Merge pull request #22 from tacaswell/harden_gha

tacaswell · web-flow · commit 8444ae8a66fb · 2025-07-18T14:40:57.000-04:00
CI: Harden GHA configuration
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"      # Location of your workflow files
+    schedule:
+      interval: "weekly"  # Options: daily, weekly, monthly
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -25,6 +25,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v3
+        with:
+          persist-credentials: false
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v2
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -1,4 +1,6 @@
 name: Docs
+permissions:
+  contents: read
 
 on: [push, pull_request]
 
@@ -11,6 +13,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
+        with:
+          persist-credentials: false
       - name: Install Python dependencies
         run: pip install -r requirements-doc.txt
 
@@ -25,7 +29,7 @@ jobs:
 
       - name: Publish
         if: ${{ env.IS_RELEASE == 'true' }}
-        uses: peaceiris/actions-gh-pages@v3
+        uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           publish_dir: ./docs/build/html
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
@@ -1,4 +1,6 @@
 name: Unit Tests
+permissions:
+  contents: read
 
 on:
   push:
@@ -12,13 +14,14 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: ['3.9', '3.10', '3.11', '3.12']
+        python-version: ['3.11', '3.12', '3.11']
       fail-fast: false
     steps:
 
     - uses: actions/checkout@v2
       with:
         fetch-depth: 0
+        persist-credentials: false
 
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@v2
@@ -41,4 +44,4 @@ jobs:
         coverage report
 
     - name: Upload code coverage
-      uses: codecov/codecov-action@v1
+      uses: codecov/codecov-action@29386c70ef20e286228c72b668a06fd0e8399192 # v1
diff --git a/setup.py b/setup.py
@@ -7,7 +7,7 @@
 # NOTE: This file must remain Python 2 compatible for the foreseeable future,
 # to ensure that we error out properly for people with outdated setuptools
 # and/or pip.
-min_version = (3, 7)
+min_version = (3, 11)
 if sys.version_info < min_version:
     error = """
 mpl-gui does not support Python {0}.{1}.
