Fix zizmor findings on CI (#148)

hugovk · web-flow · commit c9a99f412a74 · 2024-12-08T00:44:08.000+02:00
And replace pre-commit/action with faster tox-dev/action-pre-commit-uv.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -11,9 +11,6 @@ on:
       - published
   workflow_dispatch:
 
-permissions:
-  contents: read
-
 env:
   FORCE_COLOR: 1
 
@@ -27,6 +24,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - uses: hynek/build-and-inspect-python-package@v2
 
diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml
@@ -1,8 +1,5 @@
 name: Sync labels
 
-permissions:
-  pull-requests: write
-
 on:
   push:
     branches:
@@ -13,9 +10,13 @@ on:
 
 jobs:
   sync:
+    permissions:
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: micnncim/action-label-syncer@v1
         with:
           prune: false
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -4,19 +4,16 @@ on: [push, pull_request, workflow_dispatch]
 
 env:
   FORCE_COLOR: 1
-  PIP_DISABLE_PIP_VERSION_CHECK: 1
-
-permissions:
-  contents: read
 
 jobs:
   lint:
     runs-on: ubuntu-latest
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: "3.x"
-          cache: pip
-      - uses: pre-commit/action@v3.0.1
+      - uses: tox-dev/action-pre-commit-uv@v1
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
@@ -14,9 +14,6 @@ on:
   #   types: [opened, reopened, synchronize]
   workflow_dispatch:
 
-permissions:
-  contents: read
-
 jobs:
   update_release_draft:
     if: github.repository_owner == 'hugovk'
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -2,12 +2,8 @@ name: Test
 
 on: [push, pull_request, workflow_dispatch]
 
-permissions:
-  contents: read
-
 env:
   FORCE_COLOR: 1
-  PIP_DISABLE_PIP_VERSION_CHECK: 1
 
 jobs:
   test:
@@ -20,6 +16,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v5
@@ -30,18 +28,14 @@ jobs:
       - name: Install uv
         uses: hynek/setup-cached-uv@v2
 
-      - name: Install dependencies
-        run: |
-          uv pip install --system -U tox-uv
-
       - name: Tox tests
         run: |
-          tox -e py
+          uvx --with tox-uv tox -e py
 
       - name: Test CLI
         if: matrix.os == 'ubuntu-latest'
         run: |
-          tox -e cli
+          uvx --with tox-uv tox -e cli
 
       - name: Test emojis.json is up-to-date
         run: |
@@ -56,7 +50,7 @@ jobs:
         uses: codecov/codecov-action@v5.0.7
         with:
           flags: ${{ matrix.os }}
-          name: "${{ matrix.os }} Python ${{ matrix.python-version }}"
+          name: ${{ matrix.os }} Python ${{ matrix.python-version }}
 
   success:
     needs: test
