chore: add zizmor-pre-commit to limit GH Actions vulnerabilities (#972

)

* chore(pre-commit): add `zizmor-pre-commit`

* ci: fix vulnerabilities reported by zizmor

.github/workflows/main.yml

@@ -21,6 +21,8 @@ jobs:
     steps:
       - name: Check out
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install uv
         uses: astral-sh/setup-uv@v4
@@ -39,7 +41,7 @@ jobs:
         run: rustup component add clippy rustfmt
 
       - name: Run pre-commit
-        run: uvx pre-commit@${{ env.PRE_COMMIT_VERSION }} run -a --show-diff-on-failure
+        run: uvx pre-commit@${PRE_COMMIT_VERSION} run -a --show-diff-on-failure
         env:
           # renovate: datasource=pypi depName=pre-commit
           PRE_COMMIT_VERSION: '4.0.1'
@@ -64,6 +66,8 @@ jobs:
     steps:
       - name: Check out
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install uv
         uses: astral-sh/setup-uv@v4
@@ -101,6 +105,8 @@ jobs:
     steps:
       - name: Check out
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install uv
         uses: astral-sh/setup-uv@v4

.github/workflows/release.yml

@@ -15,6 +15,8 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Export tag
         id: vars
@@ -44,6 +46,8 @@ jobs:
     steps:
       - name: Check out
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Download updated pyproject.toml
         uses: actions/download-artifact@v4
@@ -83,6 +87,8 @@ jobs:
     steps:
       - name: Check out
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Download updated pyproject.toml
         uses: actions/download-artifact@v4
@@ -118,6 +124,8 @@ jobs:
     steps:
       - name: Check out
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Download updated pyproject.toml
         uses: actions/download-artifact@v4
@@ -148,6 +156,8 @@ jobs:
     needs: [set-version]
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install Python
         uses: actions/setup-python@v5
@@ -178,6 +188,8 @@ jobs:
     if: ${{ github.event_name == 'release' }}
     steps:
       - uses: actions/download-artifact@v4
+        with:
+          persist-credentials: false
 
       - name: Install Python
         uses: actions/setup-python@v5
@@ -199,6 +211,8 @@ jobs:
     steps:
       - name: Check out
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install uv
         uses: astral-sh/setup-uv@v4

.github/workflows/validate-codecov-config.yml

@@ -13,5 +13,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Validate codecov configuration
         run: curl -sSL --fail-with-body --data-binary @codecov.yaml https://codecov.io/validate

.github/workflows/validate-renovate-config.yml

@@ -17,6 +17,8 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-node@v4
         with:
           node-version: ${{ env.NODE_VERSION }}

.pre-commit-config.yaml

@@ -51,3 +51,8 @@ repos:
         language: system
         types: [rust]
         pass_filenames: false
+
+  - repo: https://github.com/woodruffw/zizmor-pre-commit
+    rev: "v0.10.0"
+    hooks:
+      - id: zizmor