diff --git a/.github/workflows/add-to-project.yml b/.github/workflows/add-to-project.yml index 318c3c2fb0..35d089860c 100644 --- a/.github/workflows/add-to-project.yml +++ b/.github/workflows/add-to-project.yml @@ -13,6 +13,7 @@ jobs: add-to-project: name: Add to project runs-on: ubuntu-latest + timeout-minutes: 5 steps: - uses: actions/add-to-project@5afcf98fcd03f1c2f92c3c83f58ae24323cc57fd # v2.0.0 with: diff --git a/.github/workflows/build-docs.yml b/.github/workflows/build-docs.yml index f30ea3bef9..128b69e94d 100644 --- a/.github/workflows/build-docs.yml +++ b/.github/workflows/build-docs.yml @@ -16,6 +16,7 @@ jobs: # Required permissions permissions: pull-requests: read + timeout-minutes: 5 # Set job outputs to values from filter step outputs: docs: ${{ steps.filter.outputs.docs }} @@ -42,6 +43,7 @@ jobs: - changes if: ${{ needs.changes.outputs.docs == 'true' }} runs-on: ubuntu-latest + timeout-minutes: 5 outputs: langs: ${{ steps.show-langs.outputs.langs }} steps: @@ -55,6 +57,8 @@ jobs: - name: Setup uv uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 with: + # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum. + # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837 version: "0.11.4" enable-cache: true cache-dependency-glob: | @@ -73,6 +77,7 @@ jobs: - langs if: ${{ needs.changes.outputs.docs == 'true' }} runs-on: ubuntu-latest + timeout-minutes: 7 strategy: matrix: lang: ${{ fromJson(needs.langs.outputs.langs) }} @@ -91,6 +96,8 @@ jobs: - name: Setup uv uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 with: + # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum. + # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837 version: "0.11.4" enable-cache: true cache-dependency-glob: | diff --git a/.github/workflows/contributors.yml b/.github/workflows/contributors.yml index 17649a653d..cc963ee55b 100644 --- a/.github/workflows/contributors.yml +++ b/.github/workflows/contributors.yml @@ -33,6 +33,8 @@ jobs: - name: Setup uv uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 with: + # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum. + # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837 version: "0.11.4" enable-cache: true cache-dependency-glob: | diff --git a/.github/workflows/deploy-docs.yml b/.github/workflows/deploy-docs.yml index be1d93b305..1009ec6aaf 100644 --- a/.github/workflows/deploy-docs.yml +++ b/.github/workflows/deploy-docs.yml @@ -16,6 +16,7 @@ jobs: issues: write pull-requests: write statuses: write + timeout-minutes: 5 steps: - name: Dump GitHub context env: @@ -31,6 +32,8 @@ jobs: - name: Setup uv uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 with: + # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum. + # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837 version: "0.11.4" enable-cache: false - name: Install GitHub Actions dependencies diff --git a/.github/workflows/detect-conflicts.yml b/.github/workflows/detect-conflicts.yml index 38d526bd9b..b824f8ae3a 100644 --- a/.github/workflows/detect-conflicts.yml +++ b/.github/workflows/detect-conflicts.yml @@ -12,6 +12,7 @@ jobs: contents: read pull-requests: write runs-on: ubuntu-latest + timeout-minutes: 5 steps: - name: Check if PRs have merge conflicts uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3.0.3 diff --git a/.github/workflows/guard-dependencies.yml b/.github/workflows/guard-dependencies.yml index c3f97c3752..142c7e50ed 100644 --- a/.github/workflows/guard-dependencies.yml +++ b/.github/workflows/guard-dependencies.yml @@ -15,6 +15,7 @@ permissions: jobs: check-author: runs-on: ubuntu-latest + timeout-minutes: 5 steps: - name: Check if author is org member or allowed bot uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 diff --git a/.github/workflows/issue-manager.yml b/.github/workflows/issue-manager.yml index c0ffd7ac70..fca3f1f2f8 100644 --- a/.github/workflows/issue-manager.yml +++ b/.github/workflows/issue-manager.yml @@ -23,6 +23,7 @@ jobs: permissions: issues: write pull-requests: write + timeout-minutes: 5 steps: - name: Dump GitHub context env: diff --git a/.github/workflows/label-approved.yml b/.github/workflows/label-approved.yml index e8ad87439c..55ec5c1c14 100644 --- a/.github/workflows/label-approved.yml +++ b/.github/workflows/label-approved.yml @@ -13,6 +13,7 @@ jobs: runs-on: ubuntu-latest permissions: pull-requests: write + timeout-minutes: 7 steps: - name: Dump GitHub context env: @@ -28,6 +29,8 @@ jobs: - name: Setup uv uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 with: + # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum. + # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837 version: "0.11.4" enable-cache: true cache-dependency-glob: | diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 2072a3f0b9..5b7524f25e 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -17,6 +17,7 @@ jobs: contents: read pull-requests: write runs-on: ubuntu-latest + timeout-minutes: 5 steps: - uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6.1.0 if: ${{ github.event.action != 'labeled' && github.event.action != 'unlabeled' }} @@ -28,6 +29,7 @@ jobs: permissions: pull-requests: read runs-on: ubuntu-latest + timeout-minutes: 5 steps: - uses: agilepathway/label-checker@c3d16ad512e7cea5961df85ff2486bb774caf3c5 # v1.6.65 with: diff --git a/.github/workflows/latest-changes.yml b/.github/workflows/latest-changes.yml index aaa12c17d5..12bc676865 100644 --- a/.github/workflows/latest-changes.yml +++ b/.github/workflows/latest-changes.yml @@ -22,6 +22,7 @@ jobs: latest-changes: runs-on: ubuntu-latest if: github.event_name == 'workflow_dispatch' || github.event.pull_request.merged == true + timeout-minutes: 5 steps: - name: Dump GitHub context env: diff --git a/.github/workflows/notify-translations.yml b/.github/workflows/notify-translations.yml index 9b8c6d7f1e..820ac70406 100644 --- a/.github/workflows/notify-translations.yml +++ b/.github/workflows/notify-translations.yml @@ -24,6 +24,7 @@ jobs: runs-on: ubuntu-latest permissions: discussions: write + timeout-minutes: 5 steps: - name: Dump GitHub context env: @@ -39,6 +40,8 @@ jobs: - name: Setup uv uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 with: + # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum. + # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837 version: "0.11.4" enable-cache: true cache-dependency-glob: | diff --git a/.github/workflows/people.yml b/.github/workflows/people.yml index d3baec1d06..b9c0502a52 100644 --- a/.github/workflows/people.yml +++ b/.github/workflows/people.yml @@ -33,6 +33,8 @@ jobs: - name: Setup uv uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 with: + # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum. + # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837 version: "0.11.4" enable-cache: true cache-dependency-glob: | diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index 5e358e8f27..1e156b2499 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -15,6 +15,7 @@ env: jobs: pre-commit: runs-on: ubuntu-latest + timeout-minutes: 5 steps: - name: Dump GitHub context env: @@ -48,6 +49,8 @@ jobs: - name: Setup uv uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 with: + # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum. + # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837 version: "0.11.4" cache-dependency-glob: | pyproject.toml @@ -84,6 +87,7 @@ jobs: needs: - pre-commit runs-on: ubuntu-latest + timeout-minutes: 5 steps: - name: Dump GitHub context env: diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index f7f180e8e2..307b3cb3c0 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -13,6 +13,7 @@ jobs: permissions: id-token: write contents: read + timeout-minutes: 5 steps: - name: Dump GitHub context env: @@ -28,6 +29,8 @@ jobs: - name: Install uv uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 with: + # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum. + # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837 version: "0.11.4" enable-cache: "false" - name: Build distribution diff --git a/.github/workflows/smokeshow.yml b/.github/workflows/smokeshow.yml index c177b7390b..27bb8b195c 100644 --- a/.github/workflows/smokeshow.yml +++ b/.github/workflows/smokeshow.yml @@ -12,6 +12,7 @@ jobs: runs-on: ubuntu-latest permissions: statuses: write + timeout-minutes: 5 steps: - name: Dump GitHub context @@ -27,6 +28,8 @@ jobs: - name: Setup uv uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 with: + # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum. + # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837 version: "0.11.4" cache-dependency-glob: | pyproject.toml diff --git a/.github/workflows/sponsors.yml b/.github/workflows/sponsors.yml index b1ab7f11d8..f1538caef1 100644 --- a/.github/workflows/sponsors.yml +++ b/.github/workflows/sponsors.yml @@ -18,6 +18,7 @@ jobs: runs-on: ubuntu-latest permissions: contents: write + timeout-minutes: 5 steps: - name: Dump GitHub context env: @@ -33,6 +34,8 @@ jobs: - name: Setup uv uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 with: + # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum. + # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837 version: "0.11.4" enable-cache: true cache-dependency-glob: | diff --git a/.github/workflows/test-redistribute.yml b/.github/workflows/test-redistribute.yml index fad16fb2cd..c78fbff565 100644 --- a/.github/workflows/test-redistribute.yml +++ b/.github/workflows/test-redistribute.yml @@ -14,6 +14,7 @@ permissions: {} jobs: test-redistribute: runs-on: ubuntu-latest + timeout-minutes: 5 steps: - name: Dump GitHub context env: @@ -57,6 +58,7 @@ jobs: needs: - test-redistribute runs-on: ubuntu-latest + timeout-minutes: 5 steps: - name: Decide whether the needed jobs succeeded or failed uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index edcc49b309..c0c2bd540a 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -25,6 +25,7 @@ jobs: permissions: pull-requests: read # Set job outputs to values from filter step + timeout-minutes: 5 outputs: src: ${{ steps.filter.outputs.src }} steps: @@ -50,6 +51,7 @@ jobs: needs: - changes if: needs.changes.outputs.src == 'true' || github.ref == 'refs/heads/master' + timeout-minutes: 10 strategy: matrix: os: [ windows-latest, macos-latest ] @@ -118,6 +120,8 @@ jobs: - name: Setup uv uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 with: + # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum. + # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837 version: "0.11.4" enable-cache: true cache-dependency-glob: | @@ -161,6 +165,7 @@ jobs: - changes if: needs.changes.outputs.src == 'true' || github.ref == 'refs/heads/master' runs-on: ubuntu-latest + timeout-minutes: 5 env: UV_PYTHON: "3.13" UV_RESOLUTION: highest @@ -179,6 +184,8 @@ jobs: - name: Setup uv uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 with: + # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum. + # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837 version: "0.11.4" enable-cache: true cache-dependency-glob: | @@ -196,6 +203,7 @@ jobs: needs: - test runs-on: ubuntu-latest + timeout-minutes: 5 steps: - name: Dump GitHub context env: @@ -210,6 +218,8 @@ jobs: - name: Setup uv uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 with: + # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum. + # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837 version: "0.11.4" enable-cache: true cache-dependency-glob: | @@ -241,6 +251,7 @@ jobs: - coverage-combine - benchmark runs-on: ubuntu-latest + timeout-minutes: 5 steps: - name: Dump GitHub context env: diff --git a/.github/workflows/topic-repos.yml b/.github/workflows/topic-repos.yml index 69bfdaff9d..1b34f1f58f 100644 --- a/.github/workflows/topic-repos.yml +++ b/.github/workflows/topic-repos.yml @@ -13,6 +13,7 @@ jobs: runs-on: ubuntu-latest permissions: contents: write + timeout-minutes: 5 steps: - name: Dump GitHub context env: @@ -28,6 +29,8 @@ jobs: - name: Setup uv uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 with: + # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum. + # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837 version: "0.11.4" enable-cache: true cache-dependency-glob: | diff --git a/.github/workflows/translate.yml b/.github/workflows/translate.yml index 87023623ed..4c624c93c8 100644 --- a/.github/workflows/translate.yml +++ b/.github/workflows/translate.yml @@ -60,6 +60,8 @@ jobs: - name: Setup uv uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 with: + # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum. + # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837 version: "0.11.4" cache-dependency-glob: | pyproject.toml @@ -101,6 +103,8 @@ jobs: - name: Setup uv uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 with: + # Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum. + # See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837 version: "0.11.4" cache-dependency-glob: | pyproject.toml diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000000..1ce7c7bcef --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,24 @@ +name: Zizmor + +on: + push: + branches: + - main + workflow_dispatch: + +permissions: {} + +jobs: + zizmor: + name: Run zizmor + runs-on: ubuntu-latest + timeout-minutes: 5 + permissions: + security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files. + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - name: Run zizmor + uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index d304b78e8c..b53e2c9ea8 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -96,6 +96,6 @@ repos: name: zizmor language: python entry: uv run zizmor . - files: ^\.github\/workflows\/ + files: ^\.github/workflows/|^uv\.lock$ require_serial: true pass_filenames: false