From be7f5f4e26d6ab00ea3ae4e0b663032333460f7f Mon Sep 17 00:00:00 2001 From: Freqtrade Bot <154552126+freqtrade-bot@users.noreply.github.com> Date: Tue, 6 Jan 2026 03:31:20 +0000 Subject: [PATCH 1/7] chore: update pre-commit hooks --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 09b08f0cc..9ae864090 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -83,6 +83,6 @@ repos: # Ensure github actions remain safe - repo: https://github.com/woodruffw/zizmor-pre-commit - rev: v1.19.0 + rev: v1.20.0 hooks: - id: zizmor From 872b59c9cd72f8992bfd758233af06686090dff5 Mon Sep 17 00:00:00 2001 From: Matthias Date: Tue, 6 Jan 2026 09:13:13 +0100 Subject: [PATCH 2/7] maint: pin all actions by hash --- .github/workflows/binance-lev-tier-update.yml | 4 +-- .github/workflows/ci.yml | 36 +++++++++---------- .github/workflows/deploy-docs.yml | 4 +-- .github/workflows/devcontainer-build.yml | 2 +- .github/workflows/docker-build.yml | 4 +-- .github/workflows/docker-update-readme.yml | 2 +- .github/workflows/packages-cleanup.yml | 2 +- .github/workflows/pre-commit-update.yml | 4 +-- .github/workflows/zizmor.yml | 2 +- 9 files changed, 30 insertions(+), 30 deletions(-) diff --git a/.github/workflows/binance-lev-tier-update.yml b/.github/workflows/binance-lev-tier-update.yml index bf24ec1bf..74e530b68 100644 --- a/.github/workflows/binance-lev-tier-update.yml +++ b/.github/workflows/binance-lev-tier-update.yml @@ -15,11 +15,11 @@ jobs: environment: name: develop steps: - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false - - uses: actions/setup-python@v6 + - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 with: python-version: "3.12" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b29e941fa..c2071d561 100644 
--- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -28,12 +28,12 @@ jobs: python-version: ["3.11", "3.12", "3.13", "3.14"] steps: - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 with: python-version: ${{ matrix.python-version }} @@ -178,12 +178,12 @@ jobs: name: "Mypy Version Check" runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 #v6.1.0 with: python-version: "3.12" @@ -196,11 +196,11 @@ jobs: name: "Pre-commit checks" runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false - - uses: actions/setup-python@v6 + - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 with: python-version: "3.12" - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 @@ -209,7 +209,7 @@ jobs: name: "Documentation build" runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false @@ -218,7 +218,7 @@ jobs: ./tests/test_docs.sh - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 with: python-version: "3.12" 
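Review bot: The version comment on the setup-python pin in the `@@ -178,12` hunk is written `#v6.1.0` without the space that every other pin in this commit uses (`# v6.1.0`). Tools that keep hash pins in sync with their version comment (Dependabot, Renovate) match on that trailing comment, so the odd form may leave this one pin untracked; I have not checked how strict each matcher is. Change the line to `uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0` so all pins follow the same pattern.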
@@ -241,12 +241,12 @@ jobs: name: "Tests and Linting - Online tests" runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 with: python-version: "3.12" @@ -321,12 +321,12 @@ jobs: with: jobs: ${{ toJSON(needs) }} - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 with: python-version: "3.12" @@ -336,7 +336,7 @@ jobs: python -m build --sdist --wheel - name: Upload artifacts 📦 - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.1.0 with: name: freqtrade-build path: | @@ -349,7 +349,7 @@ jobs: python -m build --sdist --wheel ft_client - name: Upload artifacts 📦 - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.1.0 with: name: freqtrade-client-build path: | @@ -368,12 +368,12 @@ jobs: id-token: write steps: - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false - name: Download artifact 📦 - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: pattern: freqtrade*-build path: dist 
@@ -397,12 +397,12 @@ jobs: id-token: write steps: - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false - name: Download artifact 📦 - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: pattern: freqtrade*-build path: dist diff --git a/.github/workflows/deploy-docs.yml b/.github/workflows/deploy-docs.yml index 33272efa6..d5ec2442e 100644 --- a/.github/workflows/deploy-docs.yml +++ b/.github/workflows/deploy-docs.yml @@ -19,12 +19,12 @@ jobs: name: Deploy Docs through mike runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: true - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 with: python-version: '3.12' diff --git a/.github/workflows/devcontainer-build.yml b/.github/workflows/devcontainer-build.yml index 485ff30ed..969ce7fd0 100644 --- a/.github/workflows/devcontainer-build.yml +++ b/.github/workflows/devcontainer-build.yml @@ -24,7 +24,7 @@ jobs: packages: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false - name: Login to GitHub Container Registry diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index e105c9d21..de346f901 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -33,7 +33,7 @@ jobs: if: github.repository == 'freqtrade/freqtrade' steps: - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false 
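Review bot: The deploy-docs.yml hunk (`@@ -19,12`) keeps `persist-credentials: true` on the checkout, which stores the job's GITHUB_TOKEN in `.git/config` for every later step, including the pip-installed doc toolchain. Presumably mike pushes the built docs with that token, which is why the credential is persisted; if so, the job-level permissions (outside this hunk) should be limited to what that push needs, and if the push uses a different token, set `persist-credentials: false` as every other workflow in this commit does. The hash pin itself is fine; this is a follow-up to the pinning.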
@@ -166,7 +166,7 @@ jobs: if: github.repository == 'freqtrade/freqtrade' steps: - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false diff --git a/.github/workflows/docker-update-readme.yml b/.github/workflows/docker-update-readme.yml index 7f3a75280..c49c9a352 100644 --- a/.github/workflows/docker-update-readme.yml +++ b/.github/workflows/docker-update-readme.yml @@ -11,7 +11,7 @@ jobs: dockerHubDescription: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false diff --git a/.github/workflows/packages-cleanup.yml b/.github/workflows/packages-cleanup.yml index 9d31504e9..3dd990be1 100644 --- a/.github/workflows/packages-cleanup.yml +++ b/.github/workflows/packages-cleanup.yml @@ -38,7 +38,7 @@ jobs: steps: - name: "Delete untagged Package Versions" - uses: actions/delete-package-versions@v5 + uses: actions/delete-package-versions@e5bc658cc4c965c472efe991f8beea3981499c55 # v5.0.0 with: package-name: ${{ inputs.package_name || env.PACKAGE_NAME }} package-type: 'container' diff --git a/.github/workflows/pre-commit-update.yml b/.github/workflows/pre-commit-update.yml index 31a0f8c5a..31c3bb51f 100644 --- a/.github/workflows/pre-commit-update.yml +++ b/.github/workflows/pre-commit-update.yml @@ -13,11 +13,11 @@ jobs: auto-update: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false - - uses: actions/setup-python@v6 + - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 with: python-version: "3.12" diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index cec2469b8..e01fd7790 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml 
@@ -22,7 +22,7 @@ jobs: # actions: read # only needed for private repos steps: - name: Checkout repository - uses: actions/checkout@v6.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false From 29f235441b0cf3b8c4a0186bfd4b3e3df2a6892e Mon Sep 17 00:00:00 2001 From: Matthias Date: Tue, 6 Jan 2026 09:17:08 +0100 Subject: [PATCH 3/7] maint: set base permissions for all workflows --- .github/workflows/devcontainer-build.yml | 2 ++ .github/workflows/packages-cleanup.yml | 3 +++ 2 files changed, 5 insertions(+) diff --git a/.github/workflows/devcontainer-build.yml b/.github/workflows/devcontainer-build.yml index 969ce7fd0..566af82b1 100644 --- a/.github/workflows/devcontainer-build.yml +++ b/.github/workflows/devcontainer-build.yml @@ -17,6 +17,8 @@ concurrency: group: "${{ github.workflow }}" cancel-in-progress: true +permissions: + contents: read jobs: build-and-push: diff --git a/.github/workflows/packages-cleanup.yml b/.github/workflows/packages-cleanup.yml index 3dd990be1..5dd79afd6 100644 --- a/.github/workflows/packages-cleanup.yml +++ b/.github/workflows/packages-cleanup.yml @@ -28,6 +28,9 @@ on: env: PACKAGE_NAME: "freqtrade" +permissions: + contents: read + jobs: deploy-docker: name: "Delete Packages" From 00d903cb3f82e59c46696e76e8f9b6f5dc81268e Mon Sep 17 00:00:00 2001 From: Matthias Date: Tue, 6 Jan 2026 09:19:03 +0100 Subject: [PATCH 4/7] maint: add explanatory comment for permission --- .github/workflows/zizmor.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index e01fd7790..3ff2930b0 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml 
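Review bot: The `permissions:` block added to devcontainer-build.yml (`@@ -17,6 +17,8`) is inserted with no blank line before `jobs:`, while the same commit's packages-cleanup.yml hunk (`@@ -28,6 +28,9`) adds one; the differing line counts in the two hunk headers show it. Add the separating blank line so both files read the same. The new workflow default of `contents: read` is otherwise sound, but note that the `build-and-push` job's own `permissions:` block (`packages: write`) replaces rather than extends the default, so that job's token has no `contents` scope; that is fine for a public-repo checkout but should be revisited if any of its steps read the repository through the API.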
@@ -17,9 +17,9 @@ jobs: name: Run zizmor 🌈 runs-on: ubuntu-latest permissions: - security-events: write - # contents: read # only needed for private repos - # actions: read # only needed for private repos + security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files. + # contents: read # Only needed for private repos. Needed to clone the repo. + # actions: read # Only needed for private repos. Needed for upload-sarif to read workflow run info. steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 From 61274252af777bb88d6711e2c339f6a7768ceb52 Mon Sep 17 00:00:00 2001 From: Matthias Date: Tue, 6 Jan 2026 09:21:04 +0100 Subject: [PATCH 5/7] maint: rename zizmor CI workflow this will avoid schema collision with the zizmor.yml config file --- .github/workflows/{zizmor.yml => zizmor_action.yml} | 4 ++++ 1 file changed, 4 insertions(+) rename .github/workflows/{zizmor.yml => zizmor_action.yml} (87%) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor_action.yml similarity index 87% rename from .github/workflows/zizmor.yml rename to .github/workflows/zizmor_action.yml index 3ff2930b0..7baf065cf 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor_action.yml @@ -10,6 +10,10 @@ on: - develop - stable +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: false + permissions: {} jobs: From f845dc71b1b936abb99ede4adb5f64bf99aab3af Mon Sep 17 00:00:00 2001 
From: Matthias Date: Tue, 6 Jan 2026 09:33:00 +0100 Subject: [PATCH 6/7] maint: fix pedantic zizmor problems --- .github/actions/docker-tags/action.yml | 3 ++- .github/workflows/binance-lev-tier-update.yml | 5 +++++ .github/workflows/ci.yml | 15 +++++++-------- .github/workflows/deploy-docs.yml | 3 +++ .github/workflows/devcontainer-build.yml | 3 ++- .github/workflows/docker-build.yml | 6 +++++- .github/workflows/docker-update-readme.yml | 5 +++++ .github/workflows/packages-cleanup.yml | 6 +++++- .github/workflows/pre-commit-update.yml | 5 +++++ 9 files changed, 39 insertions(+), 12 deletions(-) diff --git a/.github/actions/docker-tags/action.yml b/.github/actions/docker-tags/action.yml index 1a563aade..a0b8e4243 100644 --- a/.github/actions/docker-tags/action.yml +++ b/.github/actions/docker-tags/action.yml @@ -46,8 +46,9 @@ runs: id: tags env: BRANCH_NAME_INPUT: ${{ github.event.inputs.branch_name }} + EVENT_NAME: ${{ github.event_name }} run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then + if [ "${EVENT_NAME}" = "workflow_dispatch" ]; then BRANCH_NAME="${BRANCH_NAME_INPUT}" else BRANCH_NAME="${GITHUB_REF##*/}" diff --git a/.github/workflows/binance-lev-tier-update.yml b/.github/workflows/binance-lev-tier-update.yml index 74e530b68..500e2140b 100644 --- a/.github/workflows/binance-lev-tier-update.yml +++ b/.github/workflows/binance-lev-tier-update.yml @@ -6,11 +6,16 @@ on: # on demand workflow_dispatch: +concurrency: + group: ${{ github.workflow }} + cancel-in-progress: true + permissions: contents: read jobs: auto-update: + name: "Auto Update Binance Leverage Tiers" runs-on: ubuntu-latest environment: name: develop diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c2071d561..b342cc304 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -16,8 +16,8 @@ on: concurrency: group: "${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}" cancel-in-progress: true -permissions: - repository-projects: read +permissions: {} + jobs: tests: name: "Tests and Linting" @@ -275,6 +275,7 @@ jobs: # Notify only once - when CI completes (and after deploy) in case it's successful notify-complete: + name: "Notify CI Completion" needs: [ build, build-linux-online @@ -282,8 +283,6 @@ jobs: runs-on: ubuntu-22.04 # Discord notification can't handle schedule events if: github.event_name != 'schedule' && github.repository == 'freqtrade/freqtrade' - permissions: - repository-projects: read steps: - name: Check user permission @@ -365,7 +364,7 @@ jobs: name: testpypi url: https://test.pypi.org/p/freqtrade permissions: - id-token: write + id-token: write # Needed for pypa/gh-action-pypi-publish steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 @@ -394,7 +393,7 @@ jobs: name: pypi url: https://pypi.org/p/freqtrade permissions: - id-token: write + id-token: write # Needed for pypa/gh-action-pypi-publish steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 @@ -420,7 +419,7 @@ jobs: if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'release') && github.repository == 'freqtrade/freqtrade' uses: ./.github/workflows/docker-build.yml permissions: - packages: write + packages: write # Needed to push package versions contents: read secrets: DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} @@ -434,6 +433,6 @@ jobs: # Only run on push, schedule, or release events if: (github.event_name == 'push' || github.event_name == 'schedule') && github.repository == 'freqtrade/freqtrade' permissions: - packages: write + packages: write # Needed to delete package versions with: package_name: 'freqtrade' diff --git a/.github/workflows/deploy-docs.yml b/.github/workflows/deploy-docs.yml index d5ec2442e..83c110eec 100644 
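Review bot: With the workflow default changed to `permissions: {}` (`@@ -16,8`) and the job-level `repository-projects: read` dropped from `notify-complete` (`@@ -282,8`), that job's `Check user permission` step now runs with a token that has no scopes at all; the step body lies outside the hunk, so I cannot see whether it calls the API with GITHUB_TOKEN. If it does, give the job an explicit block, e.g. `permissions:` followed by `  contents: read`, rather than relying on the empty default. The other jobs in this file that only check out the public repository are unaffected by the change. The trailing comments added to `id-token: write` and `packages: write` are a good pattern and worth keeping for every non-read scope.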
--- a/.github/workflows/deploy-docs.yml +++ b/.github/workflows/deploy-docs.yml @@ -11,6 +11,9 @@ on: # disable permissions for all of the available permissions permissions: {} +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true jobs: build-docs: diff --git a/.github/workflows/devcontainer-build.yml b/.github/workflows/devcontainer-build.yml index 566af82b1..65296d89c 100644 --- a/.github/workflows/devcontainer-build.yml +++ b/.github/workflows/devcontainer-build.yml @@ -22,8 +22,9 @@ permissions: jobs: build-and-push: + name: "Build and Push Devcontainer Image" permissions: - packages: write + packages: write # Needed to push package versions runs-on: ubuntu-latest steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index de346f901..e6240a837 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -17,6 +17,10 @@ on: default: 'develop' type: string +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + permissions: contents: read @@ -159,7 +163,7 @@ jobs: deploy-arm: name: "Deploy Docker ARM64" permissions: - packages: write + packages: write # Needed to push package versions needs: [ deploy-docker ] # Only run on 64bit machines runs-on: [self-hosted, linux, ARM64] diff --git a/.github/workflows/docker-update-readme.yml b/.github/workflows/docker-update-readme.yml index c49c9a352..939794a44 100644 --- a/.github/workflows/docker-update-readme.yml +++ b/.github/workflows/docker-update-readme.yml 
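Review bot: `cancel-in-progress: true` in the docker-build.yml concurrency block (`@@ -17,6 +17,10`) aborts an in-flight image build and push whenever a new run lands in the same group, and this workflow is invoked through `workflow_call` from ci.yml, where `github.workflow` and `github.ref` resolve to the caller's values. Because the group omits the event name that ci.yml's own group includes, a `schedule` run and a `push` run on the same ref would share a group and could cancel each other mid-push, potentially leaving a partially published tag or an orphaned `deploy-arm` job; I have not confirmed how a called workflow's concurrency interacts with the caller's. The safer default for a publishing workflow is the one packages-cleanup.yml uses in this same commit, `cancel-in-progress: false`. The same consideration applies to deploy-docs.yml (`@@ -11,6`), which pushes the built docs.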
@@ -4,11 +4,16 @@ on: branches: - stable +concurrency: + group: ${{ github.workflow }} + cancel-in-progress: true + # disable permissions for all of the available permissions permissions: {} jobs: dockerHubDescription: + name: "Update Docker Hub Description" runs-on: ubuntu-latest steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 diff --git a/.github/workflows/packages-cleanup.yml b/.github/workflows/packages-cleanup.yml index 5dd79afd6..aefb81c47 100644 --- a/.github/workflows/packages-cleanup.yml +++ b/.github/workflows/packages-cleanup.yml @@ -25,6 +25,10 @@ on: default: true type: boolean +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: false + env: PACKAGE_NAME: "freqtrade" @@ -37,7 +41,7 @@ jobs: runs-on: ubuntu-24.04 if: github.repository == 'freqtrade/freqtrade' permissions: - packages: write + packages: write # Needed to delete package versions steps: - name: "Delete untagged Package Versions" diff --git a/.github/workflows/pre-commit-update.yml b/.github/workflows/pre-commit-update.yml index 31c3bb51f..28bc6473e 100644 --- a/.github/workflows/pre-commit-update.yml +++ b/.github/workflows/pre-commit-update.yml @@ -9,8 +9,13 @@ on: permissions: contents: read +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + jobs: auto-update: + name: Auto-update pre-commit hooks runs-on: ubuntu-latest steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 From 2c5a150a7b1423c90b3482e236a25547de59b140 Mon Sep 17 00:00:00 2001 From: Matthias Date: Tue, 6 Jan 2026 09:35:22 +0100 Subject: [PATCH 7/7] maint: remove non-needed permission --- .github/workflows/packages-cleanup.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/packages-cleanup.yml b/.github/workflows/packages-cleanup.yml index aefb81c47..76b252df4 100644 
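Review bot: The job name added in pre-commit-update.yml (`@@ -9,8`) is the only one in this commit written unquoted, `name: Auto-update pre-commit hooks`, whereas the others use `name: "..."`; quote it for consistency. The concurrency groups added here and in packages-cleanup.yml (`@@ -25,6`) include `github.event.pull_request.number`, which is only populated on pull_request events; the `on:` context visible in these hunks shows no such trigger, so the term always falls through to `github.ref`. Unless a pull_request trigger sits outside the hunk, `group: ${{ github.workflow }}`, as used for docker-update-readme.yml (`@@ -4,11`), states the intent more plainly.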
--- a/.github/workflows/packages-cleanup.yml +++ b/.github/workflows/packages-cleanup.yml @@ -32,8 +32,7 @@ concurrency: env: PACKAGE_NAME: "freqtrade" -permissions: - contents: read +permissions: {} jobs: deploy-docker: