Skip to content

gh-140681: Freeze pre-commit hooks and update zizmor links#140682

Open
shenxianpeng wants to merge 5 commits intopython:mainfrom
shenxianpeng:update-for-zizmor
Open

gh-140681: Freeze pre-commit hooks and update zizmor links#140682
shenxianpeng wants to merge 5 commits intopython:mainfrom
shenxianpeng:update-for-zizmor

Conversation

@shenxianpeng
Copy link
Contributor

@shenxianpeng shenxianpeng commented Oct 27, 2025

gh-140681: Update zizmor repo and doc links

@shenxianpeng shenxianpeng changed the title Update zizmor repo and doc links gh-140681: Update zizmor repo and doc links Oct 27, 2025
@bedevere-app bedevere-app bot mentioned this pull request Oct 27, 2025
Open
@hugovk
Copy link
Member

hugovk commented Oct 27, 2025

We're in no rush here, it still works because of the redirects.

If we're going to update this, we might as well update the others (for example, prek autoupdate --jobs 0 or pre-commit autoupdate --jobs 0).

We can also now remove the self-hosted-runner of .github/actionlint.yaml.

And there might be a Sphinx Lint release fairly soon, so could also wait for that.

@hugovk hugovk added the infra CI, GitHub Actions, buildbots, Dependabot, etc. label Oct 27, 2025
@hugovk hugovk changed the title gh-140681: Update zizmor repo and doc links gh-140681: Freeze pre-commit hooks and update zizmor links Mar 4, 2026
@hugovk hugovk added needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes labels Mar 4, 2026
@hugovk
Copy link
Member

hugovk commented Mar 4, 2026

As this was still open, I've updated it to also freeze the pre-commit hooks, as discussed at python/devguide#1748 (review). In short, if a repo became compromised, they could rewrite the tag to something malicious. Git SHAs can mitigate this.

If we're going to update this, we might as well update the others (for example, prek autoupdate --jobs 0 or pre-commit autoupdate --jobs 0).

We can also now remove the self-hosted-runner of .github/actionlint.yaml.

I did these too.

@hugovk hugovk mentioned this pull request Mar 4, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@webknjaz webknjaz webknjaz approved these changes

@hugovk hugovk hugovk approved these changes

@sethmlarson sethmlarson sethmlarson approved these changes

@StanFromIreland StanFromIreland StanFromIreland approved these changes

@ezio-melotti ezio-melotti Awaiting requested review from ezio-melotti ezio-melotti is a code owner

@AA-Turner AA-Turner Awaiting requested review from AA-Turner AA-Turner is a code owner

Assignees

No one assigned

Labels

awaiting merge infra CI, GitHub Actions, buildbots, Dependabot, etc. needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes skip news

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@shenxianpeng @hugovk @webknjaz @sethmlarson @StanFromIreland