Merge pull request #551 from gaphor/block-egress

Block egress in CI and update dependencies

.github/workflows/build.yml

@@ -18,19 +18,29 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  python-version: '3.12'
+  python-version: '3.13'
 
 permissions:
   contents: read
 
 jobs:
   lint:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
-          egress-policy: audit
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            files.pythonhosted.org:443
+            pypi.org:443
+            github.com:443
+            api.github.com:443
+            objects.githubusercontent.com:443
+            raw.githubusercontent.com:443
 
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
@@ -57,7 +67,7 @@ jobs:
     strategy:
       max-parallel: 4
       matrix:
-        python-version: ['3.8', '3.9', '3.10', '3.11', '3.12']
+        python-version: ['3.9', '3.10', '3.11', '3.12', '3.13']
     name: build (python ${{ matrix.python-version }})
     outputs:
       targz: generic-${{ steps.meta.outputs.version }}.tar.gz
@@ -66,8 +76,18 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
-          egress-policy: audit
-
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.codeclimate.com:443
+            codeclimate.com:443
+            *.cloudfront.net:443
+            files.pythonhosted.org:443
+            pypi.org:443
+            github.com:443
+            keys.openpgp.org:443
+            objects.githubusercontent.com:443
+            raw.githubusercontent.com:443
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0

.github/workflows/pre-commit-updater.yml

@@ -0,0 +1,53 @@
+name: Pre-commit updater
+on:
+  workflow_dispatch:
+  schedule:
+    # min hour dom month dow
+    - cron:  '0 5 * * 3'
+env:
+  python_version: '3.13'
+
+jobs:
+
+  updater:
+    name: Update
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            files.pythonhosted.org:443
+            github.com:443
+            objects.githubusercontent.com:443
+            pypi.org:443
+            raw.githubusercontent.com:443
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: main
+      - name: Set up Python
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+        with:
+          python-version: ${{ env.python_version }}
+          cache: pip
+      - name: Install pre-commit
+        run: python -m pip install pre-commit
+      - name: Update pre-commit hooks
+        run: pre-commit autoupdate --freeze
+      - name: Run pre-commit hooks
+        run: pre-commit run --all-files
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
+        with:
+          token: ${{ secrets.PR_CREATOR }}
+          commit-message: Update pre-commit hooks
+          branch: pre-commit-update
+          delete-branch: true
+          title: 'Update pre-commit hooks'
+          body: |
+            This PR was automatically created to make the following update:
+            - Update pre-commit hooks
+          labels: |
+            skip-changelog

.pre-commit-config.yaml

@@ -1,15 +1,15 @@
 repos:
 - repo: https://github.com/pre-commit/mirrors-mypy
-  rev: v1.10.1
+  rev: f56614daa94d5cd733d3b7004c5df9caad267b4a  # frozen: v1.13.0
   hooks:
   - id: mypy
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v4.6.0
+  rev: cef0300fd0fc4d2a87a85fa2093c6b283ea36f4b  # frozen: v5.0.0
   hooks:
   - id: check-toml
   - id: check-yaml
 - repo: https://github.com/astral-sh/ruff-pre-commit
-  rev: 'v0.5.1'
+  rev: '52c175db9e13515a6b086cd53ce8a66599eac64b'  # frozen: v0.7.2
   hooks:
     - id: ruff
       args: [--fix]