Improve security of our GitHub Actions

.github/workflows/build_wheels.yml

@@ -5,15 +5,16 @@ on:
     branches: [main, master, 'release*']
     tags: ['*']
 
-permissions:
-  contents: write
-
 jobs:
   build-wheels:
     if: github.repository == 'python/mypy'
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: '3.11'

.github/workflows/docs.yml

@@ -35,6 +35,8 @@ jobs:
       VERIFY_MYPY_ERROR_CODES: 1
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: '3.12'

.github/workflows/mypy_primer.yml

@@ -26,8 +26,6 @@ jobs:
   mypy_primer:
     name: Run mypy_primer
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
     strategy:
       matrix:
         shard-index: [0, 1, 2, 3, 4]
@@ -38,6 +36,7 @@ jobs:
         with:
           path: mypy_to_test
           fetch-depth: 0
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: "3.12"
@@ -93,12 +92,20 @@ jobs:
     name: Join artifacts
     runs-on: ubuntu-latest
     needs: [mypy_primer]
-    permissions:
-      contents: read
     steps:
       - name: Merge artifacts
         uses: actions/upload-artifact/merge@v4
         with:
           name: mypy_primer_diffs
           pattern: mypy_primer_diffs-*
           delete-merged: true
+
+  call_comment_workflow:
+    name: Call mypy_primer_comment workflow
+    needs: [join_artifacts]
+    permissions:
+      contents: read
+      pull-requests: write
+    uses: ./.github/workflows/mypy_primer_comment.yml
+    with:
+      workflow_id: ${{ github.run_id }}

.github/workflows/mypy_primer_comment.yml

@@ -1,11 +1,11 @@
 name: Comment with mypy_primer diff
 
 on:
-  workflow_run:
-    workflows:
-      - Run mypy_primer
-    types:
-      - completed
+  workflow_call:
+    inputs:
+      workflow_id:
+        required: true
+        type: number
 
 permissions:
   contents: read
@@ -15,17 +15,18 @@ jobs:
   comment:
     name: Comment PR from mypy_primer
     runs-on: ubuntu-latest
-    if: ${{ github.event.workflow_run.conclusion == 'success' }}
     steps:
       - name: Download diffs
         uses: actions/github-script@v7
+        env:
+          WORKFLOW_ID: ${{ inputs.workflow_id }}
         with:
           script: |
             const fs = require('fs');
             const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
                owner: context.repo.owner,
                repo: context.repo.repo,
-               run_id: ${{ github.event.workflow_run.id }},
+               run_id: process.env.WORKFLOW_ID,
             });
             const [matchArtifact] = artifacts.data.artifacts.filter((artifact) =>
               artifact.name == "mypy_primer_diffs");

.github/workflows/sync_typeshed.yml

@@ -5,20 +5,20 @@ on:
   schedule:
     - cron: "0 0 1,15 * *"
 
-permissions:
-  contents: write
-  pull-requests: write
-
 jobs:
   sync_typeshed:
     name: Sync typeshed
     if: github.repository == 'python/mypy'
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     timeout-minutes: 10
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
         # TODO: use whatever solution ends up working for
         # https://github.com/python/typeshed/issues/8434
       - uses: actions/setup-python@v5

.github/workflows/test.yml

@@ -136,6 +136,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     - name: Debug build
       if: ${{ matrix.debug_build }}
@@ -217,6 +219,8 @@ jobs:
       CC: i686-linux-gnu-gcc
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Install 32-bit build dependencies
         run: |
           sudo dpkg --add-architecture i386 && \

.github/workflows/test_stubgenc.yml

@@ -29,6 +29,8 @@ jobs:
     steps:
 
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     - name: Setup 🐍 3.9
       uses: actions/setup-python@v5

.pre-commit-config.yaml

@@ -18,7 +18,6 @@ repos:
   - repo: https://github.com/python-jsonschema/check-jsonschema
     rev: 0.30.0
     hooks:
-      - id: check-dependabot
       - id: check-github-workflows
   - repo: https://github.com/rhysd/actionlint
     rev: v1.7.4
@@ -29,5 +28,15 @@ repos:
           -ignore=property "allow_failure" is not defined,
           -ignore=SC2(046|086),
         ]
+  - repo: https://github.com/woodruffw/zizmor-pre-commit
+    rev: v1.0.0
+    hooks:
+      - id: zizmor
+  # Should be the last one:
+  - repo: meta
+    hooks:
+      - id: check-hooks-apply
+      - id: check-useless-excludes
+
 ci:
   autoupdate_schedule: quarterly