From ab3c1cbc0ed74693bd2566a07a79aa9d65f4cab8 Mon Sep 17 00:00:00 2001 From: Adam Dangoor Date: Mon, 29 Dec 2025 13:11:32 +0000 Subject: [PATCH 1/5] Add zizmor for GitHub Actions security linting --- .pre-commit-config.yaml | 10 ++++++++++ pyproject.toml | 1 + 2 files changed, 11 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 90934191..f80c2aa4 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -40,6 +40,7 @@ ci: - vulture - vulture-docs - yamlfix + - zizmor - pyrefly - pyrefly-docs @@ -371,6 +372,15 @@ repos: additional_dependencies: [uv==0.9.5] stages: [pre-commit] + - id: zizmor + name: zizmor + entry: uv run --extra=dev zizmor .github + language: python + pass_filenames: false + types_or: [yaml] + additional_dependencies: [uv==0.9.5] + stages: [pre-commit] + - id: sphinx-lint name: sphinx-lint entry: uv run --extra=dev sphinx-lint --enable=all --disable=line-too-long diff --git a/pyproject.toml b/pyproject.toml index fffc77ad..c4fd55a7 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -79,6 +79,7 @@ optional-dependencies.dev = [ "vws-python-mock==2025.3.10.1", "vws-test-fixtures==2023.3.5", "yamlfix==1.19.1", + "zizmor==1.19.0", ] optional-dependencies.release = [ "check-wheel-contents==0.6.3" ] urls.Documentation = "https://vws-python.github.io/vws-python/" From 8e33271b8df067abfb6f40170d644c0a79dd805e Mon Sep 17 00:00:00 2001 From: Adam Dangoor Date: Mon, 29 Dec 2025 13:42:59 +0000 Subject: [PATCH 2/5] Add zizmor config --- zizmor.yml | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 zizmor.yml diff --git a/zizmor.yml b/zizmor.yml new file mode 100644 index 00000000..fd4a958a --- /dev/null +++ b/zizmor.yml @@ -0,0 +1,4 @@ +--- +rules: + unpinned-uses: + disable: true From fb43e8b27a7f85b3250a39b7541aeed8d7d050c2 Mon Sep 17 00:00:00 2001 
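Review bot: The new `zizmor` hook at `@@ -371,6 +372,15 @@` is also added to the `ci:` list in the first hunk (`@@ -40,6 +40,7 @@`), which from its siblings (`vulture`, `yamlfix`, `pyrefly`, all uv-based) looks like pre-commit.ci's `skip:` list, so the audit will presumably run only on developer machines unless a workflow also executes this hook; confirm the lint workflow runs it, otherwise workflow findings are never enforced. The definition itself matches the neighbouring uv hooks (`uv==0.9.5`, `pass_filenames: false`, `stages: [pre-commit]`), but `types_or: [yaml]` means it is triggered by any staged YAML file while always scanning all of `.github`, which deserves a comment. Suggested line above `- id: zizmor`: `# Scans all of .github/ for GitHub Actions security issues; filenames are ignored, any staged YAML triggers it`.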
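Review bot: `unpinned-uses: disable: true` in the new `zizmor.yml` switches the audit off repository-wide, so the tag-pinned actions visible later in this series (`actions/checkout@v6`, `astral-sh/setup-uv@v7`, `jacobtomlinson/gha-find-replace@v3`) are never reported, and neither will any action added in future. A tag is a mutable reference; pinning third-party actions to a commit SHA (Dependabot keeps the trailing version comment current) is the usual mitigation, and presumably the third-party ones are what triggered the finding. If tag pins are a deliberate trade-off, record that in the file and prefer zizmor's per-owner policy configuration to a blanket disable, e.g. under `unpinned-uses:` a `config: policies:` mapping with `"astral-sh/*": ref-pin` and `"*": hash-pin`, so actions from other owners stay checked. At minimum add `# why: <reason>` above `disable: true`.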
From: Adam Dangoor Date: Mon, 29 Dec 2025 14:36:32 +0000 Subject: [PATCH 3/5] Fix zizmor / ignore some errors --- .github/workflows/ci.yml | 6 ++++-- .github/workflows/dependabot-merge.yml | 1 - .github/workflows/lint.yml | 6 ++++-- .github/workflows/release.yml | 6 +++--- zizmor.yml | 8 ++++++++ 5 files changed, 19 insertions(+), 8 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 73e6ce82..ca86af4b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,5 +1,4 @@ --- - name: Test on: @@ -12,9 +11,10 @@ on: # Run at 1:00 every day - cron: 0 1 * * * +permissions: {} + jobs: build: - strategy: matrix: python-version: ['3.13'] @@ -24,6 +24,8 @@ jobs: steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Install uv uses: astral-sh/setup-uv@v7 diff --git a/.github/workflows/dependabot-merge.yml b/.github/workflows/dependabot-merge.yml index 5238c9f6..4932493c 100644 --- a/.github/workflows/dependabot-merge.yml +++ b/.github/workflows/dependabot-merge.yml @@ -1,5 +1,4 @@ --- - name: Dependabot auto-merge on: pull_request diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index fbdc4c6c..4c01f743 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -1,5 +1,4 @@ --- - name: Lint on: @@ -12,9 +11,10 @@ on: # Run at 1:00 every day - cron: 0 1 * * * +permissions: {} + jobs: build: - strategy: matrix: python-version: ['3.13'] @@ -24,6 +24,8 @@ jobs: steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Install uv uses: astral-sh/setup-uv@v7 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 60b4f939..305cecb7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,5 +1,4 @@ --- - name: Release on: workflow_dispatch 
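Review bot: `permissions: {}` at the workflow top level in `ci.yml` (`@@ -12,9 +11,10 @@`, and identically in `lint.yml`) leaves the `build` job's `GITHUB_TOKEN` with no scopes, and the hunk shows no job-level `permissions:` restoring any; checkout of a public repository still works, but any later step that calls the API (uploads, annotations, a private-repo checkout needing `contents: read`) may now get 403, and the job body lies outside the hunk, so verify. If a step needs the token, grant it at job level rather than widening the workflow default. Pairing the empty default with `persist-credentials: false` in the next hunk is the right shape; a comment such as `# No default token scopes; grant per job as needed` above `permissions: {}` would stop the empty mapping being read as a placeholder.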
@@ -32,6 +31,7 @@ jobs: # Also, avoids # https://github.com/stefanzweifel/git-auto-commit-action/issues/99. fetch-depth: 0 + persist-credentials: false - name: Install uv uses: astral-sh/setup-uv@v7 @@ -59,8 +59,8 @@ jobs: uses: jacobtomlinson/gha-find-replace@v3 with: find: "Next\n----" - replace: "Next\n----\n\n${{ steps.calver.outputs.release }}\n${{ steps.changelog_underline.outputs.underline\ - \ }}" + replace: | + "Next\n----\n\n${{ steps.calver.outputs.release }}\n${{ steps.changelog_underline.outputs.underline }}" include: CHANGELOG.rst regex: false diff --git a/zizmor.yml b/zizmor.yml index fd4a958a..f63e179d 100644 --- a/zizmor.yml +++ b/zizmor.yml @@ -2,3 +2,11 @@ rules: unpinned-uses: disable: true + cache-poisoning: + disable: true + bot-conditions: + disable: true + dependabot-cooldown: + disable: true + template-injection: + disable: true From 502ec2e4c18d91ab4c4556bbe5354031f1d7fc17 Mon Sep 17 00:00:00 2001 From: Adam Dangoor Date: Mon, 29 Dec 2025 14:37:41 +0000 Subject: [PATCH 4/5] Ignore zizmor in check-manifest --- pyproject.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/pyproject.toml b/pyproject.toml index c4fd55a7..d1c81f7e 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -302,6 +302,7 @@ ignore = [ "tests/**", "vuforia_secrets.env.example", "lint.mk", + "zizmor.yml", ] [tool.deptry] From 30aee41db18d59beb0864ddef49bf181947a4460 Mon Sep 17 00:00:00 2001 From: Adam Dangoor Date: Mon, 29 Dec 2025 16:11:22 +0000 Subject: [PATCH 5/5] Fix bugbot issues --- .github/workflows/release.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 305cecb7..8bbb38a0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
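Review bot: The four new `disable: true` entries in `zizmor.yml` (`cache-poisoning`, `bot-conditions`, `dependabot-cooldown`, `template-injection`) turn those audits off for every workflow in the repository, including ones not yet written, and none records why. zizmor's config can scope an exemption to the site that triggered it, e.g. `template-injection: ignore: [<workflow>.yml:<line>]`, and the inline `# zizmor: ignore[...]` comment that the last patch in this series uses for `artipacked` does the same per line, keeping the rule live elsewhere. `dependabot-cooldown` is a supply-chain control rather than a style check: it asks `.github/dependabot.yml` to wait before adopting freshly published releases, so the better response is a `cooldown:` block with a `default-days` value in the Dependabot config. Whatever stays disabled should carry a `# why: <reason>` comment next to the rule name.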
@@ -21,7 +21,7 @@ jobs: steps: - uses: actions/checkout@v6 - with: + with: # zizmor: ignore[artipacked] git-auto-commit-action requires credentials # See # https://github.com/stefanzweifel/git-auto-commit-action?tab=readme-ov-file#push-to-protected-branches token: ${{ secrets.RELEASE_PAT }} @@ -31,7 +31,6 @@ jobs: # Also, avoids # https://github.com/stefanzweifel/git-auto-commit-action/issues/99. fetch-depth: 0 - persist-credentials: false - name: Install uv uses: astral-sh/setup-uv@v7 @@ -59,8 +58,8 @@ jobs: uses: jacobtomlinson/gha-find-replace@v3 with: find: "Next\n----" - replace: | - "Next\n----\n\n${{ steps.calver.outputs.release }}\n${{ steps.changelog_underline.outputs.underline }}" + replace: "Next\n----\n\n${{ steps.calver.outputs.release }}\n${{ steps.changelog_underline.outputs.underline\ + \ }}" include: CHANGELOG.rst regex: false
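Review bot: The `# zizmor: ignore[artipacked]` comment on `with:` silences the finding, but with `persist-credentials: false` removed in the next hunk `${{ secrets.RELEASE_PAT }}` is stored in `.git/config` and remains readable by every later step of the job, including the third-party `jacobtomlinson/gha-find-replace@v3`, not only the auto-commit step that needs it. That is an accepted trade-off for pushing to a protected branch, so the mitigation moves to the token: `RELEASE_PAT` should be a fine-grained token limited to this repository with the minimum permission needed to push, and the job's own `permissions:` (outside the hunk) should stay minimal. Extend the comment accordingly, e.g. `# zizmor: ignore[artipacked] git-auto-commit-action needs credentials in .git/config; RELEASE_PAT must be a fine-grained, single-repo token` (split across two lines if the pinned zizmor does not accept trailing text after the bracket).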
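Review bot: The `replace:` input at the end of this hunk relies on a `\`-escaped line break followed by a `\ ` continuation, which is valid YAML but easy to misread, and the intermediate `|` form from patch 3 was wrong for the opposite reason (a literal block keeps the quotes and the `\n` sequences verbatim). A literal block scalar with real newlines yields the identical string with no escapes and short lines: the empty line inside the block is the blank line the old `\n\n` produced, and `|-` strips the trailing newline. This assumes yamlfix leaves block scalars alone, which is worth checking since the `\`-continuation looks like its own reflow.
```yaml
        find: "Next\n----"
        replace: |-
          Next
          ----

          ${{ steps.calver.outputs.release }}
          ${{ steps.changelog_underline.outputs.underline }}
        include: CHANGELOG.rst
```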