From d731fa5c4de7e98692081a0d52b2c67511955a58 Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Sun, 8 Dec 2024 14:08:37 +0200
Subject: [PATCH] Fix zizmor findings on CI and add to pre-commit

---
 .github/workflows/deploy.yml | 1 +
 .github/workflows/lint.yml   | 2 ++
 .github/workflows/test.yml   | 2 ++
 .pre-commit-config.yaml      | 5 +++++
 4 files changed, 10 insertions(+)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index d110b45..edc7cb9 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -27,6 +27,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - uses: hynek/build-and-inspect-python-package@v2
 
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index d553e49..70ff819 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -15,6 +15,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: "3.x"
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 60a0f19..ff424ca 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -19,6 +19,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v5
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index ed70e52..5b41703 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -33,6 +33,11 @@ repos:
     hooks:
       - id: actionlint
 
+  - repo: https://github.com/woodruffw/zizmor-pre-commit
+    rev: v0.8.0
+    hooks:
+      - id: zizmor
+
   - repo: https://github.com/tox-dev/pyproject-fmt
     rev: 2.2.4
     hooks: