[pre-commit.ci] pre-commit autoupdate#267
Merged
Conversation
gaborbernat added a commit to gaborbernat/pyproject-api that referenced this pull request on May 27, 2026
Adding zizmor to pre-commit catches GitHub Actions security issues
automatically. Running it against existing workflows exposed several
supply chain and privilege escalation risks that needed fixing rather
than suppressing.
Pin all action references to commit SHAs so tag mutations by upstream
maintainers cannot redirect CI to malicious code. Add workflow-level
`permissions: {}` as a deny-all baseline with explicit per-job grants,
preventing privilege escalation if a compromised action tries to use
inherited GITHUB_TOKEN permissions. Disable uv caching in
push-triggered workflows to close the cache-poisoning vector. Add
`persist-credentials: false` to checkout steps so the token is not
unnecessarily retained in the git config after checkout.
Also bumps all other pre-commit hook versions as proposed in PR tox-dev#267.
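The four hardenings described in the commit message above (SHA-pinned action references, a deny-all `permissions: {}` baseline, no uv cache on push-triggered workflows, `persist-credentials: false` on checkout) are the kind of thing zizmor reports. The script below is an added example, not the project's code and not zizmor itself: it audits a workflow for exactly those four conditions and shows a constructed "before" workflow next to its hardened "after". To keep it dependency-free, both workflows are written as the Python mappings that `yaml.safe_load()` would produce; the rule names, the placeholder 40-hex SHAs, and the assumption that `astral-sh/setup-uv` caches unless `enable-cache` is explicitly `false` are mine.

```python
"""Audit a parsed GitHub Actions workflow for four supply-chain weaknesses.

Added example: the workflows are constructed mappings in the shape PyYAML's
safe_load() returns, so the script runs offline with no dependencies.
"""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed "before": tag-pinned actions, no permissions block, uv cache
# enabled on a push trigger, checkout leaving GITHUB_TOKEN in .git/config.
BEFORE = {
    "name": "check",
    "on": {"push": {"branches": ["main"]}, "pull_request": {}},
    "jobs": {
        "test": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "actions/checkout@v4"},
                {"uses": "astral-sh/setup-uv@v5", "with": {"enable-cache": True}},
                {"run": "uv run pytest"},
            ],
        }
    },
}

# Constructed "after": the same workflow with the four fixes applied.
# The 40-hex refs are placeholders, not real commits of those actions.
AFTER = {
    "name": "check",
    "on": {"push": {"branches": ["main"]}, "pull_request": {}},
    "permissions": {},  # deny-all baseline; jobs grant what they need
    "jobs": {
        "test": {
            "runs-on": "ubuntu-latest",
            "permissions": {"contents": "read"},
            "steps": [
                {"uses": "actions/checkout@" + "a" * 40,
                 "with": {"persist-credentials": False}},
                {"uses": "astral-sh/setup-uv@" + "b" * 40,
                 "with": {"enable-cache": False}},
                {"run": "uv run pytest"},
            ],
        }
    },
}


def _triggers(workflow):
    # PyYAML (YAML 1.1) parses the bare key `on:` as boolean True, so a real
    # safe_load() result keys the trigger block under True, not "on".
    raw = workflow.get("on", workflow.get(True, {}))
    if isinstance(raw, str):
        return {raw}
    if isinstance(raw, list):
        return set(raw)
    return set(raw or {})


def audit(workflow):
    """Return a list of human-readable findings; empty means clean."""
    findings = []
    push_triggered = "push" in _triggers(workflow)

    if "permissions" not in workflow:
        findings.append("workflow: no top-level permissions, so GITHUB_TOKEN "
                        "inherits the repository default scopes")

    for job_name, job in (workflow.get("jobs") or {}).items():
        for i, step in enumerate(job.get("steps") or []):
            uses = step.get("uses")
            if not uses:
                continue  # plain `run:` step, nothing to pin
            loc = f"{job_name}.steps[{i}]"
            with_ = step.get("with") or {}

            # Local (./path) and docker:// references are not tag-pinnable
            # in the same sense; only owner/repo@ref is checked here.
            if not uses.startswith(("./", "docker://")):
                ref = uses.rsplit("@", 1)[1] if "@" in uses else ""
                if not SHA_RE.match(ref):
                    findings.append(f"{loc}: {uses} is not pinned to a commit "
                                    "SHA; a moved tag can redirect CI")

            # actions/checkout persists the token by default.
            if uses.startswith("actions/checkout@") and \
                    with_.get("persist-credentials") is not False:
                findings.append(f"{loc}: checkout keeps GITHUB_TOKEN in "
                                ".git/config (persist-credentials is not false)")

            # Assumption: setup-uv caches unless enable-cache is explicitly
            # false; a push-triggered job can then poison the shared cache.
            if push_triggered and uses.startswith("astral-sh/setup-uv@") and \
                    with_.get("enable-cache") is not False:
                findings.append(f"{loc}: uv cache enabled in a push-triggered "
                                "workflow (cache-poisoning vector)")
    return findings


if __name__ == "__main__":
    for label, wf in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {len(audit(wf))} finding(s)")
        for f in audit(wf):
            print("  -", f)
```

Running it prints five findings for the "before" workflow and none for the hardened one. The `_triggers` helper exists because of a real-world trap: a workflow loaded with PyYAML keys its triggers under the boolean `True`, and a checker that only looks up `"on"` silently treats every workflow as non-push and never reports the cache finding.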
The project migrated from mypy to ty, but several `type: ignore` comments used mypy-specific error codes (`list-item`, `return-value`, `attr-defined`) that ty does not recognise, causing the type check to fail. For the intentional bad-return test fixtures in `build.py`, the mypy codes are dropped in favour of bare `type: ignore`, which both tools honour. For the metadata lookup in `test_frontend_setuptools.py`, the workaround is removed entirely by switching from the untyped `.items()` to `.get_all()`, which is the correct `PackageMetadata` API and resolves the attribute error without any suppression.
Member
Superseded: ruff v0.15.14 already in main along with broader security hardening (zizmor, SHA-pinned actions, permissions).
958e6de to 75e0ff9
ruff v0.15.14 adds PLW0717 which flags try clauses with more than 5 statements. Collapse the redundant intermediate variable into a single assignment to drop from 6 to 5 statements.
gaborbernat approved these changes May 27, 2026
updates: