diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 3c045cbe..1fc044c8 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -1,5 +1,8 @@
name: CD
+permissions:
+ contents: read
+
on:
workflow_dispatch:
pull_request:
@@ -14,11 +17,11 @@ jobs:
dist:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- - uses: hynek/build-and-inspect-python-package@v2
+ - uses: hynek/build-and-inspect-python-package@b5076c307dc91924a82ad150cdd1533b444d3310 # v2.12.0
publish:
needs: [dist]
@@ -31,14 +34,14 @@ jobs:
if: github.event_name == 'release' && github.event.action == 'published'
steps:
- - uses: actions/download-artifact@v4
+ - uses: actions/download-artifact@b14cf4c92620c250e1c074ab0a5800e37df86765 # v4.2.0
with:
name: Packages
path: dist
- name: Generate artifact attestation for sdist and wheel
- uses: actions/attest-build-provenance@v2.2.3
+ uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3
with:
subject-path: "dist/*"
- - uses: pypa/gh-action-pypi-publish@release/v1
+ - uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index de8250cd..96b16c28 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,5 +1,8 @@
name: CI
+permissions:
+ contents: read
+
on:
workflow_dispatch:
pull_request:
@@ -21,16 +24,16 @@ jobs:
name: Format
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- - uses: actions/setup-python@v5
+ - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
with:
python-version: "3.x"
- - uses: pre-commit/action@v3.0.1
+ - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
with:
extra_args: --hook-stage manual --all-files
- - uses: prefix-dev/setup-pixi@v0.8.3
+ - uses: prefix-dev/setup-pixi@92815284c57faa15cd896c4d5cfb2d59f32dc43d # v0.8.3
with:
pixi-version: v0.42.1
cache: true
@@ -52,11 +55,11 @@ jobs:
runs-on: [ubuntu-latest]
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- - uses: prefix-dev/setup-pixi@v0.8.3
+ - uses: prefix-dev/setup-pixi@92815284c57faa15cd896c4d5cfb2d59f32dc43d # v0.8.3
with:
pixi-version: v0.42.1
cache: true
@@ -66,6 +69,6 @@ jobs:
run: pixi run -e ${{ matrix.environment }} tests-ci
- name: Upload coverage report
- uses: codecov/codecov-action@v5.4.0
+ uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574 # v5.4.0
with:
token: ${{ secrets.CODECOV_TOKEN }}
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
index bd29e25b..d6ac394d 100644
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -13,7 +13,7 @@ jobs:
steps:
- name: Dependabot metadata
id: metadata
- uses: dependabot/fetch-metadata@v2
+ uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7 # v2.3.0
with:
github-token: "${{ secrets.GITHUB_TOKEN }}"
- name: Enable auto-merge for Dependabot PRs
diff --git a/.github/workflows/docs-build.yml b/.github/workflows/docs-build.yml
index c850c851..1637878d 100644
--- a/.github/workflows/docs-build.yml
+++ b/.github/workflows/docs-build.yml
@@ -1,12 +1,15 @@
name: Docs Build
+permissions:
+ contents: read
+
on: [push, pull_request]
jobs:
docs-build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: prefix-dev/setup-pixi@v0.8.3
with:
pixi-version: v0.42.1
@@ -15,7 +18,7 @@ jobs:
- name: Build Docs
run: pixi run -e docs docs
- name: Upload Artifact
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
with:
name: docs-build
path: docs/build/
diff --git a/.github/workflows/docs-deploy.yml b/.github/workflows/docs-deploy.yml
index a7a8cb1c..3f7e6ed0 100644
--- a/.github/workflows/docs-deploy.yml
+++ b/.github/workflows/docs-deploy.yml
@@ -1,5 +1,8 @@
name: Docs Deploy
+permissions:
+ contents: read
+
on:
workflow_run:
workflows: ["Docs Build"]
@@ -14,9 +17,9 @@ jobs:
environment:
name: docs-deploy
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Download Artifact
- uses: dawidd6/action-download-artifact@v9
+ uses: dawidd6/action-download-artifact@07ab29fd4a977ae4d2b275087cf67563dfdf0295 # v9
with:
workflow: docs-build.yml
name: docs-build
@@ -26,7 +29,7 @@ jobs:
# See
# https://github.com/JamesIves/github-pages-deploy-action/tree/dev#using-an-ssh-deploy-key-
- name: Deploy
- uses: JamesIves/github-pages-deploy-action@v4
+ uses: JamesIves/github-pages-deploy-action@6c2d9db40f9296374acc17b90404b6e8864128c8 # v4.7.3
with:
folder: docs/build/
ssh-key: ${{ secrets.DEPLOY_KEY }}
diff --git a/README.md b/README.md
index ab42dfa0..739fdc5f 100644
--- a/README.md
+++ b/README.md
@@ -11,6 +11,7 @@
[![Conda-Forge][conda-badge]][conda-link]
[![PyPI platforms][pypi-platforms]][pypi-link]
[](https://jacobtomlinson.dev/effver)
+[](https://scientific-python.org/specs/spec-0000/)
<!-- SPHINX-START -->