Merge pull request #394 from open-zaak/chore/oaf-218-ci-hardening

🔒 [maykinmedia/open-api-framework#218] Add zizmor action and fix warnings/errors

Author: stevenbal

.github/workflows/ci.yml

@@ -45,13 +45,16 @@ jobs:
         options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
 
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
         with:
           python-version: "3.12"
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
         with:
           node-version: "24"
+          package-manager-cache: false
 
       - name: Start CI docker compose
         run: docker compose --file docker-compose.ssl.yml up --detach mock
@@ -72,7 +75,7 @@ jobs:
           DB_POOL_ENABLED: ${{ matrix.use_pooling }}
 
       - name: Publish coverage report
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
 
@@ -81,9 +84,11 @@ jobs:
     name: Documentation build
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Set up backend environment
-        uses: maykinmedia/setup-django-backend@v1.3
+        uses: maykinmedia/setup-django-backend@a9abe0987130ed667fa09ce177a5ae0bd153aed1 # v1.3
         with:
           python-version: "3.12"
           setup-node: false
@@ -112,7 +117,7 @@ jobs:
         id: image-name
 
   open-api-ci:
-    uses: maykinmedia/open-api-workflows/.github/workflows/ci.yml@v6
+    uses: maykinmedia/open-api-workflows/.github/workflows/ci.yml@79102b911003d75203ca2fed7df01ad79d9b6bba  # v6.4.0
     needs:
       - store-reusable-workflow-vars
     permissions:
@@ -127,7 +132,7 @@ jobs:
       django-settings-module: nrc.conf.ci
 
   open-api-publish:
-    uses: maykinmedia/open-api-workflows/.github/workflows/publish.yml@v6
+    uses: maykinmedia/open-api-workflows/.github/workflows/publish.yml@79102b911003d75203ca2fed7df01ad79d9b6bba  # v6.4.0
     needs:
       - store-reusable-workflow-vars
       - open-api-ci

.github/workflows/code_quality.yml

@@ -4,13 +4,15 @@ name: Code quality checks
 on:
   push:
     branches:
-      - main 
-  pull_request: 
+      - main
+  pull_request:
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   open-api-workflow-code-quality:
-    uses: maykinmedia/open-api-workflows/.github/workflows/code-quality.yml@v6
+    uses: maykinmedia/open-api-workflows/.github/workflows/code-quality.yml@79102b911003d75203ca2fed7df01ad79d9b6bba  # v6.4.0
     with:
       python-version: '3.12'
       node-version: '24'

.github/workflows/codeql-analysis.yml

@@ -17,7 +17,8 @@ on:
 permissions:
   contents: read
   security-events: write
+  actions: read
 
 jobs:
   open-api-workflow-code-analysis:
-    uses: maykinmedia/open-api-workflows/.github/workflows/code-analysis.yml@v6
+    uses: maykinmedia/open-api-workflows/.github/workflows/code-analysis.yml@79102b911003d75203ca2fed7df01ad79d9b6bba  # v6.4.0

.github/workflows/oaf-check.yml

@@ -16,7 +16,7 @@ permissions:
 
 jobs:
   open-api-workflow-check-oas:
-    uses: maykinmedia/open-api-workflows/.github/workflows/oaf-check.yml@v6
+    uses: maykinmedia/open-api-workflows/.github/workflows/oaf-check.yml@79102b911003d75203ca2fed7df01ad79d9b6bba  # v6.4.0
 
     with:
       python-version: '3.12'

.github/workflows/oas.yml

@@ -18,7 +18,7 @@ permissions:
 jobs:
   oas:
     name: Checks
-    uses: maykinmedia/open-api-workflows/.github/workflows/oas.yml@v6
+    uses: maykinmedia/open-api-workflows/.github/workflows/oas.yml@79102b911003d75203ca2fed7df01ad79d9b6bba  # v6.4.0
     with:
       python-version: '3.12'
       apt-packages: 'libgdal-dev gdal-bin'

.github/workflows/quick-start.yml

@@ -15,4 +15,4 @@ permissions:
 
 jobs:
   open-api-workflow-quick-start:
-    uses: maykinmedia/open-api-workflows/.github/workflows/quick-start.yml@v6
+    uses: maykinmedia/open-api-workflows/.github/workflows/quick-start.yml@79102b911003d75203ca2fed7df01ad79d9b6bba  # v6.4.0

CHANGELOG.rst

@@ -941,10 +941,8 @@ Features:
 * Tested with Open Zaak integration
 * Admin interface to view data created via the APIs
 * Scalable notification delivery workers
-* `NLX`_ ready (can be used with NLX)
+* NLX ready (can be used with NLX)
 * Documentation on https://open-notificaties.readthedocs.io/
 * Deployable on Kubernetes, single server and as VMware appliance
 * Automated test suite
 * Automated deployment
-
-.. _NLX: https://nlx.io/

docs/installation/index.rst

@@ -21,13 +21,12 @@ Before you begin
   entry. In some cases, you might want this but it's not recommended. The same machine
   can be used for both `Open Zaak`_ and Open Notificaties.
 
-* If you want to use `NLX`_, make sure you have a publicaly available domain name, for
+* If you want to use NLX, make sure you have a publicaly available domain name, for
   example ``nlx.<organization.com>``, where your NLX-inway is accessible to the outside
   world.
 
 
 .. _`Open Zaak`: https://github.com/open-zaak/open-zaak
-.. _`NLX`: https://nlx.io/
 
 Guides
 ------