🔒️ Improve GitHub actions security #15607

Merged: YuriiMotov merged 8 commits into master from zizmor-improvements on May 27, 2026

@YuriiMotov YuriiMotov commented May 25, 2026

Member

Description

This PR adds some security improvements that are implemented in other repos but are missing in this repo (because the PR in this repo was merged first and I added those improvements later):

  • Configure timeouts for jobs
  • Add comment about upgrading version for astral-sh/setup-uv action
  • Add zizmor GH actions workflow

Additionally, I configured the zizmor pre-commit hook to also run when uv.lock is updated. After bumping zizmor, it started arguing on caching enabled in publish.yml (cache poisoning attack).

CI fails due to a deprecation warning introduced in Starlette. See PR #15603.

AI Disclaimer

No AI used

Checklist

  • This PR is an obvious typo fix, or it links to a GitHub Discussion for the proposed code change.
  • I added tests for the change.
  • The new or updated tests fail on the main branch and pass on this PR.
  • Coverage stays at 100%.
  • The documentation explains the change if needed.
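
A simplified check for two of the items this description names, job timeouts and caching in a publish workflow, as an added example that is not part of the PR or the project's code. It is a stand-in for illustration, not zizmor's own logic; the sample workflow is constructed, the `<pinned-sha>` ref is a placeholder, `audit` is a hypothetical name, and treating setup-uv's `enable-cache` input as the caching setting is an assumption.

```python
import re

# Constructed sample (not the project's publish.yml); the action ref is a placeholder.
SAMPLE = """\
on:
  release:
    types: [created]
jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - uses: astral-sh/setup-uv@<pinned-sha>
        with:
          enable-cache: true
  publish:
    runs-on: ubuntu-latest
    steps:
      - run: echo publish
        timeout-minutes: 2  # step-level only; the job itself is unbounded
"""

KEY = re.compile(r"^( *)(?:- )?([\w.-]+):\s*(.*)$")

def audit(text):
    """Return (jobs lacking a job-level timeout, jobs that enable caching)."""
    jobs, in_jobs, job_indent, cur = {}, False, None, None
    for line in text.splitlines():
        m = KEY.match(line)
        if not m:
            continue  # blank lines, comments, plain list scalars
        indent, key = len(m.group(1)), m.group(2)
        value = m.group(3).split("#")[0].strip().strip("'\"").lower()
        if indent == 0:  # top-level key: entering or leaving `jobs:`
            in_jobs, job_indent, cur = key == "jobs", None, None
        elif in_jobs:
            if job_indent is None:
                job_indent = indent  # first key under `jobs:` is a job id
            if indent == job_indent:
                cur = jobs.setdefault(key, {"timeout": False, "cache": False, "child": None})
            elif cur is not None:
                if cur["child"] is None:
                    cur["child"] = indent  # indentation of job-level keys
                if key == "timeout-minutes" and indent == cur["child"]:
                    cur["timeout"] = True  # a step-level timeout does not count
                if key == "enable-cache" and value == "true":
                    cur["cache"] = True
    return ([j for j, s in jobs.items() if not s["timeout"]],
            [j for j, s in jobs.items() if s["cache"]])
```

On the constructed sample, `audit(SAMPLE)` reports `publish` as lacking a job-level timeout and `build` as enabling the cache.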

codspeed-hq Bot commented May 25, 2026

Merging this PR will not alter performance

✅ 20 untouched benchmarks

Comparing zizmor-improvements (354b09b) with master (57535ef) [1]

Footnotes

  1. No successful run was found on master (ad09734) during the generation of this report, so 57535ef was used instead as the comparison base. There might be some changes unrelated to this pull request in this report.

github-actions Bot commented May 25, 2026

Contributor

📝 Docs preview

Last commit 354b09b at: https://75391799.fastapitiangolo.pages.dev

@tiangolo tiangolo left a comment

Member

Great, thank you! 🙌

Feel free to merge when ready.

Comment thread .github/workflows/zizmor.yml Outdated
@YuriiMotov YuriiMotov merged commit a3558be into master May 27, 2026
49 checks passed
@YuriiMotov YuriiMotov deleted the zizmor-improvements branch May 27, 2026 20:57