Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: tox-dev/pyproject-fmt
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: v2.20.0
Choose a base ref
...
head repository: tox-dev/pyproject-fmt
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: v2.21.0
Choose a head ref
  • 5 commits
  • 6 files changed
  • 4 contributors

Commits on Mar 24, 2026

  1. Add zizmor pre-commit hook and fix security issues (#331) 

    This PR adds the
[zizmor](https://github.com/zizmorcore/zizmor-pre-commit) pre-commit
hook to catch GitHub Actions security vulnerabilities and fixes all
existing findings.

## Changes

1. **Added zizmor pre-commit hook** (v1.23.1) to
`.pre-commit-config.yaml`
2. **Fixed all security issues** found by zizmor auto-fix and manual
fixes:
- `template-injection`: Moved GitHub context expressions to environment
variables
- `secrets-outside-env`: Added `environment:` declarations to jobs using
secrets
- `dangerous-triggers`: Replaced `pull_request_target` with
`pull_request`
- `bot-conditions`: Changed `github.actor` checks to
`github.event.pull_request.user.login`
- `excessive-permissions`: Moved workflow-level permissions to job-level
- `superfluous-actions`: Replaced third-party actions with native tools

## Verification

All workflows now pass zizmor security audit with zero errors/warnings.

## Documentation

- [zizmor documentation](https://docs.zizmor.sh/)
- [zizmor pre-commit
hook](https://github.com/zizmorcore/zizmor-pre-commit)
    @gaborbernat
    gaborbernat authored Mar 24, 2026
    Configuration menu
    Copy the full SHA
    d2b6d42 View commit details
    Browse the repository at this point in the history

Commits on Mar 30, 2026

  1. Bump astral-sh/setup-uv from 7.6.0 to 8.0.0 (#332) 

    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    @dependabot
    dependabot[bot] authored Mar 30, 2026
    Configuration menu
    Copy the full SHA
    babaa44 View commit details
    Browse the repository at this point in the history

  2. [pre-commit.ci] pre-commit autoupdate (#333) 

    Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Bernát Gábor <bgabor8@bloomberg.net>
    @pre-commit-ci @gaborbernat
    pre-commit-ci[bot] and gaborbernat authored Mar 30, 2026
    Configuration menu
    Copy the full SHA
    31b0312 View commit details
    Browse the repository at this point in the history

Commits on Mar 31, 2026

  1. Mirror: 2.21.0

    @github-actions
    github-actions[bot] committed Mar 31, 2026
    Configuration menu
    Copy the full SHA
    70de324 View commit details
    Browse the repository at this point in the history

  2. Mirror: 2.21.0

    @github-actions
    github-actions[bot] committed Mar 31, 2026
    Configuration menu
    Copy the full SHA
    6e10264 View commit details
    Browse the repository at this point in the history
Loading