ci: add zizmor pre-commit hook and fix issues (#125)

radoering · web-flow · commit 5124fb928db9 · 2024-12-09T18:50:08.000-08:00
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -31,6 +31,8 @@ jobs:
         shell: bash
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -10,6 +10,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - run: pipx run build
 
@@ -28,15 +30,18 @@ jobs:
     steps:
       # We need to be in a git repo for gh to work.
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: distfiles
           path: dist/
 
-      - run: gh release upload ${{ github.event.release.tag_name }} dist/*.{tar.gz,whl}
+      - run: gh release upload "${TAG_NAME}" dist/*.{tar.gz,whl}
         env:
           GH_TOKEN: ${{ github.token }}
+          TAG_NAME: ${{ github.event.release.tag_name }}
 
   upload-pypi:
     name: Upload (PyPI)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -23,3 +23,11 @@ repos:
     hooks:
       - id: ruff
       - id: ruff-format
+
+  - repo: https://github.com/woodruffw/zizmor-pre-commit
+    rev: v0.8.0
+    hooks:
+      - id: zizmor
+        # types and files can be removed with https://github.com/woodruffw/zizmor-pre-commit/pull/2
+        types: [yaml]
+        files: \.github/workflows/.*$
