From 92e02c621231a3da588c1de29305c8980dbbe899 Mon Sep 17 00:00:00 2001
From: Nicholas Junge
Date: Wed, 8 Jan 2025 19:35:25 +0100
Subject: [PATCH] Add zizmor pre-commit hook (#195)

* Add zizmor pre-commit hook, update remaining hooks via `pre-commit autoupdate`.
* Add `persist-credentials: false` to actions/checkout uses, fix up mike action
Based on zizmor's findings. Fixing mike works by supplying the shell command-line inputs as envvars, since they are always fully expanded by the shell, preventing surprise injections at the template level.
---
 .github/actions/mike-docs/action.yaml | 7 +++++--
 .github/workflows/lint-and-test.yaml | 5 +++++
 .github/workflows/release.yaml | 1 +
 .pre-commit-config.yaml | 11 ++++++++---
 4 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/.github/actions/mike-docs/action.yaml b/.github/actions/mike-docs/action.yaml
index 1cf2783c..1a6e7313 100644
--- a/.github/actions/mike-docs/action.yaml
+++ b/.github/actions/mike-docs/action.yaml
@@ -26,10 +26,13 @@ runs:
 shell: bash
 - env:
 DOCS_PRERELEASE: ${{ inputs.pre_release }}
+ INPUTS_PUSH: ${{ inputs.push }}
+ INPUTS_VERSION: ${{ inputs.version }}
+ INPUTS_ALIAS: ${{ inputs.alias }}
 run: |
 MIKE_OPTIONS=( "--update-aliases" )
- if [ "true" = "${{ inputs.push }}" ]; then
+ if [ "true" = "${INPUTS_PUSH}" ]; then
 MIKE_OPTIONS+=( "--push" )
 fi
- uv run mike deploy ${{ inputs.version }} ${{ inputs.alias }} "${MIKE_OPTIONS[@]}"
+ uv run mike deploy "${INPUTS_VERSION}" ${INPUTS_ALIAS} "${MIKE_OPTIONS[@]}"
 shell: bash
diff --git a/.github/workflows/lint-and-test.yaml b/.github/workflows/lint-and-test.yaml
index 0b07668d..4f12ae03 100644
--- a/.github/workflows/lint-and-test.yaml
+++ b/.github/workflows/lint-and-test.yaml
@@ -14,6 +14,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Install uv
 uses: astral-sh/setup-uv@v5
 with: 
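Review bot: On the new `uv run mike deploy "${INPUTS_VERSION}" ${INPUTS_ALIAS} "${MIKE_OPTIONS[@]}"` line, `${INPUTS_ALIAS}` is the only expansion left unquoted, so its value is still word-split and glob-expanded by bash even though it no longer enters the script as template text; if several space-separated aliases are intended, record that with a comment such as `# INPUTS_ALIAS is deliberately unquoted: mike accepts several space-separated aliases`, otherwise quote it the same way as `INPUTS_VERSION`. Moving `inputs.push`, `inputs.version` and `inputs.alias` into `env:` takes them out of the script body, which is the right shape; whether those inputs are constrained by a pattern elsewhere in the action is outside the hunk. Since this commit sets `persist-credentials: false` on the checkout steps in its workflows, a caller of this action that does the same will need to provide explicit credentials for the `--push` path; the calling workflow is not in the diff.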
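Review bot: The checkout steps in all three lint-and-test hunks (`@@ -14`, `@@ -30`, `@@ -43`) and in release.yaml gain `persist-credentials: false`, but the adjacent `actions/checkout@v4` and `astral-sh/setup-uv@v5` references stay pinned to mutable tags rather than commit SHAs, which is the usual next hardening step once an action linter is in place. A comment on the first occurrence would record the intent, e.g. `# persist-credentials: false keeps the job token out of .git/config for later steps`. Whether any later step in these jobs depends on the persisted token (for example a push back to the repository) is not visible from these hunks and is worth confirming before merging.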
@@ -30,6 +32,8 @@ jobs:
 python-version: [ "3.10", 3.11, 3.12, 3.13 ]
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Install uv
 uses: astral-sh/setup-uv@v5
 with:
@@ -43,6 +47,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Install uv
 uses: astral-sh/setup-uv@v5
 with:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 4ca5e0b4..c764d5cd 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -15,6 +15,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Install uv
 uses: astral-sh/setup-uv@v5
 with:
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index add2c7cd..4ef0f21a 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -10,19 +10,24 @@ repos:
 - id: end-of-file-fixer
 - id: mixed-line-ending
 - repo: https://github.com/pre-commit/mirrors-mypy
- rev: v1.13.0
+ rev: v1.14.1
 hooks:
 - id: mypy
 types_or: [ python, pyi ]
 args: [--ignore-missing-imports, --explicit-package-bases]
 - repo: https://github.com/astral-sh/ruff-pre-commit
- rev: v0.8.3
+ rev: v0.8.6
 hooks:
 - id: ruff
 args: [--fix, --exit-non-zero-on-fix]
 - id: ruff-format
 - repo: https://github.com/astral-sh/uv-pre-commit
- rev: 0.5.10
+ rev: 0.5.15
 hooks:
 - id: uv-lock
 name: Lock project dependencies
+ - repo: https://github.com/woodruffw/zizmor-pre-commit
+ rev: v1.0.1
+ hooks:
+ - id: zizmor
+ args: [--min-severity=medium]
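Review bot: `args: [--min-severity=medium]` on the new zizmor hook drops every finding below Medium without recording why that threshold was chosen, so a later reader cannot tell a deliberate policy from an oversight; a comment above the hook such as `# Only Medium and higher findings fail the hook; review lower-severity output manually` would make the choice explicit. The hook is pinned to the tag `v1.0.1`, consistent with the other repos in this file. Whether the hook's default file filter also covers `.github/actions/mike-docs/action.yaml`, which this same commit fixes, depends on the hook definition and is worth confirming so that the action file is actually linted on commit. The three `rev:` bumps are routine.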