Zizmor fixes

.github/workflows/bandit.yml

@@ -14,13 +14,17 @@ on:
 permissions:
   contents: read
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 jobs:
   bandit-analysis:
     name: Run Bandit
     runs-on: ubuntu-latest
     permissions:
       contents: read
-      security-events: write
+      security-events: write  # allow uploading code scanning results
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd

.github/workflows/lint.yml

@@ -3,6 +3,10 @@ name: Lint
 permissions:
   contents: read
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 on:
   push:
     tags-ignore:
@@ -22,6 +26,7 @@ on:
 jobs:
 
   lint:
+    name: Run Static Analysis
     runs-on: ubuntu-latest
     permissions:
       contents: read

.github/workflows/release.yml

@@ -1,6 +1,7 @@
 name: Publish Release
 
-permissions: read-all
+permissions:
+  contents: read
 
 concurrency:
   # stop previous release runs if tag is recreated
@@ -16,22 +17,19 @@ jobs:
   lint:
     permissions:
       contents: read
-      actions: write
     uses: ./.github/workflows/lint.yml
 
   test:
     permissions:
       contents: read
-      actions: write
-      id-token: write
+      id-token: write  # to allow codecov oidc upload
     uses: ./.github/workflows/test.yml
 
   build:
     name: Build Package
     runs-on: ubuntu-latest
     permissions:
       contents: read
-      actions: write
     outputs:
       PACKAGE_NAME: ${{ steps.set-package.outputs.package_name }}
       RELEASE_VERSION: ${{ steps.set-package.outputs.release_version }}

.github/workflows/scorecard.yml

@@ -9,7 +9,12 @@ on:
     branches: [ main ]
   workflow_dispatch:
 
-permissions: read-all
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
   analysis:
@@ -19,8 +24,9 @@ jobs:
       name: scorecard
       deployment: false  # Prevents creating a GitHub deployment object
     permissions:
-      security-events: write
-      id-token: write
+      contents: read
+      security-events: write  # allow uploading code scanning results
+      id-token: write  # to allow OIDC authentication for publishing results to OpenSSF REST API
 
     steps:
       - name: "Checkout code"

.github/workflows/test.yml

@@ -3,6 +3,10 @@ name: Test
 permissions:
   contents: read
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 on:
   push:
     tags-ignore:
@@ -41,13 +45,12 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
-      actions: write
     # Service containers to run with `container-job`
     strategy:
       fail-fast: false
       matrix:
         python-version: ['3.10', '3.11', '3.12', '3.13', '3.14']
-        postgres-version: ['12', '14', 'latest']
+        postgres-version: ['12', '14@sha256:bbb8851608e3ff4901156bf6a4bf90735a9d44ae014c03811bfdb2f9c354b18b', 'latest']
         psycopg-version: ['psycopg2', 'psycopg3']
         django-version:
           - 'dj42' # LTS April 2026
@@ -173,7 +176,6 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
-      actions: write
     env:
       RDBMS: sqlite
       COVERAGE_FILE: linux-py${{ matrix.python-version }}-${{ matrix.django-version }}-sqlite.coverage
@@ -247,7 +249,6 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
-      actions: write
     strategy:
       fail-fast: false
       matrix:
@@ -361,7 +362,6 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
-      actions: write
     env:
       RDBMS: mariadb
       COVERAGE_FILE: linux-py${{ matrix.python-version }}-${{ matrix.django-version }}-${{ matrix.mysqlclient-version }}-mariadb${{ matrix.mariadb-version }}.coverage
@@ -485,7 +485,6 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
-      actions: write
     env:
       RDBMS: oracle
       TEST_PYTHON_VERSION: ${{ matrix.python-version }}
@@ -620,7 +619,6 @@ jobs:
     runs-on: windows-latest
     permissions:
       contents: read
-      actions: write
     env:
       RDBMS: sqlite
       COVERAGE_FILE: windows-py${{ matrix.python-version }}-${{ matrix.django-version }}-sqlite.coverage
@@ -691,7 +689,6 @@ jobs:
     runs-on: macos-latest
     permissions:
       contents: read
-      actions: write
     env:
       RDBMS: sqlite
       COVERAGE_FILE: macos-py${{ matrix.python-version }}-${{ matrix.django-version }}-sqlite.coverage
@@ -762,11 +759,12 @@ jobs:
 
 
   coverage-combine:
+    name: Combine Coverage and Upload to Codecov
     needs: [postgres, sqlite, mysql, mariadb, oracle, windows, macos]
     runs-on: ubuntu-latest
     permissions:
       contents: read
-      id-token: write
+      id-token: write  # for codecov oidc authentication
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:

.github/workflows/update_coc.yml

@@ -1,6 +1,11 @@
 name: Update Code of Conduct
 
-permissions: read-all
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 on:
   workflow_dispatch:
@@ -11,10 +16,10 @@ on:
 
 jobs:
   update_code_of_conduct:
+    name: Update Code of Conduct
     permissions:
-     contents: write
-     issues: write
-     pull-requests: write
+     contents: write  # allow updating the CODE_OF_CONDUCT.md file
+     pull-requests: write  # needed for CoC PR
 
     runs-on: ubuntu-latest
 
@@ -43,12 +48,23 @@ jobs:
       # Create a pull request to merge the changes into the main branch
       - name: Create Pull Request
         if: steps.check_changes.outputs.changed == 'true'
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1
-        with:
-            token: ${{ secrets.GITHUB_TOKEN }}
-            branch: bot-update-coc
-            add-paths: |
-                CODE_OF_CONDUCT.md
-            title: "🤖 Update Code of Conduct 🤖"
-            body: "Update the Code of Conduct with the latest version from the django-commons repository."
-            commit-message: "Update CODE_OF_CONDUCT.md from django-commons"
+        env:
+          GH_TOKEN: ${{ github.token }}
+          BRANCH: update-coc
+          REF_NAME: ${{ github.ref_name }}
+          GH_ACTOR: ${{ github.actor }}
+          GH_ACTOR_ID: ${{ github.actor_id }}
+        run: |
+          git config user.name "$GH_ACTOR"
+          git config user.email "$GH_ACTOR_ID+$GH_ACTOR@users.noreply.github.com"
+
+          git checkout -B "$BRANCH"
+          git add CODE_OF_CONDUCT.md
+          git commit -m "Update Code of Conduct"
+          git push --force-with-lease origin "$BRANCH"
+
+          gh pr view "$BRANCH" >/dev/null 2>&1 || gh pr create \
+            --base "$REF_NAME" \
+            --head "$BRANCH" \
+            --title "Update Code of Conduct" \
+            --body "Automated update."

.github/workflows/zizmor.yml

@@ -14,13 +14,17 @@ on:
 permissions:
   contents: read
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 jobs:
   zizmor-analysis:
     name: Run Zizmor
     runs-on: ubuntu-latest
     permissions:
       contents: read
-      security-events: write
+      security-events: write  # allow uploading code scanning results
 
     steps:
       - name: Checkout repository