Set up pre-commit (w/ Zizmor and misc.), Dependabot and tidy up GH workflows

.github/dependabot.yml

@@ -0,0 +1,14 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "quarterly"
+    groups:
+      actions:
+        patterns:
+          - "*"
+    cooldown:
+      # Actions should still be inspected manually, as currently this cooldown
+      # can be bypassed: https://github.com/dependabot/dependabot-core/issues/13078
+      default-days: 14

.github/workflows/cron.yml

@@ -5,20 +5,25 @@ on:
   schedule:
     - cron: "0 * * * *"
 
+permissions:
+  contents: read
+
 jobs:
   cron:
     runs-on: ubuntu-latest
     name: "Run PSRT Advisory Bot"
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
 
       - name: Set up uv
-        uses: astral-sh/setup-uv@v6
+        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
         with:
           enable-cache: true
 
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version-file: "pyproject.toml"
 

.github/workflows/lint.yml

@@ -0,0 +1,19 @@
+name: Lint
+
+on: [push, pull_request, workflow_dispatch]
+
+env:
+  FORCE_COLOR: 1
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
+      - uses: j178/prek-action@0bb87d7f00b0c99306c8bcb8b8beba1eb581c037 # v1.1.1

.github/workflows/ci.yml → .github/workflows/tests.yml

@@ -1,25 +1,14 @@
-name: CI
+name: Run tests
 
 on: [push, pull_request, workflow_dispatch]
 
 env:
   FORCE_COLOR: 1
 
-jobs:
-  lint:
-    name: Lint
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v5
-
-      - name: Run ruff lint
-        uses: astral-sh/ruff-action@v3
-
-      - name: Run ruff format check
-        uses: astral-sh/ruff-action@v3
-        with:
-          args: "format --check --diff"
+permissions:
+  contents: read
 
+jobs:
   test:
     name: Test on Python ${{ matrix.python-version }}
     runs-on: ubuntu-latest
@@ -29,15 +18,17 @@ jobs:
         python-version: ["3.14"]
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
 
       - name: Set up uv
-        uses: astral-sh/setup-uv@v6
+        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
         with:
           enable-cache: true
 
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v6
+        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
         with:
           python-version: ${{ matrix.python-version }}
 
@@ -55,10 +46,10 @@ jobs:
 
       - name: Upload coverage reports
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: test-results-${{ matrix.python-version }}
           path: |
             .coverage
             htmlcov/
-          retention-days: 30
+          retention-days: 30

.github/zizmor.yml

@@ -0,0 +1,4 @@
+rules:
+  secrets-outside-env:
+    ignore:
+      - cron.yml

.pre-commit-config.yaml

@@ -0,0 +1,35 @@
+repos:
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: e05c5c0818279e5ac248ac9e954431ba58865e61  # frozen: v0.15.7
+    hooks:
+      - id: ruff-check
+        name: Run Ruff (lint)
+        args: [--exit-non-zero-on-fix]
+      - id: ruff-format
+        name: Run Ruff (format)
+        args: [--exit-non-zero-on-fix]
+
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c  # frozen: v6.0.0
+    hooks:
+      - id: check-case-conflict
+      - id: check-merge-conflict
+      - id: end-of-file-fixer
+      - id: mixed-line-ending
+        args: [--fix=auto]
+      - id: trailing-whitespace
+
+  - repo: https://github.com/rhysd/actionlint
+    rev: 393031adb9afb225ee52ae2ccd7a5af5525e03e8  # frozen: v1.7.11
+    hooks:
+      - id: actionlint
+
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: b546b77c44c466a54a42af5499dcc0dcc1a3193f  # frozen: v1.22.0
+    hooks:
+      - id: zizmor
+
+  - repo: meta
+    hooks:
+      - id: check-hooks-apply
+      - id: check-useless-excludes

.python-version

@@ -1 +1 @@
-3.14
+3.14

LICENSE

@@ -51,4 +51,4 @@ products or services of Licensee, or any third party.
 8. By copying, installing or otherwise using Python Security Response Team
 GitHub Security Advisory Bot, Licensee
 agrees to be bound by the terms and conditions of this License
-Agreement.
+Agreement.

Makefile

@@ -26,4 +26,4 @@ test:  ## Run tests
 ci: lint fmt type-check test  ## Run everything
 
 app:  ## Run the app
-	@uv run python src/psrt_ghsa_bot/app.py
+	@uv run python src/psrt_ghsa_bot/app.py