@@ -2,6 +2,13 @@ name: Build
22
33on : [push, pull_request]
44
5+ concurrency :
6+ group : ${{ github.workflow }}-${{ github.ref }}
7+ cancel-in-progress : true
8+
9+ permissions :
10+ contents : read
11+
512env :
613 # These four values need to be kept in sync. Each pyodide version pins an
714 # emscripten version and a CPython version.
@@ -62,23 +69,25 @@ jobs:
6269 cibw_platform : pyodide
6370
6471 steps :
65- - uses : actions/checkout@v6.0.2
72+ - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
73+ with :
74+ persist-credentials : false
6675
6776 - if : ${{ matrix.kind == 'native' }}
68- uses : actions/setup-python@v6
77+ uses : actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
6978 with :
7079 python-version : ' 3.13'
7180
7281 # -------------- Windows stuff ---------------- #
7382
7483 - if : ${{ matrix.os == 'windows-2022' }}
75- uses : msys2/setup-msys2@v2.31.0
84+ uses : msys2/setup-msys2@cafece8e6baf9247cf9b1bf95097b0b983cc558d # v2.31.0
7685 with :
7786 msystem : ucrt64
7887 update : true
7988
8089 - if : ${{ matrix.os == 'windows-11-arm' }}
81- uses : msys2/setup-msys2@v2.31.0
90+ uses : msys2/setup-msys2@cafece8e6baf9247cf9b1bf95097b0b983cc558d # v2.31.0
8291 with :
8392 msystem : clangarm64
8493 update : true
92101 # This is probably something to do with \ vs / in paths...
93102 - if : ${{ startsWith( matrix.os , 'windows' ) }}
94103 run : |
95- $pkgConfigPath = "${{ github.workspace }} /.local/lib/pkgconfig"
104+ $pkgConfigPath = "$env:GITHUB_WORKSPACE /.local/lib/pkgconfig"
96105 $pkgConfigPath = $pkgConfigPath.Replace('\', '/')
97106 echo "PKG_CONFIG_PATH=$pkgConfigPath" >> $env:GITHUB_ENV
98107
@@ -107,13 +116,14 @@ jobs:
107116
108117 - if : ${{ matrix.kind == 'pyodide' }}
109118 name : Check out Emscripten patches for Pyodide
110- uses : actions/checkout@v6.0.2
119+ uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
111120 with :
112121 repository : pyodide/pyodide
113122 ref : ${{ env.PYODIDE_VERSION }}
114123 path : pyodide-patches
115124 sparse-checkout : |
116125 emsdk/patches/
126+ persist-credentials : false
117127
118128 # ------------- actual build ------------- #
119129
@@ -126,7 +136,7 @@ jobs:
126136 # override setting in pyproject.toml to use msys2 instead of msys64 bash
127137 CIBW_BEFORE_ALL_WINDOWS : ${{ matrix.os == 'windows-11-arm' && 'msys2 -c bin/cibw_before_all_windows_arm64.sh' || 'msys2 -c bin/cibw_before_all_windows_amd64.sh' }}
128138
129- - uses : actions/upload-artifact@v7
139+ - uses : actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
130140 with :
131141 name : ${{ matrix.artifact_name }}
132142 path : wheelhouse/*.whl
@@ -136,17 +146,19 @@ jobs:
136146 runs-on : ubuntu-22.04
137147
138148 steps :
139- - uses : actions/checkout@v6.0.2
149+ - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
150+ with :
151+ persist-credentials : false
140152
141- - uses : actions/setup-python@v6
153+ - uses : actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
142154 with :
143155 python-version : ${{ env.PYODIDE_PYTHON_VERSION }}
144156
145157 - run : bin/install_latest_flint_ubuntu.sh
146158 - run : pip install build
147159 - run : python -m build --sdist
148160
149- - uses : actions/upload-artifact@v7
161+ - uses : actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
150162 with :
151163 name : sdist
152164 path : dist/*.tar.gz
@@ -155,6 +167,7 @@ jobs:
155167 needs : build_wheels
156168 name : Test ${{ matrix.python-version }} wheel on ${{ matrix.os }}
157169 runs-on : ${{ matrix.os }}
170+ permissions : {}
158171 strategy :
159172 fail-fast : false
160173 matrix :
@@ -176,11 +189,11 @@ jobs:
176189 python-version : pypy3.11
177190
178191 steps :
179- - uses : actions/setup-python@v6
192+ - uses : actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
180193 with :
181194 python-version : ${{ matrix.python-version }}
182195 allow-prereleases : true
183- - uses : actions/download-artifact@v8
196+ - uses : actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
184197 with :
185198 path : wheelhouse
186199 merge-multiple : true
@@ -200,20 +213,21 @@ jobs:
200213 needs : build_wheels
201214 name : Test Pyodide wheel
202215 runs-on : ubuntu-22.04
216+ permissions : {}
203217
204218 steps :
205- - uses : actions/setup-python@v6
219+ - uses : actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
206220 with :
207221 python-version : ${{ env.PYODIDE_PYTHON_VERSION }}
208222
209- - uses : actions/setup-node@v6
223+ - uses : actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
210224 with :
211225 node-version : ' 22'
212226
213227 - run : pip install pyodide-build
214- - run : pyodide xbuildenv install "${{ env. PYODIDE_VERSION }} "
228+ - run : pyodide xbuildenv install "$PYODIDE_VERSION"
215229
216- - uses : actions/download-artifact@v8
230+ - uses : actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
217231 with :
218232 name : wheels-pyodide
219233 path : wheelhouse
@@ -234,8 +248,10 @@ jobs:
234248 matrix :
235249 os : [ubuntu-24.04]
236250 steps :
237- - uses : actions/checkout@v6.0.2
238- - uses : actions/setup-python@v6
251+ - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
252+ with :
253+ persist-credentials : false
254+ - uses : actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
239255 with :
240256 python-version : ' 3.13'
241257 - run : sudo apt-get update
@@ -247,8 +263,10 @@ jobs:
247263 name : Test docs (build and doctest)
248264 runs-on : ubuntu-24.04
249265 steps :
250- - uses : actions/checkout@v6.0.2
251- - uses : actions/setup-python@v6
266+ - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
267+ with :
268+ persist-credentials : false
269+ - uses : actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
252270 with :
253271 python-version : ' 3.13'
254272 - run : bin/install_latest_flint_ubuntu.sh
@@ -262,8 +280,10 @@ jobs:
262280 name : ' Test old Cython/meson-python'
263281 runs-on : ubuntu-24.04
264282 steps :
265- - uses : actions/checkout@v6.0.2
266- - uses : actions/setup-python@v6
283+ - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
284+ with :
285+ persist-credentials : false
286+ - uses : actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
267287 with :
268288 python-version : ' 3.13'
269289 - run : sudo apt-get update
@@ -289,11 +309,15 @@ jobs:
289309 # Supported Flint versions:
290310 flint-tag : ['v3.0.1', 'v3.1.3-p1', 'v3.2.2', 'v3.3.1']
291311 steps :
292- - uses : actions/checkout@v6.0.2
293- - uses : actions/setup-python@v6
312+ - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
313+ with :
314+ persist-credentials : false
315+ - uses : actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
294316 with :
295317 python-version : ' 3.13'
296- - run : bin/install_flint_ubuntu.sh ${{ matrix.flint-tag }}
318+ - env :
319+ FLINT_TAG : ${{ matrix.flint-tag }}
320+ run : bin/install_flint_ubuntu.sh "$FLINT_TAG"
297321 - run : pip install .
298322 - run : python -m flint.test --verbose
299323
@@ -302,8 +326,10 @@ jobs:
302326 name : Test flint main Linux x86-64
303327 runs-on : ubuntu-24.04
304328 steps :
305- - uses : actions/checkout@v6.0.2
306- - uses : actions/setup-python@v6
329+ - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
330+ with :
331+ persist-credentials : false
332+ - uses : actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
307333 with :
308334 python-version : ' 3.13'
309335 - run : bin/install_flint_ubuntu.sh main
@@ -316,8 +342,10 @@ jobs:
316342 name : Test flint main Linux ARM
317343 runs-on : ubuntu-24.04-arm
318344 steps :
319- - uses : actions/checkout@v6.0.2
320- - uses : actions/setup-python@v6
345+ - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
346+ with :
347+ persist-credentials : false
348+ - uses : actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
321349 with :
322350 python-version : ' 3.13'
323351 - run : bin/install_flint_ubuntu.sh main
@@ -330,8 +358,10 @@ jobs:
330358 name : Test coverage setuptools build
331359 runs-on : ubuntu-24.04
332360 steps :
333- - uses : actions/checkout@v6.0.2
334- - uses : actions/setup-python@v6
361+ - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
362+ with :
363+ persist-credentials : false
364+ - uses : actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
335365 with :
336366 python-version : ' 3.13'
337367 - run : sudo apt-get update
@@ -344,8 +374,10 @@ jobs:
344374 name : Test coverage meson build
345375 runs-on : ubuntu-24.04
346376 steps :
347- - uses : actions/checkout@v6.0.2
348- - uses : actions/setup-python@v6
377+ - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
378+ with :
379+ persist-credentials : false
380+ - uses : actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
349381 with :
350382 python-version : ' 3.12' # does not work with 3.13
351383 - run : sudo apt-get update
@@ -362,24 +394,30 @@ jobs:
362394 matrix :
363395 sympy-version : ['1.13.1', '1.14.0']
364396 steps :
365- - uses : actions/checkout@v6.0.2
366- - uses : actions/setup-python@v6
397+ - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
398+ with :
399+ persist-credentials : false
400+ - uses : actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
367401 with :
368402 python-version : ' 3.13'
369403 - run : sudo apt-get update
370404 - run : sudo apt-get install libflint-dev
371405 - run : pip install .
372406 - run : pip install pytest pytest-xdist hypothesis
373- - run : pip install sympy==${{ matrix.sympy-version }}
407+ - env :
408+ SYMPY_VERSION : ${{ matrix.sympy-version }}
409+ run : pip install "sympy==$SYMPY_VERSION"
374410 - run : python -c 'import sympy; sympy.test(parallel=True)'
375411
376412 # Run SymPy master branch agains python-flint main
377413 test_sympy_master :
378414 name : Test SymPy master
379415 runs-on : ubuntu-24.04
380416 steps :
381- - uses : actions/checkout@v6.0.2
382- - uses : actions/setup-python@v6
417+ - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
418+ with :
419+ persist-credentials : false
420+ - uses : actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
383421 with :
384422 python-version : ' 3.13'
385423 - run : sudo apt-get update
@@ -400,11 +438,12 @@ jobs:
400438 # Run on push/merge to main
401439 if : github.event_name == 'push' && github.ref == 'refs/heads/main'
402440 runs-on : ubuntu-latest
441+ permissions : {}
403442
404443 steps :
405444 # Downloads all artifacts
406445 - name : Download release artifacts
407- uses : actions/download-artifact@v8
446+ uses : actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
408447 with :
409448 path : wheelhouse
410449 merge-multiple : true
@@ -418,7 +457,7 @@ jobs:
418457 artifacts_path : dist
419458 # This token is generated from anaconda.org
420459 # https://github.com/scientific-python/upload-nightly-action/issues/111
421- anaconda_nightly_upload_token : ${{ secrets.ANACONDA_ORG_UPLOAD_TOKEN }}
460+ anaconda_nightly_upload_token : ${{ secrets.ANACONDA_ORG_UPLOAD_TOKEN }} # zizmor: ignore[secrets-outside-env]
422461
423462 # Deploy wheels and sdist to PyPI
424463
@@ -431,13 +470,13 @@ jobs:
431470 name : pypi
432471 url : https://pypi.org/p/python-flint
433472 permissions :
434- id-token : write
473+ id-token : write # Required for trusted publishing to PyPI via OIDC.
435474 runs-on : ubuntu-latest
436475
437476 steps :
438477 # Downloads all artifacts
439478 - name : Download release artifacts
440- uses : actions/download-artifact@v8
479+ uses : actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
441480 with :
442481 path : wheelhouse
443482 merge-multiple : true
@@ -462,21 +501,24 @@ jobs:
462501 needs : pypi_release
463502 runs-on : ubuntu-latest
464503 permissions :
465- contents : write
504+ contents : write # Required to create the GitHub release with the gh CLI.
466505
467506 steps :
468- - uses : actions/checkout@v6.0.2
507+ - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
508+ with :
509+ persist-credentials : false
469510
470511 - name : Download sdist
471- uses : actions/download-artifact@v8
512+ uses : actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
472513 with :
473514 name : sdist
474515 path : dist
475516
476517 - name : Create GitHub release
477518 env :
478519 GH_TOKEN : ${{ github.token }}
479- run : >
480- gh release create ${{ github.ref_name }} dist/*
481- --title "python-flint ${{ github.ref_name }}"
482- --notes "https://github.com/flintlib/python-flint?tab=readme-ov-file#changelog"
520+ REF_NAME : ${{ github.ref_name }}
521+ run : |
522+ gh release create "$REF_NAME" dist/* \
523+ --title "python-flint $REF_NAME" \
524+ --notes "https://github.com/flintlib/python-flint?tab=readme-ov-file#changelog"
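Review bot: `cancel-in-progress: true` in the new workflow-level `concurrency` block applies to push runs as well as pull requests, so a second push to the same ref can cancel a run that is in the middle of publishing. This workflow also holds the nightly upload (gated on `github.event_name == 'push' && github.ref == 'refs/heads/main'`), the `pypi_release` job and the `gh release create` step, and a cancelled publish may leave a partial upload behind. Restricting cancellation to pull requests keeps the CI saving without affecting publishes: `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`. Separately, the `# zizmor: ignore[secrets-outside-env]` suppression on `anaconda_nightly_upload_token` states no reason. A one-line comment explaining why that secret is not scoped to a deployment environment, as the PyPI job's is, would let a later audit judge the exception.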