@jacobwoffenden jacobwoffenden commented Jan 2, 2026

Type of PR

  • BUG
  • FEAT
  • MAINT
  • DOC

Is your Pull Request linked to an existing Issue or Pull Request?

Not yet?

Give a brief description for the solution you have provided

PR Checklist

  • Added documentation for changes
  • Added feature to example notebooks or tutorial (if appropriate)
  • Added tests (if appropriate)
  • Updated CHANGELOG.md (if appropriate)
  • Made changes based off the latest version of Splink
  • Run the linter
  • Run the spellchecker (if appropriate)

Notes

Zizmor's current output is

(splink) vscode ➜ /workspaces/splink (feat/gha-updates) $ uvx zizmor .
🌈 zizmor v1.19.0
 INFO audit: zizmor: 🌈 completed ./.github/dependabot.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/check-minimal-import.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/codeql-analysis.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/demo-examples.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/demo-tutorials.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/dependency-canary.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/dependency-review.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/documentation.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/lint.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/mypy.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/pypi-release.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/pytest-duckdb.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/pytest-postgres.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/pytest-spark.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/pytest-sqlite.yml
info[use-trusted-publishing]: prefer trusted publishing for authentication
  --> ./.github/workflows/pypi-release.yml:39:14
   |
39 |         run: uv publish --token ${{ secrets.PYPI_API_TOKEN }}
   |         ---  ^^^^^^^^^^^^^^^^^^ this command
   |         |
   |         this step
   |
   = note: audit confidence → High

error[unpinned-images]: unpinned image references
  --> ./.github/workflows/pytest-postgres.yml:25:9
   |
25 |         image: postgres
   |         ^^^^^^^^^^^^^^^ container image is unpinned
   |
   = note: audit confidence → High

35 findings (33 suppressed): 1 informational, 0 low, 0 medium, 1 high

TODO

  • Remove self reference for workflows
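To make concrete what the two zizmor findings above are asking for, here is an added example, not code from this PR or from Splink, showing each flagged setting beside a hardened form: the service image pinned to a content digest, and release authentication switched from a stored API token to PyPI trusted publishing via a job-scoped OIDC token. The workflow layout, job names, the `pypi` environment name and every `<...>` digest or SHA are placeholders, not values from the repository; the top-level `permissions: {}` default also addresses the Scorecard Token-Permissions check reported further down.

```yaml
# Document 1: the two settings zizmor flagged, reproduced as fragments.
# A bare "postgres" tag is mutable: each run pulls whatever the registry
# currently serves, so the test environment can change without any
# commit to this repository.
services:
  postgres:
    image: postgres
---
# A long-lived PyPI API token held as a repository secret: it must be
# rotated by hand and is usable from anywhere if it ever leaks.
steps:
  - run: uv publish --token ${{ secrets.PYPI_API_TOKEN }}
---
# Document 2: hardened versions of both settings in one release workflow
# (assumed layout; job and environment names are placeholders).
name: release
on:
  release:
    types: [published]
permissions: {}            # top-level default: no token scopes at all
jobs:
  test:
    runs-on: ubuntu-latest
    services:
      postgres:
        # Tag kept for readability; the digest is what is actually pulled.
        # Replace the placeholder with the real digest of the image you
        # tested against (e.g. from `docker inspect`), and let Dependabot
        # bump it.
        image: postgres:16@sha256:<DIGEST_PLACEHOLDER>
    steps:
      - uses: actions/checkout@<COMMIT_SHA_PLACEHOLDER>   # pinned by SHA
      - run: echo "tests run here"
  publish:
    needs: test
    runs-on: ubuntu-latest
    environment: pypi        # placeholder; PyPI trusts this repo+workflow+env
    permissions:
      contents: read
      id-token: write        # only this job may mint the short-lived OIDC token
    steps:
      - uses: actions/checkout@<COMMIT_SHA_PLACEHOLDER>
      - uses: astral-sh/setup-uv@<COMMIT_SHA_PLACEHOLDER>
      - run: uv build
      # No --token: with id-token: write granted, uv publish exchanges the
      # OIDC token for a short-lived PyPI credential on its own.
      - run: uv publish
```

The stored token can be deleted from the repository secrets once the trusted publisher is registered on PyPI; re-running zizmor should then clear both findings.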

@jacobwoffenden jacobwoffenden self-assigned this Jan 2, 2026
github-actions bot commented Jan 2, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package | Version | Score | Details
actions/actions/checkout | 8e8c483db84b4bee98b60c0593521ed34d9990e8 | 🟢 6.5 | see checks below
actions/astral-sh/setup-uv | 681c641aba71e4a1c380be3ab5e12ad51f415867 | Unknown | Unknown

Details for actions/actions/checkout:

Check | Score | Reason
Binary-Artifacts | 🟢 10 | no binaries found in the repo
Code-Review | 🟢 10 | all changesets reviewed
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Maintained | 🟢 5 | 6 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5
Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Fuzzing | ⚠️ 0 | project is not fuzzed
Packaging | ⚠️ -1 | packaging workflow not detected
License | 🟢 10 | license file detected
Signed-Releases | ⚠️ -1 | no releases found
Pinned-Dependencies | 🟢 3 | dependency not pinned by hash detected -- score normalized to 3
Branch-Protection | 🟢 5 | branch protection is not maximal on development and all release branches
Vulnerabilities | 🟢 9 | 1 existing vulnerabilities detected
SAST | 🟢 8 | SAST tool detected but not run on all commits
Security-Policy | 🟢 9 | security policy file detected

Scanned Files

  • .github/workflows/check_minimal_import.yml
  • .github/workflows/mypy.yml
  • .github/workflows/pytest-sqlite.yml
  • .github/workflows/pytest_sqlite.yml
  • .github/workflows/test_latest_dependency_versions.yml

@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@jacobwoffenden jacobwoffenden marked this pull request as ready for review January 7, 2026 14:53
@jacobwoffenden jacobwoffenden requested a review from RobinL January 7, 2026 14:53

@RobinL RobinL left a comment

A few minor comments on the docs workflow - thanks.

Actually realised I should try actually running all the tests using these new files - that's running here:
RobinL#8

EDIT: OK, that's run fine, so looks like this is all good except for the docs issues as mentioned

@jacobwoffenden jacobwoffenden requested a review from RobinL January 7, 2026 22:38

@ADBond ADBond left a comment

Cheers for this @jacobwoffenden, all looks good, happy to merge this

@jacobwoffenden jacobwoffenden merged commit ee0d551 into master Jan 13, 2026
4 checks passed
@jacobwoffenden jacobwoffenden deleted the feat/gha-updates branch January 13, 2026 11:18
@ADBond ADBond mentioned this pull request Jan 13, 2026