diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 5882d415..3c754d82 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -4,10 +4,14 @@ on:
push:
pull_request:
+permissions: {}
+
jobs:
msys2:
runs-on: windows-latest
+ permissions:
+ contents: read
strategy:
fail-fast: false
matrix:
@@ -18,10 +22,12 @@ jobs:
pkgprefix: mingw-w64-clang-x86_64
steps:
- name: Checkout code
- uses: actions/checkout@v5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- name: setup-msys2
- uses: msys2/setup-msys2@v2
+ uses: msys2/setup-msys2@e9898307ac31d1a803454791be09ab9973336e1c # v2.31.1
with:
msystem: ${{ matrix.msystem }}
update: true
@@ -61,19 +67,23 @@ jobs:
poetry run coverage xml -i
- name: Upload coverage to Codecov
- uses: codecov/codecov-action@v5
+ uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
ubuntu:
runs-on: ubuntu-latest
+ permissions:
+ contents: read
strategy:
fail-fast: false
matrix:
python-version: ['3.10', '3.11', '3.12', '3.13', '3.14', '3.14t', 'pypy-3.11']
steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: ${{ matrix.python-version }}
allow-prereleases: true
@@ -107,7 +117,7 @@ jobs:
uv run coverage xml -i
- name: Upload coverage to Codecov
- uses: codecov/codecov-action@v5
+ uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
- name: Run linters
if: ${{ !contains(matrix.python-version, 'pypy') }}
@@ -123,6 +133,8 @@ jobs:
msvc:
runs-on: ${{ matrix.os }}
+ permissions:
+ contents: read
strategy:
fail-fast: false
matrix:
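Review bot: The `# v6.0.2` and `# v2.31.1` comments beside the new SHA pins on the `actions/checkout` and `msys2/setup-msys2` lines are documentation only — nothing in this hunk verifies that each hash actually resolves to that tag, and the comment will drift the next time someone bumps the SHA by hand. If the repository does not already have one, add a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"` (or the Renovate equivalent) so the hash and the version comment are updated together and the pins do not quietly go stale. `persist-credentials: false` on the checkout is the right default for a job that also runs on `pull_request`; it does mean any later step in this job that pushes or fetches with the job token would now fail, which I cannot rule out from here because the msys2 step list runs past the end of the hunk.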
@@ -140,29 +152,35 @@ jobs:
architecture: 'arm64'
os: 'windows-11-arm'
steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- name: Set up Python ${{ matrix.python-version }}
id: setup-python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: ${{ matrix.python-version }}
architecture: ${{ matrix.architecture }}
allow-prereleases: true
- name: Setup MSVC
- uses: ilammy/msvc-dev-cmd@v1.13.0
+ uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0
with:
arch : ${{ matrix.architecture }}
- name: Download and extract Cairo Binary
+ env:
+ PYCAIRO_ARCH: ${{ matrix.architecture }}
run: |
- python .ci/download-cairo-win32.py "${{ matrix.architecture }}"
+ python .ci/download-cairo-win32.py "$env:PYCAIRO_ARCH"
- name: Install dependencies
+ env:
+ PYTHON_PATH: ${{ steps.setup-python.outputs.python-path }}
run: |
- pipx install --python "${{ steps.setup-python.outputs.python-path }}" uv
- pipx install --python "${{ steps.setup-python.outputs.python-path }}" meson
+ pipx install --python "$env:PYTHON_PATH" uv
+ pipx install --python "$env:PYTHON_PATH" meson
uv sync
- name: Build & Test with meson
@@ -191,14 +209,17 @@ jobs:
uv run coverage xml -i
- name: Upload coverage to Codecov
- uses: codecov/codecov-action@v5
+ uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
macos:
runs-on: macos-latest
-
+ permissions:
+ contents: read
steps:
- name: Checkout code
- uses: actions/checkout@v5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- name: Install dependencies
run: |
@@ -221,4 +242,4 @@ jobs:
uv run coverage xml -i
- name: Upload coverage to Codecov
- uses: codecov/codecov-action@v5
+ uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
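Review bot: The `$env:PYCAIRO_ARCH` and `$env:PYTHON_PATH` references in the two rewritten `run:` blocks of the msvc job are PowerShell syntax and only work because neither step sets `shell:`, so they inherit the Windows runner's default `pwsh`; if `shell: bash` or a job-level `defaults.run.shell` is ever added, the variables stop expanding to the intended values and the download script and `pipx` calls receive garbage arguments. Make the dependency explicit by adding `shell: pwsh` under each of the two steps, alongside the new `env:` keys. It is also worth a comment that this change is defence in depth rather than a fix: `matrix.architecture` and `steps.setup-python.outputs.python-path` are defined by the workflow itself, not by pull-request content, so the old `${{ }}` interpolation was not injectable here — e.g. `# env indirection keeps expression output out of the script body; these values are workflow-controlled, not PR-controlled`. The msvc job's step list continues past the end of the hunk.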
diff --git a/.github/workflows/wheels.yml b/.github/workflows/wheels.yml
index 858d48ea..73ea7734 100644
--- a/.github/workflows/wheels.yml
+++ b/.github/workflows/wheels.yml
@@ -2,16 +2,23 @@ name: Build
on: [push, pull_request]
+permissions: {}
+
jobs:
build_sdist:
runs-on: ubuntu-latest
+ permissions:
+ contents: read
+
steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: '3.11'
@@ -24,7 +31,7 @@ jobs:
- name: Build sdist
run: python -m build --sdist
- - uses: actions/upload-artifact@v5
+ - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: sdist
path: ./dist/*.tar.gz
@@ -32,6 +39,8 @@ jobs:
build_wheels:
name: Build wheels on ${{ matrix.os }} (${{ matrix.platform_id }})
runs-on: ${{ matrix.os }}
+ permissions:
+ contents: read
strategy:
fail-fast: false
matrix:
@@ -47,15 +56,17 @@ jobs:
arch: arm64
steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- name: Setup MSVC
- uses: ilammy/msvc-dev-cmd@v1.13.0
+ uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0
with:
arch : ${{ matrix.arch }}
- name: Build wheels
- uses: pypa/cibuildwheel@v3.2.1
+ uses: pypa/cibuildwheel@8d2b08b68458a16aeb24b64e68a09ab1c8e82084 # v3.4.1
env:
CFLAGS: "-DCAIRO_WIN32_STATIC_BUILD=1"
CIBW_BEFORE_BUILD: "python {package}/.ci/download-cairo-win32.py ${{ matrix.arch }}"
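Review bot: The `CIBW_BEFORE_BUILD` context line at the end of the cibuildwheel hunk still interpolates `${{ matrix.arch }}` directly into a command string, while the equivalent `download-cairo-win32.py` invocation in test.yml was switched to env-variable indirection in this same commit. That is not an injection risk — `matrix.arch` comes from the workflow's own matrix, not from pull-request content — but the inconsistency will read as an oversight to the next person auditing these workflows for expression injection. Either leave a comment on that line, e.g. `# matrix.arch is workflow-defined, not PR-controlled; safe to interpolate`, or route it through `env:` like test.yml does, bearing in mind that cibuildwheel runs this command through the platform shell, so the variable syntax on Windows is not the pwsh `$env:` form used in test.yml. The `env:` mapping for this step continues past the end of the hunk.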
@@ -65,7 +76,7 @@ jobs:
CIBW_TEST_COMMAND: bash {package}/.ci/test-wheels.sh {package}
CIBW_ENVIRONMENT_WINDOWS: PKG_CONFIG_PATH='${{ github.workspace }}/cairo-prebuild/lib/pkgconfig' PKG_CONFIG='${{ github.workspace }}/cairo-prebuild/bin/pkgconf.exe'
- - uses: actions/upload-artifact@v5
+ - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: "wheel-${{ matrix.arch }}"
path: ./wheelhouse/*.whl