🔒️ Add zizmor setup in workflow (#868)

Author: Aniketsy

.github/dependabot.yml

@@ -5,6 +5,8 @@ updates:
   directory: /
   schedule:
     interval: weekly
+  cooldown:
+    default-days: 7
   labels:
   - "topic: dependencies"
   - "tool: github-actions"
@@ -19,6 +21,8 @@ updates:
   directory: /
   schedule:
     interval: weekly
+  cooldown:
+    default-days: 7
   allow:
   - dependency-type: all
   ignore:

.github/workflows/ci.yml

@@ -1,5 +1,5 @@
 name: CI
-permissions: read-all
+permissions: {}
 
 on:
   push:
@@ -18,10 +18,13 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     timeout-minutes: 1
+    permissions:
+      contents: read
 
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
+      with:
+        persist-credentials: false
     - name: typos
       uses: crate-ci/typos@6ac2ebd1b93eade61faf7e12688ad87a073fea59 # v1.46.0
 
@@ -47,13 +50,16 @@ jobs:
   basedpyright:
     runs-on: ubuntu-latest
     timeout-minutes: 5
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
         py: ["3.11", "3.12", "3.13", "3.14"]
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
+      with:
+        persist-credentials: false
     - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
       with:
         python-version: ${{ matrix.py }}
@@ -64,13 +70,16 @@ jobs:
   mypy:
     runs-on: ubuntu-latest
     timeout-minutes: 5
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
         py: ["3.11", "3.12", "3.13", "3.14"]
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
+      with:
+        persist-credentials: false
     - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
       with:
         python-version: ${{ matrix.py }}
@@ -83,14 +92,17 @@ jobs:
   stubtest:
     runs-on: ${{ matrix.os }}
     timeout-minutes: 5
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
         py: ["3.11", "3.12", "3.13", "3.14"]
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
+      with:
+        persist-credentials: false
     - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
       with:
         python-version: ${{ matrix.py }}

.github/workflows/docs.yml

@@ -24,7 +24,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
+      with:
+        persist-credentials: false
     - name: Configure Git Credentials
       run: |
         git config user.name github-actions[bot]

.github/workflows/publish-pypi.yml

@@ -18,10 +18,13 @@ jobs:
       id-token: write
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
     - name: setup uv
       uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
       with:
         python-version: "3.14"
+        enable-cache: false
     - name: uv build
       run: uv build
     - name: publish to PyPI

.github/workflows/zizmor.yml

@@ -0,0 +1,29 @@
+name: zizmor
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: ["**"]
+
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  zizmor:
+    name: zizmor
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
+      contents: read # Only needed for private repos. Needed to clone the repo.
+      actions: read # Only needed for private repos. Needed for upload-sarif to read workflow run info.
+    steps:
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
+
+    - name: run zizmor
+      uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3