[pre-commit.ci] pre-commit autoupdate by pre-commit-ci[bot] · Pull Request #739 · python/typing_extensions

pre-commit-ci · 2026-04-06T21:55:42Z

updates:

updates: - [github.com/astral-sh/ruff-pre-commit: v0.14.10 → v0.15.9](astral-sh/ruff-pre-commit@v0.14.10...v0.15.9) - [github.com/python-jsonschema/check-jsonschema: 0.36.0 → 0.37.1](python-jsonschema/check-jsonschema@0.36.0...0.37.1) - [github.com/abravalheri/validate-pyproject: v0.24.1 → v0.25](abravalheri/validate-pyproject@v0.24.1...v0.25) - [github.com/rhysd/actionlint: v1.7.10 → v1.7.12](rhysd/actionlint@v1.7.10...v1.7.12) - [github.com/woodruffw/zizmor-pre-commit: v1.19.0 → v1.23.1](zizmorcore/zizmor-pre-commit@v1.19.0...v1.23.1)

codecov · 2026-04-06T21:56:22Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 97.38%. Comparing base (83caa59) to head (1a19955).

@@           Coverage Diff           @@
##             main     #739   +/-   ##
=======================================
  Coverage   97.38%   97.38%           
=======================================
  Files           3        3           
  Lines        7690     7690           
=======================================
  Hits         7489     7489           
  Misses        201      201

Flag	Coverage Δ
3.10	`88.98% <ø> (ø)`
3.10.4	`88.98% <ø> (ø)`
3.11	`88.21% <ø> (ø)`
3.11.0	`87.45% <ø> (ø)`
3.12	`88.16% <ø> (ø)`
3.12.0	`88.15% <ø> (ø)`
3.13	`81.66% <ø> (ø)`
3.13.0	`82.39% <ø> (ø)`
3.14	`78.09% <ø> (ø)`
3.9	`89.69% <ø> (ø)`
3.9.12	`89.69% <ø> (ø)`
pypy3.10	`88.81% <ø> (ø)`
pypy3.11	`88.07% <ø> (ø)`
pypy3.9	`89.52% <ø> (ø)`

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

srittau · 2026-04-07T00:00:55Z

Pre-commit now fails, since zizmor complains about unpinned GitHub actions hashes. My opinion is still that this rule is not helpful for GitHub-maintained actions as hacked GitHub means a lot of trouble anyway. On the other hand, security fixes in the actions will not get propagated. I suggest we turn off that rule.

AlexWaygood · 2026-05-18T11:38:43Z

My opinion is still that this rule is not helpful for GitHub-maintained actions as hacked GitHub means a lot of trouble anyway.

hmm... while that's true, I feel like it would be quite easy for one of these repos specifically to be hacked without that causing problems for "the whole of GitHub more broadly? I assume there are specific developers in GitHub responsible for maintaining these repos who could get phished or have their machines compromised, etc.

srittau · 2026-05-18T16:34:05Z

Sure, but it's likely that these developers have access to more critical infrastructure than just single actions. And the point remains that relying on specific tags means that we're susceptible to security problems that got fixed in later versions.

woodruffw · 2026-05-18T21:34:32Z

My recommendation would be to hash-pin GitHub's first-party actions as well: GitHub's official guidance is to hash-pin everything, and rely on channels like Renovate or Dependabot for both periodic and security updates.

(Relatedly, it's worth noting that the GitHub Actions under actions/* are seemingly mostly maintainer by third-party contractors, who are often not marked as officially affiliated with GitHub on their profiles. The lack of transparency/consistency in provenance is one of the reasons zizmor changed to requiring all actions to be hash-pinned, rather than considering first-party ones safer by default.)

AlexWaygood · 2026-05-18T21:36:20Z

And the point remains that relying on specific tags means that we're susceptible to security problems that got fixed in later versions.

But we have dependabot configured on this repo, and dependabot will immediately file an out-of-schedule PR updating us to the latest version of a github action if that version is marked as fixing a security issue

AlexWaygood · 2026-05-18T21:37:28Z

(Oops, posted simultaneously with @woodruffw there before I saw his comment!)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[pre-commit.ci] pre-commit autoupdate#739

[pre-commit.ci] pre-commit autoupdate#739
pre-commit-ci[bot] wants to merge 1 commit into
mainfrom
pre-commit-ci-update-config

pre-commit-ci Bot commented Apr 6, 2026

Uh oh!

codecov Bot commented Apr 6, 2026 •

edited

Loading

Uh oh!

srittau commented Apr 7, 2026 •

edited

Loading

Uh oh!

AlexWaygood commented May 18, 2026

Uh oh!

srittau commented May 18, 2026

Uh oh!

woodruffw commented May 18, 2026

Uh oh!

AlexWaygood commented May 18, 2026 •

edited

Loading

Uh oh!

AlexWaygood commented May 18, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Uh oh!

Conversation

pre-commit-ci Bot commented Apr 6, 2026

Uh oh!

codecov Bot commented Apr 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

srittau commented Apr 7, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

AlexWaygood commented May 18, 2026

Uh oh!

srittau commented May 18, 2026

Uh oh!

woodruffw commented May 18, 2026

Uh oh!

AlexWaygood commented May 18, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

AlexWaygood commented May 18, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

codecov Bot commented Apr 6, 2026 •

edited

Loading

srittau commented Apr 7, 2026 •

edited

Loading

AlexWaygood commented May 18, 2026 •

edited

Loading