Add Zizmor workflow and make initial updates

nateprewitt · sigmavirus24 · commit cbce031327be · 2026-03-31T21:28:16.000-05:00
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -9,3 +9,5 @@ updates:
       # upgrade if we run into a bug and need a fix.
       - dependency-name: "*"
         update-types: ["version-update:semver-patch"]
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/close-issues.yml b/.github/workflows/close-issues.yml
@@ -5,11 +5,12 @@ on:
     types:
       - labeled
 
-permissions:
-  issues: write
+permissions: {}
 
 jobs:
   close_qa:
+    permissions:
+      issues: write
     if: github.event.label.name == 'actions/autoclose-qa'
     runs-on: ubuntu-latest
     steps:
@@ -22,6 +23,8 @@ jobs:
             --reason completed
           gh issue lock $ISSUE_URL --reason off_topic
   close_feature_request:
+    permissions:
+      issues: write
     if: github.event.label.name == 'actions/autoclose-feat'
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -37,6 +37,7 @@ jobs:
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.
         fetch-depth: 2
+        persist-credentials: false
 
     # If this run was triggered by a pull request event, then checkout
     # the head of the pull request instead of the merge commit.
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -12,6 +12,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
     - name: Set up Python
       uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml
@@ -22,6 +22,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
@@ -45,6 +47,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
       - name: 'Set up Python 3.10'
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
         with:
@@ -65,6 +69,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
       - name: 'Set up Python 3.10'
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
         with:
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -0,0 +1,24 @@
+# Sourced from https://github.com/zizmorcore/zizmor-action
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["**"]
+
+permissions: {}
+
+jobs:
+  zizmor:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor 🌈
+        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
