chore: use zizmor action and resolve findings (#261)

miketheman · web-flow · commit 24ce731d9635 · 2026-02-06T11:51:56.000-05:00
* chore(ci): use zizmor action

Signed-off-by: Mike Fiedler &lt;miketheman@gmail.com&gt;

* chore: ratchet down findings

Signed-off-by: Mike Fiedler &lt;miketheman@gmail.com&gt;

---------

Signed-off-by: Mike Fiedler &lt;miketheman@gmail.com&gt;
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -8,7 +8,11 @@ updates:
       all:
         patterns:
           - "*"
+    cooldown:
+      default-days: 7
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "daily"
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -14,6 +14,8 @@ jobs:
        id-token: write
      steps:
        - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+         with:
+           persist-credentials: false
        - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
          with:
            python-version: '3.11'
@@ -32,4 +34,4 @@ jobs:
            --outdir dist/
            .
        - name: Publish package distributions to PyPI
-         uses: pypa/gh-action-pypi-publish@release/v1
+         uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -2,11 +2,15 @@ name: CI
 
 on: [push, pull_request]
 
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
     - name: Set up Python
       uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -18,15 +18,5 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-      - name: Setup Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-      - name: Run zizmor
-        run: pipx run zizmor --format sarif . > results.sarif
-      - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2
-        with:
-          # Path to SARIF file relative to the root of the repository
-          sarif_file: results.sarif
-          # Optional category for the results
-          # Used to differentiate multiple results for one commit
-          category: zizmor
+      - name: Run zizmor 🌈
+        uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
