Skip to content

Lingering CI/CD pins, add cooldowns, remove template injections #4906

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
hauntsaninja merged 1 commit into from
Dec 11, 2025
Merged

Lingering CI/CD pins, add cooldowns, remove template injections #4906

hauntsaninja merged 1 commit into from
Dec 11, 2025
+20 −8

Conversation

@woodruffw
Copy link
Member

@woodruffw woodruffw commented Dec 11, 2025

Description

This follows #4901 and #4905 with some more small CI/CD security improvements. It hash-pins some of the dependencies added with #4611, minimizes more workflow/job permissions, and eliminates a few template injections (which probably aren't exploitable in practice in this context, but are still good to remove IMO!)

Following this, there's only one finding left from zizmor (which will unfortunately be nontrivial to fix, since it involves a workflow_run trigger). I'm happy to try and take a look at that, but the "fix" might be a removal of functionality so I'll file an issue for consultation first.

Separately, I'm happy to send a PR enabling zizmor in your CI, either through pre-commit or zizmor-action. Let me know if either of these would be helpful; there's plenty of PSF / PyPA / PyPI / etc. reference material I can share for others using it!

Checklist - did you ...

  • Implement any code style changes under the --preview style, following the
    stability policy?
  • Add an entry in CHANGES.md if necessary?
  • Add / update tests if necessary?
  • Add new / update outdated documentation?

Like with the other PRs, I think none of the above apply 🙂

woodruffw
woodruffw commented Dec 11, 2025
View reviewed changes
.github/dependabot.yml
Comment on lines +11 to +12
cooldown:
default-days: 7
Copy link
Member Author

@woodruffw woodruffw Dec 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note: this and below prevents Dependabot from sending update PRs for dependency updates that are less than 7 days old. You can tweak this number (or I can remove it entirely), but I'd recommend some degree of "cooldown" since it's currently effective against the kinds of package compromises that have become increasingly common: https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns

@hauntsaninja hauntsaninja added the skip news Pull requests that don't need a changelog entry. label Dec 11, 2025
@github-actions
Copy link

github-actions bot commented Dec 11, 2025

diff-shades reports zero changes comparing this PR (7dbd200) to main (7916e4a).

What is this? | Workflow run | diff-shades documentation

@hauntsaninja hauntsaninja merged commit bfdecb1 into psf:main Dec 11, 2025
55 of 57 checks passed
@JelleZijlstra
Copy link
Collaborator

JelleZijlstra commented Dec 11, 2025

Thanks so much! I'd accept a PR adding zizmor to CI.

As for the remaining workflow_run issue, looks like it's https://github.com/psf/black/blob/main/.github/workflows/diff_shades_comment.yml . We'd have to talk about how to handle it; maybe it's fine to restrict the capabilities of the workflow in some way.

@woodruffw woodruffw mentioned this pull request Dec 12, 2025
Merged
4 tasks
cobaltt7 added a commit to cobaltt7/black that referenced this pull request Dec 29, 2025
@cobaltt7
Refactor diff-shades workflow
5102f81 
No longer uses `workflow_run` trigger (see psf#4906)
Reword PR comment to be clearer and more detailed
Work around Prettier format issues
Update docs appropriately

Signed-off-by: cobalt <[email protected]>
@cobaltt7 cobaltt7 mentioned this pull request Dec 29, 2025
Open
cobaltt7 added a commit to cobaltt7/black that referenced this pull request Dec 29, 2025
@cobaltt7
Refactor diff-shades workflow
7fd1ab3 
No longer uses `workflow_run` trigger (see psf#4906)
Reword PR comment to be clearer and more detailed
Work around Prettier format issues
Update docs appropriately

Signed-off-by: cobalt <[email protected]>
cobaltt7 added a commit to cobaltt7/black that referenced this pull request Dec 29, 2025
@cobaltt7
Refactor diff-shades workflow
5934c8d 
No longer uses `workflow_run` trigger (see psf#4906)
Reword PR comment to be clearer and more detailed
Work around Prettier format issues
Update docs appropriately

Signed-off-by: cobalt <[email protected]>
rxjacob pushed a commit to rxjacob/black that referenced this pull request Jan 3, 2026
@woodruffw @rxjacob
Lingering CI/CD pins, add cooldowns, remove template injections (psf#…
710ee32 
…4906)

Signed-off-by: William Woodruff <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hauntsaninja hauntsaninja hauntsaninja approved these changes

Assignees

No one assigned

Labels

skip news Pull requests that don't need a changelog entry.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@woodruffw @JelleZijlstra @hauntsaninja