11name : CI
22
3- on :
3+ # Since this same workflow file is used for both PRs and pushes,
4+ # Zizmor wants to flag all uses of caches as potential cache poisoning vulnerabilities.
5+ # I don't see a way to easily split this workflow into two separate files since
6+ # we do want to build the package for PRs, and then publish it from that exact
7+ # built artifact, if we're pushing to tags.
8+
9+ on : # zizmor: ignore[cache-poisoning]
410 push :
511 branches :
612 - master
1218 - master
1319 - ' *-maint'
1420
21+ permissions : {}
22+
1523jobs :
1624 lint :
25+ name : lint
1726 permissions :
1827 contents : read
1928 runs-on : ubuntu-latest
2029 steps :
21- - uses : actions/checkout@v5
22- - uses : astral-sh/setup-uv@v6
30+ - uses : actions/checkout@v6
31+ with :
32+ persist-credentials : false
33+ - uses : astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
2334 with :
2435 cache-dependency-glob : " .github/workflows/*.yml"
2536 cache-suffix : pre-commit-uv
2637 - run : uv tool install pre-commit --with pre-commit-uv --force-reinstall
27- - uses : actions/cache@v4
38+ - uses : actions/cache@v5
2839 with :
2940 path : ~/.cache/pre-commit
3041 key : pre-commit-uv-v1-${{ hashFiles('.pre-commit-config.yaml') }}
3142 - run : pre-commit run --all-files --show-diff-on-failure --color=always
3243 env :
3344 RUFF_OUTPUT_FORMAT : github
3445 test :
46+ name : test
3547 permissions :
3648 contents : read
3749 runs-on : ${{ matrix.os }}
5567 BABEL_CLDR_QUIET : " 1"
5668 PIP_DISABLE_PIP_VERSION_CHECK : " 1"
5769 steps :
58- - uses : actions/checkout@v5
59- - uses : actions/cache@v4
70+ - uses : actions/checkout@v6
71+ with :
72+ persist-credentials : false
73+ - uses : actions/cache@v5
6074 with :
6175 path : cldr
6276 key : cldr-${{ hashFiles('scripts/*cldr*') }}
@@ -76,19 +90,22 @@ jobs:
7690 env :
7791 COVERAGE_XML_PATH : ${{ runner.temp }}
7892 BABEL_TOX_EXTRA_DEPS : pytest-github-actions-annotate-failures
79- - uses : codecov/codecov-action@v5
93+ - uses : codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
8094 with :
8195 directory : ${{ runner.temp }}
8296 flags : ${{ matrix.os }}-${{ matrix.python-version }}
8397 token : ${{ secrets.CODECOV_TOKEN }}
8498 verbose : true
8599 build :
100+ name : build
86101 permissions :
87102 contents : read
88103 runs-on : ubuntu-24.04
89104 needs : lint
90105 steps :
91- - uses : actions/checkout@v5
106+ - uses : actions/checkout@v6
107+ with :
108+ persist-credentials : false
92109 - uses : actions/setup-python@v6
93110 with :
94111 python-version : " 3.14"
@@ -97,11 +114,12 @@ jobs:
97114 - run : pip install build -e .
98115 - run : make import-cldr
99116 - run : python -m build
100- - uses : actions/upload-artifact@v4
117+ - uses : actions/upload-artifact@v6
101118 with :
102119 name : dist
103120 path : dist
104121 publish :
122+ name : publish
105123 if : github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
106124 needs :
107125 - build
@@ -110,14 +128,14 @@ jobs:
110128 name : release
111129 url : https://pypi.org/p/babel/
112130 permissions :
113- id-token : write
131+ id-token : write # Required for Trusted Publishing action
114132 steps :
115- - uses : actions/download-artifact@v5
133+ - uses : actions/download-artifact@v7
116134 with :
117135 name : dist
118136 path : dist/
119137 - name : Publish package distributions to PyPI
120- uses : pypa/gh-action-pypi-publish@release/v1
138+ uses : pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
121139 with :
122140 verbose : true
123141 print-hash : true