brian-team · mstimberg · Oct 29, 2024 · Oct 29, 2024 · Oct 29, 2024 · Oct 29, 2024
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -27,6 +27,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Set up Python 3.x
         uses: actions/setup-python@v5
         with:
@@ -76,6 +77,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Set up Python 3.x
         uses: actions/setup-python@v5
         with:
@@ -173,6 +175,8 @@ jobs:
     steps:
     - name: Checkout repository
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
       # https://github.com/actions/checkout/
     - name: Docker meta
       id: meta

diff --git a/.github/workflows/static_analysis.yml b/.github/workflows/static_analysis.yml
@@ -0,0 +1,29 @@
+name: " GitHub Actions Security Analysis with Zizmor"
+
+# The scheduled workflow runs every Sunday at 23:45 UTC.
+on:
+  push:
+  schedule:
+    - cron: '45 23 * * 0'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Setup Rust
+        uses: actions-rust-lang/setup-rust-toolchain@v1
+      - name: Get zizmor
+        run: cargo install zizmor
+        # https://github.com/woodruffw/zizmor
+      - name: Run zizmor
+        run: zizmor --format sarif . > results.sarif
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+          category: zizmor
diff --git a/.github/workflows/test_latest.yml b/.github/workflows/test_latest.yml
@@ -41,6 +41,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Install GSL
         uses: johnwason/vcpkg-action@v6
         id: vcpkg
@@ -65,24 +66,29 @@ jobs:
           python-version: ${{ matrix.python-version }}
           allow-prereleases: true
       - name: Install dependencies
+        env:
+          PYTHON_BINARY: ${{ steps.python.outputs.python-path }}
         run: |
-          ${{ steps.python.outputs.python-path }} -m pip install --upgrade pip setuptools
-          ${{ steps.python.outputs.python-path }} -m pip install --pre -i https://pypi.anaconda.org/scientific-python-nightly-wheels/simple numpy scipy
-          ${{ steps.python.outputs.python-path }} -m pip install mpmath  # install stable version
-          ${{ steps.python.outputs.python-path }} -m pip install --pre pytest pytest-xdist pytest-cov pytest-timeout cython sympy pyparsing jinja2 sphinx
+          "$PYTHON_BINARY" -m pip install --upgrade pip setuptools
+          "$PYTHON_BINARY" -m pip install --pre -i https://pypi.anaconda.org/scientific-python-nightly-wheels/simple numpy scipy
+          "$PYTHON_BINARY" -m pip install mpmath  # install stable version
+          "$PYTHON_BINARY" -m pip install --pre pytest pytest-xdist pytest-cov pytest-timeout cython sympy pyparsing jinja2 sphinx
       - name: Install Brian2
+        env:
+          PYTHON_BINARY: ${{ steps.python.outputs.python-path }}
         run: |
           cp numpy2.pyproject.toml pyproject.toml
-          ${{ steps.python.outputs.python-path }} -m pip install --pre -i https://pypi.anaconda.org/scientific-python-nightly-wheels/simple --extra-index-url https://pypi.org/simple .
+          "$PYTHON_BINARY" -m pip install --pre -i https://pypi.anaconda.org/scientific-python-nightly-wheels/simple --extra-index-url https://pypi.org/simple .
       - name: Run Tests
         run: |
           cd  ${{ github.workspace }}/.. # move out of the workspace to avoid direct import
-          ${{ steps.python.outputs.python-path }} -Wd ${{ github.workspace }}/dev/continuous-integration/run_test_suite.py
+          "$PYTHON_BINARY" -Wd ${{ github.workspace }}/dev/continuous-integration/run_test_suite.py
         env:
           AGENT_OS: ${{runner.os}}
           STANDALONE: ${{ matrix.standalone }}
           FLOAT_DTYPE_32: ${{ matrix.float_dtype_32 }}
           DO_NOT_RESET_PREFERENCES: true  # Make sure that GSL setting is used
+          PYTHON_BINARY: ${{ steps.python.outputs.python-path }}
 
   test-deprecations:
     needs: [ get_python_versions ]
@@ -99,6 +105,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Install GSL
         uses: johnwason/vcpkg-action@v6
         id: vcpkg
@@ -116,12 +123,17 @@ jobs:
           python-version: ${{ matrix.python-version }}
           allow-prereleases: true
       - name: Install dependencies
+        env:
+          PYTHON_BINARY: ${{ steps.python.outputs.python-path }}
         run: |
-          ${{ steps.python.outputs.python-path }} -m pip install --upgrade pip setuptools
-          ${{ steps.python.outputs.python-path }} -m pip install --pre -i https://pypi.anaconda.org/scientific-python-nightly-wheels/simple numpy scipy
-          ${{ steps.python.outputs.python-path }} -m pip install --pre pytest cython sympy pyparsing jinja2 sphinx
+          "$PYTHON_BINARY" -m pip install --upgrade pip setuptools
+          "$PYTHON_BINARY" -m pip install --pre -i https://pypi.anaconda.org/scientific-python-nightly-wheels/simple numpy scipy
+          "$PYTHON_BINARY" -m pip install --pre pytest cython sympy pyparsing jinja2 sphinx
       - name: Install Brian2
-        run: ${{ steps.python.outputs.python-path }} -m pip install --pre -i https://pypi.anaconda.org/scientific-python-nightly-wheels/simple --extra-index-url https://pypi.org/simple .
+        env:
+          PYTHON_BINARY: ${{ steps.python.outputs.python-path }}      
+        run: |
+          "$PYTHON_BINARY" -m pip install --pre -i https://pypi.anaconda.org/scientific-python-nightly-wheels/simple --extra-index-url https://pypi.org/simple .
       - name: Determine Cython cache dir
         id: cython-cache
         run: |
@@ -137,8 +149,9 @@ jobs:
       - name: Run Tests
         run: |
           cd  ${{ github.workspace }}/.. # move out of the workspace to avoid direct import
-          ${{ steps.python.outputs.python-path }} -Wd ${{ github.workspace }}/dev/continuous-integration/run_test_suite.py || echo "Tests failed (but not marked as failed on GA)"
+          "$PYTHON_BINARY" -Wd ${{ github.workspace }}/dev/continuous-integration/run_test_suite.py || echo "Tests failed (but not marked as failed on GA)"
         env:
           DEPRECATION_ERROR: true
           AGENT_OS: linux
           STANDALONE: ${{ matrix.standalone }}
+          PYTHON_BINARY: ${{ steps.python.outputs.python-path }}
diff --git a/.github/workflows/testsuite.yml b/.github/workflows/testsuite.yml
@@ -21,6 +21,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: '3.10'
@@ -60,6 +62,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Setup Conda and Python
         uses: conda-incubator/setup-miniconda@v3
@@ -129,6 +132,7 @@ jobs:
       uses: actions/checkout@v4
       with:
         fetch-depth: 0
+        persist-credentials: false
         submodules: true
 
     - name: Setup Conda and Python