diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index acca2c19..b3ed08af 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -18,15 +18,19 @@ concurrency: ${{ github.event.pull_request.number || github.sha }} cancel-in-progress: true +permissions: + contents: read + jobs: build-release: - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v6 - - uses: actions/setup-python@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: - python-version: 3.11 - cache: pip + python-version: "3.13" - name: install build package run: | @@ -50,7 +54,7 @@ jobs: jupyter server extension list 2>&1 | grep ipyparallel # ref: https://github.com/actions/upload-artifact#readme - - uses: actions/upload-artifact@v7 + - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: ipyparallel-${{ github.sha }} path: "dist/*" @@ -60,14 +64,14 @@ jobs: permissions: id-token: write environment: release - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 if: startsWith(github.ref, 'refs/tags/') needs: - build-release steps: - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: path: dist merge-multiple: true - name: Publish wheels to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 diff --git a/.github/workflows/test-docs.yml b/.github/workflows/test-docs.yml index ff8a6c75..acc65bf2 100644 --- a/.github/workflows/test-docs.yml +++ b/.github/workflows/test-docs.yml @@ -10,6 +10,9 @@ on: - "**" workflow_dispatch: +permissions: + contents: read + env: # UTF-8 content may be interpreted as ascii and causes errors without this. LANG: C.UTF-8 
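Review bot: The trailing comments on the new SHA pins (`# v6` on checkout and setup-python in this hunk, `# v7` and `# v8` on upload-artifact and download-artifact in the two later release.yml hunks) name a moving major tag, so a reader cannot tell which release the hash was taken from or check it against upstream. The pypi-publish pin at the end of the file already uses an exact tag (`# v1.14.0`); the others should follow that form, e.g. `uses: actions/checkout@<same-sha> # vX.Y.Z`, where `vX.Y.Z` stands for the exact release behind the hash. The build-release step list continues outside the hunk.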
@@ -24,6 +27,7 @@ jobs: # make rediraffecheckdiff requires git history to compare current # commit with the main branch and previous releases. fetch-depth: 0 + persist-credentials: false - uses: actions/setup-python@v6 with: @@ -54,7 +58,7 @@ jobs: if: github.event_name == 'pull_request' run: | cd docs - export REDIRAFFE_BRANCH=origin/${{ github.base_ref }} + export REDIRAFFE_BRANCH=origin/${GITHUB_BASE_REF} make rediraffecheckdiff # this should check currently published 'stable' links for redirects diff --git a/.github/workflows/test-ssh.yml b/.github/workflows/test-ssh.yml index 122ed2dc..6daed594 100644 --- a/.github/workflows/test-ssh.yml +++ b/.github/workflows/test-ssh.yml @@ -27,6 +27,9 @@ concurrency: ${{ github.event.pull_request.number || github.sha }} cancel-in-progress: true +permissions: + contents: read + env: # UTF-8 content may be interpreted as ascii and causes errors without this. LANG: C.UTF-8 @@ -49,6 +52,8 @@ jobs: steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Get Docker infos run: | diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 70373ead..d31e3b28 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -14,6 +14,9 @@ concurrency: ${{ github.event.pull_request.number || github.sha }} cancel-in-progress: true +permissions: + contents: read + env: # UTF-8 content may be interpreted as ascii and causes errors without this. LANG: C.UTF-8 @@ -51,6 +54,8 @@ jobs: steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Cache conda environment uses: actions/cache@v5 diff --git a/.github/workflows/windows-ssh-image.yaml b/.github/workflows/windows-ssh-image.yaml index 93f08975..fb666129 100644 --- a/.github/workflows/windows-ssh-image.yaml +++ b/.github/workflows/windows-ssh-image.yaml 
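Review bot: In the `@@ -54,7 +58,7 @@` hunk of test-docs.yml, `origin/${GITHUB_BASE_REF}` is now expanded by the shell at run time but is left unquoted, and nothing visible shows how `make rediraffecheckdiff` consumes `REDIRAFFE_BRANCH`. Reading the environment variable keeps the branch name out of the script text, but it is still event-supplied data, so quote it: `export REDIRAFFE_BRANCH="origin/${GITHUB_BASE_REF}"`. It is also worth confirming that the Makefile or Sphinx configuration passes the value on as a single argument rather than interpolating it into another shell command. The step begins above the hunk.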
@@ -20,6 +20,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Log in to the Container registry uses: docker/login-action@v4 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index c42fd757..28f06acc 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -24,7 +24,7 @@ repos: # than ruff itself # but has trouble with isort rules - repo: https://github.com/nbQA-dev/nbQA - rev: f96ec7f3b26a32619435686eb5813235f7e3327e # frozen: 1.9.1 + rev: d31b7eae1767c43460afb3ba130e0a6602933abe # frozen: 1.9.1 hooks: - id: nbqa-ruff-format - id: nbqa-ruff-check @@ -36,6 +36,19 @@ repos: rev: 515f543f5718ebfd6ce22e16708bb32c68ff96e1 # frozen: v3.8.3 hooks: - id: prettier + + - repo: https://github.com/zizmorcore/zizmor-pre-commit + rev: a4727cbbcd26d7098e96b9cb738169b59711ae51 # frozen: v1.24.1 + hooks: + - id: zizmor + args: + - --fix=all + - id: zizmor + args: + - --fix=all + - --config=zizmor-strict.yaml + files: .github/workflows/release.yml + - repo: https://github.com/pre-commit/pre-commit-hooks rev: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c # frozen: v6.0.0 hooks: diff --git a/docs/source/changelog.md b/docs/source/changelog.md index d130c651..00435e7e 100644 --- a/docs/source/changelog.md +++ b/docs/source/changelog.md @@ -6,6 +6,12 @@ Changes in IPython Parallel ## 9.1 +### 9.2.0 - 2026-05 + +9.2.0 updates JupyterLab extension dependencies and removes some use of deprecated APIs in ipykernel. + +([full changelog](https://github.com/ipython/ipyparallel/compare/9.1.0...9.2.0)) + ### 9.1.0 - 2026-03 9.1.0 introduces a new task labeling feature for filtering task results (Thanks, @ottointhesky!). diff --git a/zizmor-strict.yaml b/zizmor-strict.yaml new file mode 100644 index 00000000..d96409a8 --- /dev/null +++ b/zizmor-strict.yaml @@ -0,0 +1,7 @@ +# separate zizmor config for workflows with +# default +rules: + unpinned-uses: + config: + policies: + "*": hash-pin 
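Review bot: windows-ssh-image.yaml is the only workflow touched by this change that gets no top-level `permissions:` block, although the step right after checkout logs in to a container registry. Whether the file already scopes the token is not visible, because the hunk starts at line 20. If it does not, declare the scope explicitly, e.g. `permissions:` with `contents: read`, plus `packages: write` only if the registry is GHCR and only on the job that pushes the image. The job's steps continue outside the hunk.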
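Review bot: The nbQA `rev` in .pre-commit-config.yaml changes to a different 40-character hash while the trailing comment still reads `frozen: 1.9.1`, so the same tag name has now been recorded against two different objects. That happens when a tag is re-pointed upstream or when one of the two values was an annotated-tag object rather than a commit. Before merging, check that `d31b7eae1767c43460afb3ba130e0a6602933abe` is the commit the upstream `1.9.1` tag resolves to, and record in the commit message why the hash moved.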
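Review bot: Both new zizmor hooks run with `--fix=all`, which also applies the fixes zizmor classes as unsafe, so a local commit can rewrite workflow files in ways that change their behaviour without that edit being reviewed as such. `--fix=safe` limits the automatic rewrites to the ones zizmor treats as behaviour-preserving and leaves the rest as findings to resolve by hand. Separately, `files:` is a regular expression in pre-commit, so the strict hook's pattern is better anchored and escaped: `files: ^\.github/workflows/release\.yml$`.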
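Review bot: The header comment in zizmor-strict.yaml breaks off (`# separate zizmor config for workflows with` / `# default`) and never says which workflows the file applies to or why they are held to a stricter rule. Since this config is what enforces hash pinning on the workflow that publishes to PyPI, state that directly, e.g. `# stricter zizmor config for the release workflow: every action must be pinned to a full commit hash` followed by `# selected with --config in .pre-commit-config.yaml`.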
diff --git a/zizmor.yaml b/zizmor.yaml
new file mode 100644
index 00000000..00ea2bb6
--- /dev/null
+++ b/zizmor.yaml
@@ -0,0 +1,5 @@
+rules:
+ unpinned-uses:
+ config:
+ policies:
+ "*": ref-pin
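Review bot: `"*": ref-pin` relaxes pinning for every action in every workflow except release.yml, including third-party ones such as `docker/login-action@v4` in windows-ssh-image.yaml, which runs next to registry credentials. A tag reference is mutable, so what those workflows execute can change without any diff in this repository. Narrow the relaxation to the first-party namespace and keep hashes for everything else: `"actions/*": ref-pin` followed by `"*": hash-pin`. A one-line comment saying why this file is looser than zizmor-strict.yaml would also help the next maintainer.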