diff --git a/.github/workflows/a_pre_commit.yml b/.github/workflows/a_pre_commit.yml
index 8c1299b..91d0c22 100644
--- a/.github/workflows/a_pre_commit.yml
+++ b/.github/workflows/a_pre_commit.yml
@@ -22,11 +22,11 @@ jobs:
egress-policy: audit - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: token: ${{ secrets.TOKEN }} - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: python-version: 3.12 - name: Set up git config
@@ -43,7 +43,7 @@ jobs:
git diff --staged --quiet || git commit -m ":file_folder: pre-commit > Made via .github/workflows/a_pre_commit.yml" || echo "pre-commit: no changes" - name: Create Pull Request - uses: peter-evans/create-pull-request@v6 + uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0 with: token: ${{ secrets.TOKEN }} commit-message: Update files
diff --git a/.github/workflows/actions-labeler.yaml b/.github/workflows/actions-labeler.yaml
index 9c3baa6..f5b2dc8 100644
--- a/.github/workflows/actions-labeler.yaml
+++ b/.github/workflows/actions-labeler.yaml
@@ -14,9 +14,14 @@ jobs:
permissions: pull-requests: write steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - name: Checkout repository - uses: actions/checkout@v4 - - uses: actions/labeler@v5 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0 with: configuration-path: .github/workflows/config/labeler.yml sync-labels: false
diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml
index 4dffebe..27d0728 100644
--- a/.github/workflows/codeql-analysis.yaml
+++ b/.github/workflows/codeql-analysis.yaml
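Review bot: The Harden Runner step added at the top of the labeler job uses `egress-policy: audit`, which only records the runner's outbound connections in the step's telemetry and blocks nothing, so this hunk adds visibility rather than enforcement; the same step with the same policy is added in every other workflow of this commit. That is a reasonable first phase, but it should be stated, otherwise the next reader may assume egress is already restricted. I would put `# audit only: records egress, blocks nothing; switch to egress-policy: block with allowed-endpoints once the endpoint list is known` above the step, and plan the move to `egress-policy: block` plus an `allowed-endpoints:` list per job once a few runs have shown which hosts each job needs.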
@@ -41,12 +41,17 @@ jobs:
# https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file.
@@ -57,7 +62,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v3 + uses: github/codeql-action/autobuild@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0 # ℹ️ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl
@@ -71,6 +76,6 @@ jobs:
# make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0 with: category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/community.yaml b/.github/workflows/community.yaml
index b6fc989..2ab2ae6 100644
--- a/.github/workflows/community.yaml
+++ b/.github/workflows/community.yaml
@@ -15,8 +15,13 @@ jobs:
if: ${{ github.event.pull_request.user.login != 'dependabot[bot]' }} runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - name: Check Labels id: labeler - uses: jimschubert/labeler-action@v2 + uses: jimschubert/labeler-action@cfce1831f33e0e4604bbc4e6933eb2f56c2fa530 # v2 with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 0000000..21a469b
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+ with:
+ egress-policy: audit
+
+ - name: 'Checkout Repository'
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
diff --git a/.github/workflows/ghaction-github-labeler.yaml b/.github/workflows/ghaction-github-labeler.yaml
index 83b8299..ab43b7d 100644
--- a/.github/workflows/ghaction-github-labeler.yaml
+++ b/.github/workflows/ghaction-github-labeler.yaml
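Review bot: The new pin for jimschubert/labeler-action is annotated `# v2`, a floating major tag, so the comment does not say which release the SHA corresponds to, and tooling that refreshes SHA pins by reading the trailing comment (Dependabot does) has no exact version to compare against. The same pattern appears in this commit with `# v1` on OSDKDev/unlock-issues in unlock-reopened.yaml and with `# main` and `# master` on hacs/action and home-assistant/actions/hassfest in hassfest.yaml. Where upstream publishes release tags the comment should name the exact tag the SHA resolves to; where it does not, say so, e.g. `# main branch, no release tags upstream, pinned <DATE>`, so a reader knows the pin freezes an arbitrary point on a moving branch. The Check Labels step's `with:` block may continue past the hunk.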
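Review bot: Step names in the new workflow are quoted inconsistently: `name: 'Dependency Review'`, `'Checkout Repository'` and `'Dependency Review'` are single-quoted while `Harden Runner` is bare, and none of them needs quoting; the other workflows in this commit leave step names unquoted, so `- name: Checkout Repository` and `- name: Dependency Review` would match them. The review action is also left at its default severity threshold, so the policy this check enforces is implicit; stating it with a `with:` block containing `fail-on-severity: <LEVEL>` records what a required run will actually block.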
@@ -15,13 +15,19 @@ jobs:
if: ${{ github.event.pull_request.user.login != 'dependabot[bot]' }} runs-on: ubuntu-latest permissions: - contents: write + contents: read + issues: write # for crazy-max/ghaction-github-labeler to create, rename, update and delete label steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - name: Check out the repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Run Labeler - uses: crazy-max/ghaction-github-labeler@v5 + uses: crazy-max/ghaction-github-labeler@de749cf181958193cb7debf1a9c5bb28922f3e1b # v5.0.0 with: github-token: ${{ secrets.TOKEN }} yaml-file: .github/labels.yaml
diff --git a/.github/workflows/hassfest.yaml b/.github/workflows/hassfest.yaml
index b59a73a..3023982 100644
--- a/.github/workflows/hassfest.yaml
+++ b/.github/workflows/hassfest.yaml
@@ -20,14 +20,24 @@ jobs:
name: "HACS Validation" runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: HACS Action - uses: hacs/action@main + uses: hacs/action@70694a570839431b5c69ff0eba599a213dc7a43b # main with: category: "integration" validate_hassfest: name: "Hassfest Validation" runs-on: "ubuntu-latest" steps: - - uses: actions/checkout@v4 - - uses: home-assistant/actions/hassfest@master
+ - name: Harden Runner
+ uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: home-assistant/actions/hassfest@b227dff9ccf75101173b686878bc63852de8ea46 # master
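Review bot: Narrowing this job to `contents: read` plus `issues: write` bounds only the automatic `GITHUB_TOKEN`, but the Run Labeler step authenticates with `github-token: ${{ secrets.TOKEN }}`, a stored secret whose scopes were fixed when it was created, so the step's effective rights are unchanged by the new `permissions` block. The same consideration applies wherever `secrets.TOKEN` is passed in this commit (issue-lock.yaml, unlock-reopened.yaml, a_pre_commit.yml). If nothing here depends on the PAT's identity, `github-token: ${{ secrets.GITHUB_TOKEN }}` would make the permissions block the real limit, consistent with the reason given in the added `issues: write` comment; otherwise a comment such as `# step below uses secrets.TOKEN (PAT); these scopes bound GITHUB_TOKEN only` next to the permissions block keeps the reduction from being mistaken for least privilege.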
diff --git a/.github/workflows/issue-auto.yaml b/.github/workflows/issue-auto.yaml
index 7d4e6f7..881d41c 100644
--- a/.github/workflows/issue-auto.yaml
+++ b/.github/workflows/issue-auto.yaml
@@ -11,11 +11,16 @@ jobs:
titlePrefixCheck: runs-on: ubuntu-latest permissions: - issues: write + issues: write # for peter-evans/close-issue to close issues steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - if: contains(github.event.issue.title, 'Logout') || contains(github.event.issue.title, 'app') name: Close Issue - uses: peter-evans/close-issue@v3 + uses: peter-evans/close-issue@276d7966e389d888f011539a86c8920025ea0626 # v3.0.1 with: comment: | [# Workaround for logout in the Xplora® App](https://github.com/Ludy87/xplora_watch/issues/24)
diff --git a/.github/workflows/issue-lock.yaml b/.github/workflows/issue-lock.yaml
index fe92e05..ea30eba 100644
--- a/.github/workflows/issue-lock.yaml
+++ b/.github/workflows/issue-lock.yaml
@@ -18,7 +18,12 @@ jobs:
issues: write pull-requests: write steps: - - uses: dessant/lock-threads@v5 + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + + - uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5.0.1 with: github-token: ${{ secrets.TOKEN }} add-issue-labels: "outdated"
diff --git a/.github/workflows/label-actions.yaml b/.github/workflows/label-actions.yaml
index 651a56f..7d1cadc 100644
--- a/.github/workflows/label-actions.yaml
+++ b/.github/workflows/label-actions.yaml
@@ -19,6 +19,11 @@ jobs:
pull-requests: write discussions: write steps: - - uses: dessant/label-actions@v4 + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + + - uses: dessant/label-actions@102faf474a544be75fbaf4df54e73d3c515a0e65 # v4.0.1 with: config-path: .github/label-actions.yaml
diff --git a/.github/workflows/merge.yaml b/.github/workflows/merge.yaml
index 80dd925..65a5b47 100644
--- a/.github/workflows/merge.yaml
+++ b/.github/workflows/merge.yaml
@@ -16,10 +16,15 @@ jobs:
pull-requests: write contents: write steps: - - uses: actions/checkout@v4.1.6 + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - name: Check if Pull Request id: check_pr run: echo "is_pull_request=${{ github.event_name == 'pull_request' }}" >> $GITHUB_ENV - if: env.is_pull_request == 'true' name: Merge - uses: Ludy87/action/merge@v1.0.7
+ uses: Ludy87/action/merge@d5cd9da51b4f77739b9b399d5a855b26905c3143 # v1.0.7
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index bcf5241..f340fd7 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -17,12 +17,17 @@ jobs:
contents: write attestations: write steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: main - name: Set up Python 3 - uses: actions/setup-python@v5 + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: python-version: | 3.12
diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml
index d9a91b9..30e53a1 100644
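Review bot: The checkout pin in merge.yaml is `a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6` while every other workflow in this commit pins actions/checkout to `11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2`; update_hacs.yaml carries the same older pin. Two versions of the same action mean two SHAs to keep current and two behaviours to reason about; unless 4.1.6 is required here, `- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2` keeps the repository on one version. The Merge step looks like the last in the hunk, but the job may continue past it.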
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@@ -12,10 +12,16 @@ jobs:
stale: runs-on: ubuntu-latest permissions: - issues: write + issues: write # for actions/stale to close stale issues + pull-requests: write # for actions/stale to close stale PRs steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - name: X days stale issues - uses: actions/stale@v9 + uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} days-before-stale: 30
diff --git a/.github/workflows/unlock-reopened.yaml b/.github/workflows/unlock-reopened.yaml
index 4a0bc20..a49114e 100644
--- a/.github/workflows/unlock-reopened.yaml
+++ b/.github/workflows/unlock-reopened.yaml
@@ -12,6 +12,11 @@ jobs:
name: Unlock Reopened runs-on: ubuntu-latest steps: - - uses: OSDKDev/unlock-issues@v1 + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + + - uses: OSDKDev/unlock-issues@b06b7f7e5c3f2eaa1c6d5d89f40930e4d6d9699e # v1 with: repo-token: "${{ secrets.TOKEN }}"
diff --git a/.github/workflows/update_hacs.yaml b/.github/workflows/update_hacs.yaml
index 1b18de7..6af6371 100644
--- a/.github/workflows/update_hacs.yaml
+++ b/.github/workflows/update_hacs.yaml
@@ -18,5 +18,10 @@ jobs:
pull-requests: write contents: write steps: - - uses: actions/checkout@v4.1.6 - - uses: Ludy87/action/update_hacs_hassio@v1.0.7
+ - name: Harden Runner
+ uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ - uses: Ludy87/action/update_hacs_hassio@d5cd9da51b4f77739b9b399d5a855b26905c3143 # v1.0.7
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 613fccb..2ba7f16 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -37,6 +37,8 @@ repos:
- repo: https://github.com/pre-commit/pre-commit-hooks rev: v5.0.0 hooks: + - id: end-of-file-fixer + - id: trailing-whitespace - id: check-executables-have-shebangs stages: [manual] - id: check-json
@@ -65,3 +67,7 @@ repos:
rev: v8.22.0 hooks: - id: gitleaks
+ - repo: https://github.com/pylint-dev/pylint
+ rev: v2.17.2
+ hooks:
+ - id: pylint
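Review bot: The pylint hook is added straight from pylint-dev/pylint at `rev: v2.17.2` with no `additional_dependencies` and no `language: system`, so pre-commit runs it in an isolated virtualenv that contains pylint but none of the project's packages; imports of those packages will then surface as import errors instead of being checked. The pylint documentation recommends running it from the project environment for exactly this reason, which in pre-commit terms is a local hook as below; the alternative is to keep this repo entry and list the project's dependencies under `additional_dependencies`. The chosen rev also predates the pylint 3 line, which may be deliberate but deserves a comment if so. The `repos:` list continues outside the hunk.
```yaml
  - repo: local
    hooks:
      - id: pylint
        name: pylint
        entry: pylint
        language: system
        types: [python]
        require_serial: true
```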