[pre-commit.ci] pre-commit autoupdate #13387

Open
wants to merge 2 commits into
base: main

pre-commit-ci[bot]
Contributor

@pre-commit-ci pre-commit-ci bot commented Apr 21, 2025

@nicoddemus
Member

nicoddemus commented Apr 22, 2025

zizmor is failing with:

```
error[unpinned-uses]: unpinned action reference
  --> .github/workflows/deploy.yml:34:7
   |
34 |       uses: hynek/build-and-inspect-python-package@v2.12.0
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High
```

It wants us to update to hashes... however how does that affect dependabot updates?

@Pierre-Sassoulas
Member

I think it still works and starts using a hash instead (you don't have to change to a hash each time). I don't remember on what repo I saw that though. Doing this even if dependabot doesn't work anymore would make sense considering that an action owner can delete and recreate tags and completely change the pipeline's behavior without any reviews, which is a lot of trust to give to anyone.
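An added example, not part of this PR thread and not zizmor's implementation: a simplified line-based check that flags `uses:` references in a workflow that are not pinned to a full 40-character commit SHA, which is the condition the `unpinned-uses` finding above reports. The sample workflow and the placeholder SHA are constructed; local actions and `docker://` images are assumed out of scope.

```python
import re

# Matches a step or job-level `uses:` key and captures the reference up to
# whitespace, a quote, or a trailing comment.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def audit_uses(workflow_text):
    """Return (line_number, reference, reason) for each unpinned `uses:`."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local actions and container images are out of scope for this sketch.
        if ref.startswith(("./", "docker://")):
            continue
        target, sep, rev = ref.partition("@")
        if not sep or not rev:
            findings.append((lineno, ref, "no ref given"))
        elif not FULL_SHA_RE.fullmatch(rev):
            # A tag or branch can be moved by the action owner after review.
            findings.append((lineno, ref, "tag or branch, not a full commit SHA"))
    return findings


# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4
      - uses: hynek/build-and-inspect-python-package@v2.12.0
      - name: Release
        uses: softprops/action-gh-release@v2
      - uses: codecov/codecov-action@v5
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for lineno, ref, reason in audit_uses(SAMPLE):
        print(f"line {lineno}: {ref}: {reason}")
```

Keeping the tag as a trailing comment after the SHA, as on the pinned line in the sample, leaves the human-readable version visible in review.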

@pre-commit-ci pre-commit-ci bot force-pushed the pre-commit-ci-update-config branch from 319866b to d9f184b Compare April 28, 2025 20:03
@pre-commit-ci pre-commit-ci bot force-pushed the pre-commit-ci-update-config branch 2 times, most recently from b1a3352 to 41c03da Compare May 12, 2025 20:03
@Pierre-Sassoulas
Member

Used the latest tag for softprops/action-gh-release@v2 and codecov/codecov-action@v5 which were implicitly the latest tag. We can expect to be spammed a lot more by dependabot, might be time to change the settings so it updates less often.

@Pierre-Sassoulas Pierre-Sassoulas added the backport 8.3.x apply to PRs at any point; backports the changes to the 8.3.x branch label May 12, 2025
@Pierre-Sassoulas Pierre-Sassoulas requested a review from webknjaz May 16, 2025 05:06
@pre-commit-ci pre-commit-ci bot force-pushed the pre-commit-ci-update-config branch from 4342b75 to 363fb79 Compare May 19, 2025 20:08
pre-commit-ci bot and others added 2 commits May 20, 2025 10:21
updates:
- [github.com/astral-sh/ruff-pre-commit: v0.11.5 → v0.11.10](astral-sh/ruff-pre-commit@v0.11.5...v0.11.10)
- [github.com/woodruffw/zizmor-pre-commit: v1.5.2 → v1.7.0](zizmorcore/zizmor-pre-commit@v1.5.2...v1.7.0)
@Pierre-Sassoulas Pierre-Sassoulas force-pushed the pre-commit-ci-update-config branch from 885f8ac to 76ee187 Compare May 20, 2025 08:21