Merge pull request #121 from mxmehl/ci-hardening

Author: mxmehl

.github/actions/uvbuild/action.yaml

@@ -28,5 +28,8 @@ runs:
         enable-cache: true
     - name: Setup project
       run: |
-        uv sync  --locked --all-extras --dev ${{ inputs.uv_args }}
+        uv_args="${UV_ARGS}"
+        uv sync  --locked --all-extras --dev $uv_args
+      env:
+        UV_ARGS: ${{ inputs.uv_args }}
       shell: bash

.github/workflows/release-vulnerabilities.yaml

@@ -8,6 +8,9 @@ on:
   schedule:
     - cron: "35 9 * * 1"  # run a check once a week
 
+permissions:
+  contents: read
+
 jobs:
   osv-check:
     runs-on: ubuntu-latest

.github/workflows/release.yaml

@@ -17,13 +17,15 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       - name: Install uv
         uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
         with:
-          enable-cache: true
+          enable-cache: false # avoid cache-poisoning attacks
       - name: Build package
         run: uv build
       - name: Publish package to PyPI
-        run: uv publish
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0

.github/workflows/test.yaml

@@ -10,6 +10,9 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   # Test using the tool via uv on different OSes and python versions
   test-os-python-matrix:
@@ -29,6 +32,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/uvbuild
         with:
           python: ${{ matrix.python-version }}
@@ -42,6 +47,8 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
@@ -64,6 +71,8 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/uvbuild
         with:
           uv_args: --no-dev
@@ -91,13 +100,17 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/uvbuild
       - name: Lint with ruff
         run: uv run ruff check
   ty:
     runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/uvbuild
       - name: Test typing with ty
         run: uv run ty check
@@ -107,5 +120,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Check REUSE Compliance
         uses: fsfe/reuse-action@676e2d560c9a403aa252096d99fcab3e1132b0f5 # v6.0.0

pyproject.toml

@@ -25,7 +25,6 @@ classifiers = [
     "Topic :: System :: Systems Administration",
     "Intended Audience :: Developers",
     "Intended Audience :: System Administrators",
-    "License :: OSI Approved :: GNU General Public License v3 (GPLv3)",
     "Programming Language :: Python :: 3",
     "Programming Language :: Python :: 3.10",
     "Programming Language :: Python :: 3.11",
@@ -85,6 +84,8 @@ ignore = [
     "D212",
     "PTH123",
 ]
+[tool.ruff.lint.extend-per-file-ignores]
+"tests/*" = ["S101", "PLR", "PT011", "ANN001"]
 [tool.ruff.lint.pydocstyle]
 convention = "google"