From 0212cdb12376a1e1ed4d5c0601e12333a9c3ac82 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Hensgen?=
Date: Mon, 5 May 2025 11:34:10 -0400
Subject: [PATCH 1/5] [GEOPY-2161] fix wrong regular expression
---
 simpeg/directives/_save_geoh5.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/simpeg/directives/_save_geoh5.py b/simpeg/directives/_save_geoh5.py
index 6d085c7478..6ebcbcc23c 100644
--- a/simpeg/directives/_save_geoh5.py
+++ b/simpeg/directives/_save_geoh5.py
@@ -379,9 +379,7 @@ def write(self, iteration: int, **_):
 with open(dirpath / "SimPEG.log", "r", encoding="utf-8") as file:
 iteration = 0
 for line in file:
- val = re.findall(
- "[+\-]?(?:0|[1-9]\d*)(?:\.\d*)?(?:[eE][+\-]?\d+)", line # noqa
- )
+ val = re.findall(r"[+-]?(?:0|[1-9]\d*)(?:\.\d*)?(?:[eE][+-]?\d+)", line)
 if len(val) == 5:
 log.append(val[:-2])
 iteration += 1
From 931eaadce417deb59a49fecc3e6273a361a23724 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Hensgen?=
Date: Mon, 5 May 2025 11:59:57 -0400
Subject: [PATCH 2/5] [GEOPY-2161] lock black and flake GitHub actions on sha as recommended by zizmor used `pinact run` (see https://github.com/suzuki-shunsuke/pinact)
---
 .github/workflows/pull_request.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 3052116a35..307ebdc7d8 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -68,7 +68,7 @@ jobs:
 persist-credentials: false
 - name: flake8 review
- uses: reviewdog/action-flake8@v3
+ uses: reviewdog/action-flake8@b65981e158319f08cb7d0132f28bc0081e110adc # v3.15.2
 with:
 workdir: pr_source
 github_token: ${{ secrets.GITHUB_TOKEN }}
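Review bot: In `_save_geoh5.py`, the new raw-string pattern still carries no comment recording the two things the loop depends on: the exponent group `(?:[eE][+-]?\d+)` is mandatory, so only values written in scientific notation are captured, and a line is treated as an iteration row only when exactly five such values are found. A comment above the call such as `# SimPEG.log data rows hold five scientific-notation floats; the last two are dropped` would record that, if this is indeed the intended log layout. Hoisting the pattern to a module-level `re.compile(...)` constant would give it a name and one place to document it. `write` starts and ends outside this hunk.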
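Review bot: The `# v3.15.2` comment next to the pinned SHA for `reviewdog/action-flake8` is not checked by anything, so the pin will go stale and the comment can drift from the SHA unless something keeps them in step; the same applies to the `reviewdog/action-black` pin in the next hunk of `pull_request.yml`. Consider adding a Dependabot or Renovate rule for `github-actions` so the SHA and its version comment are updated together. Both steps also pass `${{ secrets.GITHUB_TOKEN }}` to a third-party action, and this series adds an explicit `permissions:` block to four other workflows but none is visible for `pull_request.yml`; if the file has none, a least-privilege block belongs here too. The job definitions start outside these hunks.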
@@ -104,7 +104,7 @@ jobs:
 path: 'pr_source'
 persist-credentials: false
- - uses: reviewdog/action-black@v3
+ - uses: reviewdog/action-black@644053a260402bc4278a865906107bd8aef7fae8 # v3.22.4
 with:
 workdir: 'pr_source'
 github_token: ${{ secrets.GITHUB_TOKEN }}
From 1b9d5c8b459827eb48219b7bd9ee97958681195c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Hensgen?=
Date: Mon, 5 May 2025 12:27:03 -0400
Subject: [PATCH 3/5] [GEOPY-2161] zizmor ignore on pr_add_jira_summary
---
 .github/workflows/pr_add_jira_summary.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/pr_add_jira_summary.yml b/.github/workflows/pr_add_jira_summary.yml
index 794bf3f0b1..2180300051 100644
--- a/.github/workflows/pr_add_jira_summary.yml
+++ b/.github/workflows/pr_add_jira_summary.yml
@@ -1,7 +1,7 @@
 name: Add JIRA issue summary
 on:
- pull_request_target:
+ pull_request_target: # zizmor: ignore[dangerous-triggers]
 types: [opened]
 jobs:
From cbe6ee45450410bc3d10a3e16fefca0f8196f265 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Hensgen?=
Date: Mon, 5 May 2025 12:42:10 -0400
Subject: [PATCH 4/5] [GEOPY-2161] fix reports by Zizmor in github workflows
---
 .github/workflows/issue_to_jira.yml | 9 ++++++++-
 .github/workflows/pr_add_jira_summary.yml | 8 +++++++-
 .github/workflows/python_deploy_dev.yml | 4 ++++
 .github/workflows/python_deploy_prod.yml | 4 ++++
 4 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/issue_to_jira.yml b/.github/workflows/issue_to_jira.yml
index 249e0a8cc0..73602ab373 100644
--- a/.github/workflows/issue_to_jira.yml
+++ b/.github/workflows/issue_to_jira.yml
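Review bot: The `# zizmor: ignore[dangerous-triggers]` suppression on `pull_request_target` in `pr_add_jira_summary.yml` records no reason, so a later reader cannot tell why the finding was judged acceptable. `pull_request_target` runs with the base repository's secrets and token even for pull requests from forks, which is safe only while the called reusable workflow never checks out or executes the pull request's code and never interpolates the PR title, body or branch name into a script; that workflow is not visible here. I would state the justification on the line above the trigger, e.g. `# pull_request_target: needed to edit PRs from forks; the called workflow only reads PR metadata and never checks out PR code`, after confirming that it holds.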
@@ -4,10 +4,17 @@ on:
 issues:
 types: [opened]
+permissions:
+ contents: read
+ issues: write
+
 jobs:
 call-workflow-create-jira-issue:
 uses: MiraGeoscience/CI-tools/.github/workflows/reusable-jira-issue_to_jira.yml@main
- secrets: inherit
 with:
 project-key: 'GEOPY'
 components: '[{"name": "simpeg"}]'
+ secrets:
+ JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
+ JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
+ JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }}
diff --git a/.github/workflows/pr_add_jira_summary.yml b/.github/workflows/pr_add_jira_summary.yml
index 2180300051..14963d5892 100644
--- a/.github/workflows/pr_add_jira_summary.yml
+++ b/.github/workflows/pr_add_jira_summary.yml
@@ -4,7 +4,13 @@ on:
 pull_request_target: # zizmor: ignore[dangerous-triggers]
 types: [opened]
+permissions:
+ contents: read
+ pull-requests: write
+
 jobs:
 call-workflow-add-jira-issue-summary:
 uses: MiraGeoscience/CI-tools/.github/workflows/reusable-jira-pr_add_jira_summary.yml@main
- secrets: inherit
+ secrets:
+ JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
+ JIRA_BASIC_AUTH: ${{ secrets.JIRA_BASIC_AUTH }}
diff --git a/.github/workflows/python_deploy_dev.yml b/.github/workflows/python_deploy_dev.yml
index 2310ff2a03..d55b2cb8aa 100644
--- a/.github/workflows/python_deploy_dev.yml
+++ b/.github/workflows/python_deploy_dev.yml
@@ -9,6 +9,10 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
 cancel-in-progress: true
+permissions:
+ contents: write
+ actions: read
+
 jobs:
 call-workflow-conda-publish:
 name: Publish development conda package on JFrog Artifactory
diff --git a/.github/workflows/python_deploy_prod.yml b/.github/workflows/python_deploy_prod.yml
index 5d9054ce07..20415b19e6 100644
--- a/.github/workflows/python_deploy_prod.yml
+++ b/.github/workflows/python_deploy_prod.yml
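Review bot: The reusable workflow in `issue_to_jira.yml` is still referenced as `reusable-jira-issue_to_jira.yml@main`, a mutable branch ref, while it now receives `JIRA_API_TOKEN` explicitly; replacing `secrets: inherit` narrows which secrets are exposed but not which code receives them. Patch 2/5 pins the reviewdog actions to commit SHAs, and the same pin would make sense here, e.g. `uses: MiraGeoscience/CI-tools/.github/workflows/reusable-jira-issue_to_jira.yml@<commit-sha> # <tag>` (placeholder values). The `@main` reference in the `pr_add_jira_summary.yml` hunk that follows is in the same position, as are the ones in the `python_deploy_dev.yml` jobs of patch 5/5, which run with `contents: write`. Since this workflow is triggered by `issues: opened`, the issue title and body are untrusted input to whatever the called workflow does with them, which cannot be checked from this diff.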
@@ -23,6 +23,10 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event.release.tag_name || github.event.inputs.release-tag || github.run_id }}
 cancel-in-progress: true
+permissions:
+ contents: read
+ actions: read
+
 jobs:
 call-workflow-conda-release:
 name: Publish production Conda package on JFrog Artifactory
From 74bd16a92e0d93879b29f4678e157a71e0d31437 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Hensgen?=
Date: Mon, 5 May 2025 17:54:54 -0400
Subject: [PATCH 5/5] [GEOPY-2161] another attempt to address report by Zizmor
---
 .github/workflows/python_deploy_dev.yml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/python_deploy_dev.yml b/.github/workflows/python_deploy_dev.yml
index d55b2cb8aa..1238f55f2e 100644
--- a/.github/workflows/python_deploy_dev.yml
+++ b/.github/workflows/python_deploy_dev.yml
@@ -9,14 +9,13 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
 cancel-in-progress: true
-permissions:
- contents: write
- actions: read
-
 jobs:
 call-workflow-conda-publish:
 name: Publish development conda package on JFrog Artifactory
 uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-publish_rattler_package.yml@main
+ permissions:
+ contents: write # to create draft release and attach artifacts
+ actions: read
 with:
 package-name: 'mira-simpeg'
 python-version: '3.10'
@@ -29,6 +28,9 @@ jobs:
 call-workflow-pypi-publish:
 name: Publish development pypi package (JFrog Artifactory, TestPyPI)
 uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-publish_pypi_package.yml@main
+ permissions:
+ contents: write # to create draft release and attach artifacts
+ actions: read
 with:
 package-manager: 'setuptools'
 package-name: 'mira-simpeg'
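Review bot: Removing the workflow-level `permissions:` block from `python_deploy_dev.yml` in patch 5/5 means any job without its own block falls back to the repository's default token permissions; the two jobs touched here (`call-workflow-conda-publish` and, in the following hunk, `call-workflow-pypi-publish`) each get one, but a job added later would not. Keeping a deny-by-default `permissions: {}` at the top of the workflow and granting scopes per job closes that gap. `python_deploy_prod.yml` keeps its workflow-level block from patch 4/5, so the two deploy workflows now scope permissions differently; the jobs list continues outside these hunks, so there may be other jobs I cannot see.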