file)
@@ -96,6 +96,6 @@ repos:
         name: zizmor
         language: python
         entry: uv run zizmor .
-        files: ^\.github\/workflows\/
+        files: ^\.github/workflows/|^uv\.lock$
         require_serial: true
         pass_filenames: false
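Review bot: The widened `files` pattern now re-runs zizmor when `uv.lock` changes, which covers a zizmor version bump, but it still matches only `.github/workflows/`; zizmor also audits composite actions (`action.yml`/`action.yaml`), so if the repository has any under `.github/actions/`, edits to them would not trigger this hook. Widening the regex to `^\.github/(workflows|actions)/|^uv\.lock$` closes that gap; because `pass_filenames: false` and the entry scans `.`, the pattern only decides when the hook fires, not what it scans. Dropping the escaped `\/` from the old pattern is fine, since `/` is not special in Python regexes.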