From 8d45c8fc427d39750751bdaa0ffe5abc8e30cd50 Mon Sep 17 00:00:00 2001 From: M Bussonnier Date: Fri, 8 May 2026 12:46:47 +0200 Subject: [PATCH 1/3] Zizmor hardening --- .github/dependabot.yml | 4 ++++ .github/workflows/main.yml | 9 +++++++-- .github/workflows/publish.yml | 10 ++++++---- 3 files changed, 17 insertions(+), 6 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 9d1eded..325b0f5 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -7,6 +7,8 @@ updates: directory: "/" # Location of package manifests schedule: interval: "monthly" + cooldown: + default-days: 7 - package-ecosystem: "github-actions" directory: "/" schedule: @@ -15,3 +17,5 @@ updates: actions: patterns: - "*" + cooldown: + default-days: 7 diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 84a7b2d..cee1dee 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -6,6 +6,9 @@ on: - main pull_request: +permissions: + contents: read + defaults: run: shell: bash -l {0} @@ -31,10 +34,12 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + with: + persist-credentials: false - name: Setup Python ${{ matrix.python-version }} - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ matrix.python-version }} diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 75e4c5d..1eb7b94 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -16,10 +16,12 @@ jobs: permissions: id-token: write steps: - - uses: actions/checkout@v5 - + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + with: + persist-credentials: false + - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: '3.x' - name: Install dependencies 
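Review bot: The two `cooldown` blocks (under the first `updates` entry here, and again under the `github-actions` entry in the hunk at the end of the file) carry no comment saying what the delay is for, although the neighbouring `directory` key is annotated. A line such as `# wait 7 days after a release before proposing it, so a bad or hijacked release can be withdrawn first` above each `cooldown:` would record the intent. It is also worth noting there that, per the Dependabot documentation, cooldown delays version updates only and does not hold back security updates, so a reader does not assume fixes arrive a week late.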
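Review bot: The trailing comments on the pinned `uses:` lines in this `steps` list name a moving major tag (`# v5`, `# v6`) rather than the release the SHA belongs to, so a reader cannot check a pin against a release without resolving the hash. The Dependabot commit later in this series identifies 93cb6efe… as checkout 5.0.1, so the line can read `uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1`. The `actions/setup-python` pin should carry its exact tag in the same way; the page does not show which release a309ff8b… corresponds to. The same applies to both pins in the first hunk of `.github/workflows/publish.yml`, and the job these steps belong to starts and ends outside the hunk.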
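Review bot: The job in this hunk keeps `id-token: write` for every step, so `Install dependencies` here and, judging by the later hunks, the wheel install and the version check all run in a job that can request the OIDC token (presumably the one used to publish to PyPI). Pinning the actions does not cover code pulled in by those install steps, so granting `id-token: write` only to a job that contains the final publish step would narrow that exposure. The sketch below uses constructed job names, and the artifact upload and download steps it mentions would need actions pinned by SHA like the others. The job starts and ends outside the hunk, so the step list should be confirmed against the full file.

```yaml
jobs:
  build:  # constructed name
    # … unchanged: runs-on and other job keys …
    permissions:
      contents: read
    steps:
      # … unchanged: checkout, setup-python, install dependencies, build, wheel install, version check …
      # new: upload dist/ as a workflow artifact
  publish:  # constructed name
    needs: build
    # … unchanged: runs-on and other job keys …
    permissions:
      id-token: write
    steps:
      # new: download the dist/ artifact
      # … unchanged: Publish package step …
```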
@@ -31,7 +33,7 @@ jobs: - name: Install built wheel run: pip install dist/*.whl - name: Echo current tag - run: echo ${{ github.ref }} + run: echo "$GITHUB_REF" - name: Get package version run: | export PACKAGE_VERSION=$(python -c 'import matplotlib_inline; print(matplotlib_inline.__version__)') From 6eb2bd89dc8d4d6678478c6b2ec15be7b20d3374 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 8 May 2026 10:51:23 +0000 Subject: [PATCH 2/3] Bump the actions group across 1 directory with 2 updates Bumps the actions group with 2 updates in the / directory: [actions/checkout](https://github.com/actions/checkout) and [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish). Updates `actions/checkout` from 5.0.1 to 6.0.2 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/93cb6efe18208431cddfb8368fd83d5badbf9bfd...de0fac2e4500dabe0009e67214ff5f5447ce83dd) Updates `pypa/gh-action-pypi-publish` from 1.13.0 to 1.14.0 - [Release notes](https://github.com/pypa/gh-action-pypi-publish/releases) - [Commits](https://github.com/pypa/gh-action-pypi-publish/compare/ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e...cef221092ed1bacb1cc03d23a2d87d1d172e277b) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: pypa/gh-action-pypi-publish dependency-version: 1.14.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... Signed-off-by: dependabot[bot] --- .github/workflows/main.yml | 2 +- .github/workflows/publish.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index cee1dee..c675715 100644 
--- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -34,7 +34,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 1eb7b94..fac63f2 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -16,7 +16,7 @@ jobs: permissions: id-token: write steps: - - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -43,5 +43,5 @@ jobs: exit 1 fi - name: Publish package - uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b From e6e197523ecfabfff1d976e5b6958c3ede948ccb Mon Sep 17 00:00:00 2001 From: M Bussonnier Date: Fri, 8 May 2026 19:32:37 +0200 Subject: [PATCH 3/3] release 0.2.2 --- matplotlib_inline/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/matplotlib_inline/__init__.py b/matplotlib_inline/__init__.py index d275175..2c03285 100644 --- a/matplotlib_inline/__init__.py +++ b/matplotlib_inline/__init__.py @@ -1,6 +1,6 @@ from . import backend_inline, config # noqa -__version__ = "0.2.1" +__version__ = "0.2.2" # we can't ''.join(...) otherwise finding the version number at build time requires # import which introduces IPython and matplotlib at build time, and thus circular