Fix zizmor / ignore some errors

adamtheturtle · adamtheturtle · commit fb43e8b27a7f · 2025-12-29T14:36:41.000Z
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,5 +1,4 @@
 ---
-
 name: Test
 
 on:
@@ -12,9 +11,10 @@ on:
     # Run at 1:00 every day
     - cron: 0 1 * * *
 
+permissions: {}
+
 jobs:
   build:
-
     strategy:
       matrix:
         python-version: ['3.13']
@@ -24,6 +24,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Install uv
         uses: astral-sh/setup-uv@v7
diff --git a/.github/workflows/dependabot-merge.yml b/.github/workflows/dependabot-merge.yml
@@ -1,5 +1,4 @@
 ---
-
 name: Dependabot auto-merge
 on: pull_request
 
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -1,5 +1,4 @@
 ---
-
 name: Lint
 
 on:
@@ -12,9 +11,10 @@ on:
     # Run at 1:00 every day
     - cron: 0 1 * * *
 
+permissions: {}
+
 jobs:
   build:
-
     strategy:
       matrix:
         python-version: ['3.13']
@@ -24,6 +24,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Install uv
         uses: astral-sh/setup-uv@v7
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,5 +1,4 @@
 ---
-
 name: Release
 
 on: workflow_dispatch
@@ -32,6 +31,7 @@ jobs:
           # Also, avoids
           # https://github.com/stefanzweifel/git-auto-commit-action/issues/99.
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Install uv
         uses: astral-sh/setup-uv@v7
@@ -59,8 +59,8 @@ jobs:
         uses: jacobtomlinson/gha-find-replace@v3
         with:
           find: "Next\n----"
-          replace: "Next\n----\n\n${{ steps.calver.outputs.release }}\n${{ steps.changelog_underline.outputs.underline\
-            \ }}"
+          replace: |
+            "Next\n----\n\n${{ steps.calver.outputs.release }}\n${{ steps.changelog_underline.outputs.underline }}"
           include: CHANGELOG.rst
           regex: false
 
diff --git a/zizmor.yml b/zizmor.yml
@@ -2,3 +2,11 @@
 rules:
   unpinned-uses:
     disable: true
+  cache-poisoning:
+    disable: true
+  bot-conditions:
+    disable: true
+  dependabot-cooldown:
+    disable: true
+  template-injection:
+    disable: true

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,4 @@`
`1`	`1`	`---`
`2`		`-`
`3`	`2`	`name: Dependabot auto-merge`
`4`	`3`	`on: pull_request`
`5`	`4`