Remove or protect secrets in Actions

[pre-commit-ci]

updates:

• github.com/astral-sh/ruff-pre-commit: v0.15.4 → v0.15.9
• github.com/psf/black-pre-commit-mirror: 26.1.0 → 26.3.1
• github.com/pre-commit/mirrors-clang-format: v22.1.0 → v22.1.2
• github.com/python-jsonschema/check-jsonschema: 0.37.0 → 0.37.1
• github.com/zizmorcore/zizmor-pre-commit: v1.22.0 → v1.23.1
• github.com/tox-dev/pyproject-fmt: v2.16.2 → v2.21.0

[hugovk]

Looking at the zizmor findings, all but one are like this for different test*.yml:

  warning[: secrets referenced without a dedicated environment
     --> .github/workflows/test.yml:180:20
      |
   35 |   build:
      |   ----- this job
  ...
  180 |         token: ${{ secrets.CODECOV_ORG_TOKEN }}
      |                    ^^^^^^^^^^^^^^^^^^^^^^^^^ secret is accessed outside of a dedicated environment
      |
      = note: audit confidence → High

  warning[: secrets referenced without a dedicated environment

I think we can remove the token.

https://app.codecov.io/account/github/python-pillow/org-upload-token says a token is required ("When a token is required, your team must use a global or repo-specific token for uploads.").

I've flipped that to not required ("When a token is not required, your team can upload coverage reports without one. Existing tokens will still work, and no action is needed for past uploads.)

I'll remove the token and we can confirm if coverage continues to upload.

[hugovk]

Coverage looks okay, I see lines like this for all workflows:

info - 2026-04-06 20:47:10,979 -- Your upload is now queued for processing. When finished, results will be available at: https://app.codecov.io/github/python-pillow/Pillow/commit/43a3e5ca211bc9788131f45bf5974816d1b0efbf
info - 2026-04-06 20:47:10,979 -- Sending upload (237864 bytes) to storage
info - 2026-04-06 20:47:11,113 -- Upload queued for processing complete

• https://github.com/python-pillow/Pillow/actions/runs/24050035283/job/70143073683?pr=9544
• https://github.com/python-pillow/Pillow/actions/runs/24050035256/job/70143073604?pr=9544
• https://github.com/python-pillow/Pillow/actions/runs/24050035274/job/70143073549?pr=9544
• https://github.com/python-pillow/Pillow/actions/runs/24050033834/job/70143071296?pr=9544
• https://github.com/python-pillow/Pillow/actions/runs/24050033834/job/70143071330?pr=9544

[hugovk]

I've asked for recommendations about ANACONDA_ORG_UPLOAD_TOKEN in the https://scientific-python.org/community/ Discord. Here's a link for people already there:

https://discord.com/channels/786703927705862175/1257384941990318121/1492125224462975097

[radarhere]

secret is accessed outside of a dedicated environment

Is the simple solution not to just create an environment at https://github.com/python-pillow/Pillow/settings/environments and move the secret there?

We could restrict it to the main branch. ANACONDA_ORG_UPLOAD_TOKEN doesn't need to be accessed anywhere else.

[hugovk]

Simplest solution is to ignore the warning :)

But yes, a branch-restricted env was suggested on the Discord server too. I'll set it up.

[hugovk]

• Created release-anaconda env at https://github.com/python-pillow/Pillow/settings/environments/13995540071/edit, restricted to main, and added ANACONDA_ORG_UPLOAD_TOKEN.

• Deleted ANACONDA_ORG_UPLOAD_TOKEN from repo secrets at https://github.com/python-pillow/Pillow/settings/secrets/actions

• Restrict nightly Anaconda uploads to environment in wheels.yml