diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml index ab251ae..fbee359 100644 --- a/.github/workflows/python-package.yml +++ b/.github/workflows/python-package.yml @@ -2,8 +2,8 @@ name: Build Python Package on: pull_request: - paths: - - ".github/workflows/python-package.yml" + paths: + - ".github/workflows/python-package.yml" workflow_dispatch: inputs: incoming_ref: @@ -82,6 +82,7 @@ jobs: shell: python env: INCOMING_REF: "${{ inputs.incoming_ref || 'main' }}" + GH_TOKEN: ${{ github.token }} - name: Post the status to the upstream commit id: set-the-status if: steps.munge-incoming-ref.outputs.tag-ref == 'false' && github.event_name != 'pull_request' @@ -115,7 +116,7 @@ jobs: uses: actions/setup-python@v5 with: python-version: "3.12" - cache: 'pip' + cache: "pip" cache-dependency-path: interfaces/python_sdist/pyproject.toml.in - name: Install dependencies run: python3 -m pip install scons build 
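Review bot: The added `GH_TOKEN: ${{ github.token }}` hands the workflow token to an inline `shell: python` step, and nothing visible in this hunk limits what that token may do. The step's script and the job header are outside the hunk, so which API call needs the token cannot be checked from here. If it is only a read, the job should say so with a job-level `permissions:` block containing `contents: read` rather than inherit the repository default; zizmor.yml in this same commit sets `permissions: {}` at workflow level, and the same baseline would fit here. A comment above the new line stating why the token is needed, for example `# token used for authenticated API lookups in the script above` (wording to match what the script really does), would let the next reviewer judge the scope.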
@@ -217,18 +218,18 @@ jobs: - name: Install boost # Our custom manylinux images already have Boost installed if: runner.os != 'Linux' - uses: MarkusJx/install-boost@v2.5.0 + uses: MarkusJx/install-boost@b1f0ee8b87cf60236b72440c72d0085d002770c5 # v2.5.0 id: install-boost with: - # REQUIRED: Specify the required boost version - # A list of supported versions can be found here: - # https://github.com/MarkusJx/prebuilt-boost/blob/main/versions-manifest.json - boost_version: ${{ matrix.boost-version }} - # OPTIONAL: Specify a custon install location - boost_install_dir: ${{ runner.temp }} - toolset: ${{ matrix.boost-toolset }} - platform_version: ${{ matrix.boost-platform-version }} - arch: ${{ matrix.boost-arch }} + # REQUIRED: Specify the required boost version + # A list of supported versions can be found here: + # https://github.com/MarkusJx/prebuilt-boost/blob/main/versions-manifest.json + boost_version: ${{ matrix.boost-version }} + # OPTIONAL: Specify a custon install location + boost_install_dir: ${{ runner.temp }} + toolset: ${{ matrix.boost-toolset }} + platform_version: ${{ matrix.boost-platform-version }} + arch: ${{ matrix.boost-arch }} - name: Restore the cached built libraries id: restore-built-libraries @@ -275,7 +276,7 @@ jobs: key: ${{ steps.restore-built-libraries.outputs.cache-primary-key }} - name: Build wheels - uses: pypa/cibuildwheel@v2.23.2 + uses: pypa/cibuildwheel@5f22145df44122af0f5a201f93cf0207171beca7 # 3.0.0 env: CANTERA_TEST_DIR: ${{ steps.download-test-files.outputs.test-root }} CIBW_ENVIRONMENT_LINUX: CT_SKIP_SLOW=1 CANTERA_TEST_DIR=/host${{ steps.download-test-files.outputs.test-root }} @@ -311,7 +312,7 @@ jobs: pattern: cibw-* merge-multiple: true - name: pypi-publish - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4 send_status_to_cantera: name: Send jobs status to Cantera/cantera 
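Review bot: Pinning `MarkusJx/install-boost` to a commit fixes the action's own code, but the Boost binaries it installs appear to come from the separate `MarkusJx/prebuilt-boost` repository named in the comment, and the hash does not cover those. Because the following steps build wheels, that gap is worth recording next to the pin, e.g. `# NOTE: the SHA pins the action only; the prebuilt Boost archive it fetches is not integrity-checked here`. The trailing `# v2.5.0` is the only link between hash and release, so confirm the hash is the commit that tag resolves to. The re-indented comment still reads "custon"; `# OPTIONAL: Specify a custom install location` would fix it while the line is being touched.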
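Review bot: The `uses: pypa/cibuildwheel@…` line does more than pin: it moves from `v2.23.2` to the 3.0.0 release, a major-version change, in a commit whose other edits keep the version they already had. The `CIBW_*` settings in the `env:` block below, which continues outside the hunk, were written against 2.x and should be checked against the 3.0 release notes. Alternatively, pin the commit for `v2.23.2` here and make the upgrade a separate change. The trailing comment also drops the `v` that the other pins carry; `# v3.0.0` would match the upstream tag name, so automated updaters can recognise and rewrite it.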
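Review bot: `release/v1` was a moving branch, so until now the `pypi-publish` step picked up upstream fixes on its own; with the hash pin it stays at v1.12.4 until someone edits this line. The diff shows no updater configuration, so if the repository has none, a `package-ecosystem: "github-actions"` entry in `.github/dependabot.yml` would keep this hash current, along with those for install-boost, cibuildwheel and zizmor-action. The job header is outside the hunk. Since this is the step that uploads to PyPI, confirm that its job grants only what publishing needs (`id-token: write` if trusted publishing is used) and nothing broader.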
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 0e83b94..a1a10de 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -6,6 +6,8 @@ on: pull_request: branches: ["**"] +permissions: {} + jobs: zizmor: name: zizmor latest via PyPI @@ -18,16 +20,5 @@ jobs: with: persist-credentials: false - - name: Install the latest version of uv - uses: astral-sh/setup-uv@v5 - - name: Run zizmor 🌈 - run: uvx zizmor --format=sarif . > results.sarif - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: results.sarif - category: zizmor + uses: zizmorcore/zizmor-action@f52a838cfabf134edcbaa7c8b3677dde20045018 # v0.1.1
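Review bot: With `permissions: {}` at workflow level, the `zizmor` job receives no token scopes unless it declares its own, and the lines between this hunk and the next, where a job-level `permissions:` block would sit, are not shown. The removed `upload-sarif` step needed `security-events: write`, so the block is probably already there, but it should be confirmed. Without it the action's upload to code scanning would be refused. The job-level block to check for is `security-events: write` and `contents: read`, plus `actions: read` on a private repository.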
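Review bot: The job is still named `zizmor latest via PyPI` (a context line in the previous hunk), which no longer describes this step: zizmor now comes from the pinned `zizmorcore/zizmor-action`, not from `uvx`. Something like `name: Run zizmor` would stay accurate. The new step has no `with:` block, so the token, the SARIF upload and the `category: zizmor` that the removed step set explicitly now all depend on the action's defaults at v0.1.1. A comment such as `# relies on zizmor-action defaults for token and SARIF upload` would make that dependency visible. It is also worth checking that results land under the same code-scanning category as before, so older alerts are not left open under a category that no longer receives uploads.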