From c739ae2d45c07dd51668beeb46aea4b8a2e69d47 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Randy=20D=C3=B6ring?= <30527984+radoering@users.noreply.github.com>
Date: Sat, 2 May 2026 10:22:07 +0200
Subject: [PATCH] ci: use zizmor and harden actions
---
 .github/dependabot.yml | 2 ++
 .github/workflows/installer.yml | 6 ++++++
 .pre-commit-config.yaml | 5 +++++
 3 files changed, 13 insertions(+)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 3a626c3..cd83dc8 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,3 +4,5 @@ updates:
 directory: /
 schedule:
 interval: monthly
+ cooldown:
+ default-days: 7
diff --git a/.github/workflows/installer.yml b/.github/workflows/installer.yml
index 8342dec..6fa8e9e 100644
--- a/.github/workflows/installer.yml
+++ b/.github/workflows/installer.yml
@@ -18,6 +18,8 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
 cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+permissions: {}
+
 jobs:
 default:
 name: ${{ matrix.os }} / ${{ matrix.python-version }} / install-poetry.py ${{ matrix.args }}
@@ -48,6 +50,8 @@ jobs:
 shell: bash
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Set up Python ${{ matrix.python-version }}
 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
@@ -103,6 +107,8 @@ jobs:
 shell: bash
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Install Packages
 run: |
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 6e3d155..74df1b8 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -18,3 +18,8 @@ repos:
 rev: v0.15.10
 hooks:
 - id: ruff
+
+ - repo: https://github.com/woodruffw/zizmor-pre-commit
+ rev: v1.24.1
+ hooks:
+ - id: zizmor
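Review bot: The workflow-level `permissions: {}` added at the @@ -18 hunk of .github/workflows/installer.yml strips every scope from GITHUB_TOKEN, yet no job-level `permissions:` block appears in any of this file's hunks, so any step that still relies on the token (a private-repository checkout, or an action that authenticates its API calls with `github.token`) would presumably fail or drop to unauthenticated rate limits. For a public repository the two `actions/checkout` steps at the @@ -48 and @@ -103 hunks can clone without `contents: read`, but it is worth confirming that `actions/setup-python` at the @@ -48 hunk tolerates a scope-less token, or else granting `permissions: contents: read` on the `default` job; both job definitions start outside the hunks. The paired `persist-credentials: false` additions are consistent with the least-privilege intent, with the caveat that any later step in those jobs that fetches or pushes over git will now need explicit credentials. A short comment above the new line, `# least privilege: jobs opt in to the scopes they need`, would make the intent clear to the next person adding a job.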