* Add a GitHub Actions check to CI using [`zizmor`](https://github.com/zizmorcore/zizmor) * In this case, we need `# zizmor: ignore[unpinned-uses]` for dtolnay/rust-toolchain@{nightly, stable, master, etc...) * Pin all actions by commit (we can use: [pinact](https://github.com/suzuki-shunsuke/pinact), [actions-up](https://github.com/azat-io/actions-up)) * Add comments (similar to `// SAFETY` in Rust) to [potentially dangerous](https://docs.zizmor.sh/audits/#dangerous-triggers) locations: https://github.com/PyO3/pyo3/blob/126aa4422d514e9e51f3ed11e284735dc753762e/.github/workflows/cache-cleanup.yml#L2-L5 * Use `uv` instead of `pip`: https://github.com/PyO3/pyo3/blob/126aa4422d514e9e51f3ed11e284735dc753762e/.github/workflows/build.yml#L60-L61
Add a GitHub Actions check to CI using
zizmorIn this case, we need
# zizmor: ignore[unpinned-uses]for dtolnay/rust-toolchain@{nightly, stable, master, etc...)Pin all actions by commit (we can use: pinact, actions-up)
Add comments (similar to
// SAFETYin Rust) to potentially dangerous locations:pyo3/.github/workflows/cache-cleanup.yml
Lines 2 to 5 in 126aa44
Use
uvinstead ofpip:pyo3/.github/workflows/build.yml
Lines 60 to 61 in 126aa44