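--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,23 @@
+# Dependabot configuration.
+#
+# - Keeps GitHub Actions up to date.
+# - Actions are pinned to commit SHAs in workflows; Dependabot still
+# recognises and updates SHA-pinned uses, preserving the trailing
+# "# vX.Y.Z" version comment when it opens an update PR.
+# - The cooldown.default-days value gives 7 days between an upstream
+# release and Dependabot raising a PR for it. This reduces exposure to
+# compromised releases that get yanked or revoked shortly after publication
+# (a common supply-chain attack pattern), while still keeping us current.
+#
+# Docs: https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference
+version: 2
+updates:
+- package-ecosystem: "github-actions"
+directory: "/"
+schedule:
+interval: "weekly"
+cooldown:
+default-days: 7
+commit-message:
+prefix: "ci"
+include: "scope"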
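Review bot: Only the `github-actions` ecosystem is configured, so the Python dependencies declared in `pyproject.toml` and `requirements.txt` (the files the workflows hash for their pip cache key) receive no version or security-update PRs from this file, even though its header comment frames it as the supply-chain control. A second entry under `updates` for the `pip` ecosystem with the same directory and schedule would close that gap, and the same cooldown can be applied to it if the 7-day delay is wanted there too. Whether `cooldown` also delays updates raised for a published security advisory is worth confirming against the linked options reference, since that is the case where waiting is least desirable; if it does, a shorter value or a per-dependency exception may be preferable.
```yaml
updates:
  # … unchanged: github-actions entry …
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7
```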
18 changes: 15 additions & 3 deletions .github/workflows/python-publish.yml
@@ -1,6 +1,18 @@
# This workflow will upload a Python Package using Twine when a release is created
# For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries

# Third-party GitHub Actions are pinned to a full 40-character commit SHA
# (with a `# vX.Y.Z` trailing comment for human readability). This protects
# against tag re-pointing supply-chain attacks: a tag like `v4` is mutable
# and can be silently rewritten to malicious code, but a commit SHA is not.
# Dependabot (see .github/dependabot.yml) recognises this pattern and keeps
# both the SHA and the version comment in sync when raising update PRs.
#
# Convention reference:
# https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
# Tooling that automates the pin/unpin cycle:
# https://github.com/mheap/pin-github-action

name: Upload Python Package

on:
Expand All @@ -12,15 +24,15 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Set up Python
uses: actions/setup-python@v5
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: "3.12"

- name: Cache pip
uses: actions/cache@v4
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
with:
path: ~/.cache/pip
key: ${{ runner.os }}-pip-${{ hashFiles('pyproject.toml', 'requirements.txt') }}
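Review bot: The trailing `# v6.0.2`, `# v6.2.0` and `# v5.0.5` comments on the checkout, setup-python and cache steps in the second hunk are not checked by the runner, so the SHA alone is what pins the action; each SHA should be confirmed to resolve to the tagged release before merge (for example with `git ls-remote --tags` against the action repository), because a comment that does not match its SHA misleads both reviewers and the Dependabot updates the header comment relies on. Those same lines also move each action across a major version (v4 to v6, v5 to v6, v4 to v5) in the same change as the pin, mixing a behaviour change with the supply-chain hardening; pinning first to the SHA of the major already in use would keep the two separable and easier to bisect. The rest of the job, including the publish step that this workflow exists for, is outside the hunk, so whether it is pinned cannot be confirmed here. The same applies to the identical hunk in .github/workflows/run-pytest-on-push-and-all-prs.yml, whose header comment also repeats this file's eleven-line rationale verbatim; a one-line pointer to a single shared location (the dependabot.yml header already carries it) would stop the two copies drifting.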
18 changes: 15 additions & 3 deletions .github/workflows/run-pytest-on-push-and-all-prs.yml
@@ -1,5 +1,17 @@
name: Run Pytest on pushes to main branches or PRs to any branch

# Third-party GitHub Actions are pinned to a full 40-character commit SHA
# (with a `# vX.Y.Z` trailing comment for human readability). This protects
# against tag re-pointing supply-chain attacks: a tag like `v4` is mutable
# and can be silently rewritten to malicious code, but a commit SHA is not.
# Dependabot (see .github/dependabot.yml) recognises this pattern and keeps
# both the SHA and the version comment in sync when raising update PRs.
#
# Convention reference:
# https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
# Tooling that automates the pin/unpin cycle:
# https://github.com/mheap/pin-github-action

on:
pull_request:
branches:
Expand All @@ -19,15 +31,15 @@ jobs:
python-version: ["3.9", "3.10", "3.11", "3.12"]

steps:
- uses: actions/checkout@v4
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v5
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: ${{ matrix.python-version }}

- name: Cache pip
uses: actions/cache@v4
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
with:
path: ~/.cache/pip
key: ${{ runner.os }}-pip-${{ matrix.python-version }}-${{ hashFiles('pyproject.toml', 'requirements.txt') }}