Merge pull request #438 from neutrinoceros/sec/gha-scan

neutrinoceros · web-flow · commit efea5f40261d · 2026-04-08T19:03:47.000+02:00
diff --git a/.github/workflows/bleeding-edge.yaml b/.github/workflows/bleeding-edge.yaml
@@ -13,6 +13,8 @@ on:
   - cron: 0 3 * * 3
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -27,6 +29,7 @@ jobs:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         fetch-depth: 0
+        persist-credentials: false
 
     - uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
       with:
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
@@ -1,10 +1,14 @@
 name: CD
+
 on:
   push:
     tags: v*
   pull_request:
     paths:
     - .github/workflows/cd.yml
+
+permissions: {}
+
 jobs:
   pypi-publish:
     name: Upload release to PyPI
@@ -17,7 +21,11 @@ jobs:
     steps:
     - name: Checkout Source
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
     - uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
+      with:
+        enable-cache: false
     - name: Build distributions
       shell: bash -l {0}
       run: uv build
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -12,6 +12,8 @@ on:
   - cron: 0 3 * * 3
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   tests:
     strategy:
@@ -33,6 +35,8 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
     - uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
       with:
         python-version: ${{ matrix.python-version }}
@@ -57,6 +61,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
     - uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
       with:
         python-version: ${{ matrix.python-version }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -15,6 +15,11 @@ repos:
   - id: check-executables-have-shebangs
   - id: check-toml
 
+- repo: https://github.com/zizmorcore/zizmor-pre-commit
+  rev: v1.23.1
+  hooks:
+  - id: zizmor
+
 - repo: https://github.com/astral-sh/uv-pre-commit
   rev: 0.11.3
   hooks:
