ci: add zizmor pre-commit hook and fix issues (#170)

Author: radoering

.github/workflows/deploy-preview.yaml

@@ -5,7 +5,7 @@ on:
     # allow repository maintainers to modify and test workflow
     paths:
       - ".github/workflows/deploy-preview.yaml"
-  pull_request_target:
+  pull_request_target: # zizmor: ignore[dangerous-triggers]
     # enable runs for this workflow when labeled as safe only
     # prevent execution when the workflow itself is modified from a fork
     types:
@@ -27,6 +27,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v3
         with:
+          persist-credentials: false
           ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Set up Python

.github/workflows/deploy-production.yaml

@@ -16,6 +16,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v3
+        with:
+          persist-credentials: false
 
       - name: Set up Python
         uses: actions/setup-python@v4

.pre-commit-config.yaml

@@ -31,3 +31,11 @@ repos:
         additional_dependencies:
           - [email protected]
           - [email protected]
+
+  - repo: https://github.com/woodruffw/zizmor-pre-commit
+    rev: v0.8.0
+    hooks:
+      - id: zizmor
+        # types and files can be removed with https://github.com/woodruffw/zizmor-pre-commit/pull/2
+        types: [yaml]
+        files: \.github/workflows/.*$