Merge pull request #53 from hugovk/fix-zizmor

hugovk · web-flow · commit 11174ce8ef9b · 2024-12-08T14:13:29.000+02:00
Fix zizmor findings on CI and add to pre-commit
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -27,6 +27,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - uses: hynek/build-and-inspect-python-package@v2
 
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -15,6 +15,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: "3.x"
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -19,6 +19,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v5
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -33,6 +33,11 @@ repos:
     hooks:
       - id: actionlint
 
+  - repo: https://github.com/woodruffw/zizmor-pre-commit
+    rev: v0.8.0
+    hooks:
+      - id: zizmor
+
   - repo: https://github.com/tox-dev/pyproject-fmt
     rev: v2.5.0
     hooks:
