Harden CI; add zizmor (#2952)

sloria · web-flow · commit d0e27cd994c9 · 2026-04-14T22:40:35.000-04:00
diff --git a/.github/workflows/build-release.yml b/.github/workflows/build-release.yml
@@ -5,6 +5,9 @@ on:
     tags: ["*"]
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   tests:
     name: ${{ matrix.name }}
@@ -18,17 +21,21 @@ jobs:
           - { name: "mypy", tox: mypy }
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
         with:
+          persist-credentials: false
+      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
+        with: # zizmor: ignore[cache-poisoning] cache key is lockfile-derived
           enable-cache: true
       - run: uv run tox -e ${{ matrix.tox }}
   build:
     name: Build package
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
         with:
+          persist-credentials: false
+      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
+        with: # zizmor: ignore[cache-poisoning] cache key is lockfile-derived
           enable-cache: true
       - run: uv build
       - run: uvx twine check --strict dist/*
@@ -44,8 +51,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
         with:
+          persist-credentials: false
+      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
+        with: # zizmor: ignore[cache-poisoning] cache key is lockfile-derived
           enable-cache: true
       - run: uv run tox -e lint
   publish-to-pypi:
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -11,6 +11,10 @@ repos:
   hooks:
     - id: check-github-workflows
     - id: check-readthedocs
+- repo: https://github.com/zizmorcore/zizmor-pre-commit
+  rev: v1.24.0
+  hooks:
+    - id: zizmor
 # TODO: Remove blacken-docs when https://github.com/astral-sh/ruff/issues/8237 is implemented
 - repo: https://github.com/asottile/blacken-docs
   rev: 1.20.0
