mirror
/
tiangolo.fastapi
mirror of https://github.com/tiangolo/fastapi
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

🔒️ Add zizmor and fix audit findings (#15316)

pull/15365/head
Motov Yurii 2 months ago
committed by GitHub
parent
708606c982
commit
3f4169be1a
No known key found for this signature in database GPG Key ID: B5690EEEBB952194
23 changed files with 266 additions and 135 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 15
      .github/dependabot.yml
  2. 8
      .github/workflows/add-to-project.yml
  3. 35
      .github/workflows/build-docs.yml
  4. 17
      .github/workflows/contributors.yml
  5. 35
      .github/workflows/deploy-docs.yml
  6. 6
      .github/workflows/detect-conflicts.yml
  7. 11
      .github/workflows/issue-manager.yml
  8. 14
      .github/workflows/label-approved.yml
  9. 8
      .github/workflows/labeler.yml
  10. 16
      .github/workflows/latest-changes.yml
  11. 17
      .github/workflows/notify-translations.yml
  12. 17
      .github/workflows/people.yml
  13. 21
      .github/workflows/pre-commit.yml
  14. 12
      .github/workflows/publish.yml
  15. 20
      .github/workflows/smokeshow.yml
  16. 17
      .github/workflows/sponsors.yml
  17. 10
      .github/workflows/test-redistribute.yml
  18. 45
      .github/workflows/test.yml
  19. 13
      .github/workflows/topic-repos.yml
  20. 33
      .github/workflows/translate.yml
  21. 10
      .pre-commit-config.yaml
  22. 1
      pyproject.toml
  23. 20
      uv.lock

15
.github/dependabot.yml
View File

@ -5,12 +5,25 @@ updates:
directory: "/" directory: "/"
schedule: schedule:
interval: "daily" interval: "daily"
cooldown:
default-days: 7
commit-message: commit-message:
prefix: prefix:
# Python # Python
- package-ecosystem: "uv" - package-ecosystem: "uv"
directory: "/" directory: "/"
schedule: schedule:
interval: "monthly" interval: "daily"
cooldown:
default-days: 7
commit-message:
prefix:
# pre-commit
- package-ecosystem: "pre-commit"
directory: "/"
schedule:
interval: "daily"
cooldown:
default-days: 7
commit-message: commit-message:
prefix: prefix:

8
.github/workflows/add-to-project.yml
View File

@ -1,18 +1,20 @@
name: Add to Project name: Add to Project
on: on:
pull_request_target: pull_request_target: # zizmor: ignore[dangerous-triggers]
issues: issues:
types: types:
- opened - opened
- reopened - reopened
permissions: {}
jobs: jobs:
add-to-project: add-to-project:
name: Add to project name: Add to project
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/[email protected] - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
with: with:
project-url: https://github.com/orgs/fastapi/projects/2 project-url: https://github.com/orgs/fastapi/projects/2
github-token: ${{ secrets.PROJECTS_TOKEN }} github-token: ${{ secrets.PROJECTS_TOKEN }} # zizmor: ignore[secrets-outside-env]

35
.github/workflows/build-docs.yml
View File

@ -8,6 +8,8 @@ on:
- opened - opened
- synchronize - synchronize
permissions: {}
jobs: jobs:
changes: changes:
runs-on: ubuntu-latest runs-on: ubuntu-latest
@ -18,9 +20,11 @@ jobs:
outputs: outputs:
docs: ${{ steps.filter.outputs.docs }} docs: ${{ steps.filter.outputs.docs }}
steps: steps:
- uses: actions/checkout@v6 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
# For pull requests it's not necessary to checkout the code but for the main branch it is # For pull requests it's not necessary to checkout the code but for the main branch it is
- uses: dorny/paths-filter@v4 - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
id: filter id: filter
with: with:
filters: | filters: |
@ -42,14 +46,17 @@ jobs:
outputs: outputs:
langs: ${{ steps.show-langs.outputs.langs }} langs: ${{ steps.show-langs.outputs.langs }}
steps: steps:
- uses: actions/checkout@v6 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Set up Python - name: Set up Python
uses: actions/setup-python@v6 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with: with:
python-version-file: ".python-version" python-version-file: ".python-version"
- name: Setup uv - name: Setup uv
uses: astral-sh/setup-uv@v7 uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
with: with:
version: "0.11.4"
enable-cache: true enable-cache: true
cache-dependency-glob: | cache-dependency-glob: |
pyproject.toml pyproject.toml
@ -75,14 +82,17 @@ jobs:
env: env:
GITHUB_CONTEXT: ${{ toJson(github) }} GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT" run: echo "$GITHUB_CONTEXT"
- uses: actions/checkout@v6 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Set up Python - name: Set up Python
uses: actions/setup-python@v6 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with: with:
python-version-file: ".python-version" python-version-file: ".python-version"
- name: Setup uv - name: Setup uv
uses: astral-sh/setup-uv@v7 uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
with: with:
version: "0.11.4"
enable-cache: true enable-cache: true
cache-dependency-glob: | cache-dependency-glob: |
pyproject.toml pyproject.toml
@ -91,13 +101,14 @@ jobs:
run: uv sync --locked --no-dev --group docs run: uv sync --locked --no-dev --group docs
- name: Update Languages - name: Update Languages
run: uv run ./scripts/docs.py update-languages run: uv run ./scripts/docs.py update-languages
- uses: actions/cache@v5 - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with: with:
key: mkdocs-cards-${{ matrix.lang }}-${{ github.ref }} key: mkdocs-cards-${{ matrix.lang }}-${{ github.ref }}
path: docs/${{ matrix.lang }}/.cache path: docs/${{ matrix.lang }}/.cache
- name: Build Docs - name: Build Docs
run: uv run ./scripts/docs.py build-lang ${{ matrix.lang }} run: | # zizmor: ignore[template-injection] - comes from trusted source
- uses: actions/upload-artifact@v7 uv run ./scripts/docs.py build-lang ${{ matrix.lang }}
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with: with:
name: docs-site-${{ matrix.lang }} name: docs-site-${{ matrix.lang }}
path: ./site/** path: ./site/**
@ -111,7 +122,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Decide whether the needed jobs succeeded or failed - name: Decide whether the needed jobs succeeded or failed
uses: re-actors/alls-green@release/v1 uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
with: with:
jobs: ${{ toJSON(needs) }} jobs: ${{ toJSON(needs) }}
allowed-skips: build-docs allowed-skips: build-docs

17
.github/workflows/contributors.yml
View File

@ -10,6 +10,8 @@ on:
required: false required: false
default: "false" default: "false"
permissions: {}
jobs: jobs:
job: job:
if: github.repository_owner == 'fastapi' if: github.repository_owner == 'fastapi'
@ -21,14 +23,17 @@ jobs:
env: env:
GITHUB_CONTEXT: ${{ toJson(github) }} GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT" run: echo "$GITHUB_CONTEXT"
- uses: actions/checkout@v6 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: true # Required for `git push` in `contributors.py`
- name: Set up Python - name: Set up Python
uses: actions/setup-python@v6 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with: with:
python-version-file: ".python-version" python-version-file: ".python-version"
- name: Setup uv - name: Setup uv
uses: astral-sh/setup-uv@v7 uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
with: with:
version: "0.11.4"
enable-cache: true enable-cache: true
cache-dependency-glob: | cache-dependency-glob: |
pyproject.toml pyproject.toml
@ -37,13 +42,13 @@ jobs:
run: uv sync --locked --no-dev --group github-actions run: uv sync --locked --no-dev --group github-actions
# Allow debugging with tmate # Allow debugging with tmate
- name: Setup tmate session - name: Setup tmate session
uses: mxschmitt/action-tmate@v3 uses: mxschmitt/action-tmate@c0afd6f790e3a5564914980036ebf83216678101 # v3.23
if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.debug_enabled == 'true' }} if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.debug_enabled == 'true' }}
with: with:
limit-access-to-actor: true limit-access-to-actor: true
env: env:
GITHUB_TOKEN: ${{ secrets.FASTAPI_PR_TOKEN }} GITHUB_TOKEN: ${{ secrets.FASTAPI_PR_TOKEN }} # zizmor: ignore[secrets-outside-env]
- name: FastAPI People Contributors - name: FastAPI People Contributors
run: uv run ./scripts/contributors.py run: uv run ./scripts/contributors.py
env: env:
GITHUB_TOKEN: ${{ secrets.FASTAPI_PR_TOKEN }} GITHUB_TOKEN: ${{ secrets.FASTAPI_PR_TOKEN }} # zizmor: ignore[secrets-outside-env]

35
.github/workflows/deploy-docs.yml
View File

@ -1,37 +1,38 @@
name: Deploy Docs name: Deploy Docs
on: on:
workflow_run: workflow_run: # zizmor: ignore[dangerous-triggers]
workflows: workflows:
- Build Docs - Build Docs
types: types:
- completed - completed
permissions: permissions: {}
deployments: write
issues: write
pull-requests: write
statuses: write
jobs: jobs:
deploy-docs: deploy-docs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
deployments: write
issues: write
pull-requests: write
statuses: write
steps: steps:
- name: Dump GitHub context - name: Dump GitHub context
env: env:
GITHUB_CONTEXT: ${{ toJson(github) }} GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT" run: echo "$GITHUB_CONTEXT"
- uses: actions/checkout@v6 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Set up Python - name: Set up Python
uses: actions/setup-python@v6 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with: with:
python-version-file: ".python-version" python-version-file: ".python-version"
- name: Setup uv - name: Setup uv
uses: astral-sh/setup-uv@v7 uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
with: with:
enable-cache: true version: "0.11.4"
cache-dependency-glob: | enable-cache: false
pyproject.toml
uv.lock
- name: Install GitHub Actions dependencies - name: Install GitHub Actions dependencies
run: uv sync --locked --no-dev --group github-actions run: uv sync --locked --no-dev --group github-actions
- name: Deploy Docs Status Pending - name: Deploy Docs Status Pending
@ -45,7 +46,7 @@ jobs:
run: | run: |
rm -rf ./site rm -rf ./site
mkdir ./site mkdir ./site
- uses: actions/download-artifact@v8 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with: with:
path: ./site/ path: ./site/
pattern: docs-site-* pattern: docs-site-*
@ -59,10 +60,10 @@ jobs:
env: env:
PROJECT_NAME: fastapitiangolo PROJECT_NAME: fastapitiangolo
BRANCH: ${{ ( github.event.workflow_run.head_repository.full_name == github.repository && github.event.workflow_run.head_branch == 'master' && 'main' ) || ( github.event.workflow_run.head_sha ) }} BRANCH: ${{ ( github.event.workflow_run.head_repository.full_name == github.repository && github.event.workflow_run.head_branch == 'master' && 'main' ) || ( github.event.workflow_run.head_sha ) }}
uses: cloudflare/wrangler-action@v3 uses: cloudflare/wrangler-action@da0e0dfe58b7a431659754fdf3f186c529afbe65 # v3.14.1
with: with:
apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }} apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }} # zizmor: ignore[secrets-outside-env]
accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }} accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }} # zizmor: ignore[secrets-outside-env]
command: pages deploy ./site --project-name=${{ env.PROJECT_NAME }} --branch=${{ env.BRANCH }} command: pages deploy ./site --project-name=${{ env.PROJECT_NAME }} --branch=${{ env.BRANCH }}
- name: Deploy Docs Status Error - name: Deploy Docs Status Error
if: failure() if: failure()

6
.github/workflows/detect-conflicts.yml
View File

@ -1,9 +1,11 @@
name: "Conflict detector" name: "Conflict detector"
on: on:
push: push:
pull_request_target: pull_request_target: # zizmor: ignore[dangerous-triggers]
types: [synchronize] types: [synchronize]
permissions: {}
jobs: jobs:
main: main:
permissions: permissions:
@ -12,7 +14,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Check if PRs have merge conflicts - name: Check if PRs have merge conflicts
uses: eps1lon/actions-label-merge-conflict@v3 uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3.0.3
with: with:
dirtyLabel: "conflicts" dirtyLabel: "conflicts"
repoToken: "${{ secrets.GITHUB_TOKEN }}" repoToken: "${{ secrets.GITHUB_TOKEN }}"

11
.github/workflows/issue-manager.yml
View File

@ -9,25 +9,26 @@ on:
issues: issues:
types: types:
- labeled - labeled
pull_request_target: pull_request_target: # zizmor: ignore[dangerous-triggers]
types: types:
- labeled - labeled
workflow_dispatch: workflow_dispatch:
permissions: permissions: {}
issues: write
pull-requests: write
jobs: jobs:
issue-manager: issue-manager:
if: github.repository_owner == 'fastapi' if: github.repository_owner == 'fastapi'
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
issues: write
pull-requests: write
steps: steps:
- name: Dump GitHub context - name: Dump GitHub context
env: env:
GITHUB_CONTEXT: ${{ toJson(github) }} GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT" run: echo "$GITHUB_CONTEXT"
- uses: tiangolo/[email protected] - uses: tiangolo/issue-manager@2fb3484ec9279485df8659e8ec73de262431737d # 0.6.0
with: with:
token: ${{ secrets.GITHUB_TOKEN }} token: ${{ secrets.GITHUB_TOKEN }}
config: > config: >

14
.github/workflows/label-approved.yml
View File

@ -5,26 +5,30 @@ on:
- cron: "0 12 * * *" - cron: "0 12 * * *"
workflow_dispatch: workflow_dispatch:
permissions: permissions: {}
pull-requests: write
jobs: jobs:
label-approved: label-approved:
if: github.repository_owner == 'fastapi' if: github.repository_owner == 'fastapi'
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
pull-requests: write
steps: steps:
- name: Dump GitHub context - name: Dump GitHub context
env: env:
GITHUB_CONTEXT: ${{ toJson(github) }} GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT" run: echo "$GITHUB_CONTEXT"
- uses: actions/checkout@v6 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Set up Python - name: Set up Python
uses: actions/setup-python@v6 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with: with:
python-version-file: ".python-version" python-version-file: ".python-version"
- name: Setup uv - name: Setup uv
uses: astral-sh/setup-uv@v7 uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
with: with:
version: "0.11.4"
enable-cache: true enable-cache: true
cache-dependency-glob: | cache-dependency-glob: |
pyproject.toml pyproject.toml

8
.github/workflows/labeler.yml
View File

@ -1,6 +1,6 @@
name: Labels name: Labels
on: on:
pull_request_target: pull_request_target: # zizmor: ignore[dangerous-triggers]
types: types:
- opened - opened
- synchronize - synchronize
@ -9,6 +9,8 @@ on:
- labeled - labeled
- unlabeled - unlabeled
permissions: {}
jobs: jobs:
labeler: labeler:
permissions: permissions:
@ -16,7 +18,7 @@ jobs:
pull-requests: write pull-requests: write
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/labeler@v6 - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
if: ${{ github.event.action != 'labeled' && github.event.action != 'unlabeled' }} if: ${{ github.event.action != 'labeled' && github.event.action != 'unlabeled' }}
- run: echo "Done adding labels" - run: echo "Done adding labels"
# Run this after labeler applied labels # Run this after labeler applied labels
@ -27,7 +29,7 @@ jobs:
pull-requests: read pull-requests: read
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: docker://agilepathway/pull-request-label-checker:latest - uses: agilepathway/label-checker@c3d16ad512e7cea5961df85ff2486bb774caf3c5 # v1.6.65
with: with:
one_of: breaking,security,feature,bug,refactor,upgrade,docs,lang-all,internal one_of: breaking,security,feature,bug,refactor,upgrade,docs,lang-all,internal
repo_token: ${{ secrets.GITHUB_TOKEN }} repo_token: ${{ secrets.GITHUB_TOKEN }}

16
.github/workflows/latest-changes.yml
View File

@ -1,7 +1,7 @@
name: Latest Changes name: Latest Changes
on: on:
pull_request_target: pull_request_target: # zizmor: ignore[dangerous-triggers]
branches: branches:
- master - master
types: types:
@ -16,27 +16,29 @@ on:
required: false required: false
default: 'false' default: 'false'
permissions: {}
jobs: jobs:
latest-changes: latest-changes:
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: github.event_name == 'workflow_dispatch' || github.event.pull_request.merged == true
steps: steps:
- name: Dump GitHub context - name: Dump GitHub context
env: env:
GITHUB_CONTEXT: ${{ toJson(github) }} GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT" run: echo "$GITHUB_CONTEXT"
# pin to actions/checkout@v5 for compatibility with latest-changes - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
# Ref: https://github.com/actions/checkout/issues/2313
- uses: actions/checkout@v5
with: with:
# To allow latest-changes to commit to the main branch # To allow latest-changes to commit to the main branch
token: ${{ secrets.FASTAPI_LATEST_CHANGES }} token: ${{ secrets.FASTAPI_LATEST_CHANGES }} # zizmor: ignore[secrets-outside-env]
persist-credentials: true # required by tiangolo/latest-changes
# Allow debugging with tmate # Allow debugging with tmate
- name: Setup tmate session - name: Setup tmate session
uses: mxschmitt/action-tmate@v3 uses: mxschmitt/action-tmate@c0afd6f790e3a5564914980036ebf83216678101 # v3.23
if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.debug_enabled == 'true' }} if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.debug_enabled == 'true' }}
with: with:
limit-access-to-actor: true limit-access-to-actor: true
- uses: tiangolo/[email protected] - uses: tiangolo/latest-changes@c9d329cb147f0ddf4fb631214e3f838ff17ccbbd # 0.4.1
with: with:
token: ${{ secrets.GITHUB_TOKEN }} token: ${{ secrets.GITHUB_TOKEN }}
latest_changes_file: docs/en/docs/release-notes.md latest_changes_file: docs/en/docs/release-notes.md

17
.github/workflows/notify-translations.yml
View File

@ -1,10 +1,12 @@
name: Notify Translations name: Notify Translations
on: on:
pull_request_target: pull_request_target: # zizmor: ignore[dangerous-triggers]
types: types:
- labeled - labeled
- closed - closed
branches:
- master
workflow_dispatch: workflow_dispatch:
inputs: inputs:
number: number:
@ -15,6 +17,8 @@ on:
required: false required: false
default: 'false' default: 'false'
permissions: {}
jobs: jobs:
job: job:
runs-on: ubuntu-latest runs-on: ubuntu-latest
@ -25,14 +29,17 @@ jobs:
env: env:
GITHUB_CONTEXT: ${{ toJson(github) }} GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT" run: echo "$GITHUB_CONTEXT"
- uses: actions/checkout@v6 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Set up Python - name: Set up Python
uses: actions/setup-python@v6 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with: with:
python-version-file: ".python-version" python-version-file: ".python-version"
- name: Setup uv - name: Setup uv
uses: astral-sh/setup-uv@v7 uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
with: with:
version: "0.11.4"
enable-cache: true enable-cache: true
cache-dependency-glob: | cache-dependency-glob: |
pyproject.toml pyproject.toml
@ -41,7 +48,7 @@ jobs:
run: uv sync --locked --no-dev --group github-actions run: uv sync --locked --no-dev --group github-actions
# Allow debugging with tmate # Allow debugging with tmate
- name: Setup tmate session - name: Setup tmate session
uses: mxschmitt/action-tmate@v3 uses: mxschmitt/action-tmate@c0afd6f790e3a5564914980036ebf83216678101 # v3.23
if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.debug_enabled == 'true' }} if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.debug_enabled == 'true' }}
with: with:
limit-access-to-actor: true limit-access-to-actor: true

17
.github/workflows/people.yml
View File

@ -10,6 +10,8 @@ on:
required: false required: false
default: "false" default: "false"
permissions: {}
jobs: jobs:
job: job:
if: github.repository_owner == 'fastapi' if: github.repository_owner == 'fastapi'
@ -21,14 +23,17 @@ jobs:
env: env:
GITHUB_CONTEXT: ${{ toJson(github) }} GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT" run: echo "$GITHUB_CONTEXT"
- uses: actions/checkout@v6 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: true # Required for `git push` in `people.py`
- name: Set up Python - name: Set up Python
uses: actions/setup-python@v6 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with: with:
python-version-file: ".python-version" python-version-file: ".python-version"
- name: Setup uv - name: Setup uv
uses: astral-sh/setup-uv@v7 uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
with: with:
version: "0.11.4"
enable-cache: true enable-cache: true
cache-dependency-glob: | cache-dependency-glob: |
pyproject.toml pyproject.toml
@ -37,14 +42,14 @@ jobs:
run: uv sync --locked --no-dev --group github-actions run: uv sync --locked --no-dev --group github-actions
# Allow debugging with tmate # Allow debugging with tmate
- name: Setup tmate session - name: Setup tmate session
uses: mxschmitt/action-tmate@v3 uses: mxschmitt/action-tmate@c0afd6f790e3a5564914980036ebf83216678101 # v3.23
if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.debug_enabled == 'true' }} if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.debug_enabled == 'true' }}
with: with:
limit-access-to-actor: true limit-access-to-actor: true
env: env:
GITHUB_TOKEN: ${{ secrets.FASTAPI_PEOPLE }} GITHUB_TOKEN: ${{ secrets.FASTAPI_PEOPLE }} # zizmor: ignore[secrets-outside-env]
- name: FastAPI People Experts - name: FastAPI People Experts
run: uv run ./scripts/people.py run: uv run ./scripts/people.py
env: env:
GITHUB_TOKEN: ${{ secrets.FASTAPI_PEOPLE }} GITHUB_TOKEN: ${{ secrets.FASTAPI_PEOPLE }} # zizmor: ignore[secrets-outside-env]
SLEEP_INTERVAL: ${{ vars.PEOPLE_SLEEP_INTERVAL }} SLEEP_INTERVAL: ${{ vars.PEOPLE_SLEEP_INTERVAL }}

21
.github/workflows/pre-commit.yml
View File

@ -6,6 +6,8 @@ on:
- opened - opened
- synchronize - synchronize
permissions: {}
env: env:
# Forks and Dependabot don't have access to secrets # Forks and Dependabot don't have access to secrets
HAS_SECRETS: ${{ secrets.PRE_COMMIT != '' }} HAS_SECRETS: ${{ secrets.PRE_COMMIT != '' }}
@ -18,7 +20,7 @@ jobs:
env: env:
GITHUB_CONTEXT: ${{ toJson(github) }} GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT" run: echo "$GITHUB_CONTEXT"
- uses: actions/checkout@v5 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
name: Checkout PR for own repo name: Checkout PR for own repo
if: env.HAS_SECRETS == 'true' if: env.HAS_SECRETS == 'true'
with: with:
@ -28,22 +30,25 @@ jobs:
# And it needs the full history to be able to compute diffs # And it needs the full history to be able to compute diffs
fetch-depth: 0 fetch-depth: 0
# A token other than the default GITHUB_TOKEN is needed to be able to trigger CI # A token other than the default GITHUB_TOKEN is needed to be able to trigger CI
token: ${{ secrets.PRE_COMMIT }} token: ${{ secrets.PRE_COMMIT }} # zizmor: ignore[secrets-outside-env]
persist-credentials: true # Required for `git push` command
# pre-commit lite ci needs the default checkout configs to work # pre-commit lite ci needs the default checkout configs to work
- uses: actions/checkout@v5 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
name: Checkout PR for fork name: Checkout PR for fork
if: env.HAS_SECRETS == 'false' if: env.HAS_SECRETS == 'false'
with: with:
# To be able to commit it needs the head branch of the PR, the remote one # To be able to commit it needs the head branch of the PR, the remote one
ref: ${{ github.event.pull_request.head.sha }} ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: Set up Python - name: Set up Python
uses: actions/setup-python@v6 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with: with:
python-version-file: ".python-version" python-version-file: ".python-version"
- name: Setup uv - name: Setup uv
uses: astral-sh/setup-uv@v7 uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
with: with:
version: "0.11.4"
cache-dependency-glob: | cache-dependency-glob: |
pyproject.toml pyproject.toml
uv.lock uv.lock
@ -51,7 +56,7 @@ jobs:
run: uv sync --locked --extra all run: uv sync --locked --extra all
- name: Run prek - pre-commit - name: Run prek - pre-commit
id: precommit id: precommit
run: uvx prek run --from-ref origin/${GITHUB_BASE_REF} --to-ref HEAD --show-diff-on-failure run: uv run prek run --from-ref origin/${GITHUB_BASE_REF} --to-ref HEAD --show-diff-on-failure
continue-on-error: true continue-on-error: true
- name: Commit and push changes - name: Commit and push changes
if: env.HAS_SECRETS == 'true' if: env.HAS_SECRETS == 'true'
@ -65,7 +70,7 @@ jobs:
git commit -m "🎨 Auto format" git commit -m "🎨 Auto format"
git push git push
fi fi
- uses: pre-commit-ci/[email protected] - uses: pre-commit-ci/lite-action@5d6cc0eb514c891a40562a58a8e71576c5c7fb43 # v1.1.0
if: env.HAS_SECRETS == 'false' if: env.HAS_SECRETS == 'false'
with: with:
msg: 🎨 Auto format msg: 🎨 Auto format
@ -85,6 +90,6 @@ jobs:
GITHUB_CONTEXT: ${{ toJson(github) }} GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT" run: echo "$GITHUB_CONTEXT"
- name: Decide whether the needed jobs succeeded or failed - name: Decide whether the needed jobs succeeded or failed
uses: re-actors/alls-green@release/v1 uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
with: with:
jobs: ${{ toJSON(needs) }} jobs: ${{ toJSON(needs) }}

12
.github/workflows/publish.yml
View File

@ -5,6 +5,8 @@ on:
types: types:
- created - created
permissions: {}
jobs: jobs:
publish: publish:
runs-on: ubuntu-latest runs-on: ubuntu-latest
@ -16,13 +18,17 @@ jobs:
env: env:
GITHUB_CONTEXT: ${{ toJson(github) }} GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT" run: echo "$GITHUB_CONTEXT"
- uses: actions/checkout@v6 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Set up Python - name: Set up Python
uses: actions/setup-python@v6 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with: with:
python-version-file: ".python-version" python-version-file: ".python-version"
- name: Install uv - name: Install uv
uses: astral-sh/setup-uv@v7 uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
with:
version: "0.11.4"
- name: Build distribution - name: Build distribution
run: uv build run: uv build
- name: Publish - name: Publish

20
.github/workflows/smokeshow.yml
View File

@ -1,34 +1,38 @@
name: Smokeshow name: Smokeshow
on: on:
workflow_run: workflow_run: # zizmor: ignore[dangerous-triggers]
workflows: [Test] workflows: [Test]
types: [completed] types: [completed]
permissions: permissions: {}
statuses: write
jobs: jobs:
smokeshow: smokeshow:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
statuses: write
steps: steps:
- name: Dump GitHub context - name: Dump GitHub context
env: env:
GITHUB_CONTEXT: ${{ toJson(github) }} GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT" run: echo "$GITHUB_CONTEXT"
- uses: actions/checkout@v6 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/setup-python@v6 with:
persist-credentials: false
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with: with:
python-version-file: ".python-version" python-version-file: ".python-version"
- name: Setup uv - name: Setup uv
uses: astral-sh/setup-uv@v7 uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
with: with:
version: "0.11.4"
cache-dependency-glob: | cache-dependency-glob: |
pyproject.toml pyproject.toml
uv.lock uv.lock
- run: uv sync --locked --no-dev --group github-actions - run: uv sync --locked --no-dev --group github-actions
- uses: actions/download-artifact@v8 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with: with:
name: coverage-html name: coverage-html
path: htmlcov path: htmlcov
@ -51,4 +55,4 @@ jobs:
SMOKESHOW_GITHUB_CONTEXT: coverage SMOKESHOW_GITHUB_CONTEXT: coverage
SMOKESHOW_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} SMOKESHOW_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SMOKESHOW_GITHUB_PR_HEAD_SHA: ${{ github.event.workflow_run.head_sha }} SMOKESHOW_GITHUB_PR_HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
SMOKESHOW_AUTH_KEY: ${{ secrets.SMOKESHOW_AUTH_KEY }} SMOKESHOW_AUTH_KEY: ${{ secrets.SMOKESHOW_AUTH_KEY }} # zizmor: ignore[secrets-outside-env]

17
.github/workflows/sponsors.yml
View File

@ -10,6 +10,8 @@ on:
required: false required: false
default: "false" default: "false"
permissions: {}
jobs: jobs:
job: job:
if: github.repository_owner == 'fastapi' if: github.repository_owner == 'fastapi'
@ -21,14 +23,17 @@ jobs:
env: env:
GITHUB_CONTEXT: ${{ toJson(github) }} GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT" run: echo "$GITHUB_CONTEXT"
- uses: actions/checkout@v6 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: true # Required for `git push` in `sponsors.py`
- name: Set up Python - name: Set up Python
uses: actions/setup-python@v6 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with: with:
python-version-file: ".python-version" python-version-file: ".python-version"
- name: Setup uv - name: Setup uv
uses: astral-sh/setup-uv@v7 uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
with: with:
version: "0.11.4"
enable-cache: true enable-cache: true
cache-dependency-glob: | cache-dependency-glob: |
pyproject.toml pyproject.toml
@ -37,12 +42,12 @@ jobs:
run: uv sync --locked --no-dev --group github-actions run: uv sync --locked --no-dev --group github-actions
# Allow debugging with tmate # Allow debugging with tmate
- name: Setup tmate session - name: Setup tmate session
uses: mxschmitt/action-tmate@v3 uses: mxschmitt/action-tmate@c0afd6f790e3a5564914980036ebf83216678101 # v3.23
if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.debug_enabled == 'true' }} if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.debug_enabled == 'true' }}
with: with:
limit-access-to-actor: true limit-access-to-actor: true
- name: FastAPI People Sponsors - name: FastAPI People Sponsors
run: uv run ./scripts/sponsors.py run: uv run ./scripts/sponsors.py
env: env:
SPONSORS_TOKEN: ${{ secrets.SPONSORS_TOKEN }} SPONSORS_TOKEN: ${{ secrets.SPONSORS_TOKEN }} # zizmor: ignore[secrets-outside-env]
PR_TOKEN: ${{ secrets.FASTAPI_PR_TOKEN }} PR_TOKEN: ${{ secrets.FASTAPI_PR_TOKEN }} # zizmor: ignore[secrets-outside-env]

10
.github/workflows/test-redistribute.yml
View File

@ -9,6 +9,8 @@ on:
- opened - opened
- synchronize - synchronize
permissions: {}
jobs: jobs:
test-redistribute: test-redistribute:
runs-on: ubuntu-latest runs-on: ubuntu-latest
@ -17,9 +19,11 @@ jobs:
env: env:
GITHUB_CONTEXT: ${{ toJson(github) }} GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT" run: echo "$GITHUB_CONTEXT"
- uses: actions/checkout@v6 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Set up Python - name: Set up Python
uses: actions/setup-python@v6 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with: with:
python-version-file: ".python-version" python-version-file: ".python-version"
- name: Install build dependencies - name: Install build dependencies
@ -55,6 +59,6 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Decide whether the needed jobs succeeded or failed - name: Decide whether the needed jobs succeeded or failed
uses: re-actors/alls-green@release/v1 uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
with: with:
jobs: ${{ toJSON(needs) }} jobs: ${{ toJSON(needs) }}

45
.github/workflows/test.yml
View File

@ -12,6 +12,8 @@ on:
# cron every week on monday # cron every week on monday
- cron: "0 0 * * 1" - cron: "0 0 * * 1"
permissions: {}
env: env:
UV_NO_SYNC: true UV_NO_SYNC: true
INLINE_SNAPSHOT_DEFAULT_FLAGS: review INLINE_SNAPSHOT_DEFAULT_FLAGS: review
@ -26,9 +28,11 @@ jobs:
outputs: outputs:
src: ${{ steps.filter.outputs.src }} src: ${{ steps.filter.outputs.src }}
steps: steps:
- uses: actions/checkout@v6 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
# For pull requests it's not necessary to checkout the code but for the main branch it is # For pull requests it's not necessary to checkout the code but for the main branch it is
- uses: dorny/paths-filter@v4 - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
id: filter id: filter
with: with:
filters: | filters: |
@ -99,14 +103,17 @@ jobs:
env: env:
GITHUB_CONTEXT: ${{ toJson(github) }} GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT" run: echo "$GITHUB_CONTEXT"
- uses: actions/checkout@v6 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Set up Python - name: Set up Python
uses: actions/setup-python@v6 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with: with:
python-version: ${{ matrix.python-version }} python-version: ${{ matrix.python-version }}
- name: Setup uv - name: Setup uv
uses: astral-sh/setup-uv@v7 uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
with: with:
version: "0.11.4"
enable-cache: true enable-cache: true
cache-dependency-glob: | cache-dependency-glob: |
pyproject.toml pyproject.toml
@ -134,7 +141,7 @@ jobs:
# Do not store coverage for all possible combinations to avoid file size max errors in Smokeshow # Do not store coverage for all possible combinations to avoid file size max errors in Smokeshow
- name: Store coverage files - name: Store coverage files
if: matrix.coverage == 'coverage' if: matrix.coverage == 'coverage'
uses: actions/upload-artifact@v7 uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with: with:
name: coverage-${{ runner.os }}-${{ matrix.python-version }}-${{ matrix.deprecated-tests}}-${{ hashFiles('**/coverage/.coverage.*') }} name: coverage-${{ runner.os }}-${{ matrix.python-version }}-${{ matrix.deprecated-tests}}-${{ hashFiles('**/coverage/.coverage.*') }}
path: coverage path: coverage
@ -153,14 +160,17 @@ jobs:
env: env:
GITHUB_CONTEXT: ${{ toJson(github) }} GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT" run: echo "$GITHUB_CONTEXT"
- uses: actions/checkout@v6 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Set up Python - name: Set up Python
uses: actions/setup-python@v6 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with: with:
python-version: "3.13" python-version: "3.13"
- name: Setup uv - name: Setup uv
uses: astral-sh/setup-uv@v7 uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
with: with:
version: "0.11.4"
enable-cache: true enable-cache: true
cache-dependency-glob: | cache-dependency-glob: |
pyproject.toml pyproject.toml
@ -168,7 +178,7 @@ jobs:
- name: Install Dependencies - name: Install Dependencies
run: uv sync --no-dev --group tests --extra all run: uv sync --no-dev --group tests --extra all
- name: CodSpeed benchmarks - name: CodSpeed benchmarks
uses: CodSpeedHQ/action@v4 uses: CodSpeedHQ/action@1c8ae4843586d3ba879736b7f6b7b0c990757fab # v4.12.1
with: with:
mode: simulation mode: simulation
run: uv run --no-sync pytest tests/benchmarks --codspeed run: uv run --no-sync pytest tests/benchmarks --codspeed
@ -182,13 +192,16 @@ jobs:
env: env:
GITHUB_CONTEXT: ${{ toJson(github) }} GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT" run: echo "$GITHUB_CONTEXT"
- uses: actions/checkout@v6 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/setup-python@v6 with:
persist-credentials: false
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with: with:
python-version-file: ".python-version" python-version-file: ".python-version"
- name: Setup uv - name: Setup uv
uses: astral-sh/setup-uv@v7 uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
with: with:
version: "0.11.4"
enable-cache: true enable-cache: true
cache-dependency-glob: | cache-dependency-glob: |
pyproject.toml pyproject.toml
@ -196,7 +209,7 @@ jobs:
- name: Install Dependencies - name: Install Dependencies
run: uv sync --locked --no-dev --group tests --extra all run: uv sync --locked --no-dev --group tests --extra all
- name: Get coverage files - name: Get coverage files
uses: actions/download-artifact@v8 uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with: with:
pattern: coverage-* pattern: coverage-*
path: coverage path: coverage
@ -205,7 +218,7 @@ jobs:
- run: uv run coverage combine coverage - run: uv run coverage combine coverage
- run: uv run coverage html --title "Coverage for ${{ github.sha }}" - run: uv run coverage html --title "Coverage for ${{ github.sha }}"
- name: Store coverage HTML - name: Store coverage HTML
uses: actions/upload-artifact@v7 uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with: with:
name: coverage-html name: coverage-html
path: htmlcov path: htmlcov
@ -225,7 +238,7 @@ jobs:
GITHUB_CONTEXT: ${{ toJson(github) }} GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT" run: echo "$GITHUB_CONTEXT"
- name: Decide whether the needed jobs succeeded or failed - name: Decide whether the needed jobs succeeded or failed
uses: re-actors/alls-green@release/v1 uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
with: with:
jobs: ${{ toJSON(needs) }} jobs: ${{ toJSON(needs) }}
allowed-skips: coverage-combine,test,benchmark allowed-skips: coverage-combine,test,benchmark

13
.github/workflows/topic-repos.yml
View File

@ -5,6 +5,8 @@ on:
- cron: "0 12 1 * *" - cron: "0 12 1 * *"
workflow_dispatch: workflow_dispatch:
permissions: {}
jobs: jobs:
topic-repos: topic-repos:
if: github.repository_owner == 'fastapi' if: github.repository_owner == 'fastapi'
@ -16,14 +18,17 @@ jobs:
env: env:
GITHUB_CONTEXT: ${{ toJson(github) }} GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT" run: echo "$GITHUB_CONTEXT"
- uses: actions/checkout@v6 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: true # Required for `git push` in `topic_repos.py`
- name: Set up Python - name: Set up Python
uses: actions/setup-python@v6 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with: with:
python-version-file: ".python-version" python-version-file: ".python-version"
- name: Setup uv - name: Setup uv
uses: astral-sh/setup-uv@v7 uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
with: with:
version: "0.11.4"
enable-cache: true enable-cache: true
cache-dependency-glob: | cache-dependency-glob: |
pyproject.toml pyproject.toml
@ -33,4 +38,4 @@ jobs:
- name: Update Topic Repos - name: Update Topic Repos
run: uv run ./scripts/topic_repos.py run: uv run ./scripts/topic_repos.py
env: env:
GITHUB_TOKEN: ${{ secrets.FASTAPI_PR_TOKEN }} GITHUB_TOKEN: ${{ secrets.FASTAPI_PR_TOKEN }} # zizmor: ignore[secrets-outside-env]

33
.github/workflows/translate.yml
View File

@ -41,6 +41,8 @@ on:
required: false required: false
default: 10 default: 10
permissions: {}
jobs: jobs:
langs: langs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
@ -48,14 +50,17 @@ jobs:
langs: ${{ steps.show-langs.outputs.langs }} langs: ${{ steps.show-langs.outputs.langs }}
commands: ${{ steps.show-langs.outputs.commands }} commands: ${{ steps.show-langs.outputs.commands }}
steps: steps:
- uses: actions/checkout@v6 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Set up Python - name: Set up Python
uses: actions/setup-python@v6 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with: with:
python-version-file: ".python-version" python-version-file: ".python-version"
- name: Setup uv - name: Setup uv
uses: astral-sh/setup-uv@v7 uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
with: with:
version: "0.11.4"
cache-dependency-glob: | cache-dependency-glob: |
pyproject.toml pyproject.toml
uv.lock uv.lock
@ -78,23 +83,23 @@ jobs:
matrix: matrix:
lang: ${{ fromJson(needs.langs.outputs.langs) }} lang: ${{ fromJson(needs.langs.outputs.langs) }}
command: ${{ fromJson(needs.langs.outputs.commands) }} command: ${{ fromJson(needs.langs.outputs.commands) }}
permissions:
contents: write
steps: steps:
- name: Dump GitHub context - name: Dump GitHub context
env: env:
GITHUB_CONTEXT: ${{ toJson(github) }} GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT" run: echo "$GITHUB_CONTEXT"
- uses: actions/checkout@v6 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: Set up Python - name: Set up Python
uses: actions/setup-python@v6 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with: with:
python-version-file: ".python-version" python-version-file: ".python-version"
- name: Setup uv - name: Setup uv
uses: astral-sh/setup-uv@v7 uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
with: with:
version: "0.11.4"
cache-dependency-glob: | cache-dependency-glob: |
pyproject.toml pyproject.toml
uv.lock uv.lock
@ -102,20 +107,20 @@ jobs:
run: uv sync --locked --no-dev --group github-actions --group translations run: uv sync --locked --no-dev --group github-actions --group translations
# Allow debugging with tmate # Allow debugging with tmate
- name: Setup tmate session - name: Setup tmate session
uses: mxschmitt/action-tmate@v3 uses: mxschmitt/action-tmate@c0afd6f790e3a5564914980036ebf83216678101 # v3.23
if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.debug_enabled == 'true' }} if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.debug_enabled == 'true' }}
with: with:
limit-access-to-actor: true limit-access-to-actor: true
env: env:
GITHUB_TOKEN: ${{ secrets.FASTAPI_TRANSLATIONS }} GITHUB_TOKEN: ${{ secrets.FASTAPI_TRANSLATIONS }} # zizmor: ignore[secrets-outside-env]
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} # zizmor: ignore[secrets-outside-env]
- name: FastAPI Translate - name: FastAPI Translate
run: | run: |
uv run ./scripts/translate.py ${{ matrix.command }} uv run ./scripts/translate.py "$COMMAND"
uv run ./scripts/translate.py make-pr uv run ./scripts/translate.py make-pr
env: env:
GITHUB_TOKEN: ${{ secrets.FASTAPI_TRANSLATIONS }} GITHUB_TOKEN: ${{ secrets.FASTAPI_TRANSLATIONS }} # zizmor: ignore[secrets-outside-env]
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} # zizmor: ignore[secrets-outside-env]
LANGUAGE: ${{ matrix.lang }} LANGUAGE: ${{ matrix.lang }}
EN_PATH: ${{ github.event.inputs.en_path }} EN_PATH: ${{ github.event.inputs.en_path }}
COMMAND: ${{ matrix.command }} COMMAND: ${{ matrix.command }}

10
.pre-commit-config.yaml
View File

@ -2,7 +2,7 @@
# See https://pre-commit.com/hooks.html for more hooks # See https://pre-commit.com/hooks.html for more hooks
repos: repos:
- repo: https://github.com/pre-commit/pre-commit-hooks - repo: https://github.com/pre-commit/pre-commit-hooks
rev: v6.0.0 rev: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c # v6.0.0
hooks: hooks:
- id: check-added-large-files - id: check-added-large-files
args: ['--maxkb=750'] args: ['--maxkb=750']
@ -85,3 +85,11 @@ repos:
entry: uv run python scripts/add_latest_release_date.py entry: uv run python scripts/add_latest_release_date.py
files: ^docs/en/docs/release-notes\.md$ files: ^docs/en/docs/release-notes\.md$
pass_filenames: false pass_filenames: false
- id: zizmor
name: zizmor
language: python
entry: uv run zizmor .
files: ^\.github\/workflows\/
require_serial: true
pass_filenames: false

1
pyproject.toml
View File

@ -126,6 +126,7 @@ dev = [
{ include-group = "translations" }, { include-group = "translations" },
"playwright >=1.57.0", "playwright >=1.57.0",
"prek >=0.2.22", "prek >=0.2.22",
"zizmor >=1.23.1",
] ]
docs = [ docs = [
{ include-group = "docs-tests" }, { include-group = "docs-tests" },

20
uv.lock
View File

@ -1154,6 +1154,7 @@ dev = [
{ name = "strawberry-graphql" }, { name = "strawberry-graphql" },
{ name = "ty" }, { name = "ty" },
{ name = "typer" }, { name = "typer" },
{ name = "zizmor" },
] ]
docs = [ docs = [
{ name = "black" }, { name = "black" },
@ -1296,6 +1297,7 @@ dev = [
{ name = "strawberry-graphql", specifier = ">=0.200.0,<1.0.0" }, { name = "strawberry-graphql", specifier = ">=0.200.0,<1.0.0" },
{ name = "ty", specifier = ">=0.0.9" }, { name = "ty", specifier = ">=0.0.9" },
{ name = "typer", specifier = ">=0.21.1" }, { name = "typer", specifier = ">=0.21.1" },
{ name = "zizmor", specifier = ">=1.23.1" },
] ]
docs = [ docs = [
{ name = "black", specifier = ">=25.1.0" }, { name = "black", specifier = ">=25.1.0" },
@ -5997,3 +5999,21 @@ sdist = { url = "https://files.pythonhosted.org/packages/e3/02/0f2892c661036d50e
wheels = [ wheels = [
{ url = "https://files.pythonhosted.org/packages/2e/54/647ade08bf0db230bfea292f893923872fd20be6ac6f53b2b936ba839d75/zipp-3.23.0-py3-none-any.whl", hash = "sha256:071652d6115ed432f5ce1d34c336c0adfd6a884660d1e9712a256d3d3bd4b14e", size = 10276, upload-time = "2025-06-08T17:06:38.034Z" }, { url = "https://files.pythonhosted.org/packages/2e/54/647ade08bf0db230bfea292f893923872fd20be6ac6f53b2b936ba839d75/zipp-3.23.0-py3-none-any.whl", hash = "sha256:071652d6115ed432f5ce1d34c336c0adfd6a884660d1e9712a256d3d3bd4b14e", size = 10276, upload-time = "2025-06-08T17:06:38.034Z" },
] ]
[[package]]
name = "zizmor"
version = "1.23.1"
source = { registry = "https://pypi.org/simple" }
sdist = { url = "https://files.pythonhosted.org/packages/9e/58/d0228b1332f001f905d3cdd288a878d339e740ef8a92c321696a7359bdcd/zizmor-1.23.1.tar.gz", hash = "sha256:eb9871f1de004d8c6e35ff403bd6a41c495062736e78b9c4a98988970c598639", size = 463942, upload-time = "2026-03-08T16:57:29.065Z" }
wheels = [
{ url = "https://files.pythonhosted.org/packages/49/57/32893d3370aa39f140934ee346a77aff1bc38d1de5248b9385dfcea612b7/zizmor-1.23.1-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:85f222eb610379aeeea76e4dc616621fdae9f21db77d1b006820452cafa739eb", size = 9085239, upload-time = "2026-03-08T16:57:32.241Z" },
{ url = "https://files.pythonhosted.org/packages/e3/43/037b68a2d173a44286f27c5c47e219d8beba758a323e1642770956831732/zizmor-1.23.1-py3-none-macosx_11_0_arm64.whl", hash = "sha256:82a7925bbdbc69713cbeb19ec90012cba3b92e3ace65ae60088e9604c5724182", size = 8657180, upload-time = "2026-03-08T16:57:23.078Z" },
{ url = "https://files.pythonhosted.org/packages/e5/37/322ec0e8b8d39a7de30290b754bd564c0b1c432d72f7b7aa011eca87cc7b/zizmor-1.23.1-py3-none-manylinux_2_24_aarch64.whl", hash = "sha256:19af913bb4bcd6dfeea41477fcf203d69e053f4b14a2b35690485c44ffa6c4a7", size = 8788247, upload-time = "2026-03-08T16:57:18.477Z" },
{ url = "https://files.pythonhosted.org/packages/3f/e7/5ca6f7d56741b190c6d7d3721eb98c66e23fb68d64e6886c92993e049f36/zizmor-1.23.1-py3-none-manylinux_2_28_armv7l.whl", hash = "sha256:08ae0d8f4d665f6cf9b475913c64d2193d52ffc6f02ce66d4dcfd1b92daf4f82", size = 8374212, upload-time = "2026-03-08T16:57:25.437Z" },
{ url = "https://files.pythonhosted.org/packages/d4/a5/a3784392aeaca14d65c5e5efa2795d887ba24db4871a942e06a99f90a3c8/zizmor-1.23.1-py3-none-manylinux_2_28_x86_64.whl", hash = "sha256:08233d0d25947e43ac92374f22383c04e43f351f44bc44d60b3c0695157c0f3e", size = 9230697, upload-time = "2026-03-08T16:57:34.425Z" },
{ url = "https://files.pythonhosted.org/packages/b6/0d/4475ded1664262af70525700e158c3156653391770159d65cd80245fb68e/zizmor-1.23.1-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:795e04dff47ca1d1b0af2d7a5d3a96909a18d5fa80548534951efb24af6ec83e", size = 8820009, upload-time = "2026-03-08T16:57:36.865Z" },
{ url = "https://files.pythonhosted.org/packages/a8/ef/818c68d9b407e3d02fbe7e39ad73750846d19afad50c4c9ad86455214fc2/zizmor-1.23.1-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:c62059c75100d0bc1a19cd95a6dce9b93ac5ab2e7d7bcdd974c51b2c5eb503e3", size = 8331336, upload-time = "2026-03-08T16:57:20.825Z" },
{ url = "https://files.pythonhosted.org/packages/28/bb/1c984e1474fcf5f08e5847838007668d2682e1fcbc109d481967736ab18f/zizmor-1.23.1-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:cf0dc93171e9ae7b822041471715ea7a9f5ebefa6865ceb6d1a39729a982d770", size = 9314682, upload-time = "2026-03-08T16:57:27.361Z" },
{ url = "https://files.pythonhosted.org/packages/fb/26/10f597f9b19ecd7bece2a1eb7d1ca1bd09d089d750d70365c76118056ec1/zizmor-1.23.1-py3-none-win32.whl", hash = "sha256:229c6b275941a18b03eef0ba5d24089dfbbe4fc34633a6b22bf924294ef69cde", size = 7464678, upload-time = "2026-03-08T16:57:30.569Z" },
{ url = "https://files.pythonhosted.org/packages/04/25/14071ea8ab5ebde85391d27e9de060d8a31a44eea448aba8d8bdd30693b3/zizmor-1.23.1-py3-none-win_amd64.whl", hash = "sha256:dc9befe3c08fea7d0fa3a0bc98073fadf31a77f0572b1f7931e1ff300337fe11", size = 8506938, upload-time = "2026-03-08T16:57:15.787Z" },
]

Write Preview
Loading…
Cancel
Save