Merge remote-tracking branch 'skeleton/main' into release-prep-v31.1.0

AyanSinhaMahapatra · AyanSinhaMahapatra · commit 5eedb98f899e · 2026-05-14T18:05:43.000+05:30
Signed-off-by: Ayan Sinha Mahapatra &lt;asmahapatra@aboutcode.org&gt;
diff --git a/.github/workflows/docs-ci.yml b/.github/workflows/docs-ci.yml
@@ -2,6 +2,7 @@ name: CI Documentation
 
 on: [push, pull_request]
 
+permissions: {}
 jobs:
   build:
     runs-on: ubuntu-24.04
@@ -13,10 +14,12 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
 
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
         with:
           python-version: ${{ matrix.python-version }}
 
diff --git a/.github/workflows/pypi-release.yml b/.github/workflows/pypi-release.yml
@@ -18,15 +18,18 @@ on:
     tags:
       - "v*.*.*"
 
+permissions: {}
 jobs:
   build-pypi-distribs:
     name: Build and publish library to PyPI
     runs-on: ubuntu-24.04
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
         with:
           python-version: 3.12
 
@@ -40,7 +43,7 @@ jobs:
         run: python -m twine check dist/*
 
       - name: Upload built archives
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
         with:
           name: pypi_archives
           path: dist/*
@@ -54,13 +57,13 @@ jobs:
 
     steps:
       - name: Download built archives
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
         with:
           name: pypi_archives
           path: dist
 
       - name: Create GH release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda
         with:
           draft: true
           files: dist/*
@@ -77,11 +80,11 @@ jobs:
 
     steps:
       - name: Download built archives
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
         with:
           name: pypi_archives
           path: dist
 
       - name: Publish to PyPI
         if: startsWith(github.ref, 'refs/tags')
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -0,0 +1,24 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["**"]
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: Run zizmor 🌈
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor 🌈
+        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
diff --git a/etc/scripts/utils_requirements.py b/etc/scripts/utils_requirements.py
@@ -15,7 +15,7 @@
 """
 Utilities to manage requirements files and call pip.
 NOTE: this should use ONLY the standard library and not import anything else
-because this is used for boostrapping with no requirements installed.
+because this is used for bootstrapping with no requirements installed.
 """
 
 
@@ -31,7 +31,7 @@ def load_requirements(requirements_file="requirements.txt", with_unpinned=False)
 
 def get_required_name_versions(requirement_lines, with_unpinned=False):
     """
-    Yield required (name, version) tuples given a`requirement_lines` iterable of
+    Yield required (name, version) tuples given a `requirement_lines` iterable of
     requirement text lines. Only accept requirements pinned to an exact version.
     """
 
@@ -47,7 +47,7 @@ def get_required_name_versions(requirement_lines, with_unpinned=False):
 
 def get_required_name_version(requirement, with_unpinned=False):
     """
-    Return a (name, version) tuple given a`requirement` specifier string.
+    Return a (name, version) tuple given a `requirement` specifier string.
     Requirement version must be pinned. If ``with_unpinned`` is True, unpinned
     requirements are accepted and only the name portion is returned.
 
