🔒️ Add zizmor and fix audit findings (#15316)

2026-04-17 13:28:08 -04:00 · 2026-04-16 14:21:03 +02:00
parent 708606c982
commit 3f4169be1a
23 changed files with 266 additions and 135 deletions
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -6,6 +6,8 @@ on:
      - opened
      - synchronize

+permissions: {}
+
 env:
  # Forks and Dependabot don't have access to secrets
  HAS_SECRETS: ${{ secrets.PRE_COMMIT != '' }}
@@ -18,7 +20,7 @@ jobs:
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
        run: echo "$GITHUB_CONTEXT"
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        name: Checkout PR for own repo
        if: env.HAS_SECRETS == 'true'
        with:
@@ -28,22 +30,25 @@ jobs:
          # And it needs the full history to be able to compute diffs
          fetch-depth: 0
          # A token other than the default GITHUB_TOKEN is needed to be able to trigger CI
-          token: ${{ secrets.PRE_COMMIT }}
+          token: ${{ secrets.PRE_COMMIT }} # zizmor: ignore[secrets-outside-env]
+          persist-credentials: true # Required for `git push` command
      # pre-commit lite ci needs the default checkout configs to work
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        name: Checkout PR for fork
        if: env.HAS_SECRETS == 'false'
        with:
        # To be able to commit it needs the head branch of the PR, the remote one
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0
+          persist-credentials: false
      - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version-file: ".python-version"
      - name: Setup uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
        with:
+          version: "0.11.4"
          cache-dependency-glob: |
            pyproject.toml
            uv.lock
@@ -51,7 +56,7 @@ jobs:
        run: uv sync --locked --extra all
      - name: Run prek - pre-commit
        id: precommit
-        run: uvx prek run --from-ref origin/${GITHUB_BASE_REF} --to-ref HEAD --show-diff-on-failure
+        run: uv run prek run --from-ref origin/${GITHUB_BASE_REF} --to-ref HEAD --show-diff-on-failure
        continue-on-error: true
      - name: Commit and push changes
        if: env.HAS_SECRETS == 'true'
@@ -65,7 +70,7 @@ jobs:
            git commit -m "🎨 Auto format"
            git push
          fi
-      - uses: pre-commit-ci/lite-action@v1.1.0
+      - uses: pre-commit-ci/lite-action@5d6cc0eb514c891a40562a58a8e71576c5c7fb43 # v1.1.0
        if: env.HAS_SECRETS == 'false'
        with:
          msg: 🎨 Auto format
@@ -85,6 +90,6 @@ jobs:
          GITHUB_CONTEXT: ${{ toJson(github) }}
        run: echo "$GITHUB_CONTEXT"
      - name: Decide whether the needed jobs succeeded or failed
-        uses: re-actors/alls-green@release/v1
+        uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
        with:
          jobs: ${{ toJSON(needs) }}