[3.12] Add zizmor to pre-commit and fix most findings (pythonGH-127749)

hugovk · AlexWaygood · hugovk · commit 63c4b355baf7 · 2024-12-10T13:33:46.000+02:00
(cherry picked from commit ae31df3) Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Co-authored-by: Alex Waygood <Alex.Waygood@Gmail.com>
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -55,6 +55,8 @@ jobs:
     if: needs.check_source.outputs.run_tests == 'true'
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
       - name: Install dependencies
         run: |
@@ -109,6 +111,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 1
+          persist-credentials: false
       - name: Runner image version
         run: echo "IMAGE_VERSION=${ImageVersion}" >> $GITHUB_ENV
       - name: Check Autoconf and aclocal versions
@@ -145,6 +148,8 @@ jobs:
     if: needs.check_source.outputs.run_tests == 'true'
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: '3.x'
@@ -299,6 +304,8 @@ jobs:
       LD_LIBRARY_PATH: ${{ github.workspace }}/multissl/openssl/${{ matrix.openssl_ver }}/lib
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Runner image version
       run: echo "IMAGE_VERSION=${ImageVersion}" >> $GITHUB_ENV
     - name: Restore config.cache
@@ -351,6 +358,8 @@ jobs:
       PYTHONSTRICTEXTENSIONBUILD: 1
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Register gcc problem matcher
       run: echo "::add-matcher::.github/problem-matchers/gcc.json"
     - name: Install dependencies
@@ -433,7 +442,7 @@ jobs:
         #
         # (GH-104097) test_sysconfig is skipped because it has tests that are
         # failing when executed from inside a virtual environment.
-        ${{ env.VENV_PYTHON }} -m test \
+        "${VENV_PYTHON}" -m test \
           -W \
           -o \
           -j4 \
@@ -465,6 +474,8 @@ jobs:
       ASAN_OPTIONS: detect_leaks=0:allocator_may_return_null=1:handle_segv=0
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Runner image version
       run: echo "IMAGE_VERSION=${ImageVersion}" >> $GITHUB_ENV
     - name: Restore config.cache
diff --git a/.github/workflows/documentation-links.yml b/.github/workflows/documentation-links.yml
@@ -10,16 +10,16 @@ on:
     - 'Doc/**'
     - '.github/workflows/doc.yml'
 
-permissions:
-  pull-requests: write
-
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
 jobs:
   documentation-links:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+
     steps:
       - uses: readthedocs/actions/preview@v1
         with:
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -20,6 +20,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: "3.x"
diff --git a/.github/workflows/mypy.yml b/.github/workflows/mypy.yml
@@ -31,6 +31,8 @@ jobs:
     timeout-minutes: 10
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: "3.x"
diff --git a/.github/workflows/require-pr-label.yml b/.github/workflows/require-pr-label.yml
@@ -4,15 +4,14 @@ on:
   pull_request:
     types: [opened, reopened, labeled, unlabeled, synchronize]
 
-permissions:
-  issues: write
-  pull-requests: write
-
 jobs:
   label:
     name: DO-NOT-MERGE / unresolved review
     if: github.repository_owner == 'python'
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
     timeout-minutes: 10
 
     steps:
diff --git a/.github/workflows/reusable-change-detection.yml b/.github/workflows/reusable-change-detection.yml
@@ -61,6 +61,8 @@ jobs:
     - run: >-
         echo '${{ github.event_name }}'
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Check for source changes
       id: check
       run: |
diff --git a/.github/workflows/reusable-docs.yml b/.github/workflows/reusable-docs.yml
@@ -19,12 +19,14 @@ jobs:
     env:
       branch_base: 'origin/${{ github.event.pull_request.base.ref }}'
       branch_pr: 'origin/${{ github.event.pull_request.head.ref }}'
+      commits: ${{ github.event.pull_request.commits }}
       refspec_base: '+${{ github.event.pull_request.base.sha }}:remotes/origin/${{ github.event.pull_request.base.ref }}'
       refspec_pr: '+${{ github.event.pull_request.head.sha }}:remotes/origin/${{ github.event.pull_request.head.ref }}'
     steps:
     - name: 'Check out latest PR branch commit'
       uses: actions/checkout@v4
       with:
+        persist-credentials: false
         ref: >-
           ${{
             github.event_name == 'pull_request'
@@ -36,15 +38,15 @@ jobs:
       if: github.event_name == 'pull_request'
       run: |
         # Fetch enough history to find a common ancestor commit (aka merge-base):
-        git fetch origin ${{ env.refspec_pr }} --depth=$(( ${{ github.event.pull_request.commits }} + 1 )) \
+        git fetch origin "${refspec_pr}" --depth=$(( commits + 1 )) \
           --no-tags --prune --no-recurse-submodules
 
         # This should get the oldest commit in the local fetched history (which may not be the commit the PR branched from):
-        COMMON_ANCESTOR=$( git rev-list --first-parent --max-parents=0 --max-count=1 ${{ env.branch_pr }} )
+        COMMON_ANCESTOR=$( git rev-list --first-parent --max-parents=0 --max-count=1 "${branch_pr}" )
         DATE=$( git log --date=iso8601 --format=%cd "${COMMON_ANCESTOR}" )
 
         # Get all commits since that commit date from the base branch (eg: master or main):
-        git fetch origin ${{ env.refspec_base }} --shallow-since="${DATE}" \
+        git fetch origin "${refspec_base}" --shallow-since="${DATE}" \
           --no-tags --prune --no-recurse-submodules
     - name: 'Set up Python'
       uses: actions/setup-python@v5
@@ -66,7 +68,7 @@ jobs:
       if: github.event_name == 'pull_request'
       run: |
         python Doc/tools/check-warnings.py \
-          --annotate-diff '${{ env.branch_base }}' '${{ env.branch_pr }}' \
+          --annotate-diff "${branch_base}" "${branch_pr}" \
           --fail-if-regression \
           --fail-if-improved \
           --fail-if-new-news-nit
@@ -78,6 +80,8 @@ jobs:
     timeout-minutes: 60
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: 'Set up Python'
       uses: actions/setup-python@v5
       with:
@@ -96,6 +100,8 @@ jobs:
     timeout-minutes: 60
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - uses: actions/cache@v4
       with:
         path: ~/.cache/pip
diff --git a/.github/workflows/reusable-macos.yml b/.github/workflows/reusable-macos.yml
@@ -28,6 +28,8 @@ jobs:
     runs-on: ${{ inputs.os }}
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Runner image version
       run: echo "IMAGE_VERSION=${ImageVersion}" >> $GITHUB_ENV
     - name: Restore config.cache
diff --git a/.github/workflows/reusable-tsan.yml b/.github/workflows/reusable-tsan.yml
@@ -15,8 +15,12 @@ jobs:
     name: 'Thread sanitizer'
     runs-on: ubuntu-22.04
     timeout-minutes: 60
+    env:
+      OPTIONS: ${{ inputs.options }}
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Runner image version
       run: echo "IMAGE_VERSION=${ImageVersion}" >> $GITHUB_ENV
     - name: Restore config.cache
@@ -44,7 +48,7 @@ jobs:
         save: ${{ github.event_name == 'push' }}
         max-size: "200M"
     - name: Configure CPython
-      run: ${{ inputs.options }}
+      run: "${OPTIONS}"
     - name: Build CPython
       run: make -j4
     - name: Display build info
diff --git a/.github/workflows/reusable-ubuntu.yml b/.github/workflows/reusable-ubuntu.yml
@@ -26,6 +26,8 @@ jobs:
       PYTHONSTRICTEXTENSIONBUILD: 1
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Register gcc problem matcher
       run: echo "::add-matcher::.github/problem-matchers/gcc.json"
     - name: Install dependencies
diff --git a/.github/workflows/reusable-windows-msi.yml b/.github/workflows/reusable-windows-msi.yml
@@ -17,8 +17,11 @@ jobs:
     runs-on: windows-latest
     timeout-minutes: 60
     env:
+      ARCH: ${{ inputs.arch }}
       IncludeFreethreaded: true
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Build CPython installer
-      run: .\Tools\msi\build.bat --doc -${{ inputs.arch }}
+      run: .\Tools\msi\build.bat --doc -"${ARCH}"
diff --git a/.github/workflows/reusable-windows.yml b/.github/workflows/reusable-windows.yml
@@ -24,16 +24,20 @@ jobs:
       (${{ inputs.arch }})
     runs-on: windows-latest
     timeout-minutes: 60
+    env:
+      ARCH: ${{ inputs.arch }}
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Register MSVC problem matcher
       if: inputs.arch != 'Win32'
       run: echo "::add-matcher::.github/problem-matchers/msvc.json"
     - name: Build CPython
       run: >-
         .\PCbuild\build.bat
         -e -d
-        -p ${{ inputs.arch }}
+        -p "${ARCH}"
         ${{ fromJSON(inputs.free-threading) && '--disable-gil' || '' }}
     - name: Display build info
       if: inputs.arch != 'arm64'
@@ -42,6 +46,6 @@ jobs:
       if: inputs.arch != 'arm64'
       run: >-
         .\PCbuild\rt.bat
-        -p ${{ inputs.arch }}
+        -p "${ARCH}"
         -d -q -uall -u-cpu -rwW
         --slowest --timeout=1200 -j0
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -4,14 +4,13 @@ on:
   schedule:
   - cron: "0 0 * * *"
 
-permissions:
-  pull-requests: write
-
 jobs:
   stale:
     if: github.repository_owner == 'python'
 
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     timeout-minutes: 10
 
     steps:
diff --git a/.github/workflows/verify-ensurepip-wheels.yml b/.github/workflows/verify-ensurepip-wheels.yml
@@ -26,6 +26,8 @@ jobs:
     timeout-minutes: 10
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: '3'
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
@@ -0,0 +1,6 @@
+# Configuration for the zizmor static analysis tool, run via pre-commit in CI
+# https://woodruffw.github.io/zizmor/configuration/
+rules:
+  dangerous-triggers:
+    ignore:
+      - documentation-links.yml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.6.7
+    rev: v0.8.2
     hooks:
       - id: ruff
         name: Run Ruff (lint) on Doc/
@@ -20,7 +20,7 @@ repos:
         files: ^Doc/
 
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.5.0
+    rev: v5.0.0
     hooks:
       - id: check-case-conflict
       - id: check-merge-conflict
@@ -33,8 +33,13 @@ repos:
       - id: trailing-whitespace
         types_or: [c, inc, python, rst]
 
+  - repo: https://github.com/woodruffw/zizmor-pre-commit
+    rev: v0.8.0
+    hooks:
+      - id: zizmor
+
   - repo: https://github.com/sphinx-contrib/sphinx-lint
-    rev: v0.9.1
+    rev: v1.0.0
     hooks:
       - id: sphinx-lint
         args: [--enable=default-role]
