

[3.12] Add zizmor to pre-commit and fix most findings (pythonGH-127749)…
… (python#127788)

Co-authored-by: Hugo van Kemenade <[email protected]>
Co-authored-by: Alex Waygood <[email protected]>
Co-authored-by: Ezio Melotti <[email protected]>
3 people authored Dec 10, 2024
1 parent 8159d0c commit 381eb04
Showing 16 changed files with 75 additions and 24 deletions.
13 changes: 12 additions & 1 deletion .github/workflows/build.yml
Expand Up @@ -55,6 +55,8 @@ jobs:
if: needs.check_source.outputs.run_tests == 'true'
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/setup-python@v5
- name: Install dependencies
run: |
Expand Down Expand Up @@ -109,6 +111,7 @@ jobs:
- uses: actions/checkout@v4
with:
fetch-depth: 1
persist-credentials: false
- name: Runner image version
run: echo "IMAGE_VERSION=${ImageVersion}" >> $GITHUB_ENV
- name: Check Autoconf and aclocal versions
Expand Down Expand Up @@ -145,6 +148,8 @@ jobs:
if: needs.check_source.outputs.run_tests == 'true'
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/setup-python@v5
with:
python-version: '3.x'
Expand Down Expand Up @@ -299,6 +304,8 @@ jobs:
LD_LIBRARY_PATH: ${{ github.workspace }}/multissl/openssl/${{ matrix.openssl_ver }}/lib
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Runner image version
run: echo "IMAGE_VERSION=${ImageVersion}" >> $GITHUB_ENV
- name: Restore config.cache
Expand Down Expand Up @@ -351,6 +358,8 @@ jobs:
PYTHONSTRICTEXTENSIONBUILD: 1
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Register gcc problem matcher
run: echo "::add-matcher::.github/problem-matchers/gcc.json"
- name: Install dependencies
Expand Down Expand Up @@ -433,7 +442,7 @@ jobs:
#
# (GH-104097) test_sysconfig is skipped because it has tests that are
# failing when executed from inside a virtual environment.
${{ env.VENV_PYTHON }} -m test \
"${VENV_PYTHON}" -m test \
-W \
-o \
-j4 \
Expand Down Expand Up @@ -465,6 +474,8 @@ jobs:
ASAN_OPTIONS: detect_leaks=0:allocator_may_return_null=1:handle_segv=0
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Runner image version
run: echo "IMAGE_VERSION=${ImageVersion}" >> $GITHUB_ENV
- name: Restore config.cache
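Review bot: The `persist-credentials: false` additions at lines 25-26, 42-43, 51-52, 60-61 and 78-79 carry no explanation of why the token is withheld from `.git/config`; a one-line comment above the first of them, `# Do not leave the job token in .git/config; no later step needs authenticated git`, would stop a future contributor from dropping it when a push or authenticated fetch step is added. The same addition is made without comment in lint.yml, mypy.yml, reusable-change-detection.yml, reusable-docs.yml, reusable-macos.yml, reusable-tsan.yml, reusable-ubuntu.yml, reusable-windows.yml, reusable-windows-msi.yml and verify-ensurepip-wheels.yml. Each `uses: actions/checkout@v4` is still pinned to a mutable tag rather than a commit SHA, which zizmor can also report; SHA pinning with a trailing `# v4` comment is the supply-chain-hardened form and can be a follow-up. The `"${VENV_PYTHON}" -m test` change at line 70 is correct only because `VENV_PYTHON` is a job or step `env` entry exported to the shell, which the hunk does not show; the jobs these hunks belong to begin above each hunk.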
6 changes: 3 additions & 3 deletions .github/workflows/documentation-links.yml
Expand Up @@ -10,16 +10,16 @@ on:
- 'Doc/**'
- '.github/workflows/doc.yml'

permissions:
pull-requests: write

concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true

jobs:
documentation-links:
runs-on: ubuntu-latest
permissions:
pull-requests: write

steps:
- uses: readthedocs/actions/preview@v1
with:
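Review bot: With the top-level `permissions:` block removed at lines 90-91 and moved onto the job at lines 100-101, any job added to this workflow later inherits the repository's default token scope instead of an explicit one; adding `permissions: {}` at workflow level keeps that default at nothing while the `documentation-links` job still requests `pull-requests: write`. The same applies to require-pr-label.yml and stale.yml in this commit. The trigger is above the hunk, but since `.github/zizmor.yml` waives `dangerous-triggers` for this file it presumably uses `pull_request_target`; the visible steps perform no checkout, which is what keeps a write-scoped token safe there, and a comment above `steps:`, `# No checkout here: PR head content is never run under this write-scoped token`, would record that invariant.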
2 changes: 2 additions & 0 deletions .github/workflows/lint.yml
Expand Up @@ -20,6 +20,8 @@ jobs:

steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/setup-python@v5
with:
python-version: "3.x"
2 changes: 2 additions & 0 deletions .github/workflows/mypy.yml
Expand Up @@ -31,6 +31,8 @@ jobs:
timeout-minutes: 10
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/setup-python@v5
with:
python-version: "3.x"
7 changes: 3 additions & 4 deletions .github/workflows/require-pr-label.yml
Expand Up @@ -4,15 +4,14 @@ on:
pull_request:
types: [opened, reopened, labeled, unlabeled, synchronize]

permissions:
issues: write
pull-requests: write

jobs:
label:
name: DO-NOT-MERGE / unresolved review
if: github.repository_owner == 'python'
runs-on: ubuntu-latest
permissions:
issues: write
pull-requests: write
timeout-minutes: 10

steps:
2 changes: 2 additions & 0 deletions .github/workflows/reusable-change-detection.yml
Expand Up @@ -61,6 +61,8 @@ jobs:
- run: >-
echo '${{ github.event_name }}'
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Check for source changes
id: check
run: |
14 changes: 10 additions & 4 deletions .github/workflows/reusable-docs.yml
Expand Up @@ -19,12 +19,14 @@ jobs:
env:
branch_base: 'origin/${{ github.event.pull_request.base.ref }}'
branch_pr: 'origin/${{ github.event.pull_request.head.ref }}'
commits: ${{ github.event.pull_request.commits }}
refspec_base: '+${{ github.event.pull_request.base.sha }}:remotes/origin/${{ github.event.pull_request.base.ref }}'
refspec_pr: '+${{ github.event.pull_request.head.sha }}:remotes/origin/${{ github.event.pull_request.head.ref }}'
steps:
- name: 'Check out latest PR branch commit'
uses: actions/checkout@v4
with:
persist-credentials: false
ref: >-
${{
github.event_name == 'pull_request'
Expand All @@ -36,15 +38,15 @@ jobs:
if: github.event_name == 'pull_request'
run: |
# Fetch enough history to find a common ancestor commit (aka merge-base):
git fetch origin ${{ env.refspec_pr }} --depth=$(( ${{ github.event.pull_request.commits }} + 1 )) \
git fetch origin "${refspec_pr}" --depth=$(( commits + 1 )) \
--no-tags --prune --no-recurse-submodules
# This should get the oldest commit in the local fetched history (which may not be the commit the PR branched from):
COMMON_ANCESTOR=$( git rev-list --first-parent --max-parents=0 --max-count=1 ${{ env.branch_pr }} )
COMMON_ANCESTOR=$( git rev-list --first-parent --max-parents=0 --max-count=1 "${branch_pr}" )
DATE=$( git log --date=iso8601 --format=%cd "${COMMON_ANCESTOR}" )
# Get all commits since that commit date from the base branch (eg: master or main):
git fetch origin ${{ env.refspec_base }} --shallow-since="${DATE}" \
git fetch origin "${refspec_base}" --shallow-since="${DATE}" \
--no-tags --prune --no-recurse-submodules
- name: 'Set up Python'
uses: actions/setup-python@v5
Expand All @@ -66,7 +68,7 @@ jobs:
if: github.event_name == 'pull_request'
run: |
python Doc/tools/check-warnings.py \
--annotate-diff '${{ env.branch_base }}' '${{ env.branch_pr }}' \
--annotate-diff "${branch_base}" "${branch_pr}" \
--fail-if-regression \
--fail-if-improved \
--fail-if-new-news-nit
Expand All @@ -78,6 +80,8 @@ jobs:
timeout-minutes: 60
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: 'Set up Python'
uses: actions/setup-python@v5
with:
Expand All @@ -96,6 +100,8 @@ jobs:
timeout-minutes: 60
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/cache@v4
with:
path: ~/.cache/pip
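Review bot: `--depth=$(( commits + 1 ))` at line 187 evaluates the content of the `commits` variable as a shell arithmetic expression, unlike the plain quoted expansions `"${refspec_pr}"` and `"${branch_pr}"` around it. That is fine here because `github.event.pull_request.commits` (line 171) is an integer from the event payload and the step is guarded by `if: github.event_name == 'pull_request'` at line 183, so it is never empty, but nothing in the file says so. A comment above the fetch, `# commits is an integer from the PR event payload, so arithmetic expansion is safe`, would keep a later edit from routing a free-form value through the same construct. The job's header and its earlier env entries are above the first hunk.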
2 changes: 2 additions & 0 deletions .github/workflows/reusable-macos.yml
Expand Up @@ -28,6 +28,8 @@ jobs:
runs-on: ${{ inputs.os }}
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Runner image version
run: echo "IMAGE_VERSION=${ImageVersion}" >> $GITHUB_ENV
- name: Restore config.cache
6 changes: 5 additions & 1 deletion .github/workflows/reusable-tsan.yml
Expand Up @@ -15,8 +15,12 @@ jobs:
name: 'Thread sanitizer'
runs-on: ubuntu-22.04
timeout-minutes: 60
env:
OPTIONS: ${{ inputs.options }}
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Runner image version
run: echo "IMAGE_VERSION=${ImageVersion}" >> $GITHUB_ENV
- name: Restore config.cache
Expand Down Expand Up @@ -44,7 +48,7 @@ jobs:
save: ${{ github.event_name == 'push' }}
max-size: "200M"
- name: Configure CPython
run: ${{ inputs.options }}
run: "${OPTIONS}"
- name: Build CPython
run: make -j4
- name: Display build info
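Review bot: `run: "${OPTIONS}"` at line 259 relies on the YAML parser consuming the double quotes, so the shell sees an unquoted `${OPTIONS}` and word-splits the `inputs.options` value into a command and its arguments — the opposite of what the same spelling means inside a larger scalar such as `-p "${ARCH}"` in reusable-windows.yml. That is the intended behavior, since the input is now passed through the environment (line 246) instead of being interpolated into the script text, but it reads as if the value were being quoted. A comment above the step, `# OPTIONS is a whole configure command line; YAML strips the quotes and the shell splits it into words`, would prevent someone from "fixing" it into a single-word command that cannot be found. The job header is above the first hunk.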
2 changes: 2 additions & 0 deletions .github/workflows/reusable-ubuntu.yml
Expand Up @@ -26,6 +26,8 @@ jobs:
PYTHONSTRICTEXTENSIONBUILD: 1
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Register gcc problem matcher
run: echo "::add-matcher::.github/problem-matchers/gcc.json"
- name: Install dependencies
5 changes: 4 additions & 1 deletion .github/workflows/reusable-windows-msi.yml
Expand Up @@ -17,8 +17,11 @@ jobs:
runs-on: windows-latest
timeout-minutes: 60
env:
ARCH: ${{ inputs.arch }}
IncludeFreethreaded: true
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Build CPython installer
run: .\Tools\msi\build.bat --doc -${{ inputs.arch }}
run: .\Tools\msi\build.bat --doc -"${ARCH}"
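Review bot: Line 290 runs `.\Tools\msi\build.bat --doc -"${ARCH}"` on `windows-latest` (line 279) with no `shell:` on the step, so unless a `defaults.run.shell` is set above the hunk it executes under PowerShell, where `${ARCH}` names a PowerShell variable rather than the environment variable and expands to nothing; the build would then receive a bare `-` with no architecture. The sibling reusable-windows.yml avoids this by setting `shell: bash` on its steps; the same fix here is `run: ./Tools/msi/build.bat --doc -"${ARCH}"` followed by `shell: bash` on the step. The job's `runs-on` and `env` are visible, but its name and the workflow's `on:` and any `defaults:` are above the hunk.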
14 changes: 10 additions & 4 deletions .github/workflows/reusable-windows.yml
Expand Up @@ -24,24 +24,30 @@ jobs:
(${{ inputs.arch }})
runs-on: windows-latest
timeout-minutes: 60
env:
ARCH: ${{ inputs.arch }}
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Register MSVC problem matcher
if: inputs.arch != 'Win32'
run: echo "::add-matcher::.github/problem-matchers/msvc.json"
- name: Build CPython
run: >-
.\PCbuild\build.bat
.\\PCbuild\\build.bat
-e -d
-p ${{ inputs.arch }}
-p "${ARCH}"
${{ fromJSON(inputs.free-threading) && '--disable-gil' || '' }}
shell: bash
- name: Display build info
if: inputs.arch != 'arm64'
run: .\python.bat -m test.pythoninfo
- name: Tests
if: inputs.arch != 'arm64'
run: >-
.\PCbuild\rt.bat
-p ${{ inputs.arch }}
.\\PCbuild\\rt.bat
-p "${ARCH}"
-d -q -uall -u-cpu -rwW
--slowest --timeout=1200 -j0
shell: bash
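Review bot: The doubled backslashes in `.\\PCbuild\\build.bat` (line 309) and `.\\PCbuild\\rt.bat` (line 323) are correct only because the `>-` block scalar keeps them literal and the step runs under `shell: bash` (lines 314 and 327), which collapses `\\` to `\` in an unquoted word; nothing says so, and a reader used to cmd or PowerShell will read them as a typo. A comment above each `run:`, `# shell: bash below — backslashes doubled so bash passes single ones to the batch file`, documents the coupling. The remaining `${{ fromJSON(inputs.free-threading) && '--disable-gil' || '' }}` on line 313 is still interpolated into the script, but it can only yield one of two fixed literals, so it is not a template-injection path. The job's `name:` begins above the hunk.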
5 changes: 2 additions & 3 deletions .github/workflows/stale.yml
Expand Up @@ -4,14 +4,13 @@ on:
schedule:
- cron: "0 0 * * *"

permissions:
pull-requests: write

jobs:
stale:
if: github.repository_owner == 'python'

runs-on: ubuntu-latest
permissions:
pull-requests: write
timeout-minutes: 10

steps:
2 changes: 2 additions & 0 deletions .github/workflows/verify-ensurepip-wheels.yml
Expand Up @@ -26,6 +26,8 @@ jobs:
timeout-minutes: 10
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/setup-python@v5
with:
python-version: '3'
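--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -0,0 +1,6 @@
+# Configuration for the zizmor static analysis tool, run via pre-commit in CI
+# https://woodruffw.github.io/zizmor/configuration/
+rules:
+  dangerous-triggers:
+    ignore:
+      - documentation-links.yml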
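Review bot: The `dangerous-triggers` waiver for `documentation-links.yml` at line 368 records no reason, so a reader cannot tell whether it covers a deliberate design or a finding nobody got to. A comment above the entry, `# documentation-links.yml comments on fork PRs and never checks out PR code, so its trigger is accepted`, would make the accepted risk explicit; that workflow's trigger is not visible in this commit, so confirm the wording against it. Waivers like this are the first place a reviewer looks when a write-scoped workflow later gains a checkout step.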
11 changes: 8 additions & 3 deletions .pre-commit-config.yaml
@@ -1,6 +1,6 @@
repos:
- repo: https://github.com/astral-sh/ruff-pre-commit
rev: v0.6.7
rev: v0.8.2
hooks:
- id: ruff
name: Run Ruff (lint) on Doc/
Expand All @@ -20,7 +20,7 @@ repos:
files: ^Doc/

- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.5.0
rev: v5.0.0
hooks:
- id: check-case-conflict
- id: check-merge-conflict
Expand All @@ -33,8 +33,13 @@ repos:
- id: trailing-whitespace
types_or: [c, inc, python, rst]

- repo: https://github.com/woodruffw/zizmor-pre-commit
rev: v0.8.0
hooks:
- id: zizmor

- repo: https://github.com/sphinx-contrib/sphinx-lint
rev: v0.9.1
rev: v1.0.0
hooks:
- id: sphinx-lint
args: [--enable=default-role]
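Review bot: The new `zizmor` hook at lines 392-395 is pinned to the tag `v0.8.0`, and the bumped `rev` values at lines 375, 384 and 399 likewise use tags; that matches the file's convention, but a tag can be moved, and pinning `rev` to the full commit SHA with the version in a trailing comment (`rev: <commit-sha>  # v0.8.0`) is the form that keeps a lint-time tool from changing underneath the project. If adopted it should be applied to all four repos at once rather than only the new one. The `repos:` list continues below the last hunk.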

