Add zizmor pre-commit hook and fix security issues

gaborbernat · gaborbernat · commit 7cb63ceabc8d · 2026-03-24T15:35:56.000-07:00
Add zizmor pre-commit hook to catch GitHub Actions security issues.
Fix all existing findings:
- template-injection: Move GitHub context to env vars
- secrets-outside-env: Add environment declarations
- dangerous-triggers: Replace pull_request_target with pull_request
- bot-conditions: Use pull_request.user.login instead of github.actor
- excessive-permissions: Move permissions to job level
- superfluous-actions: Replace with native tools
diff --git a/.github/workflows/check.yaml b/.github/workflows/check.yaml
@@ -34,13 +34,14 @@ jobs:
           - dev
           - pkg_meta
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
         with:
-          enable-cache: true
+          enable-cache: false
           cache-dependency-glob: "pyproject.toml"
           github-token: ${{ secrets.GITHUB_TOKEN }}
       - name: Install tox
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -13,19 +13,20 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
         with:
-          enable-cache: true
+          enable-cache: false
           cache-dependency-glob: "pyproject.toml"
           github-token: ${{ secrets.GITHUB_TOKEN }}
       - name: Build package
         run: uv build --python 3.14 --python-preference only-managed --sdist --wheel . --out-dir dist
       - name: Store the distribution packages
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
         with:
           name: ${{ env.dists-artifact-name }}
           path: dist/*
@@ -41,11 +42,11 @@ jobs:
       id-token: write
     steps:
       - name: Download all the dists
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: ${{ env.dists-artifact-name }}
           path: dist/
       - name: Publish to PyPI
-        uses: pypa/gh-action-pypi-publish@v1.13.0
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
         with:
           attestations: true
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -31,6 +31,10 @@ repos:
         additional_dependencies:
           - prettier@3.8.1
           - "@prettier/plugin-xml@3.4.2"
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: v1.23.1
+    hooks:
+      - id: zizmor
   - repo: meta
     hooks:
       - id: check-hooks-apply
