Add zizmor pre-commit hook and fix security issues

Add zizmor pre-commit hook to catch GitHub Actions security issues.
Fix all existing findings:
- template-injection: Move GitHub context to env vars
- secrets-outside-env: Add environment declarations
- dangerous-triggers: Replace pull_request_target with pull_request
- bot-conditions: Use pull_request.user.login instead of github.actor
- excessive-permissions: Move permissions to job level
- superfluous-actions: Replace with native tools

Author: gaborbernat

.github/dependabot.yaml

@@ -4,3 +4,5 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+    cooldown:
+      default-days: 7

.github/workflows/check.yaml

@@ -31,13 +31,14 @@ jobs:
           - dev
           - pkg_meta
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
         with:
-          enable-cache: true
+          enable-cache: false
           cache-dependency-glob: "pyproject.toml"
           github-token: ${{ secrets.GITHUB_TOKEN }}
       - name: Install tox

.github/workflows/release.yaml

@@ -13,19 +13,20 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
         with:
-          enable-cache: true
+          enable-cache: false
           cache-dependency-glob: "pyproject.toml"
           github-token: ${{ secrets.GITHUB_TOKEN }}
       - name: Build package
         run: uv build --python 3.14 --python-preference only-managed --sdist --wheel . --out-dir dist
       - name: Store the distribution packages
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
         with:
           name: ${{ env.dists-artifact-name }}
           path: dist/*
@@ -41,11 +42,11 @@ jobs:
       id-token: write
     steps:
       - name: Download all the dists
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: ${{ env.dists-artifact-name }}
           path: dist/
       - name: Publish to PyPI
-        uses: pypa/gh-action-pypi-publish@v1.13.0
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
         with:
           attestations: true

.pre-commit-config.yaml

@@ -33,6 +33,10 @@ repos:
     hooks:
       - id: prettier
         args: ["--print-width=120", "--prose-wrap=always"]
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: v1.23.1
+    hooks:
+      - id: zizmor
   - repo: meta
     hooks:
       - id: check-hooks-apply

pyproject.toml

@@ -60,7 +60,7 @@ test = [
   "pytest-cov>=7",
 ]
 type = [
-  "ty>=0.0.17",
+  "ty>=0.0.19,<0.0.25",
   { include-group = "test" },
 ]
 lint = [