Merge pull request #12693 from freqtrade/update/pre-commit-hooks

Update pre-commit hooks

.github/actions/docker-tags/action.yml

@@ -46,8 +46,9 @@ runs:
       id: tags
       env:
         BRANCH_NAME_INPUT: ${{ github.event.inputs.branch_name }}
+        EVENT_NAME: ${{ github.event_name }}
       run: |
-        if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+        if [ "${EVENT_NAME}" = "workflow_dispatch" ]; then
           BRANCH_NAME="${BRANCH_NAME_INPUT}"
         else
           BRANCH_NAME="${GITHUB_REF##*/}"

.github/workflows/binance-lev-tier-update.yml

@@ -6,20 +6,25 @@ on:
   # on demand
   workflow_dispatch:
 
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 
 jobs:
   auto-update:
+    name: "Auto Update Binance Leverage Tiers"
     runs-on: ubuntu-latest
     environment:
       name: develop
     steps:
-    - uses: actions/checkout@v6.0.1
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       with:
         persist-credentials: false
 
-    - uses: actions/setup-python@v6
+    - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
       with:
         python-version: "3.12"
 

.github/workflows/ci.yml

@@ -16,8 +16,8 @@ on:
 concurrency:
   group: "${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}"
   cancel-in-progress: true
-permissions:
-  repository-projects: read
+permissions: {}
+
 jobs:
   tests:
     name: "Tests and Linting"
@@ -28,12 +28,12 @@ jobs:
         python-version: ["3.11", "3.12", "3.13", "3.14"]
 
     steps:
-    - uses: actions/checkout@v6.0.1
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       with:
         persist-credentials: false
 
     - name: Set up Python
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
       with:
         python-version: ${{ matrix.python-version }}
 
@@ -178,12 +178,12 @@ jobs:
     name: "Mypy Version Check"
     runs-on: ubuntu-24.04
     steps:
-    - uses: actions/checkout@v6.0.1
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       with:
         persist-credentials: false
 
     - name: Set up Python
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 #v6.1.0
       with:
         python-version: "3.12"
 
@@ -196,11 +196,11 @@ jobs:
     name: "Pre-commit checks"
     runs-on: ubuntu-22.04
     steps:
-    - uses: actions/checkout@v6.0.1
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       with:
         persist-credentials: false
 
-    - uses: actions/setup-python@v6
+    - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
       with:
         python-version: "3.12"
     - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
@@ -209,7 +209,7 @@ jobs:
     name: "Documentation build"
     runs-on: ubuntu-22.04
     steps:
-    - uses: actions/checkout@v6.0.1
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       with:
         persist-credentials: false
 
@@ -218,7 +218,7 @@ jobs:
         ./tests/test_docs.sh
 
     - name: Set up Python
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
       with:
         python-version: "3.12"
 
@@ -241,12 +241,12 @@ jobs:
     name: "Tests and Linting - Online tests"
     runs-on: ubuntu-24.04
     steps:
-    - uses: actions/checkout@v6.0.1
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       with:
         persist-credentials: false
 
     - name: Set up Python
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
       with:
         python-version: "3.12"
 
@@ -275,6 +275,7 @@ jobs:
 
   # Notify only once - when CI completes (and after deploy) in case it's successful
   notify-complete:
+    name: "Notify CI Completion"
     needs: [
       build,
       build-linux-online
@@ -282,8 +283,6 @@ jobs:
     runs-on: ubuntu-22.04
     # Discord notification can't handle schedule events
     if: github.event_name != 'schedule' && github.repository == 'freqtrade/freqtrade'
-    permissions:
-      repository-projects: read
     steps:
 
     - name: Check user permission
@@ -321,12 +320,12 @@ jobs:
       with:
         jobs: ${{ toJSON(needs) }}
 
-    - uses: actions/checkout@v6.0.1
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       with:
         persist-credentials: false
 
     - name: Set up Python
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
       with:
         python-version: "3.12"
 
@@ -336,7 +335,7 @@ jobs:
         python -m build --sdist --wheel
 
     - name: Upload artifacts 📦
-      uses: actions/upload-artifact@v6
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.1.0
       with:
         name: freqtrade-build
         path: |
@@ -349,7 +348,7 @@ jobs:
         python -m build --sdist --wheel ft_client
 
     - name: Upload artifacts 📦
-      uses: actions/upload-artifact@v6
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.1.0
       with:
         name: freqtrade-client-build
         path: |
@@ -365,15 +364,15 @@ jobs:
       name: testpypi
       url: https://test.pypi.org/p/freqtrade
     permissions:
-      id-token: write
+      id-token: write # Needed for pypa/gh-action-pypi-publish
 
     steps:
-    - uses: actions/checkout@v6.0.1
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       with:
         persist-credentials: false
 
     - name: Download artifact  📦
-      uses: actions/download-artifact@v7
+      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
       with:
         pattern: freqtrade*-build
         path: dist
@@ -394,15 +393,15 @@ jobs:
       name: pypi
       url: https://pypi.org/p/freqtrade
     permissions:
-      id-token: write
+      id-token: write # Needed for pypa/gh-action-pypi-publish
 
     steps:
-    - uses: actions/checkout@v6.0.1
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       with:
         persist-credentials: false
 
     - name: Download artifact  📦
-      uses: actions/download-artifact@v7
+      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
       with:
         pattern: freqtrade*-build
         path: dist
@@ -420,7 +419,7 @@ jobs:
     if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'release') && github.repository == 'freqtrade/freqtrade'
     uses: ./.github/workflows/docker-build.yml
     permissions:
-      packages: write
+      packages: write # Needed to push package versions
       contents: read
     secrets:
       DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
@@ -434,6 +433,6 @@ jobs:
     # Only run on push, schedule, or release events
     if: (github.event_name == 'push' || github.event_name == 'schedule') && github.repository == 'freqtrade/freqtrade'
     permissions:
-      packages: write
+      packages: write # Needed to delete package versions
     with:
       package_name: 'freqtrade'

.github/workflows/deploy-docs.yml

@@ -11,6 +11,9 @@ on:
 # disable permissions for all of the available permissions
 permissions: {}
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
 
 jobs:
   build-docs:
@@ -19,12 +22,12 @@ jobs:
     name: Deploy Docs through mike
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6.0.1
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: true
 
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         with:
           python-version: '3.12'
 

.github/workflows/devcontainer-build.yml

@@ -17,14 +17,17 @@ concurrency:
   group: "${{ github.workflow }}"
   cancel-in-progress: true
 
+permissions:
+  contents: read
 
 jobs:
   build-and-push:
+    name: "Build and Push Devcontainer Image"
     permissions:
-      packages: write
+      packages: write  # Needed to push package versions
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v6.0.1
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       with:
         persist-credentials: false
     - name: Login to GitHub Container Registry

.github/workflows/docker-build.yml

@@ -17,6 +17,10 @@ on:
         default: 'develop'
         type: string
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 
@@ -33,7 +37,7 @@ jobs:
     if: github.repository == 'freqtrade/freqtrade'
 
     steps:
-    - uses: actions/checkout@v6.0.1
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       with:
         persist-credentials: false
 
@@ -159,14 +163,14 @@ jobs:
   deploy-arm:
     name: "Deploy Docker ARM64"
     permissions:
-      packages: write
+      packages: write # Needed to push package versions
     needs: [ deploy-docker ]
     # Only run on 64bit machines
     runs-on: [self-hosted, linux, ARM64]
     if: github.repository == 'freqtrade/freqtrade'
 
     steps:
-    - uses: actions/checkout@v6.0.1
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       with:
         persist-credentials: false
 

.github/workflows/docker-update-readme.yml

@@ -4,14 +4,19 @@ on:
     branches:
     - stable
 
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: true
+
 # disable permissions for all of the available permissions
 permissions: {}
 
 jobs:
   dockerHubDescription:
+    name: "Update Docker Hub Description"
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v6.0.1
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       with:
         persist-credentials: false
 

.github/workflows/packages-cleanup.yml

@@ -25,20 +25,26 @@ on:
         default: true
         type: boolean
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: false
+
 env:
   PACKAGE_NAME: "freqtrade"
 
+permissions: {}
+
 jobs:
   deploy-docker:
     name: "Delete Packages"
     runs-on: ubuntu-24.04
     if: github.repository == 'freqtrade/freqtrade'
     permissions:
-      packages: write
+      packages: write  # Needed to delete package versions
 
     steps:
     - name: "Delete untagged Package Versions"
-      uses: actions/delete-package-versions@v5
+      uses: actions/delete-package-versions@e5bc658cc4c965c472efe991f8beea3981499c55 # v5.0.0
       with:
         package-name: ${{ inputs.package_name || env.PACKAGE_NAME }}
         package-type: 'container'

.github/workflows/pre-commit-update.yml

@@ -9,15 +9,20 @@ on:
 permissions:
   contents: read
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 jobs:
   auto-update:
+    name: Auto-update pre-commit hooks
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v6.0.1
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       with:
         persist-credentials: false
 
-    - uses: actions/setup-python@v6
+    - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
       with:
         python-version: "3.12"
 

.github/workflows/zizmor.yml

@@ -1,30 +0,0 @@
-name: GitHub Actions Security Analysis with zizmor 🌈
-
-on:
-  push:
-    branches:
-      - develop
-      - stable
-  pull_request:
-    branches:
-      - develop
-      - stable
-
-permissions: {}
-
-jobs:
-  zizmor:
-    name: Run zizmor 🌈
-    runs-on: ubuntu-latest
-    permissions:
-      security-events: write
-      # contents: read # only needed for private repos
-      # actions: read # only needed for private repos
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6.0.1
-        with:
-          persist-credentials: false
-
-      - name: Run zizmor 🌈
-        uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0

.github/workflows/zizmor_action.yml

@@ -0,0 +1,34 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+  push:
+    branches:
+      - develop
+      - stable
+  pull_request:
+    branches:
+      - develop
+      - stable
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: false
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: Run zizmor 🌈
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
+      # contents: read         # Only needed for private repos. Needed to clone the repo.
+      # actions: read          # Only needed for private repos. Needed for upload-sarif to read workflow run info.
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor 🌈
+        uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0

.pre-commit-config.yaml

@@ -83,6 +83,6 @@ repos:
 
   # Ensure github actions remain safe
   - repo: https://github.com/woodruffw/zizmor-pre-commit
-    rev: v1.19.0
+    rev: v1.20.0
     hooks:
     - id: zizmor