From bd4cd4e4b8291592dfe7577cf81d8cb395952203 Mon Sep 17 00:00:00 2001
From: Adam Dangoor
Date: Sat, 3 Jan 2026 07:37:49 +0000
Subject: [PATCH 1/4] Make prettier more compatible with yamlfix
---
 .prettierrc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.prettierrc b/.prettierrc
index 3ab9aa054..cbaad29a4 100644
--- a/.prettierrc
+++ b/.prettierrc
@@ -3,7 +3,8 @@
 {
 "files": ["*.yaml", "*.yml"],
 "options": {
- "singleQuote": true
+ "singleQuote": true,
+ "printWidth": 100"
 }
 }
 ]
From 7b8efd4196bc2e294d038e837262531f5827b18c Mon Sep 17 00:00:00 2001
From: Adam Dangoor
Date: Sat, 3 Jan 2026 07:43:21 +0000
Subject: [PATCH 2/4] Add zizmor
---
 zizmor.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 zizmor.yml
diff --git a/zizmor.yml b/zizmor.yml
new file mode 100644
index 000000000..f63e179d2
--- /dev/null
+++ b/zizmor.yml
@@ -0,0 +1,12 @@
+---
+rules:
+ unpinned-uses:
+ disable: true
+ cache-poisoning:
+ disable: true
+ bot-conditions:
+ disable: true
+ dependabot-cooldown:
+ disable: true
+ template-injection:
+ disable: true
From 238737c408e39f68462cb32e84a629b0a0b5a765 Mon Sep 17 00:00:00 2001
From: Adam Dangoor
Date: Sat, 3 Jan 2026 07:46:46 +0000
Subject: [PATCH 3/4] Fix prettier
---
 .prettierrc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.prettierrc b/.prettierrc
index cbaad29a4..4a36aae89 100644
--- a/.prettierrc
+++ b/.prettierrc
@@ -4,7 +4,7 @@
 "files": ["*.yaml", "*.yml"],
 "options": {
 "singleQuote": true,
- "printWidth": 100"
+ "printWidth": 100
 }
 }
 ]
From 694ce56a73697dab28ca4ae97df322352752129b Mon Sep 17 00:00:00 2001
From: Adam Dangoor
Date: Sat, 3 Jan 2026 07:49:33 +0000
Subject: [PATCH 4/4] Fix zizmor
---
 .github/workflows/docker-build.yml | 5 ++++-
 .github/workflows/lint.yml | 6 ++++--
 .github/workflows/release.yml | 2 +-
 .github/workflows/test.yml | 10 ++++++++++
 4 files changed, 19 insertions(+), 4 deletions(-)
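Review bot: The new zizmor.yml (PATCH 2/4) switches off five audits for the whole repository with `disable: true`, among them `template-injection` and `unpinned-uses`, so findings of those kinds will not be reported for any current or future workflow. Prefer keeping the audits enabled and suppressing only the findings that were reviewed, using a per-rule `ignore:` list of `workflow.yml:line` entries or an inline `# zizmor: ignore[template-injection]` comment, each with a short reason. For `unpinned-uses`, a `config: policies:` block can allow `ref-pin` for owners you trust and keep `hash-pin` for the rest, which matters here because the workflows in PATCH 4/4 reference third-party actions by tag (`astral-sh/setup-uv@v7`, `docker/setup-qemu-action@v3`). If the blanket disables are meant as a temporary baseline, say so in a comment at the top of the file.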
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 63e9b6d26..ad39dd8a2 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -1,5 +1,4 @@
 ---
-
 name: Build Docker images
 # This matches the Docker image building done in the release process.
@@ -17,6 +16,8 @@ on:
 - cron: 0 1 * * *
 workflow_dispatch: {}
+permissions: {}
+
 jobs:
 build:
 name: Build Docker images
@@ -31,6 +32,8 @@ jobs:
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v3
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index c850e0fad..12b738ab7 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,5 +1,4 @@
 ---
-
 name: Lint
 on:
@@ -13,9 +12,10 @@ on:
 - cron: 0 1 * * *
 workflow_dispatch: {}
+permissions: {}
+
 jobs:
 build:
-
 strategy:
 matrix:
 python-version: ['3.13']
@@ -25,6 +25,8 @@ jobs:
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - name: Install uv
 uses: astral-sh/setup-uv@v7
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9cd203fa1..8ae91c012 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,5 +1,4 @@
 ---
-
 name: Release
 on: workflow_dispatch
@@ -29,6 +28,7 @@ jobs:
 # Also, avoids
 # https://github.com/stefanzweifel/git-auto-commit-action/issues/99.
 fetch-depth: 0
+ persist-credentials: false
 - name: Install uv
 uses: astral-sh/setup-uv@v7
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 992027cdc..386db8031 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -16,6 +16,8 @@ on:
 # workflows. We therefore want to run only one workflow at a time.
 concurrency: vuforia_credentials
+permissions: {}
+
 jobs:
 # CI tests with matrix
 ci-tests:
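Review bot: The top-level `permissions: {}` added in docker-build.yml (and in the same way in lint.yml and test.yml) carries no comment, although it removes every GITHUB_TOKEN scope from all jobs in the workflow. The job bodies lie mostly outside these hunks, so confirm that none of them depends on a default scope; a job that does should get its own job-level `permissions:` block rather than a wider workflow-level one. I would add a comment above the line, for example `# No default GITHUB_TOKEN scopes; grant per job where needed.`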
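Review bot: In release.yml the checkout now sets `persist-credentials: false`, yet the context comment refers to git-auto-commit-action and the step fetches full history with `fetch-depth: 0`, which suggests that a later step pushes commits or tags; that step is outside the hunk. Once the token is no longer stored in the local git config, such a push fails unless the pushing step is given credentials itself, so the release path should be checked end to end and the token passed only to the step that needs it. release.yml is also the only workflow in this patch that does not receive a top-level `permissions: {}`; unless a permissions block already exists outside the hunk, add one and grant `contents: write` on the release job alone.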
@@ -117,6 +119,8 @@ jobs:
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - name: Install uv
 uses: astral-sh/setup-uv@v7
@@ -186,6 +190,8 @@ jobs:
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - name: Install uv
 uses: astral-sh/setup-uv@v7
@@ -229,6 +235,8 @@ jobs:
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - name: Install uv
 uses: astral-sh/setup-uv@v7
@@ -269,6 +277,8 @@ jobs:
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - name: Install uv
 uses: astral-sh/setup-uv@v7