Commit 0e5ee97

ci: align security workflow python pin
Assisted-by: Codex (model: GPT-5, autonomous)
1 parent 0d39ddf commit 0e5ee97

2 files changed

Lines changed: 26 additions & 2 deletions

.github/workflows/security.yml

Lines changed: 2 additions & 2 deletions
@@ -27,7 +27,7 @@ jobs:
2727
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
2828

2929
- name: Set up Python
30-
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
30+
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6
3131
with:
3232
python-version: "3.13"
3333

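Review bot: the trailing comment on the new `actions/setup-python` line still reads `# v6`, the same label the removed SHA carried, so the comment no longer tells a reader which release `ece7cb06caefa5fff74198d8649806c4678c61a1` corresponds to. Two different commits cannot both be identified by a bare major tag. Record the exact release tag in the comment, as the `setup-uv` line above does with `# v8.2.0`, so the pin can be checked against upstream during review.
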
@@ -58,7 +58,7 @@ jobs:
5858
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
5959

6060
- name: Set up Python ${{ matrix.python-version }}
61-
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
61+
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6
6262
with:
6363
python-version: ${{ matrix.python-version }}
6464

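Review bot: nothing in this change records where the new SHA on the matrix job's `Set up Python ${{ matrix.python-version }}` step was taken from. The tests in this commit only check that the ref is 40 hex characters and that it equals what other workflows use, so a wrong SHA copied consistently into every workflow would still pass. State in the commit message which upstream release the SHA belongs to, and confirm it is reachable from a release tag in `actions/setup-python` before merging.
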
tests/test_security_workflow.py

Lines changed: 24 additions & 0 deletions
@@ -182,6 +182,30 @@ def test_actions_are_pinned_to_full_commit_shas(self):
182182
assert re.search(r"@[0-9a-f]{40}$", uses_ref), uses_ref
183183
assert re.search(r"@v\d+", uses_ref) is None
184184

185+
def test_setup_python_pin_matches_repo_standard(self):
186+
workflow = _load_security_workflow()
187+
security_refs = {
188+
step["uses"]
189+
for job in workflow["jobs"].values()
190+
for step in job["steps"]
191+
if step.get("uses", "").startswith("actions/setup-python@")
192+
}
193+
repo_standard_refs = set()
194+
for workflow_path in (
195+
REPO_ROOT / ".github" / "workflows" / "test.yml",
196+
REPO_ROOT / ".github" / "workflows" / "publish-pypi.yml",
197+
):
198+
workflow_data = yaml.safe_load(workflow_path.read_text(encoding="utf-8"))
199+
repo_standard_refs.update(
200+
step["uses"]
201+
for job in workflow_data["jobs"].values()
202+
for step in job["steps"]
203+
if step.get("uses", "").startswith("actions/setup-python@")
204+
)
205+
206+
assert len(repo_standard_refs) == 1
207+
assert security_refs == repo_standard_refs
208+
185209
def test_committed_audit_requirements_are_hashed(self):
186210
requirements = SECURITY_REQUIREMENTS.read_text(encoding="utf-8")
187211

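Review bot: the loop in `test_setup_python_pin_matches_repo_standard` hard-codes `test.yml` and `publish-pypi.yml` as the source of the standard, so any other workflow that uses `actions/setup-python` can drift without failing this test. Consider iterating over every workflow file under `REPO_ROOT / ".github" / "workflows"` and asserting that the combined set of refs has exactly one element. Separately, `job["steps"]` raises `KeyError` for a job that has no `steps` key (for example one that calls a reusable workflow); `job.get("steps", [])` would keep the test failing only for pin mismatches. The two bare asserts would also be easier to diagnose with the offending sets as the assertion message, as the existing `assert re.search(...), uses_ref` line does.
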