Merge pull request #2770 from VWS-Python/add-zizmor

Add zizmor for GitHub Actions security linting

Author: adamtheturtle

.github/workflows/ci.yml

@@ -1,5 +1,4 @@
 ---
-
 name: Test
 
 on:
@@ -12,9 +11,10 @@ on:
     # Run at 1:00 every day
     - cron: 0 1 * * *
 
+permissions: {}
+
 jobs:
   build:
-
     strategy:
       matrix:
         python-version: ['3.13']
@@ -24,6 +24,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Install uv
         uses: astral-sh/setup-uv@v7

.github/workflows/dependabot-merge.yml

@@ -1,5 +1,4 @@
 ---
-
 name: Dependabot auto-merge
 on: pull_request
 

.github/workflows/lint.yml

@@ -1,5 +1,4 @@
 ---
-
 name: Lint
 
 on:
@@ -12,9 +11,10 @@ on:
     # Run at 1:00 every day
     - cron: 0 1 * * *
 
+permissions: {}
+
 jobs:
   build:
-
     strategy:
       matrix:
         python-version: ['3.13']
@@ -24,6 +24,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Install uv
         uses: astral-sh/setup-uv@v7

.github/workflows/release.yml

@@ -1,5 +1,4 @@
 ---
-
 name: Release
 
 on: workflow_dispatch
@@ -22,7 +21,7 @@ jobs:
 
     steps:
       - uses: actions/checkout@v6
-        with:
+        with:  # zizmor: ignore[artipacked] git-auto-commit-action requires credentials
           # See
           # https://github.com/stefanzweifel/git-auto-commit-action?tab=readme-ov-file#push-to-protected-branches
           token: ${{ secrets.RELEASE_PAT }}

.pre-commit-config.yaml

@@ -40,6 +40,7 @@ ci:
     - vulture
     - vulture-docs
     - yamlfix
+    - zizmor
     - pyrefly
     - pyrefly-docs
 
@@ -371,6 +372,15 @@ repos:
         additional_dependencies: [uv==0.9.5]
         stages: [pre-commit]
 
+      - id: zizmor
+        name: zizmor
+        entry: uv run --extra=dev zizmor .github
+        language: python
+        pass_filenames: false
+        types_or: [yaml]
+        additional_dependencies: [uv==0.9.5]
+        stages: [pre-commit]
+
       - id: sphinx-lint
         name: sphinx-lint
         entry: uv run --extra=dev sphinx-lint --enable=all --disable=line-too-long

pyproject.toml

@@ -79,6 +79,7 @@ optional-dependencies.dev = [
     "vws-python-mock==2025.3.10.1",
     "vws-test-fixtures==2023.3.5",
     "yamlfix==1.19.1",
+    "zizmor==1.19.0",
 ]
 optional-dependencies.release = [ "check-wheel-contents==0.6.3" ]
 urls.Documentation = "https://vws-python.github.io/vws-python/"
@@ -301,6 +302,7 @@ ignore = [
     "tests/**",
     "vuforia_secrets.env.example",
     "lint.mk",
+    "zizmor.yml",
 ]
 
 [tool.deptry]

zizmor.yml

@@ -0,0 +1,12 @@
+---
+rules:
+  unpinned-uses:
+    disable: true
+  cache-poisoning:
+    disable: true
+  bot-conditions:
+    disable: true
+  dependabot-cooldown:
+    disable: true
+  template-injection:
+    disable: true