Add zizmor to CI

Author: berquist

.github/workflows/ci.yml

@@ -10,6 +10,8 @@ concurrency:
   group: ci-${{github.ref}}-${{github.event.pull_request.number || github.run_number}}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   prechecks:
     uses: ./.github/workflows/pre-commit.yml

.github/workflows/nix.yml

@@ -10,6 +10,8 @@ concurrency:
   group: nix-${{github.ref}}-${{github.event.pull_request.number || github.run_number}}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   nix-build:
     runs-on: ubuntu-latest
@@ -25,5 +27,7 @@ jobs:
           authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
       # Checkout of the current head in the working dir
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
       - name: Check nix flake
         run: nix flake check -L

.github/workflows/pre-commit.yml

@@ -9,13 +9,17 @@ concurrency:
   group: style-${{github.ref}}-${{github.event.pull_request.number || github.run_number}}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   pre-commit:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
       - name: install dependencies for sorting regressionfiles.yaml
         run: |
           python -m pip install 'ruamel.yaml'
-      - uses: pre-commit/action@v3.0.1
+      - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1

.pre-commit-config.yaml

@@ -51,3 +51,8 @@ repos:
       - id: actionlint
         additional_dependencies:
           - "github.com/wasilibs/go-shellcheck/cmd/shellcheck@v0.10.0"
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: "v1.9.0"
+    hooks:
+      - id: zizmor
+        args: [--no-progress, --persona=pedantic]