chore: add zizmor

Author: drmorr0

.config/zizmor.yml

@@ -0,0 +1,4 @@
+---
+rules:
+  secrets-outside-env:
+    disable: true

.github/workflows/verify.yml

@@ -16,34 +16,38 @@ env:
   RUSTC_WRAPPER: sccache
   IN_CI: "true"
 
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
       - name: Check out repo and build scripts
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           submodules: recursive
+          persist-credentials: false
       - name: Run sccache
-        uses: mozilla-actions/sccache-action@v0.0.7
+        uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad  # v0.0.9
       - name: Build
         run: make build
 
   lint:
     runs-on: ubuntu-latest
     steps:
       - name: Check out repo and build scripts
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           submodules: recursive
+          persist-credentials: false
       - name: Run sccache
-        uses: mozilla-actions/sccache-action@v0.0.7
+        uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad  # v0.0.9
       - name: rustfmt nightly
         run: |
           rustup toolchain install nightly-x86_64-unknown-linux-gnu
           rustup component add rustfmt --toolchain nightly-x86_64-unknown-linux-gnu
       - name: Install Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
         with:
           python-version: "3.13"
       - name: Install pre-commit
@@ -55,20 +59,23 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out repo and build scripts
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           submodules: recursive
+          persist-credentials: false
       - name: Run sccache
-        uses: mozilla-actions/sccache-action@v0.0.7
-      - name: Install grcov
-        run: cargo install grcov
-      - name: Add llvm-tools
-        run: rustup component add llvm-tools-preview
+        uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad  # v0.0.9
+      - name: Install cargo-nextest
+        uses: taiki-e/install-action@0fde6d128a3d980ceac30be8c8b8739abd963b81  # v2.70.0
+        with:
+          tool: cargo-nextest
+      - name: Install cargo-llvm-cov
+        uses: taiki-e/install-action@0fde6d128a3d980ceac30be8c8b8739abd963b81  # v2.70.0
+        with:
+          tool: cargo-llvm-cov
       - name: Test
-        run: make test
-      - name: Compute coverage
-        run: make cover
+        run: make test cover
       - name: Upload coverage
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2  # v6.0.0
         with:
           token: ${{ secrets.CODECOV_TOKEN }}

.pre-commit-config.yaml

@@ -20,3 +20,11 @@ repos:
     hooks:
       - id: fmt
         args: ['--', '--unstable-features']
+  - repo: "https://github.com/zizmorcore/zizmor-pre-commit"
+    rev: v1.23.1
+    hooks:
+      - id: zizmor
+        args:
+          - --fix=all
+          - --config
+          - .config/zizmor.yml