ci: use zizmor

branchv · branchv · commit ffc827e66d92 · 2026-01-02T15:55:23.000-08:00
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
@@ -4,3 +4,6 @@ updates:
     directory: /
     schedule:
       interval: weekly
+    groups:
+      github-actions:
+        patterns: ["*"]
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -12,12 +12,16 @@ concurrency:
   group: ci-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
-      - uses: j178/prek-action@v1
+      - uses: actions/checkout@v6 # zizmor: ignore[unpinned-uses]
+        with:
+          persist-credentials: false
+      - uses: j178/prek-action@v1 # zizmor: ignore[unpinned-uses]
 
   bootstrap:
     runs-on: ${{ matrix.os }}-latest
diff --git a/.github/workflows/pre_commit_autoupdate.yaml b/.github/workflows/pre_commit_autoupdate.yaml
@@ -4,17 +4,27 @@ on:
   schedule: [cron: "0 0 * * 0"] # weekly
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   update:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - uses: actions/checkout@v6
-      - run: pipx install prek
-      - run: prek autoupdate
-      - uses: peter-evans/create-pull-request@v8
         with:
-          branch: pre-commit-autoupdate
-          title: "pre-commit: autoupdate"
-          body: ""
-          commit-message: "pre-commit: autoupdate"
-          labels: automerge
+          persist-credentials: false
+      - run: pipx install prek
+      - run: prek autoupdate; echo >>.pre-commit-config.yaml
+      - name: Create PR
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          git diff --exit-code && echo No changes to commit && exit 0
+          git config --local user.name "github-actions[bot]"
+          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git checkout -b pre-commit-autoupdate
+          git commit -am "pre-commit: autoupdate"
+          git push -u origin && gh pr create --fill
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -32,6 +32,12 @@ repos:
       - id: codespell
         args: [--ignore-words-list=protols]
 
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: v1.19.0
+    hooks:
+      - id: zizmor
+        args: [--fix=all]
+
   - repo: local
     hooks:
       - id: fish_indent
