From a8627ba057a8360a4083427ee1348e143e21e8c8 Mon Sep 17 00:00:00 2001
From: Yurii Motov
Date: Fri, 17 Apr 2026 21:38:59 +0200
Subject: [PATCH 01/14] Add zizmor hook to pre-commit
---
 .pre-commit-config.yaml | 8 ++++++++
 pyproject.toml | 1 +
 uv.lock | 20 ++++++++++++++++++++
 3 files changed, 29 insertions(+)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 565eb41e..0f998f49 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -47,3 +47,11 @@ repos:
 entry: uv run python scripts/add_latest_release_date.py
 files: ^release-notes\.md$
 pass_filenames: false
+
+ - id: zizmor
+ name: zizmor
+ language: python
+ entry: uv run zizmor .
+ files: ^\.github\/workflows\/
+ require_serial: true
+ pass_filenames: false
diff --git a/pyproject.toml b/pyproject.toml
index 874fa020..817a35de 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -60,6 +60,7 @@ Changelog = "https://github.com/fastapi/fastapi-cli/blob/main/release-notes.md"
 dev = [
 { include-group = "tests" },
 "prek>=0.2.24,<1.0.0",
+ "zizmor>=1.24.1",
 ]
 github-actions = [
 "smokeshow>=0.5.0",
diff --git a/uv.lock b/uv.lock
index 154a2c8e..d6a3ed94 100644
--- a/uv.lock
+++ b/uv.lock
@@ -255,6 +255,7 @@ dev = [ { name = "ruff" }, { name = "ty" }, { name = "uvicorn" }, + { name = "zizmor" }, ] github-actions = [ { name = "smokeshow" },
@@ -292,6 +293,7 @@ dev = [ { name = "ruff", specifier = "==0.15.11" }, { name = "ty", specifier = ">=0.0.25" }, { name = "uvicorn", specifier = ">=0.39.0" }, + { name = "zizmor", specifier = ">=1.24.1" }, ] github-actions = [{ name = "smokeshow", specifier = ">=0.5.0" }] tests = [ 
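Review bot: The `files: ^\.github\/workflows\/` filter on the new zizmor hook means the hook only fires when a workflow file is staged, even though `entry: uv run zizmor .` scans the whole checkout; if the later `.github/dependabot.yml` edits in this series are answering a zizmor audit (the `cooldown` additions suggest so), a change to that file alone will not run the hook. Widening the filter to `files: ^\.github/` would cover workflows, `dependabot.yml` and any action definitions under `.github/` for the cost of a few extra runs. The `\/` escapes are unnecessary in the Python regex pre-commit compiles, so `^\.github/` reads the same. The hook's `repo:` entry starts above the hunk, so I cannot see whether it is a `local` repo like the neighbouring `add_latest_release_date.py` hook.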
@@ -1583,3 +1585,21 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/68/a1/dcb68430b1d00b698ae7a7e0194433bce4f07ded185f0ee5fb21e2a2e91e/websockets-15.0.1-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:cad21560da69f4ce7658ca2cb83138fb4cf695a2ba3e475e0559e05991aa8122", size = 176884, upload-time = "2025-03-05T20:03:27.934Z" }, { url = "https://files.pythonhosted.org/packages/fa/a8/5b41e0da817d64113292ab1f8247140aac61cbf6cfd085d6a0fa77f4984f/websockets-15.0.1-py3-none-any.whl", hash = "sha256:f7a866fbc1e97b5c617ee4116daaa09b722101d4a3c170c787450ba409f9736f", size = 169743, upload-time = "2025-03-05T20:03:39.41Z" }, ] + +[[package]] +name = "zizmor" +version = "1.24.1" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/27/98/21be481ab5c08d976e59409828cfcb460a32a737415cf4e9c3f3280acc0b/zizmor-1.24.1.tar.gz", hash = "sha256:54ebb7a7061ebaa3a373126dcbafe970c9228fe274cfc40776a9714d2095b5e6", size = 501427, upload-time = "2026-04-13T18:01:34.666Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/6a/0d/c932a14dfe7d3fed5dbf26a7bf1b7b9dbf277cef1d0b76fbcddae386442d/zizmor-1.24.1-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:fd7c4953aa438aae599db69ed70ac687995e9e3314208bf1be5336479d556c8e", size = 9123014, upload-time = "2026-04-13T18:01:28.834Z" }, + { url = "https://files.pythonhosted.org/packages/5c/cc/f87ff2ccb9c57f4a1e5e9bd0351f9c84dc724fbd61b8ef70bc7e8abc1e0e/zizmor-1.24.1-py3-none-macosx_11_0_arm64.whl", hash = "sha256:f44379019188b1a18d560614ab8abac7ce10553ad2ab57d519fa1c214881ff95", size = 8664275, upload-time = "2026-04-13T18:01:24.588Z" }, + { url = "https://files.pythonhosted.org/packages/d2/64/1dfa166dea03ddff23ee3d6c6ebce8322766f7188e008aa0d3612af3e709/zizmor-1.24.1-py3-none-manylinux_2_24_aarch64.whl", hash = "sha256:9b0689c55854edb0f3e6430321a93ca0081d8e34028cdcb47b9504f8a8559c27", size = 8837100, upload-time = "2026-04-13T18:01:18.708Z" }, + { url = 
"https://files.pythonhosted.org/packages/65/67/cc411d605fec63b70558d572eb3fc2dbe4e596753e747b74daf5b795c1ed/zizmor-1.24.1-py3-none-manylinux_2_28_armv7l.whl", hash = "sha256:61f39674d5ea29640c4b09f3c239b3c9824c646bc790fa3680022e7bb569b375", size = 8430633, upload-time = "2026-04-13T18:01:20.757Z" }, + { url = "https://files.pythonhosted.org/packages/76/86/f8dfffc7a5348c41bc17dea1f1796ac1a56d5e448f26a4193bc65996f571/zizmor-1.24.1-py3-none-manylinux_2_28_x86_64.whl", hash = "sha256:73083efc7a65e5a58f4439dd781cdcb0394b05a3750e664c7f7e414589dc49b1", size = 9263074, upload-time = "2026-04-13T18:01:31.403Z" }, + { url = "https://files.pythonhosted.org/packages/14/62/db19dd027b412e92bbea8bd311b733d7726402ee3c734033c714125348f1/zizmor-1.24.1-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:d36a2ba3b6d839acd4542f1a8f42bc34ff902cbff302cdf7916cb4e49dc8c5cc", size = 8863996, upload-time = "2026-04-13T18:01:35.929Z" }, + { url = "https://files.pythonhosted.org/packages/8d/28/c4f220a14cb100ecc965ea0faed1c1229139861a55e792522274221988b3/zizmor-1.24.1-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:ff5acdd10c66ac27396c0fe14e4604933f6c622ffda38a6aa2857b99c75f5108", size = 8382934, upload-time = "2026-04-13T18:01:27.014Z" }, + { url = "https://files.pythonhosted.org/packages/a1/df/9593e8851424738a3b682be8958abf0e6a2c170e0c880d7b3bfb5d9eaf15/zizmor-1.24.1-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:b2d873816137296ca5633ad240a574ce49374009a39d43f78a1675e2dba1ab52", size = 9352624, upload-time = "2026-04-13T18:01:16.672Z" }, + { url = "https://files.pythonhosted.org/packages/ee/b9/2c4fe526fc02926206903bfc72dbfbc215f01728eccef8135363d57890c9/zizmor-1.24.1-py3-none-win32.whl", hash = "sha256:c87812173fef2a3449d269e50e93b67b2f40826d10464c7add0c0fd7f0523a2c", size = 7496962, upload-time = "2026-04-13T18:01:22.773Z" }, + { url = "https://files.pythonhosted.org/packages/ed/24/710149e5d64d474103165b9eef6f7698827ef2fbb762b034ebc02b11a816/zizmor-1.24.1-py3-none-win_amd64.whl", hash 
= "sha256:9a0e552bf84f146699a0231dc42cf2cd5cfe140e3f08ff867ac154f62fc1ac2e", size = 8550658, upload-time = "2026-04-13T18:01:33.13Z" }, +]
From 11fe1869375425815b9a8869c344b3c39b63bd9e Mon Sep 17 00:00:00 2001
From: Yurii Motov
Date: Fri, 17 Apr 2026 21:40:37 +0200
Subject: [PATCH 02/14] Setup cooldown period time for Dependabot
---
 .github/dependabot.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 959ec970..88b66845 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,6 +5,8 @@ updates:
 directory: "/"
 schedule:
 interval: "daily"
+ cooldown:
+ default-days: 7
 commit-message:
 prefix: ⬆
 # Python
@@ -12,5 +14,7 @@ updates:
 directory: "/"
 schedule:
 interval: "daily"
+ cooldown:
+ default-days: 7
 commit-message:
 prefix: ⬆
From ea28b01a75d5260bc7132d7b4a4461e961e5cf3d Mon Sep 17 00:00:00 2001
From: Yurii Motov
Date: Fri, 17 Apr 2026 21:41:33 +0200
Subject: [PATCH 03/14] Add `pre-commit` package ecosystem to Dependabot config
---
 .github/dependabot.yml | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 88b66845..918a98f5 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -18,3 +18,12 @@ updates:
 default-days: 7
 commit-message:
 prefix: ⬆
+ # pre-commit
+ - package-ecosystem: "pre-commit"
+ directory: "/"
+ schedule:
+ interval: "daily"
+ cooldown:
+ default-days: 7
+ commit-message:
+ prefix: ⬆
From 7fa16d49f7f95cf4f14b6d8c46025f2d81554f96 Mon Sep 17 00:00:00 2001
From: Yurii Motov
Date: Fri, 17 Apr 2026 21:43:15 +0200
Subject: [PATCH 04/14] Add zizmor GH actions workflow
---
 .github/workflows/zizmor.yml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 .github/workflows/zizmor.yml
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 00000000..2d6300c3
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,23 @@
+name: GitHub Actions Security Analysis with zizmor
+
+on:
+ push:
+ branches:
+ - main
+ workflow_dispatch:
+
+permissions: {}
+
+jobs:
+ zizmor:
+ name: Run zizmor
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - name: Run zizmor
+ uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
From 57b1efbfe4eedb2475a2291eb4eadabc1bca6762 Mon Sep 17 00:00:00 2001
From: Yurii Motov
Date: Fri, 17 Apr 2026 21:46:06 +0200
Subject: [PATCH 05/14] Resolve `test.yml`
---
 .github/workflows/test.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 585ac09d..6d9692c9 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -21,6 +21,8 @@ on:
 required: false
 default: 'false'
+permissions: {}
+
 env:
 UV_NO_SYNC: true
@@ -59,6 +61,8 @@ jobs:
 GITHUB_CONTEXT: ${{ toJson(github) }}
 run: echo "$GITHUB_CONTEXT"
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Set up Python
 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
@@ -66,6 +70,7 @@ jobs:
 - name: Setup uv
 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
 with:
+ version: "0.11.4"
 enable-cache: true
 cache-dependency-glob: |
 pyproject.toml
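Review bot: The new `zizmor.yml` triggers only on `push` to `main` and `workflow_dispatch`, so a workflow regression introduced by a pull request reaches code scanning only after it has been merged; the pre-commit hook covers local runs, but not contributors who skip it. Adding a `pull_request:` trigger (zizmor-action's documented setup pairs `push` with `pull_request: branches: ["**"]`) would get the SARIF findings onto the PR before merge. The job grants only `security-events: write` under a top-level `permissions: {}`, which works for a public repository; zizmor-action's own setup notes list `contents: read` and `actions: read` as additionally required for private repositories, and that caveat is worth adding to the existing comment on the `security-events:` line so the omission is read as deliberate.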
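Review bot: The `version: "0.11.4"` literal added under `astral-sh/setup-uv` in the `-66,6` hunk is a uv version pin that neither Dependabot's `uv` nor its `github-actions` ecosystem will bump, and the same literal is repeated in the `-100,12` hunk below and in the smokeshow, publish and pre-commit workflows later in this series. A single source of truth would stop the copies drifting — uv's `required-version` setting in `pyproject.toml` is the natural place (newer setup-uv releases can read it through a version-file input; verify that v8.1.0 does), or at minimum one workflow-level `env:` value referenced from each `with:` block. The `permissions: {}` added in the `-21,6` hunk leaves every job in this file with no token scopes, so any step outside these hunks that relied on the implicit default (a coverage or artifact upload, for example) now needs a job-level `permissions:` block; the job bodies are outside the hunks, so confirm that before merging.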
@@ -100,12 +105,15 @@ jobs:
 GITHUB_CONTEXT: ${{ toJson(github) }}
 run: echo "$GITHUB_CONTEXT"
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version-file: ".python-version"
 - name: Setup uv
 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
 with:
+ version: "0.11.4"
 enable-cache: true
 cache-dependency-glob: |
 pyproject.toml
From da64e64abdc9c025ea53d30f2dcc379edce4b6b5 Mon Sep 17 00:00:00 2001
From: Yurii Motov
Date: Fri, 17 Apr 2026 21:47:42 +0200
Subject: [PATCH 06/14] Resolve `test-redistribute.yml`
---
 .github/workflows/test-redistribute.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/test-redistribute.yml b/.github/workflows/test-redistribute.yml
index d4cc2757..43267b98 100644
--- a/.github/workflows/test-redistribute.yml
+++ b/.github/workflows/test-redistribute.yml
@@ -9,6 +9,8 @@ on:
 - opened
 - synchronize
+permissions: {}
+
 jobs:
 test-redistribute:
 runs-on: ubuntu-latest
@@ -18,6 +20,8 @@ jobs:
 GITHUB_CONTEXT: ${{ toJson(github) }}
 run: echo "$GITHUB_CONTEXT"
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Set up Python
 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
From edf0db6fd51e11e24acb6d64516edcac00b59ed5 Mon Sep 17 00:00:00 2001
From: Yurii Motov
Date: Fri, 17 Apr 2026 21:49:52 +0200
Subject: [PATCH 07/14] Resolve `smokeshow.yml`
---
 .github/workflows/smokeshow.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/smokeshow.yml b/.github/workflows/smokeshow.yml
index 44a0db2c..d44edc8e 100644
--- a/.github/workflows/smokeshow.yml
+++ b/.github/workflows/smokeshow.yml
@@ -1,7 +1,7 @@
 name: Smokeshow
 on:
- workflow_run:
+ workflow_run: # zizmor: ignore[dangerous-triggers]
 workflows: [Test]
 types: [completed]
@@ -17,12 +17,15 @@ jobs:
 GITHUB_CONTEXT: ${{ toJson(github) }}
 run: echo "$GITHUB_CONTEXT"
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version-file: ".python-version"
 - name: Setup uv
 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
 with:
+ version: "0.11.4"
 cache-dependency-glob: |
 pyproject.toml
 uv.lock
@@ -40,4 +43,4 @@ jobs:
 SMOKESHOW_GITHUB_CONTEXT: coverage
 SMOKESHOW_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 SMOKESHOW_GITHUB_PR_HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
- SMOKESHOW_AUTH_KEY: ${{ secrets.SMOKESHOW_AUTH_KEY }}
+ SMOKESHOW_AUTH_KEY: ${{ secrets.SMOKESHOW_AUTH_KEY }} # zizmor: ignore[secrets-outside-env]
From 870f117f7b78307c77c614012b975d49d0c17ad0 Mon Sep 17 00:00:00 2001
From: Yurii Motov
Date: Fri, 17 Apr 2026 21:51:42 +0200
Subject: [PATCH 08/14] Resolve `publish.yml`
---
 .github/workflows/publish.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 87dc782d..32d6ea4f 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -5,6 +5,8 @@ on:
 types:
 - created
+permissions: {}
+
 jobs:
 publish:
 runs-on: ubuntu-latest
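Review bot: The `# zizmor: ignore[dangerous-triggers]` added to `workflow_run:` silences the finding without recording why the trigger is acceptable in this workflow, and the `secrets-outside-env` suppression on `SMOKESHOW_AUTH_KEY` in the `-40,4` hunk has the same gap. `workflow_run` executes with repository secrets in response to a `Test` run that may have been started by an untrusted pull request, so the conditions that make it tolerable — the checkout shown has no `ref:` and so takes the default-branch commit, `persist-credentials: false` keeps the token out of the tree, and, as far as these hunks show, the job treats the coverage artifact as data rather than executing anything from it — belong next to the suppression. A comment line above `workflow_run:` such as `# Privileged trigger accepted: the job checks out the default branch and only publishes the coverage artifact; do not add a checkout of head_sha or run PR-provided code here` would let a later reviewer see which assumption must hold. The step that fetches the artifact is outside the hunks, so I cannot confirm how its contents are handled.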
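Review bot: `permissions: {}` at the top of `publish.yml` strips every implicit scope from `GITHUB_TOKEN`, but the `publish` job's own `permissions:` block, if one exists, is outside the hunk; if the `Publish` step named in the next hunk relies on `id-token: write` for PyPI trusted publishing, or on `contents: write` for attaching release assets, that scope now has to be declared under `publish:` or the failure will only show up at release time rather than in CI. Worth checking the job body and adding the exact scope it needs (for trusted publishing that is `permissions:` / `id-token: write` on the job) before this lands. The job's steps begin after the end of this hunk.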
@@ -17,12 +19,16 @@ jobs:
 GITHUB_CONTEXT: ${{ toJson(github) }}
 run: echo "$GITHUB_CONTEXT"
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Set up Python
 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version-file: ".python-version"
 - name: Install uv
 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+ with:
+ version: "0.11.4"
 - name: Build distribution
 run: uv build
 - name: Publish
From ba71aeb2a3afe1e1f249cd56d31443a7f9bbd249 Mon Sep 17 00:00:00 2001
From: Yurii Motov
Date: Fri, 17 Apr 2026 21:54:25 +0200
Subject: [PATCH 09/14] Resolve `pre-commit.yml`
---
 .github/workflows/pre-commit.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index fd784f01..df7f389e 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -6,6 +6,8 @@ on:
 - opened
 - synchronize
+permissions: {}
+
 env:
 # Forks and Dependabot don't have access to secrets
 HAS_SECRETS: ${{ secrets.PRE_COMMIT != '' }}
@@ -28,7 +30,8 @@ jobs:
 # And it needs the full history to be able to compute diffs
 fetch-depth: 0
 # A token other than the default GITHUB_TOKEN is needed to be able to trigger CI
- token: ${{ secrets.PRE_COMMIT }}
+ token: ${{ secrets.PRE_COMMIT }} # zizmor: ignore[secrets-outside-env]
+ persist-credentials: true # Required for `git push` command
 # pre-commit lite ci needs the default checkout configs to work
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 name: Checkout PR for fork
@@ -37,6 +40,7 @@ jobs:
 # To be able to commit it needs the head branch of the PR, the remote one
 ref: ${{ github.event.pull_request.head.sha }}
 fetch-depth: 0
+ persist-credentials: false
 - name: Set up Python
 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
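Review bot: `persist-credentials: true` in the `-28,7` hunk leaves the `PRE_COMMIT` PAT in `.git/config` for every later step, including the `prek run` step that executes whatever hooks the pull request's own `.pre-commit-config.yaml` declares; that is tolerable only because this checkout runs for same-repository PRs, whose branch author already has push access, while the `HAS_SECRETS` gate keeps fork and Dependabot PRs on the credential-free checkout below. The `if:` on this checkout step is above the hunk, so I cannot confirm the gate from here; the new comment should name the assumption rather than only the mechanism, e.g. `persist-credentials: true # Needed by the git push step below; acceptable only because this checkout is skipped for forks (see HAS_SECRETS)`. The move from `uvx prek` to `uv run prek` in the `-51,7` hunk of the next chunk is a good change: it runs the prek version from `uv.lock` instead of resolving the latest release at run time, consistent with the pre-commit hook added earlier in the series.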
@@ -44,6 +48,7 @@ jobs:
 - name: Setup uv
 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
 with:
+ version: "0.11.4"
 cache-dependency-glob: |
 pyproject.toml
 uv.lock
@@ -51,7 +56,7 @@ jobs:
 run: uv sync --locked --extra standard
 - name: Run prek - pre-commit
 id: precommit
- run: uvx prek run --from-ref origin/${GITHUB_BASE_REF} --to-ref HEAD --show-diff-on-failure
+ run: uv run prek run --from-ref origin/${GITHUB_BASE_REF} --to-ref HEAD --show-diff-on-failure
 continue-on-error: true
 - name: Commit and push changes
 if: env.HAS_SECRETS == 'true'
From e3647bb8fcfbac45c6eb5d2da3f51f79f0bc2934 Mon Sep 17 00:00:00 2001
From: Yurii Motov
Date: Fri, 17 Apr 2026 21:56:24 +0200
Subject: [PATCH 10/14] Resolve `latest-changes.yml`
---
 .github/workflows/latest-changes.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/latest-changes.yml b/.github/workflows/latest-changes.yml
index 3ff3c5d1..cff901f4 100644
--- a/.github/workflows/latest-changes.yml
+++ b/.github/workflows/latest-changes.yml
@@ -1,7 +1,7 @@
 name: Latest Changes
 on:
- pull_request_target:
+ pull_request_target: # zizmor: ignore[dangerous-triggers]
 branches:
 - main
 types:
@@ -16,9 +16,12 @@ on:
 required: false
 default: 'false'
+permissions: {}
+
 jobs:
 latest-changes:
 runs-on: ubuntu-latest
+ if: github.event_name == 'workflow_dispatch' || github.event.pull_request.merged == true
 steps:
 - name: Dump GitHub context
 env:
@@ -27,7 +30,8 @@ jobs:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 # To allow latest-changes to commit to the main branch
- token: ${{ secrets.LATEST_CHANGES }}
+ token: ${{ secrets.LATEST_CHANGES }} # zizmor: ignore[secrets-outside-env]
+ persist-credentials: true # required by tiangolo/latest-changes
 # Allow debugging with tmate
 - name: Setup tmate session
 uses: mxschmitt/action-tmate@c0afd6f790e3a5564914980036ebf83216678101 # v3.23
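Review bot: `persist-credentials: true # required by tiangolo/latest-changes` in the `-27,7` hunk persists the `LATEST_CHANGES` PAT on a `pull_request_target` run, and the comment should also say why that is acceptable: the checkout has no `ref:`, so it takes the base branch rather than the PR head, and the `if:` added in the `-16,9` hunk limits the job to merged PRs and manual dispatch, so unreviewed PR content never reaches the runner while the token is present. A line such as `# Safe under pull_request_target: no ref is set (base branch is checked out) and the job only runs for merged PRs or manual dispatch` above the `- uses: actions/checkout` step records that for the next reader. The `types:` list the `merged == true` condition depends on is outside the first hunk, so confirm it includes `closed`. The tmate step that follows would give whoever attaches a shell with the persisted token readable, so its existing gate (also outside the hunk) should remain limited to manual dispatch.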
From 03eb03b2bcaa049cda2af3d3e262e075c096efaa Mon Sep 17 00:00:00 2001
From: Yurii Motov
Date: Fri, 17 Apr 2026 21:57:39 +0200
Subject: [PATCH 11/14] Resolve `labeler.yml`
---
 .github/workflows/labeler.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 6ba56739..58c68923 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -1,6 +1,6 @@
 name: Labels
 on:
- pull_request_target:
+ pull_request_target: # zizmor: ignore[dangerous-triggers]
 types:
 - opened
 - synchronize
@@ -9,6 +9,8 @@ on:
 - labeled
 - unlabeled
+permissions: {}
+
 jobs:
 labeler:
 permissions:
From f4202c7b45ae6574061587b9b310a65f283b42a6 Mon Sep 17 00:00:00 2001
From: Yurii Motov
Date: Fri, 17 Apr 2026 21:59:09 +0200
Subject: [PATCH 12/14] Resolve `issue-manager.yml`
---
 .github/workflows/issue-manager.yml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/issue-manager.yml b/.github/workflows/issue-manager.yml
index 694de0d8..1818eddc 100644
--- a/.github/workflows/issue-manager.yml
+++ b/.github/workflows/issue-manager.yml
@@ -9,19 +9,21 @@ on:
 issues:
 types:
 - labeled
- pull_request_target:
+ pull_request_target: # zizmor: ignore[dangerous-triggers]
 types:
 - labeled
 workflow_dispatch:
-permissions:
- issues: write
- pull-requests: write
+permissions: {}
+
 jobs:
 issue-manager:
 if: github.repository_owner == 'fastapi'
 runs-on: ubuntu-latest
+ permissions:
+ issues: write
+ pull-requests: write
 steps:
 - name: Dump GitHub context
 env:
From 9db718b910926cb36df5fde9900901a7f6b91415 Mon Sep 17 00:00:00 2001
From: Yurii Motov
Date: Fri, 17 Apr 2026 22:01:35 +0200
Subject: [PATCH 13/14] Resolve `detect-conflicts.yml`
---
 .github/workflows/detect-conflicts.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/detect-conflicts.yml b/.github/workflows/detect-conflicts.yml
index 3ac6f65e..38d526bd 100644
--- a/.github/workflows/detect-conflicts.yml
+++ b/.github/workflows/detect-conflicts.yml
@@ -1,9 +1,11 @@
 name: "Conflict detector"
 on:
 push:
- pull_request_target:
+ pull_request_target: # zizmor: ignore[dangerous-triggers]
 types: [synchronize]
+permissions: {}
+
 jobs:
 main:
 permissions:
From 47a0fcdd39248ffeee024f637ef64b0084ec3fe5 Mon Sep 17 00:00:00 2001
From: Yurii Motov
Date: Fri, 17 Apr 2026 22:03:08 +0200
Subject: [PATCH 14/14] Resolve `add-to-project.yml`
---
 .github/workflows/add-to-project.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/add-to-project.yml b/.github/workflows/add-to-project.yml
index 0308d7a0..01a08244 100644
--- a/.github/workflows/add-to-project.yml
+++ b/.github/workflows/add-to-project.yml
@@ -1,12 +1,14 @@
 name: Add to Project
 on:
- pull_request_target:
+ pull_request_target: # zizmor: ignore[dangerous-triggers]
 issues:
 types:
 - opened
 - reopened
+permissions: {}
+
 jobs:
 add-to-project:
 name: Add to project
@@ -15,4 +17,4 @@ jobs:
 - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
 with:
 project-url: https://github.com/orgs/fastapi/projects/2
- github-token: ${{ secrets.PROJECTS_TOKEN }}
+ github-token: ${{ secrets.PROJECTS_TOKEN }} # zizmor: ignore[secrets-outside-env]