From d2275de2dafa49bc0e7a3f4503519eef4ed6b26e Mon Sep 17 00:00:00 2001
From: Thomas Grainger
Date: Mon, 6 Apr 2026 16:33:30 +0000
Subject: [PATCH] Add zizmor pre-commit hook for GitHub Actions security

Following pytest's pre-commit config.
Fixes applied:
- Add persist-credentials: false to all checkout steps
- Fix template injection in deploy.yml (use env vars instead of direct template expansion in run blocks)
---
 .github/dependabot.yml | 2 ++
 .github/workflows/deploy.yml | 21 ++++++++++++++-------
 .github/workflows/test.yml | 16 +++++++++++-----
 .pre-commit-config.yaml | 5 +++++
 4 files changed, 32 insertions(+), 12 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index be006de..9142c86 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -11,3 +11,5 @@ updates:
 - "*" # Group all Actions updates into a single larger pull request
 schedule:
 interval: weekly
+ cooldown:
+ default-days: 7
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 22ec241..5b1d681 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -8,16 +8,20 @@ on:
 required: true
 default: '1.2.3'
+permissions: {}
+
 jobs:
 package:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Build and Check Package
- uses: hynek/build-and-inspect-python-package@v2.17
+ uses: hynek/build-and-inspect-python-package@fe0a0fb1925ca263d076ca4f2c13e93a6e92a33e # v2.17
 deploy:
 needs: package
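Review bot: The new `cooldown` stanza in the dependabot.yml hunk carries no comment explaining the 7-day wait, while the neighbouring `- "*"` entry documents its grouping, so the trade-off (slower adoption of Actions releases in exchange for time for a bad release to be withdrawn or reported) is invisible to the next reader. Suggest `# Wait 7 days after an Actions release before proposing it, so bad releases have time to be caught` above `cooldown:`, adjusted if that is not the intent. It is also worth confirming from the Dependabot documentation whether the cooldown delays security updates for this ecosystem as well, since that affects whether a week is the right value.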
@@ -27,22 +31,25 @@ jobs:
 contents: write # For tag.
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Download Package
- uses: actions/download-artifact@v8
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
 with:
 name: Packages
 path: dist
 - name: Publish package to PyPI
- uses: pypa/gh-action-pypi-publish@v1.13.0
+ uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
 with:
 attestations: true
 - name: GitHub Release
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_EVENT_INPUTS_VERSION: ${{ github.event.inputs.version }}
 run: |
- gh release create v${{ github.event.inputs.version }} --target=${{ github.ref_name }} --title v${{ github.event.inputs.version }}
- gh pr merge ${{ github.ref_name }} --merge
+ gh release create v${GITHUB_EVENT_INPUTS_VERSION} --target=${GITHUB_REF_NAME} --title v${GITHUB_EVENT_INPUTS_VERSION}
+ gh pr merge ${GITHUB_REF_NAME} --merge
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 5d4100a..c23b46b 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -10,6 +10,8 @@ on:
 branches:
 - "*"
+permissions: {}
+
 env:
 FORCE_COLOR: 1
@@ -22,9 +24,11 @@ jobs:
 package:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Build and Check Package
- uses: hynek/build-and-inspect-python-package@v2.17
+ uses: hynek/build-and-inspect-python-package@fe0a0fb1925ca263d076ca4f2c13e93a6e92a33e # v2.17
 test:
 needs: [package]
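Review bot: The two rewritten `gh` lines at the end of the deploy.yml hunk leave `${GITHUB_EVENT_INPUTS_VERSION}` and `${GITHUB_REF_NAME}` unquoted in the shell, so moving the input out of the `${{ }}` expansion stops script injection into the step source but the value still undergoes word splitting and globbing when the command line is built. Quote the expansions: `gh release create "v${GITHUB_EVENT_INPUTS_VERSION}" --target="${GITHUB_REF_NAME}" --title "v${GITHUB_EVENT_INPUTS_VERSION}"` and `gh pr merge "${GITHUB_REF_NAME}" --merge`. Since the input has a fixed shape (its default is `'1.2.3'`), a guard such as `[[ "${GITHUB_EVENT_INPUTS_VERSION}" =~ ^[0-9]+(\.[0-9]+)*$ ]] || exit 1` before the first `gh` call makes the release tag well-formed by construction rather than by trust in whoever dispatched the workflow. The `deploy` job's header and the start of its `permissions` block lie before this hunk, so whether `id-token: write` accompanies `attestations: true` cannot be confirmed from here.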
@@ -36,16 +40,18 @@ jobs:
 os: [ubuntu-latest, macos-latest] # , windows-latest] # Windows tests will fail.
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Download Package
- uses: actions/download-artifact@v8
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
 with:
 name: Packages
 path: dist
 - name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: ${{ matrix.python-version }}
 allow-prereleases: true
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 542a828..7c1daf5 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -5,6 +5,11 @@ repos:
 - id: ruff-check
 args: [--fix]
 - id: ruff-format
+ - repo: https://github.com/woodruffw/zizmor-pre-commit
+ rev: v1.23.1
+ hooks:
+ - id: zizmor
+ args: ["--fix", "--no-progress"]
 - repo: https://github.com/pre-commit/pre-commit-hooks
 rev: v6.0.0
 hooks:
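Review bot: The zizmor hook in the .pre-commit-config.yaml hunk is added with `--fix` and no comment, so a reader will not know that this hook rewrites the workflow files it audits rather than only reporting on them. Suggest `# --fix rewrites auto-remediable findings in place; review the resulting workflow diff before committing` above the `args:` line. Separately, `rev: v1.23.1` is not covered by the Dependabot `github-actions` group configured earlier in this patch, so as far as this patch shows it will only move via `pre-commit autoupdate` or pre-commit.ci; if the project relies on Dependabot for supply-chain bumps, the hook revision needs its own update path.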