Add zizmor as pre-commit hook (#87)

* Run zizmor to pre-commit and update other hooks

* Address feedback from zizmor

* Address new suggestions from ruff

Author: lagru

.github/workflows/cd.yml

@@ -26,6 +26,7 @@ jobs:
       - uses: actions/checkout@v5
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - uses: actions/setup-python@v6
         with:

.github/workflows/ci.yml

@@ -7,6 +7,8 @@ on:
     branches:
       - main
 
+permissions: {}
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -30,10 +32,11 @@ jobs:
       - uses: actions/checkout@v5
         with:
           fetch-depth: 0
+          persist-credentials: false
       - uses: actions/setup-python@v6
         with:
           python-version: "3.x"
-      - uses: pre-commit/action@v3.0.1
+      - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd  # v3.0.1
         with:
           extra_args: --hook-stage manual --all-files
 
@@ -53,6 +56,7 @@ jobs:
       - uses: actions/checkout@v5
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - uses: actions/setup-python@v6
         with:

.pre-commit-config.yaml

@@ -27,8 +27,13 @@ repos:
         args: [--markdown-linebreak-ext=md]
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: "0acff885bcb16381b67930fefb91e460202f172c"  # frozen: v0.12.10
+    rev: "f298305809c552671cc47e0fec0ba43e96c146a2"  # frozen: v0.13.2
     hooks:
       - id: ruff-check
         args: ["--fix", "--show-fixes", "--exit-non-zero-on-fix"]
       - id: ruff-format
+
+  - repo: https://github.com/woodruffw/zizmor-pre-commit
+    rev: 3c10df247c55cf21f75003105b879f145096bd4a  # frozen: v1.14.2
+    hooks:
+      - id: zizmor

tests/test_cache.py

@@ -8,7 +8,7 @@
 
 def test_directory_size():
     assert _cache._directory_size(Path(__file__).parent) > 0
-    with pytest.raises(FileNotFoundError, match="doesn't exist, can't determine size"):
+    with pytest.raises(FileNotFoundError, match=r"doesn't exist, can't determine size"):
         _cache._directory_size(Path("i/don't/exist"))
 
 
@@ -42,7 +42,7 @@ def test_create_validate_cache(tmp_path):
     _cache.create_cache(cache_dir)
     _cache.validate_cache(cache_dir)
 
-    with pytest.raises(FileNotFoundError, match="expected directory .* named .*"):
+    with pytest.raises(FileNotFoundError, match=r"expected directory .* named .*"):
         _cache.validate_cache(tmp_path)
 
 

tests/test_docstrings.py

@@ -29,7 +29,7 @@ def test_as_return_tuple(self):
         assert return_annotation.imports == path_anno.imports | sequence_anno.imports
 
     def test_unexpected_value(self):
-        with pytest.raises(ValueError, match="unexpected '~' in annotation value"):
+        with pytest.raises(ValueError, match=r"unexpected '~' in annotation value"):
             Annotation(value="~.foo")
 
 

tests/test_path_utils.py

@@ -46,7 +46,7 @@ def test_not_a_package(self, tmp_path):
         top_script = tmp_path / "script.py"
         top_script.touch()
 
-        with pytest.raises(TypeError, match=".* must be a Python file or package"):
+        with pytest.raises(TypeError, match=r".* must be a Python file or package"):
             next(walk_source_package(tmp_path))
 
     def test_single_with_docstub_generated_stub(self, tmp_path):