Add zizmor to CI and fix findings

Author: hugovk

.github/dependabot.yml

@@ -10,3 +10,5 @@ updates:
       actions:
         patterns:
           - "*"
+    cooldown:
+      default-days: 14

.github/workflows/lint.yml

@@ -2,18 +2,19 @@ name: Lint
 
 on: [push, pull_request, workflow_dispatch]
 
+permissions: {}
+
 env:
   FORCE_COLOR: 1
 
-permissions:
-  contents: read
-
 jobs:
   lint:
     runs-on: ubuntu-latest
 
     steps:
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v6
         with:
           python-version: "3.x"

.github/workflows/pypi-package.yml

@@ -8,8 +8,7 @@ on:
       - published
   workflow_dispatch:
 
-permissions:
-  contents: read
+permissions: {}
 
 env:
   FORCE_COLOR: 1
@@ -22,6 +21,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v6
 
       - name: Compile translations

.github/workflows/tests.yml

@@ -2,6 +2,8 @@ name: Tests
 
 on: [push, pull_request, workflow_dispatch]
 
+permissions: {}
+
 env:
   FORCE_COLOR: 1
 
@@ -15,6 +17,8 @@ jobs:
         branch: ["3.14", "3.13", "3.12"]
     steps:
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v6
         with:
           python-version: ${{ matrix.branch }}
@@ -60,6 +64,8 @@ jobs:
         python-version: ["3.12", "3"]
     steps:
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v6
         with:
           python-version: ${{ matrix.python-version }}

.github/zizmor.yml

@@ -0,0 +1,10 @@
+# Configuration for the zizmor static analysis tool, run via pre-commit in CI
+# https://woodruffw.github.io/zizmor/configuration/
+rules:
+  dangerous-triggers:
+    ignore:
+      - documentation-links.yml
+  unpinned-uses:
+    config:
+      policies:
+        "*": ref-pin

.pre-commit-config.yaml

@@ -32,6 +32,11 @@ repos:
     hooks:
       - id: actionlint
 
+  - repo: https://github.com/woodruffw/zizmor-pre-commit
+    rev: v1.17.0
+    hooks:
+      - id: zizmor
+
   - repo: https://github.com/tox-dev/pyproject-fmt
     rev: v2.5.0
     hooks: