
Harden GitHub Actions with zizmor #1270

Merged: frenck merged 2 commits into main from ci/zizmor-actions on May 27, 2026

Conversation

@frenckatron
Collaborator

Add zizmor to audit the GitHub Actions workflows and fix the findings it reports.

This pins the remaining actions by SHA, limits workflow permissions, disables checkout credential persistence, and removes the extra release upload action in favor of the GitHub CLI that is already available on the runner.

Checks run locally:

  • uv run zizmor .github/workflows/
  • uv run pre-commit run check-yaml --all-files
  • uv run pre-commit run zizmor --all-files
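The three hardening steps the description above lists (an explicit permissions block, actions pinned to a full commit SHA, and persist-credentials: false on checkout) as an added Python check; this is example code, not part of this PR and not zizmor itself. It scans a workflow line by line, flags each of the three, and is run over two constructed sample workflows; the 40-zero SHA in the hardened sample is a placeholder, not a real pin.

```python
import re
from itertools import takewhile
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")

# Constructed "before": no permissions block, tag-pinned action, checkout keeps its token.
BEFORE = """\
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""

# Constructed "after". The 40-zero SHA is a placeholder; a real pin is the commit SHA
# of the reviewed release, with the tag kept in a trailing comment for readability.
AFTER = """\
on: push
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # v4
        with:
          persist-credentials: false
"""

def indent(s: str) -> int:
    return len(s) - len(s.lstrip())

def audit_workflow(text: str) -> list[str]:
    # Returns one finding per issue; an empty list means the workflow passes all three checks.
    lines = text.splitlines()
    findings = []
    if not any(ln.startswith("permissions:") for ln in lines):
        findings.append("missing top-level permissions block (GITHUB_TOKEN gets default scopes)")
    for i, ln in enumerate(lines):
        m = USES_RE.match(ln)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # local and docker references are not pinned by commit SHA
        name, _, ref = m.group(1).partition("@")
        if not SHA_RE.match(ref):
            findings.append(f"line {i + 1}: {name} pinned to {ref!r}, not a full commit SHA")
        if name == "actions/checkout":
            # Only this step's own lines count: those indented deeper than its `- uses:` line.
            own = takewhile(lambda s: not s.strip() or indent(s) > indent(ln), lines[i + 1:])
            if not re.search(r"persist-credentials:\s*false", "\n".join(own)):
                findings.append(f"line {i + 1}: actions/checkout persists GITHUB_TOKEN in .git/config; set persist-credentials: false")
    return findings
```

Running audit_workflow over BEFORE yields three findings and over AFTER none, which mirrors what the PR changes in each workflow file.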

frenckatron added the ci label (Work that improves the continuous integration.) on May 27, 2026
@coderabbitai
Contributor

coderabbitai Bot commented May 27, 2026


No actionable comments were generated in the recent review. 🎉

Commits

Reviewing files that changed from the base of the PR and between 3b85357 and 0b0a9f9.

Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock

Files selected for processing (3)
  • .github/workflows/documentation.yaml
  • .github/workflows/pylint.yaml
  • pyproject.toml

Files skipped from review due to trivial changes (1)
  • pyproject.toml

Files skipped from review as they are similar to previous changes (2)
  • .github/workflows/documentation.yaml
  • .github/workflows/pylint.yaml

Walkthrough

This pull request hardens GitHub Actions workflows with explicit permission blocks and pinned action commit SHAs; it adds a Zizmor workflow and pre-commit hook to validate workflow YAML and declares zizmor as a development dependency.

Changes

Workflow Security Hardening with Zizmor Integration

Layer: Zizmor Tooling Setup
Files: .github/workflows/zizmor.yaml, .pre-commit-config.yaml, pyproject.toml
Summary: New Zizmor workflow runs on pull_request, push, and workflow_dispatch to validate workflow files; pre-commit hook added for local validation; zizmor>=1.25.2 added to dev dependencies.

Layer: Workflow Hardening - Permissions and Action Pinning
Files: .github/workflows/documentation.yaml, .github/workflows/hacs.yaml, .github/workflows/hassfest.yaml, .github/workflows/labels.yaml, .github/workflows/pylint.yaml, .github/workflows/ruff.yaml, .github/workflows/release-drafter.yaml, .github/workflows/tests.yml
Summary: Add explicit permissions blocks (typically contents: read and other minimal scopes) and pin action uses: references to specific commit SHAs; where applicable add persist-credentials: false to checkout steps; documentation workflow pins upload/deploy Pages actions.

Layer: Release and PR Labels Workflow Updates
Files: .github/workflows/pr-labels.yaml, .github/workflows/release.yaml
Summary: PR-Labels workflow trigger changed to pull_request and workflow_call added; explicit pull-requests: read permission added; label-check action pinned to a commit SHA. Release workflow pins checkout and Sigstore signing actions, derives RELEASE_TAG from the release event, and replaces the previous upload action with gh release upload --clobber.

Estimated code review effort: 3 (Moderate), ~20 minutes

Poem

🐰 I hopped through workflows, pinned each busy hare,
With zizmor and hooks I combed the YAML hair.
Permissions trimmed, SHAs tucked in tight,
Now CI sleeps safe through the long night.
Hop, patch, and ship — the pipelines fare!

Pre-merge checks: 5 passed

  • Title check: Passed. The title accurately summarizes the main change: hardening GitHub Actions workflows using zizmor, which is the primary objective of the PR.
  • Description check: Passed. The description is directly related to the changeset, explaining the addition of zizmor, pinning actions by SHA, limiting permissions, and other security hardening measures reflected in the file changes.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


Comment thread on .github/workflows/documentation.yaml (Fixed)

@codecov-commenter

codecov-commenter commented May 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 34.86%. Comparing base (fe195cb) to head (0b0a9f9).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1270   +/-   ##
=======================================
  Coverage   34.86%   34.86%           
=======================================
  Files         117      117           
  Lines        3029     3029           
  Branches      411      411           
=======================================
  Hits         1056     1056           
  Misses       1960     1960           
  Partials       13       13           


Copilot AI left a comment


Pull request overview

This PR hardens the repository’s GitHub Actions posture by adding zizmor (locally via pre-commit and in CI) and applying its recommended workflow security fixes (SHA pinning, tightened permissions, and safer checkout defaults), including simplifying release asset upload to use the runner’s GitHub CLI.

Changes:

  • Add zizmor as a dev dependency and run it via pre-commit and a dedicated GitHub Actions workflow.
  • Pin third-party actions to full commit SHAs and disable actions/checkout credential persistence.
  • Restrict workflow permissions across CI/release workflows and switch release asset upload to gh release upload.

Reviewed changes

Copilot reviewed 13 out of 14 changed files in this pull request and generated no comments.

Summary per file:

  • uv.lock: Adds zizmor to the locked dev dependency set.
  • pyproject.toml: Declares zizmor as a dev dependency.
  • .pre-commit-config.yaml: Adds a zizmor hook scoped to .github/workflows/.
  • .github/workflows/zizmor.yaml: New CI workflow to run zizmor against workflows with minimal permissions.
  • .github/workflows/tests.yml: Pins Codecov action by SHA and retains least-privilege permissions.
  • .github/workflows/ruff.yaml: Adds permissions, pins actions by SHA, and disables checkout credential persistence.
  • .github/workflows/pylint.yaml: Adds permissions, pins actions by SHA, and disables checkout credential persistence.
  • .github/workflows/release.yaml: Pins actions by SHA, disables checkout credential persistence, and uploads release assets via gh.
  • .github/workflows/release-drafter.yaml: Adds explicit permissions and pins Release Drafter action by SHA.
  • .github/workflows/pr-labels.yaml: Switches to pull_request trigger, adds explicit permissions, and pins the label verification action by SHA.
  • .github/workflows/labels.yaml: Adds explicit permissions, pins actions by SHA, and disables checkout credential persistence.
  • .github/workflows/hassfest.yaml: Adds explicit permissions, pins actions by SHA, and disables checkout credential persistence.
  • .github/workflows/hacs.yaml: Adds explicit permissions, pins actions by SHA, and disables checkout credential persistence.
  • .github/workflows/documentation.yaml: Adds explicit permissions, pins actions by SHA, and disables checkout credential persistence; keeps deploy job permissions scoped.


Copilot AI left a comment


Pull request overview

Copilot reviewed 13 out of 14 changed files in this pull request and generated 1 comment.

Comment thread on .github/workflows/documentation.yaml (Outdated)

@frenck frenck merged commit c0d3401 into main May 27, 2026
22 checks passed
@frenck frenck deleted the ci/zizmor-actions branch May 27, 2026 19:25