ci: add zizmor pre-commit hook and fix issues (#462)

Author: radoering

.github/workflows/downstream.yaml

@@ -23,10 +23,12 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           path: cleo
 
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           path: poetry
           repository: python-poetry/poetry
           ref: ${{ matrix.ref }}

.github/workflows/news.yaml

@@ -12,11 +12,14 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           # `towncrier check` runs `git diff --name-only origin/main...`, which
           # needs a non-shallow clone.
           fetch-depth: 0
 
       - name: Check news entry
         if: "!contains(github.event.pull_request.labels.*.name, 'skip news')"
         run: |
-          pipx run towncrier check --compare-with origin/${{ github.base_ref }}
+          pipx run towncrier check --compare-with "origin/${BASE_REF}"
+        env:
+          BASE_REF: ${{ github.base_ref }}

.github/workflows/release.yaml

@@ -9,11 +9,13 @@ jobs:
     name: Build
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - run: pipx run build
 
-      - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: distfiles
           path: dist/
@@ -27,16 +29,19 @@ jobs:
     needs: build
     steps:
       # We need to be in a git repo for gh to work.
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
-      - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: distfiles
           path: dist/
 
-      - run: gh release upload ${{ github.event.release.tag_name }} dist/*.{tar.gz,whl}
+      - run: gh release upload "${TAG_NAME}" dist/*.{tar.gz,whl}
         env:
           GH_TOKEN: ${{ github.token }}
+          TAG_NAME: ${{ github.event.release.tag_name }}
 
   upload-pypi:
     name: Upload (PyPI)
@@ -48,11 +53,11 @@ jobs:
       id-token: write
     needs: build
     steps:
-      - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: distfiles
           path: dist/
 
-      - uses: pypa/gh-action-pypi-publish@81e9d935c883d0b210363ab89cf05f3894778450 # v1.8.14
+      - uses: pypa/gh-action-pypi-publish@15c56dba361d8335944d31a2ecd17d700fc7bcbc # v1.12.2
         with:
           print-hash: true

.github/workflows/tests.yaml

@@ -29,6 +29,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install Poetry
         run: pipx install poetry

.pre-commit-config.yaml

@@ -26,3 +26,11 @@ repos:
     hooks:
       - id: ruff
       - id: ruff-format
+
+  - repo: https://github.com/woodruffw/zizmor-pre-commit
+    rev: v0.8.0
+    hooks:
+      - id: zizmor
+        # types and files can be removed with https://github.com/woodruffw/zizmor-pre-commit/pull/2
+        types: [yaml]
+        files: \.github/workflows/.*$