Skip to content

[pre-commit.ci] pre-commit autoupdate #3991

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
seisman merged 3 commits into from
Jul 8, 2025
Merged

[pre-commit.ci] pre-commit autoupdate #3991

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
3039b19
[pre-commit.ci] pre-commit autoupdate
pre-commit-ci[bot] Jul 7, 2025
1afd94f
Pin GitHub Actions to full length commit SHA
weiji14 Jul 7, 2025
cf41b00
Set MAMBA_ROOT_PREFIX env var properly on Windows GMT build
weiji14 Jul 7, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions .github/workflows/benchmarks.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@ jobs:

# Install Micromamba with conda-forge dependencies
- name: Setup Micromamba
uses: mamba-org/setup-micromamba@v2.0.5
uses: mamba-org/setup-micromamba@b09ef9b599704322748535812ca03efb2625677b # v2.0.5
Copy link
Member

@weiji14 weiji14 Jul 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've used pinact to convert the tags to hash values, only for non-official GitHub Actions (i.e. actions/checkout still uses the tags). Let me know if you prefer to pin the hashes for the official GitHub Actions workflows too.

Copy link
Member

@seisman seisman Jul 8, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did you make the changes manually and do we have to update the hashes manually next time?

Copy link
Member

@weiji14 weiji14 Jul 8, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, I just ran pinact run, and it retrieved the hashes automatically.

Edit: There is also a verify option using pinact run --verify if you want to check that the hashes are ok.

Copy link
Member

@seisman seisman Jul 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I meant do we need to run pinact run manually next time?

Copy link
Member

@weiji14 weiji14 Jul 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh no, we don't need to because dependabot can update the SHA hash, as well as the # vX.Y.Z version tag comment at the end, see dependabot/dependabot-core#4691

with:
environment-name: pygmt
cache-environment: true
Expand Down Expand Up @@ -84,7 +84,7 @@ jobs:

# Run the benchmark tests
- name: Run benchmarks
uses: CodSpeedHQ/action@v3.5.0
uses: CodSpeedHQ/action@0010eb0ca6e89b80c88e8edaaa07cfe5f3e6664d # v3.5.0
with:
# 'bash -el -c' is needed to use the custom shell.
# See https://github.com/CodSpeedHQ/action/issues/65.
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/cache_data.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,7 @@ jobs:

# Install Micromamba with conda-forge dependencies
- name: Setup Micromamba
uses: mamba-org/setup-micromamba@v2.0.5
uses: mamba-org/setup-micromamba@b09ef9b599704322748535812ca03efb2625677b # v2.0.5
with:
environment-name: pygmt
create-args: >-
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/check-links.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ jobs:

- name: Link Checker
id: lychee
uses: lycheeverse/lychee-action@v2.4.1
uses: lycheeverse/lychee-action@82202e5e9c2f4ef1a55a3d02563e1cb6041e5332 # v2.4.1
with:
fail: false # Don't fail action on broken links
output: /tmp/lychee-out.md
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/ci_docs.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -83,7 +83,7 @@ jobs:

# Install Micromamba with conda-forge dependencies
- name: Setup Micromamba
uses: mamba-org/setup-micromamba@v2.0.5
uses: mamba-org/setup-micromamba@b09ef9b599704322748535812ca03efb2625677b # v2.0.5
with:
environment-name: pygmt
cache-environment: true
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/ci_doctests.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ jobs:

# Install Micromamba with conda-forge dependencies
- name: Setup Micromamba
uses: mamba-org/setup-micromamba@v2.0.5
uses: mamba-org/setup-micromamba@b09ef9b599704322748535812ca03efb2625677b # v2.0.5
with:
environment-name: pygmt
create-args: >-
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/ci_tests.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -116,7 +116,7 @@ jobs:

# Install Micromamba with conda-forge dependencies
- name: Setup Micromamba
uses: mamba-org/setup-micromamba@v2.0.5
uses: mamba-org/setup-micromamba@b09ef9b599704322748535812ca03efb2625677b # v2.0.5
with:
environment-name: pygmt
cache-environment: true
Expand Down Expand Up @@ -151,7 +151,7 @@ jobs:
GH_TOKEN: ${{ github.token }}

- name: Install uv
uses: astral-sh/setup-uv@v6.3.1
uses: astral-sh/setup-uv@bd01e18f51369d5a26f1651c3cb451d3417e3bba # v6.3.1
with:
activate-environment: true
python-version: ${{ matrix.python-version }}
Expand Down Expand Up @@ -183,7 +183,7 @@ jobs:

# Upload coverage to Codecov
- name: Upload coverage to Codecov
uses: codecov/codecov-action@v5.4.3
uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
if: success() || failure()
with:
use_oidc: true
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/ci_tests_dev.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,7 +60,7 @@ jobs:

# Install Micromamba with conda-forge dependencies
- name: Setup Micromamba
uses: mamba-org/setup-micromamba@v2.0.5
uses: mamba-org/setup-micromamba@b09ef9b599704322748535812ca03efb2625677b # v2.0.5
with:
environment-name: pygmt
cache-environment: true
Expand Down Expand Up @@ -131,7 +131,7 @@ jobs:
cmake -G Ninja .. ^
-DCMAKE_INSTALL_PREFIX=%GMT_INSTALL_DIR% ^
-DCMAKE_BUILD_TYPE=Release ^
-DCMAKE_PREFIX_PATH=${{ env.MAMBA_ROOT_PREFIX }}\envs\pygmt\Library ^
-DCMAKE_PREFIX_PATH=%MAMBA_ROOT_PREFIX%\envs\pygmt\Library ^
Copy link
Member

@weiji14 weiji14 Jul 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Zizmor was complaining that this line was vulnerable to code template injection:

help[template-injection]: code injection via template expansion
   --> .github/workflows/ci_tests_dev.yaml:134:37
    |
126 |         run: |
    |         --- help: this run block
127 |           cd gmt/
...
133 |             -DCMAKE_BUILD_TYPE=Release ^
134 |             -DCMAKE_PREFIX_PATH=${{ env.MAMBA_ROOT_PREFIX }}\envs\pygmt\Library ^
    |                                     --------------------- help: may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix

The env.MAMBA_ROOT_PREFIX variable set in #2773 could simply be set as %MAMBA_ROOT_PREFIX% if I'm not mistaken, since we're not passing this variable via the env context, though it is set as MAMBA_ROOT_PREFIX: C:\Users\runneradmin\micromamba in https://github.com/GenericMappingTools/pygmt/actions/runs/16129619616/job/45514313791?pr=3991#step:8:18, probably from the setup-micromamba step?

Can you verify that this makes sense @seisman, given your comment on -DCMAKE_PREFIX_PATH at #2773 (comment)?

-DGMT_ENABLE_OPENMP=TRUE ^
-DGMT_USE_THREADS=TRUE
cmake --build .
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/ci_tests_legacy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,7 @@ jobs:

# Install Micromamba with conda-forge dependencies
- name: Setup Micromamba
uses: mamba-org/setup-micromamba@v2.0.5
uses: mamba-org/setup-micromamba@b09ef9b599704322748535812ca03efb2625677b # v2.0.5
with:
environment-name: pygmt
create-args: >-
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/dvc-diff.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,10 +30,10 @@ jobs:
persist-credentials: false

- name: Setup data version control (DVC)
uses: iterative/setup-dvc@v1.1.2
uses: iterative/setup-dvc@2508d098217d24eef3c0e8d7bc0ce7b9ca0723c3 # v1.1.2

- name: Setup continuous machine learning (CML)
uses: iterative/setup-cml@v2.0.0
uses: iterative/setup-cml@f714cd201b7183852dd6f94192b34e7618717560 # v2.0.0

# Produce the markdown diff report, which should look like:
# ## Summary of changed images
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/publish-to-pypi.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -99,7 +99,7 @@ jobs:
path: dist/

- name: Publish distribution 📦 to TestPyPI
uses: pypa/gh-action-pypi-publish@v1.12.4
uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
with:
repository-url: https://test.pypi.org/legacy/

Expand All @@ -123,4 +123,4 @@ jobs:
path: dist/

- name: Publish distribution 📦 to PyPI
uses: pypa/gh-action-pypi-publish@v1.12.4
uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
2 changes: 1 addition & 1 deletion .github/workflows/release-baseline-images.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ jobs:
persist-credentials: false

- name: Setup data version control (DVC)
uses: iterative/setup-dvc@v1.1.2
uses: iterative/setup-dvc@2508d098217d24eef3c0e8d7bc0ce7b9ca0723c3 # v1.1.2

- name: Pull baseline image data from dvc remote
run: dvc pull && ls -lhR pygmt/tests/baseline/
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/release-drafter.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ jobs:

steps:
# Drafts your next Release notes as Pull Requests are merged into "main"
- uses: release-drafter/release-drafter@v6.1.0
- uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6.1.0
with:
# (Optional) specify config name to use, relative to .github/. Default: release-drafter.yml
config-name: release-drafter.yml
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/slash-command-dispatch.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Slash Command Dispatch
uses: peter-evans/slash-command-dispatch@v4.0.0
uses: peter-evans/slash-command-dispatch@13bc09769d122a64f75aa5037256f6f2d78be8c4 # v4.0.0
with:
token: ${{ github.token }}
commands: |
Expand Down
2 changes: 1 addition & 1 deletion .pre-commit-config.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ repos:
- id: chmod
args: ['644']
- repo: https://github.com/woodruffw/zizmor-pre-commit
rev: v1.5.2
rev: v1.11.0
hooks:
- id: zizmor

Expand Down
Loading