diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
index e9ce092..4ebc7e4 100644
--- a/.github/workflows/container.yml
+++ b/.github/workflows/container.yml
@@ -15,6 +15,8 @@ jobs:
 build:
 runs-on: ubuntu-latest
+ environment: build
+
 permissions:
 packages: write
@@ -31,7 +33,8 @@ jobs:
 plan: /tmt/build/rawhide
 container:
- image: quay.io/testing-farm/cli:latest
+ # Always use latest Testing Farm CLI to get newest features and fixes
+ image: quay.io/testing-farm/cli:latest # zizmor: ignore[unpinned-images]
 steps:
 - name: Compute image tag
diff --git a/.github/workflows/container.yml.j2 b/.github/workflows/container.yml.j2
index 83b69bb..e346d9f 100644
--- a/.github/workflows/container.yml.j2
+++ b/.github/workflows/container.yml.j2
@@ -15,6 +15,8 @@ jobs:
 build:
 runs-on: ubuntu-latest
+ environment: build
+
 permissions:
 packages: write
@@ -29,7 +31,8 @@ jobs:
 plan: /tmt/build/rawhide
 {% raw %}
 container:
- image: quay.io/testing-farm/cli:latest
+ # Always use latest Testing Farm CLI to get newest features and fixes
+ image: quay.io/testing-farm/cli:latest # zizmor: ignore[unpinned-images]
 steps:
 - name: Compute image tag
diff --git a/.github/workflows/mkdocs.yml b/.github/workflows/mkdocs.yml
index ff6e1a6..afc475a 100644
--- a/.github/workflows/mkdocs.yml
+++ b/.github/workflows/mkdocs.yml
@@ -17,10 +17,12 @@ jobs:
 steps:
 - name: Checkout repo
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: '3.14'
@@ -44,7 +46,7 @@ jobs:
 fi
 - name: Deploy to GitHub Pages
- uses: peaceiris/actions-gh-pages@v4
+ uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 publish_dir: ./site
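Review bot: In `.github/workflows/container.yml` (and the matching first hunk of `container.yml.j2`), the added `environment: build` carries no comment saying what the environment gates, and its protection rules and secrets live in repository settings rather than in this file. GitHub creates a referenced environment that does not exist yet with no rules at all, so the line alone does not show that any approval or branch restriction is in force. A comment such as `# secrets for this job are scoped to the 'build' environment; protection rules are set in repository settings` would record the intent, assuming that is the purpose here. The job body continues outside the hunk.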
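Review bot: The `# zizmor: ignore[unpinned-images]` suppression on the `image:` line of `container.yml` (second hunk, repeated in `container.yml.j2`) leaves the job container as the one mutable reference in a change that pins everything else. Every step of that job runs inside the image, so a retagged `latest` would execute with whatever token and environment secrets the job receives; which job this is cannot be seen from the hunk. If the goal is to follow new CLI releases, a digest pin refreshed by an update bot gives the same result with a reviewable change each time, e.g. `image: quay.io/testing-farm/cli:latest@sha256:<digest-placeholder>`. If the tag must stay floating, the comment should record that the risk was accepted, not only why `latest` is convenient.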
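Review bot: The trailing `# v6` and `# v4` comments on the pinned `uses:` lines in `mkdocs.yml` name moving major tags, so the file does not record which release each commit hash was taken from. Writing the exact release, as the `.pre-commit-config.yaml` pins in this same commit already do, lets a reviewer check the hash against the upstream tag: `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # vX.Y.Z` (placeholder for the real tag). The same applies to the setup-python and actions-gh-pages pins here and to the three pins in `refresh-build-fmf.yml`. The steps list continues outside the hunk.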
diff --git a/.github/workflows/refresh-build-fmf.yml b/.github/workflows/refresh-build-fmf.yml
index a0c3208..d29cc34 100644
--- a/.github/workflows/refresh-build-fmf.yml
+++ b/.github/workflows/refresh-build-fmf.yml
@@ -16,10 +16,12 @@ jobs:
 steps:
 - name: Checkout repo
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Set up Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
 with:
 python-version: '3.13'
@@ -33,7 +35,7 @@ jobs:
 run: make generate/build-fmf
 - name: Create pull request if changed
- uses: peter-evans/create-pull-request@v7
+ uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7
 with:
 commit-message: |
 ci: regenerate configs and docs for current Fedora releases
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 420106a..9113b0e 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,12 +1,12 @@
 ---
 repos:
 - repo: https://github.com/shellcheck-py/shellcheck-py
- rev: v0.11.0.1
+ rev: 745eface02aef23e168a8afb6b5737818efbea95 # v0.11.0.1
 hooks:
 - id: shellcheck
 - repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v6.0.0
+ rev: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c # v6.0.0
 hooks:
 - id: check-added-large-files
 - id: check-ast
@@ -29,12 +29,12 @@ repos:
 - id: trailing-whitespace
 - repo: https://github.com/gitleaks/gitleaks
- rev: v8.30.1
+ rev: 83d9cd684c87d95d656c1458ef04895a7f1cbd8e # v8.30.1
 hooks:
 - id: gitleaks
 - repo: https://github.com/igorshubovych/markdownlint-cli
- rev: v0.48.0
+ rev: e72a3ca1632f0b11a07d171449fe447a7ff6795e # v0.48.0
 hooks:
 - id: markdownlint
 args:
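Review bot: In `refresh-build-fmf.yml` (first hunk), `actions/setup-python` is pinned to a v5 commit while `mkdocs.yml` in the same change pins a v6 commit, so the two workflows now freeze different major versions of the same action. With tag references the gap was visible at a glance; with hashes it is easy to overlook and will not close by itself. Unless this workflow needs v5, pin both to the same release, or state the reason next to the pin, e.g. `# stays on v5 because <reason-placeholder>`.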
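Review bot: The `rev:` values in `.pre-commit-config.yaml` are now full commit hashes, but nothing in these hunks records how they are meant to be updated, and a plain `pre-commit autoupdate` rewrites `rev` back to the latest tag name. `pre-commit autoupdate --freeze` keeps hashes and writes the tag as a `# frozen: <tag>` comment, so a header comment such as `# Hooks are pinned by commit; update with: pre-commit autoupdate --freeze` would keep the next bump from undoing the pinning. This applies to every `rev:` changed in this file, including the later hunks.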
@@ -47,6 +47,11 @@ repos:
 - sentences-per-line
 - repo: https://github.com/codespell-project/codespell
- rev: v2.4.2
+ rev: 2ccb47ff45ad361a21071a7eedda4c37e6ae8c5a # v2.4.2
 hooks:
 - id: codespell
+
+ - repo: https://github.com/woodruffw/zizmor-pre-commit
+ rev: ea2eb407b4cbce87cf0d502f36578950494f5ac9 # v1.23.1
+ hooks:
+ - id: zizmor
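Review bot: The zizmor hook added at the end of `.pre-commit-config.yaml` has nothing in this diff that makes it run in CI, so as far as the visible changes show it checks only commits from contributors who installed the hooks locally. If no existing job runs `pre-commit run --all-files`, a later workflow edit can reintroduce a tag reference or persisted checkout credentials without any finding being reported. Either confirm such a job exists or add one, and consider a comment above the hook such as `# audits .github/workflows; also enforced in CI by <job-placeholder>`.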