diff --git a/.github/workflows/benchmarks.yml b/.github/workflows/benchmarks.yml index 95277fd..af171c1 100644 --- a/.github/workflows/benchmarks.yml +++ b/.github/workflows/benchmarks.yml @@ -27,7 +27,7 @@ jobs: - uses: actions/checkout@v7 - name: Install uv - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0 with: enable-cache: true diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 24dc00b..b37cba8 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -87,7 +87,7 @@ jobs: with: python-version: "3.12" - name: Install uv - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0 - name: Sync locked environment run: uv sync --frozen - name: Run pip-audit advisory gate diff --git a/.github/workflows/docs-backfill.yaml b/.github/workflows/docs-backfill.yaml index 887b6ba..9be68e7 100644 --- a/.github/workflows/docs-backfill.yaml +++ b/.github/workflows/docs-backfill.yaml @@ -71,7 +71,7 @@ jobs: ref: master - name: Install uv - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0 with: enable-cache: true diff --git a/.github/workflows/documentation.yaml b/.github/workflows/documentation.yaml index 83b4e86..315eac9 100644 --- a/.github/workflows/documentation.yaml +++ b/.github/workflows/documentation.yaml @@ -70,10 +70,10 @@ on: required: false default: "" +# Default to read-only at the top level so the PR build-only job inherits the +# least privilege. The deploy jobs opt back into the write scopes they need. permissions: - contents: write - id-token: write - pages: write + contents: read # Allow one concurrent deployment so a fast-follow push doesn't race the # previous deploy on gh-pages. 
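Review bot: The step list in this hunk still pulls `actions/checkout@v7` by mutable tag one line above the newly SHA-pinned setup-uv step, so the mutable-reference exposure the commit closes for one action remains for the other; the same applies to the checkout steps visible in the documentation.yaml hunks at -119 and -167 and the type-check.yml hunks at -47 and -131. Pin it the same way, `uses: actions/checkout@<full-commit-sha>  # v7` (placeholder for the resolved commit), keeping the version trailer as done for setup-uv so Dependabot can keep the pin current. Whether the remaining tag-pinned actions are handled elsewhere in the commit cannot be seen from these hunks.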
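Review bot: The comment added above `permissions:` states the intent but not the mechanism the deploy jobs now rely on: a job-level `permissions:` block replaces the workflow-level block rather than extending it, and any scope not named in the block that is in effect becomes `none`. Stating that here prevents someone later adding a scope at the top level and expecting the deploy jobs to inherit it, e.g. `# A job-level permissions block replaces this one entirely, so deploy jobs must list every scope they need.`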
@@ -93,7 +93,7 @@ jobs: fetch-depth: 0 - name: Install uv - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0 with: enable-cache: true @@ -119,6 +119,10 @@ jobs: name: Deploy latest documentation if: github.event_name == 'push' runs-on: ubuntu-latest + permissions: + contents: write + id-token: write + pages: write steps: - name: Checkout (full history for mike + git-revision-date plugins) uses: actions/checkout@v7 @@ -126,7 +130,7 @@ jobs: fetch-depth: 0 - name: Install uv - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0 with: enable-cache: true @@ -167,6 +171,10 @@ jobs: github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'repository_dispatch' runs-on: ubuntu-latest + permissions: + contents: write + id-token: write + pages: write steps: - name: Checkout (full history for mike + git-revision-date plugins) uses: actions/checkout@v7 @@ -198,7 +206,7 @@ jobs: echo "Resolved release tag: ${tag}" - name: Install uv - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0 with: enable-cache: true @@ -240,6 +248,10 @@ jobs: # left byte-for-byte unchanged. It reuses the existing deploy scripts verbatim. if: github.event_name == 'workflow_dispatch' runs-on: ubuntu-latest + permissions: + contents: write + id-token: write + pages: write steps: - name: Validate inputs env: @@ -267,7 +279,7 @@ jobs: ref: master - name: Install uv - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0 with: enable-cache: true diff --git a/.github/workflows/native-core-build.yml b/.github/workflows/native-core-build.yml index 13272c3..4f3ef4e 100644 --- a/.github/workflows/native-core-build.yml +++ b/.github/workflows/native-core-build.yml 
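Review bot: The job-level block added to Deploy latest documentation grants `contents: write`, `id-token: write` and `pages: write`, and the identical block is repeated for the jobs at -167 and -240; whether every job needs all three cannot be confirmed from these hunks. The checkout step's comment points to mike, which publishes by pushing to gh-pages and needs only `contents: write`, whereas `pages: write` plus `id-token: write` is the pair a Pages deployment action needs. If any of the three jobs has no Pages-deployment step, dropping those two scopes from its block would carry the top-level least-privilege change through to the job level; each job's steps continue outside the hunk.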
@@ -27,7 +27,7 @@ jobs: python-version: "3.13" - name: Setup uv - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0 - name: Setup Rust uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable diff --git a/.github/workflows/release-python.yml b/.github/workflows/release-python.yml index a306f9e..4613976 100644 --- a/.github/workflows/release-python.yml +++ b/.github/workflows/release-python.yml @@ -162,7 +162,7 @@ jobs: with: python-version: ${{ env.PYTHON_VERSION }} - name: Install uv - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0 - name: Sync resolved environment # Resolve the locked dependency set into .venv so the SBOM reflects the # exact versions a consumer gets, not just the declared ranges. diff --git a/.github/workflows/type-check.yml b/.github/workflows/type-check.yml index 15a8580..04cec6e 100644 --- a/.github/workflows/type-check.yml +++ b/.github/workflows/type-check.yml @@ -47,7 +47,7 @@ jobs: uses: actions/checkout@v7 - name: Install uv - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0 with: python-version: 3.13 @@ -131,7 +131,7 @@ jobs: uses: actions/checkout@v7 - name: Install uv - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0 with: python-version: 3.13