Skip to content

ci: add github actions lint (zizmor), pin actions, use uv#6172

Open
chirizxc wants to merge 21 commits into
PyO3:mainfrom
chirizxc:ci
Open

ci: add github actions lint (zizmor), pin actions, use uv#6172
chirizxc wants to merge 21 commits into
PyO3:mainfrom
chirizxc:ci

Conversation

@chirizxc

@chirizxc chirizxc commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

/close #6171

Add zizmor to CI:

  • pin all actions by commit via actions-up
  • add permissions: {} where not yet
  • use YAML anchors / ENV's for reducing duplication
  • add persist-credentials: false for actions/checkout
  • pip -> uv / uvx

@chirizxc chirizxc marked this pull request as draft June 30, 2026 11:37
@chirizxc chirizxc marked this pull request as ready for review June 30, 2026 15:48
@chirizxc chirizxc changed the title ci: update CI ci: add github actions lint (zizmor), pin actions, use uv Jul 3, 2026

@davidhewitt davidhewitt left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, generally looks great! A few thoughts / questions.

Comment on lines +18 to +21
# A small hack to use anchors as GitHub doesn't allow it to be top level
\_○_○_/: &enable-cache-save >-
${{ github.ref == 'refs/heads/main' ||
contains(github.event.pull_request.labels.*.name, 'CI-save-pr-cache') }}

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Clever trick! I'm a little worried github could break this in future, and that it might pollute env. Would it be simpler to just set it as an env var here? _PYO3_CI_ENABLE_CACHE_SAVE: ${{ github.ref ...

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For example: ${{ env._PYO3_CI_ENABLE_FAIL_FAST }} will not be available in strategy.fail-fast, since it is evaluated before the job is created, and the env context is not available at that point.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

GitHub have examples in the documentation; I don't think they'll change this behavior🧐

Comment thread .github/workflows/ci.yml
Comment thread .github/workflows/ci.yml
Comment on lines -279 to +341
secrets: inherit
secrets:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess this is just reducing the number of secrets passed down?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://docs.zizmor.sh/audits/#before_14

warning[secrets-inherit]: secrets unconditionally inherited by called workflow
   --> .github/workflows\ci.yml:330:11
    |
330 |     uses: ./.github/workflows/build.yml
    |           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this reusable workflow
...
340 |     secrets: inherit
    |     ---------------- inherits all parent secrets
    |
    = note: audit confidence → High

108 findings (29 ignored, 78 suppressed): 0 informational, 0 low, 1 medium, 0 high

Comment thread .github/workflows/ci.yml Outdated
Comment on lines +1043 to +1044
always() &&
!contains(needs.*.result, 'failure') &&

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why skip the check if a previous step failed (does GH successfully mark the check as failed?)

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just reverted it back; it looks like jq works fine

Comment thread .github/workflows/coverage-pr-base.yml Outdated
@codspeed-hq

codspeed-hq Bot commented Jul 8, 2026

Copy link
Copy Markdown

Merging this PR will improve performance by 10.06%

⚠️ Different runtime environments detected

Some benchmarks with significant performance changes were compared across different runtime environments,
which may affect the accuracy of the results.

Open the report in CodSpeed to investigate

⚡ 1 improved benchmark
✅ 139 untouched benchmarks

Performance Changes

Benchmark BASE HEAD Efficiency
ordered_richcmp 2.6 µs 2.3 µs +10.06%

Tip

Curious why this is faster? Comment @codspeedbot explain why this is faster on this PR, or directly use the CodSpeed MCP with your agent.


Comparing chirizxc:ci (9242378) with main (8fcf8fc)

Open in CodSpeed

This reverts commit 95b9db7.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

CI update's

2 participants