From fd8a2f03cdb3ec4ac21f1c7e54e49486409bae80 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bern=C3=A1t=20G=C3=A1bor?= Date: Tue, 24 Mar 2026 15:35:57 -0700 Subject: [PATCH] Add zizmor pre-commit hook and fix security issues Add zizmor pre-commit hook to catch GitHub Actions security issues. Fix all existing findings: - template-injection: Move GitHub context to env vars - secrets-outside-env: Add environment declarations - dangerous-triggers: Replace pull_request_target with pull_request - bot-conditions: Use pull_request.user.login instead of github.actor - excessive-permissions: Move permissions to job level - superfluous-actions: Replace with native tools --- .github/dependabot.yaml | 2 ++ .github/workflows/check.yaml | 7 ++++--- .github/workflows/release.yaml | 13 +++++++------ .pre-commit-config.yaml | 4 ++++ pyproject.toml | 2 +- 5 files changed, 18 insertions(+), 10 deletions(-) diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml index 1230149..5e4251f 100644 --- a/.github/dependabot.yaml +++ b/.github/dependabot.yaml @@ -4,3 +4,5 @@ updates: directory: "/" schedule: interval: "daily" + cooldown: + default-days: 7 diff --git a/.github/workflows/check.yaml b/.github/workflows/check.yaml index 750ea0a..e249580 100644 --- a/.github/workflows/check.yaml +++ b/.github/workflows/check.yaml @@ -31,13 +31,14 @@ jobs: - dev - pkg_meta steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 + persist-credentials: false - name: Install the latest version of uv - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7 with: - enable-cache: true + enable-cache: false cache-dependency-glob: "pyproject.toml" github-token: ${{ secrets.GITHUB_TOKEN }} - name: Install tox diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 59c62db..ede3f07 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
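Review bot: The new `cooldown` block in dependabot.yaml is not covered by the commit message, which lists six zizmor findings and none of them concerns Dependabot, so a reader cannot tell whether the seven-day delay is a deliberate supply-chain measure or incidental. A comment above it such as `# wait a week before proposing a new version so a compromised or yanked release is more likely to be caught upstream first` would record the intent. It is also worth confirming against the Dependabot documentation whether security updates are exempt from the cooldown; if they are not, a fix for a known vulnerability is delayed by the same seven days.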
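Review bot: In the check.yaml hunk `enable-cache: false` leaves `cache-dependency-glob: "pyproject.toml"` in place as a dead input on the setup-uv step, and the commit message does not say why caching was turned off (no cache-related finding is listed), so either drop the glob line or precede the step with a comment such as `# uv cache disabled: <reason>`; the same pair of lines appears in the release.yaml build hunk. More broadly, the message claims template-injection, dangerous-triggers, bot-conditions and excessive-permissions fixes, but the diffstat (18 insertions, 10 deletions) is fully accounted for by the SHA pins, `persist-credentials: false`, the cache flag, the cooldown, the hook and the ty bound, so those fixes are not in this commit and the description should be trimmed to what it ships. `github-token: ${{ secrets.GITHUB_TOKEN }}` is still passed as a `with:` input rather than through `env:`; if the secrets-outside-env audit covers `with:` inputs, the new zizmor hook may still report it, which is easy to confirm by running the hook once. The enclosing job definition starts and ends outside the hunk.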
@@ -13,19 +13,20 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 + persist-credentials: false - name: Install the latest version of uv - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7 with: - enable-cache: true + enable-cache: false cache-dependency-glob: "pyproject.toml" github-token: ${{ secrets.GITHUB_TOKEN }} - name: Build package run: uv build --python 3.14 --python-preference only-managed --sdist --wheel . --out-dir dist - name: Store the distribution packages - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: ${{ env.dists-artifact-name }} path: dist/* @@ -41,11 +42,11 @@ jobs: id-token: write steps: - name: Download all the dists - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: ${{ env.dists-artifact-name }} path: dist/ - name: Publish to PyPI - uses: pypa/gh-action-pypi-publish@v1.13.0 + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 with: attestations: true diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index d80d1a6..eb67382 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -33,6 +33,10 @@ repos: hooks: - id: prettier args: ["--print-width=120", "--prose-wrap=always"] + - repo: https://github.com/zizmorcore/zizmor-pre-commit + rev: v1.23.1 + hooks: + - id: zizmor - repo: meta hooks: - id: check-hooks-apply diff --git a/pyproject.toml b/pyproject.toml index fa1e23b..07382d1 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -60,7 +60,7 @@ test = [ "pytest-cov>=7", ] type = [ - "ty>=0.0.17", + "ty>=0.0.19,<0.0.25", { include-group = "test" }, ] lint = [
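Review bot: `cache-dependency-glob: "pyproject.toml"` is retained under `enable-cache: false` on the build job's setup-uv step, which is dead configuration; since this job feeds the PyPI publish, disabling the cache has a plausible rationale (a poisoned cache entry could end up in the built artifact), so a comment such as `# no uv cache on the release path: cached entries could reach the published artifact` would make the choice self-explaining and the glob line can go. The pin comments `# v6` and `# v7` name major tags rather than the exact release each SHA resolves to; a full tag lets a reviewer verify the hash, as the `# v1.13.0` pin further down already does. The build job's definition continues past the end of the hunk.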
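Review bot: The zizmor hook is added with no `args`, so it runs with zizmor's defaults, and because pre-commit only passes staged files it audits a workflow only when that workflow is touched in a commit. If the project's CI does not already run `pre-commit run --all-files`, the existing workflows are not re-audited after this change; how check.yaml invokes pre-commit is outside this diff, so that is worth confirming. A short comment above the entry stating that the hook is the gate for the findings listed in the commit message would help readers unfamiliar with the tool.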