ci: Add zizmor config file

bdarnell · bdarnell · commit 0f1321817161 · 2025-04-22T15:07:23.000-04:00
This restores behavior of version 1.5.2 to be more lenient for
pypa and astral-sh repos.
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
@@ -0,0 +1,9 @@
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        # By default, actions/*, github/*, and dependabot/* are allowed to be ref-pinned,
+        # while the rest must be hash-pinned. Add pypa and astral-sh as trusted repos
+        # as well.
+        pypa/*: ref-pin
+        astral-sh/setup-uv: ref-pin
