88 - ' **'
99 pull_request : {}
1010
11+ permissions : {}
12+
1113jobs :
1214 lint :
1315 runs-on : ubuntu-latest
1416
1517 steps :
16- - uses : actions/checkout@v6
18+ - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
19+ with :
20+ persist-credentials : false
1721
18- - name : set up uv
19- uses : astral-sh/setup-uv@v7
22+ - uses : astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
2023 with :
21- python-version : ' 3.12'
24+ python-version : ' 3.13'
25+ enable-cache : true # zizmor: ignore[cache-poisoning] -- Job does not produce release artifacts and does not have sensitive permissions
2226
2327 - name : Install dependencies
2428 # Installing pip is required for the pre-commit action:
2529 run : |
2630 uv sync --group linting --all-extras
2731 uv pip install pip
2832
29- -
uses :
pre-commit/[email protected] 33+ uses : pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
3034 with :
3135 extra_args : --all-files
36+ env :
37+ PRE_COMMIT_COLOR : always
38+ UV_NO_PROGRESS : ' 1'
3239
3340 test :
3441 name : test py${{ matrix.python }} on ${{ matrix.os }}
@@ -46,12 +53,14 @@ jobs:
4653 runs-on : ${{ matrix.os }}
4754
4855 steps :
49- - uses : actions/checkout@v6
56+ - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
57+ with :
58+ persist-credentials : false
5059
51- - name : set up uv
52- uses : astral-sh/setup-uv@v7
60+ - uses : astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
5361 with :
5462 python-version : ${{ matrix.python }}
63+ enable-cache : true # zizmor: ignore[cache-poisoning] -- Job does not produce release artifacts and does not have sensitive permissions
5564
5665 - name : Install dependencies
5766 run : |
7584 CONTEXT : ${{ runner.os }}-py${{ matrix.python }}-without-deps
7685
7786 - name : store coverage files
78- uses : actions/upload-artifact@v7
87+ uses : actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
7988 with :
8089 name : coverage-${{ matrix.python }}-${{ runner.os }}
8190 path : coverage
@@ -85,20 +94,21 @@ jobs:
8594 runs-on : ubuntu-latest
8695 needs : [test]
8796 steps :
88- - uses : actions/checkout@v6
97+ - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
8998 with :
99+ persist-credentials : false
90100 # needed for diff-cover
91101 fetch-depth : 0
92102
93103 - name : get coverage files
94- uses : actions/download-artifact@v8
104+ uses : actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
95105 with :
96106 merge-multiple : true
97107 path : coverage
98108
99- - uses : astral-sh/setup-uv@v7
109+ - uses : astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
100110 with :
101- enable-cache : true
111+ enable-cache : true # zizmor: ignore[cache-poisoning] -- Job does not produce release artifacts and does not have sensitive permissions
102112
103113 - run : uv sync --group testing --all-extras
104114
@@ -107,18 +117,18 @@ jobs:
107117 - run : uv run coverage html --show-contexts --title "Pydantic Settings coverage for ${{ github.sha }}"
108118
109119 - name : Store coverage html
110- uses : actions/upload-artifact@v7
120+ uses : actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
111121 with :
112122 name : coverage-html
113123 path : htmlcov
114124 include-hidden-files : true
115125
116126 - run : uv run coverage xml
117127
118- - run : uv run diff-cover coverage.xml --html-report index.html
128+ - run : uv run diff-cover coverage.xml --format html: index.html
119129
120130 - name : Store diff coverage html
121- uses : actions/upload-artifact@v7
131+ uses : actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
122132 with :
123133 name : diff-coverage-html
124134 path : index.html
@@ -135,7 +145,7 @@ jobs:
135145
136146 steps :
137147 - name : Decide whether the needed jobs succeeded or failed
138- uses : re-actors/alls-green@release/v1
148+ uses : re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
139149 id : all-green
140150 with :
141151 jobs : ${{ toJSON(needs) }}
@@ -150,9 +160,11 @@ jobs:
150160 id-token : write
151161
152162 steps :
153- - uses : actions/checkout@v6
163+ - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
164+ with :
165+ persist-credentials : false
154166
155- - uses : actions/setup-python@v6
167+ - uses : actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
156168 with :
157169 python-version : ' 3.12'
158170
@@ -161,12 +173,12 @@ jobs:
161173
162174 - name : Check version
163175 id : check-tag
164- uses : samuelcolvin/check-python-version@v5
176+ uses : samuelcolvin/check-python-version@ee87cddb8049d2694cc03badc8569765a05cef00 # v5
165177 with :
166178 version_file_path : pydantic_settings/version.py
167179
168180 - name : Build library
169181 run : python -m build
170182
171183 - name : Upload package to PyPI
172- uses : pypa/gh-action-pypi-publish@release/v1
184+ uses : pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
0 commit comments