mirror of
https://github.com/astral-sh/setup-uv.git
synced 2025-12-15 11:07:14 +00:00
This addresses all of zizmor's non-pedantic findings, and adds a workflow to proactively flag any more that come in.

Key changes:

* I've hash-pinned all actions references. Dependabot will continue to keep these updated and will update the hash comments as well.
* I've marked every `actions/checkout` with `persist-credentials: false` except for one that actually needs persisted credentials (which I've explicitly enabled with an explanatory comment)
* I've dropped some workflow-level permissions in favor of job-level permissions that were already provisioned.
* I fixed two small template injections caused by expanding output contexts. I think these were not exploitable in practice, but fixing them is good for defense in depth (and makes spellcheck work nicely on these steps).

---------

Signed-off-by: William Woodruff <william@astral.sh>
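The following workflow is an added illustration of the hardening patterns the commit message lists; it is not the setup-uv project's own workflow and not part of this commit. It shows, in one job, each weak form as a comment directly above its corrected form: workflow-level permissions replaced by job-level ones, a floating tag replaced by a full-SHA pin with the tag kept as a comment, `persist-credentials: false` on checkout, and an output context moved out of a `run:` script body into `env:`. A second job runs zizmor on every pull request in the spirit of the one the commit adds. The commit SHAs are obvious placeholders (not real pins), the `probe` step and its `version` output are constructed, and invoking zizmor through `uvx` is an assumption about how it is installed.

```yaml
# Added example, not from the setup-uv repository or this commit.
name: ci

on:
  pull_request:

# Weak form: a broad workflow-level grant that every job silently inherits.
# permissions:
#   contents: write
#
# Corrected form: nothing at the workflow level; each job declares what it uses.
permissions: {}

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # Weak form: a floating tag resolves to whatever the tag points at when
      # the job runs, so a moved tag changes the code you execute.
      #   - uses: actions/checkout@v4
      #
      # Corrected form: pin to a full commit SHA and keep the tag as a comment
      # so Dependabot can bump the SHA and the comment together. The SHA below
      # is a PLACEHOLDER, not a real pin; take the real one from the action's
      # repository.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (PLACEHOLDER SHA)
        with:
          # Weak form (the checkout default, persist-credentials: true): the
          # job token is written into .git/config and remains readable by
          # every later step. Corrected form: switch it off unless a later
          # step actually needs to push.
          persist-credentials: false

      # Hypothetical step producing a constructed 'version' output, used only
      # so the next step has an output context to expand.
      - id: probe
        run: echo "version=1.2.3" >> "$GITHUB_OUTPUT"

      # Weak form: the expression is substituted into the script text before
      # the shell parses it, so the output's contents are interpreted as shell
      # syntax rather than as data.
      #   - run: echo "Resolved ${{ steps.probe.outputs.version }}"
      #
      # Corrected form: bind the value to an environment variable and let the
      # shell read it as data. The script body is now plain shell, which is
      # also what lets a spellchecker parse it cleanly.
      - env:
          RESOLVED_VERSION: ${{ steps.probe.outputs.version }}
        run: echo "Resolved $RESOLVED_VERSION"

  # Companion job: run zizmor on every pull request so any new finding shows
  # up in review. The setup-uv reference is pinned the same way as above
  # (PLACEHOLDER SHA); running zizmor via uvx is an assumption.
  zizmor:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (PLACEHOLDER SHA)
        with:
          persist-credentials: false
      - uses: astral-sh/setup-uv@0000000000000000000000000000000000000000 # (PLACEHOLDER SHA)
      - run: uvx zizmor .github/workflows
```

The `env:` indirection is the part worth internalising: any `${{ ... }}` that lands inside a `run:` body is string-pasted into the script, so the only safe place for a context value you do not fully control is an environment variable or an action input, never the script text itself.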