From cc4762b8cd029f387ae691a70061e50113b9dc9f Mon Sep 17 00:00:00 2001 From: BarbUk Date: Mon, 6 Apr 2026 09:10:54 +0400 Subject: [PATCH 1/3] Add zizmor precommit --- .pre-commit-config.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 92f2686e8b..1f79966855 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -24,9 +24,13 @@ repos: - repo: https://github.com/Lucas-C/pre-commit-hooks rev: ad1b27d73581aa16cca06fc4a0761fc563ffe8e8 # frozen: v1.5.6 hooks: - # - id: forbid-crlf - id: remove-crlf exclude: ".bat$" + # Github action + - repo: https://github.com/zizmorcore/zizmor-pre-commit + rev: ea2eb407b4cbce87cf0d502f36578950494f5ac9 # frozen: v1.23.1 + hooks: + - id: zizmor - repo: local hooks: - id: dot-sh From 42bc49160a95ad452f9c2ce84690632924be8532 Mon Sep 17 00:00:00 2001 From: BarbUk Date: Mon, 6 Apr 2026 09:11:20 +0400 Subject: [PATCH 2/3] Fix ci workflow --- .github/workflows/ci.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c09bb0bd27..a9a21ffb45 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -3,6 +3,8 @@ name: CI # Triggers the workflow on push or pull request events on: [push, pull_request] +permissions: {} + jobs: bats-test: strategy: @@ -13,6 +15,8 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Install greadlink if: startsWith(runner.os, 'macOS') run: brew install coreutils @@ -27,6 +31,8 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: 
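Review bot: The comment `# Github action` above the new zizmor entry in `.pre-commit-config.yaml` does not say what the hook checks. Something like `# zizmor: static security audit of GitHub Actions workflows` would tell a contributor why a commit touching the workflow files was rejected. The entry already follows the file's convention of pinning `rev` to a full commit SHA with a `# frozen:` tag comment, so only the comment wording needs attention.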
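Review bot: In `.github/workflows/ci.yml` (hunk `@@ -3,6 +3,8 @@`), the new workflow-level `permissions: {}` has no comment, and it removes every `GITHUB_TOKEN` scope from any job that does not declare its own `permissions:` block. I would add `# Deny all GITHUB_TOKEN scopes by default; each job opts in to what it needs` above it. None of the job hunks in this patch show a job-level `permissions:` block. It is therefore worth confirming that the job containing the `Differential ShellCheck` step (hunk `@@ -74,6 +82,7 @@`) still has the scope it needs if it reports results to code scanning. That job's definition starts outside the hunk, so this cannot be checked from here.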
@@ -41,6 +47,8 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Go uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: @@ -74,6 +82,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: false - id: ShellCheck name: Differential ShellCheck From a5be3cf470826cf6d04f3d07b23a987e71e39c1d Mon Sep 17 00:00:00 2001 From: BarbUk Date: Sun, 12 Apr 2026 22:21:34 +0400 Subject: [PATCH 3/3] Add zizmor action --- .github/workflows/ci.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a9a21ffb45..b4b5b4bbcb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,6 +6,19 @@ on: [push, pull_request] permissions: {} jobs: + zizmor: + runs-on: ubuntu-latest + permissions: + security-events: write + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor 🌈 + uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2 + bats-test: strategy: matrix:
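Review bot: The `zizmor` job's `permissions:` block (patch 3, hunk `@@ -6,6 +6,19 @@`) grants only `security-events: write`, and a job-level block replaces the workflow-level `permissions: {}` rather than adding to it, so the token has no `contents` or `actions` scope. That is enough on a public repository, but on a private fork or mirror the checkout and the result upload would likely fail. I would document this on the block with `# security-events: write is presumably for uploading findings to code scanning; private repositories also need contents: read and actions: read`. Separately, the pre-commit hook from patch 1 is frozen at v1.23.1 while this step pins only the action commit. It is worth confirming which zizmor release the action actually runs, so that local and CI findings stay aligned.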