2727 uses : astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
2828
2929 - name : Set up Python
30- uses : actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
30+ uses : actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6
3131 with :
3232 python-version : " 3.13"
3333
5858 uses : astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
5959
6060 - name : Set up Python ${{ matrix.python-version }}
61- uses : actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
61+ uses : actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6
6262 with :
6363 python-version : ${{ matrix.python-version }}
6464
@@ -182,6 +182,30 @@ def test_actions_are_pinned_to_full_commit_shas(self):
182182 assert re .search (r"@[0-9a-f]{40}$" , uses_ref ), uses_ref
183183 assert re .search (r"@v\d+" , uses_ref ) is None
184184
185+ def test_setup_python_pin_matches_repo_standard (self ):
186+ workflow = _load_security_workflow ()
187+ security_refs = {
188+ step ["uses" ]
189+ for job in workflow ["jobs" ].values ()
190+ for step in job ["steps" ]
191+ if step .get ("uses" , "" ).startswith ("actions/setup-python@" )
192+ }
193+ repo_standard_refs = set ()
194+ for workflow_path in (
195+ REPO_ROOT / ".github" / "workflows" / "test.yml" ,
196+ REPO_ROOT / ".github" / "workflows" / "publish-pypi.yml" ,
197+ ):
198+ workflow_data = yaml .safe_load (workflow_path .read_text (encoding = "utf-8" ))
199+ repo_standard_refs .update (
200+ step ["uses" ]
201+ for job in workflow_data ["jobs" ].values ()
202+ for step in job ["steps" ]
203+ if step .get ("uses" , "" ).startswith ("actions/setup-python@" )
204+ )
205+
206+ assert len (repo_standard_refs ) == 1
207+ assert security_refs == repo_standard_refs
208+
185209 def test_committed_audit_requirements_are_hashed (self ):
186210 requirements = SECURITY_REQUIREMENTS .read_text (encoding = "utf-8" )
187211