🔒 Pass the pedantic zizmor

veit · veit · commit c12d3b0ccf69 · 2026-04-30T17:45:07.000+02:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -5,11 +5,20 @@ on:
   push:
     branches: [main]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
+
 jobs:
   pre-commit:
+    name: pre-commit
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
     - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
     - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
       with:
@@ -22,6 +31,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
     - uses: pandoc/actions/setup@86321b6dd4675f5014c611e05088e10d4939e09e # v1.1.1
     - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml
@@ -9,52 +9,55 @@ on:
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
-# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
-permissions:
-  contents: read
-  pages: write
-  id-token: write
-
 # Allow one concurrent deployment
 concurrency:
   group: "pages"
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
-  # Single deploy job since we’re just deploying
   deploy:
+    name: Single deploy job since we’re just deploying
+    # Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+    permissions:
+      contents: read # necessary for the deployment to GitHub Pages
+      pages: write # necessary for the deployment to GitHub Pages
+      id-token: write # necessary for the deployment to GitHub Pages
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Install packages
         run: sudo apt install plantuml
       - name: Setup pandoc
-        uses: pandoc/actions/setup@v1
+        uses: pandoc/actions/setup@86321b6dd4675f5014c611e05088e10d4939e09e # v1.1.1
       - name: Setup python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version-file: .python-version
           architecture: x64
       - name: Setup cached uv
-        uses: hynek/setup-cached-uv@v2
+        uses: hynek/setup-cached-uv@4300ec2180bc77d705e626a34e381b81a4772c51 # v2.5.0
       - name: Build and activate venv
         run: |
           uv venv
           echo "$PWD/.venv/bin" >> $GITHUB_PATH
           uv pip install --group=docs
       - name: Setup Pages
-        uses: actions/configure-pages@v5
+        uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6.0.0
       - name: Build HTML
         run: uv run make html
         working-directory: docs/
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@v4
+        uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0
         with:
           path: docs/_build/html
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -0,0 +1,31 @@
+# https://github.com/woodruffw/zizmor
+name: Zizmor
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["**"]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: Run zizmor
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
+        with:
+          persona: pedantic
diff --git a/docs/packs/.github/workflows/build_wheels.yml b/docs/packs/.github/workflows/build_wheels.yml
@@ -1,10 +1,18 @@
 name: Build
 
 on:
-  workflow_dispatch:
+  push:
+    branches: [main]
   release:
     types:
       - published
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
 
 jobs:
   build_wheels:
@@ -17,6 +25,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Build wheels
         uses: pypa/cibuildwheel@8d2b08b68458a16aeb24b64e68a09ab1c8e82084 # v3.4.1
diff --git a/docs/packs/cibuildwheel.rst b/docs/packs/cibuildwheel.rst
@@ -28,7 +28,14 @@ Finally, the tests can also run against the wheels.
     .. literalinclude:: .github/workflows/build_wheels.yml
        :caption: .github/workflows/build_wheels.yml
        :language: yaml
-       :lines: 1-7
+       :lines: 1-15
+
+    ``release``
+        is executed when a tagged version is transferred.
+
+        .. seealso::
+           * `release
+             <https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#release>`_
 
     ``workflow_dispatch``
         allows you to click a button in the graphical user interface to trigger
@@ -39,18 +46,11 @@ Finally, the tests can also run against the wheels.
            * `workflow_dispatch
              <https://github.blog/changelog/2020-07-06-github-actions-manual-triggers-with-workflow_dispatch/>`_
 
-    ``release``
-        is executed when a tagged version is transferred.
-
-        .. seealso::
-           * `release
-             <https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#release>`_
-
     Now the :term:`wheels <wheel>` can be built with:
 
     .. literalinclude:: .github/workflows/build_wheels.yml
        :language: yaml
-       :lines: 9-22
+       :lines: 17-32
 
     This runs the CI workflow with the following default settings:
 
@@ -66,7 +66,7 @@ Finally, the tests can also run against the wheels.
 
     .. literalinclude:: .github/workflows/build_wheels.yml
        :language: yaml
-       :lines: 24-
+       :lines: 34-
 
 .. tab:: GitLab CI/CD
 
