ci: run zizmor in CI and noxfile

gotmax23 · gotmax23 · commit c920ae8005c8 · 2025-11-06T19:52:56.000-06:00
- Adds lockfile
- Adds nox session
- Adds nox session to CI matrix
diff --git a/.github/workflows/reusable-nox.yml b/.github/workflows/reusable-nox.yml
@@ -34,6 +34,8 @@ jobs:
           - session: "pip-compile"
             extra-args: "--check"
             python-versions: "3.12"
+          - session: "zizmor"
+            python-versions: "3.12"
     name: "Run nox ${{ matrix.session }} session"
     steps:
       - name: Check out repo
diff --git a/noxfile.py b/noxfile.py
@@ -140,6 +140,15 @@ def actionlint(session: nox.Session) -> None:
     )
 
 
+@nox.session
+def zizmor(session: nox.Session) -> None:
+    """
+    Ren zizmor, a Github Actions security checker
+    """
+    install(session, req="zizmor")
+    session.run("zizmor", "--persona=regular", ".github/workflows")
+
+
 @nox.session
 def lint(session: nox.Session):
     session.notify("typing")
diff --git a/tests/zizmor.in b/tests/zizmor.in
@@ -0,0 +1 @@
+zizmor
diff --git a/tests/zizmor.txt b/tests/zizmor.txt
@@ -0,0 +1,4 @@
+# This file was autogenerated by uv via the following command:
+#    uv pip compile --universal --output-file tests/zizmor.txt tests/zizmor.in
+zizmor==1.16.0
+    # via -r tests/zizmor.in
