From c473aa91e46d945e9247537e1b37aec31da3ba95 Mon Sep 17 00:00:00 2001 From: Luke Date: Tue, 31 Mar 2026 11:04:01 -0400 Subject: [PATCH] fix: improve supply chain protections
---
.github/workflows/ci.yml | 28 +++++++++++++++++++++------- pyproject.toml | 3 +++ uv.lock | 4 ++++ 3 files changed, 28 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f2dfd23c..305fb189 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -16,6 +16,9 @@ jobs: commitlint: name: Lint Commit Messages runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: read steps: - uses: actions/checkout@v6 with:
@@ -23,12 +26,19 @@ jobs: - uses: wagoid/commitlint-github-action@v6.2.1 lint: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@v6 - - uses: actions/setup-python@v6 + with: + persist-credentials: false + - name: Set up uv + uses: astral-sh/setup-uv@v8.0.0 with: python-version: "3.11" - - uses: pre-commit/action@v3.0.1 + activate-environment: true + - name: Run pre-commit + run: uv run --frozen pre-commit run --all-files test: strategy:
@@ -38,16 +48,18 @@ jobs: - "3.11" - "3.14" runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@v6 - name: Set up uv - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@v8.0.0 with: python-version: ${{ matrix.python-version }} activate-environment: true - run: uv pip install pip - name: Test with Pytest - run: uv run pytest --log-cli-level=DEBUG -vv -s --cov --cov-branch --cov-report=xml + run: uv run --frozen pytest --log-cli-level=DEBUG -vv -s --cov --cov-branch --cov-report=xml shell: bash - name: Upload results to Codecov uses: codecov/codecov-action@v5
@@ -55,8 +67,6 @@ jobs: token: ${{ secrets.CODECOV_TOKEN }} slug: Python-roborock/python-roborock - - build: name: Build Package runs-on: ubuntu-latest
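Review bot: The build job's hunk (`@@ -64,7 +74,7`) shows no `permissions:` being added while this hunk and the lint, test and semantic-release hunks each add a job-level block, so build presumably still runs with the default token scope; unless a workflow-level `permissions: contents: read` already exists outside this diff, adding one at the top of the file would make every job least-privilege by default rather than only the jobs touched here. The commitlint checkout's `with:` block continues past the hunk, so it is not visible whether it sets `persist-credentials: false` as the lint job now does; it should, since `contents: read` and `pull-requests: read` indicate this job never pushes. The commitlint job itself ends outside the hunk.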
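Review bot: `run: uv run --frozen pre-commit run --all-files` trusts uv.lock as-is without checking that it still matches pyproject.toml, so a drifted lockfile runs stale pins silently; in CI `--locked` is the stronger choice because it fails the job when the lock is out of date, i.e. `run: uv run --locked pre-commit run --all-files`, and the same applies to the pytest line in `@@ -38,16 +48,18`. `uses: astral-sh/setup-uv@v8.0.0` is pinned to a tag, which upstream can move; for a change titled as supply-chain hardening the usual step is to pin the full commit SHA with the version in a trailing comment, and the same tag pin is introduced in `@@ -38,16 +48,18` and `@@ -64,7 +74,7`. The lint job is fully contained in this hunk; the test job that begins at its end continues outside it.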
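Review bot: `- run: uv pip install pip` is the one install in the test job left untouched: it resolves pip from the index at run time and is not recorded in uv.lock, so neither `--frozen` nor the cutoff recorded in the lock's `[options]` covers it. If pip is genuinely needed by the tests, declaring it as a dev dependency so it lands in the lockfile, or at least pinning it (`uv pip install pip==<pinned-version>`), keeps it under the same controls as everything else. The checkout in this hunk has no `persist-credentials: false` although the lint hunk adds it, and the build job's checkout at `@@ -64,7 +74,7` has no `with:` block at all. The test job starts outside the hunk.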
@@ -64,7 +74,7 @@ jobs: steps: - uses: actions/checkout@v6 - name: Set up uv - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@v8.0.0 with: python-version: "3.11" activate-environment: true
@@ -76,6 +86,10 @@ jobs: name: Test Semantic Release runs-on: ubuntu-latest if: github.event_name == 'pull_request' + permissions: + contents: write + issues: write + pull-requests: write steps: - uses: actions/checkout@v6 with:
diff --git a/pyproject.toml b/pyproject.toml
index 552a2575..f3220e38 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -67,6 +67,9 @@ include = ["roborock"] requires = ["hatchling"] build-backend = "hatchling.build" +[tool.uv] +exclude-newer = "3 days" + [tool.semantic_release] branch = "main" version_toml = ["pyproject.toml:project.version"]
diff --git a/uv.lock b/uv.lock
index 74499ec7..8b5219b2 100644
--- a/uv.lock
+++ b/uv.lock
@@ -2,6 +2,10 @@ version = 1 revision = 3 requires-python = ">=3.11, <4" +[options] +exclude-newer = "2026-03-28T14:28:16.233895Z" +exclude-newer-span = "P3D" + [[package]] name = "aiohappyeyeballs" version = "2.6.1"
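Review bot: `contents: write`, `issues: write` and `pull-requests: write` are granted to a job named Test Semantic Release that is gated on `github.event_name == 'pull_request'`; if the steps after the hunk run semantic-release in a no-op or dry-run mode, `contents: read` is sufficient and the write scopes should be dropped, and if a real release is published from a pull request that is itself worth revisiting. The steps and the checkout's `with:` block continue outside the hunk, so which scopes are actually exercised is not visible here. A one-line comment above `permissions:` naming the step that needs each write scope would make the grant auditable.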
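Review bot: The new `[tool.uv]` table gives no indication of why `exclude-newer = "3 days"` is set, and the relative value means every re-lock moves the cutoff; a comment such as `# Only resolve distributions published at least 3 days ago (cooldown against newly pushed, possibly compromised releases); uv.lock records the absolute cutoff` would let the next maintainer recognise it as a deliberate supply-chain control rather than a stale workaround. This setting only takes effect when uv.lock is regenerated; the CI `--frozen` runs use the timestamp already written to the lock's `[options]` table.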