Skip to content
CI

Reduce permission scope #15

Sign in to view logs

Reduce permission scope

Reduce permission scope #15

Workflow file for this run

.github/workflows/ci.yaml at 4a0169b
name: CI
on: [pull_request, push]
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: ${{ github.head_ref != '' }}
jobs:
ci:
name: Check
runs-on: ubuntu-22.04 # TODO: use `ubuntu-latest` when python 3.7 is dropped
strategy:
fail-fast: false
matrix:
python-version: ['3.7', '3.8', '3.9', '3.10', '3.11', '3.12', '3.13', '3.14-dev']
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
persist-credentials: false
- name: Setup python
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
- name: Install tools
run: pip install bandit pycodestyle pyflakes
- name: Lint code
run: |
pyflakes nova3/engines/*.py
bandit --skip B110,B310,B314,B405 nova3/engines/*.py
- name: Format code
run: |
# skipping E265, fixing it will break plugin usage on older qbt instances (< v4.1.2)
pycodestyle \
--ignore=E265,W503 \
--max-line-length=1000 \
--statistics \
nova3/engines/*.py
- name: Build code
run: |
python -m compileall nova3/engines/*.py
zizmor:
name: Check workflow files
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
persist-credentials: false
- name: Check GitHub Actions workflow
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
pip install zizmor
zizmor \
--format sarif \
--pedantic \
./ \
| jq '(.runs[].results |= map(select(.ruleId != "unpinned-uses")))
| (.runs[].tool.driver.rules |= map(select(.id != "unpinned-uses")))' \
> "${{ runner.temp }}/zizmor_results.sarif"
- name: Upload zizmor results
uses: github/codeql-action/upload-sarif@v3
with:
category: zizmor
sarif_file: "${{ runner.temp }}/zizmor_results.sarif"