chore(security): Pin deps to hash & unify CI templates

Author: vavkamil

.github/workflows/security-zizmor.yml

@@ -1,6 +1,6 @@
 # https://github.com/woodruffw/zizmor
 
-name: Security
+name: Security - zizmor
 
 on:
   push:
@@ -12,28 +12,32 @@ on:
 
 permissions: {}
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   zizmor:
-    # name: zizmor via PyPI
-    runs-on: ubuntu-latest
+    # name: zizmor latest via PyPI
+    runs-on: ubuntu-slim
     permissions:
       contents: read
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6.0.2 # zizmor: ignore[unpinned-uses]
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
       - name: Set up Python
-        uses: actions/setup-python@v6 # zizmor: ignore[unpinned-uses]
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
-          python-version: '3.10.4'
+          python-version-file: '.python-version'
 
       - name: Install Zizmor
         run: |
           python -m pip install --upgrade pip
           pip install $(grep '^zizmor==' requirements.txt)
 
       - name: Run Zizmor
-        run: zizmor .github/workflows
+        run: zizmor --config zizmor.yml .github/workflows

.github/workflows/stargazers.yml

@@ -7,6 +7,10 @@ on:
 
 permissions: {}
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   check-new-links:
     runs-on: ubuntu-latest

.python-version

@@ -0,0 +1 @@
+3.14.3

requirements.txt

@@ -1 +1 @@
-zizmor==1.22.0
+zizmor==1.23.1