fix: resolve zizmor workflow linter findings

Add permission comments, concurrency groups, job names, and fix
template injection patterns across all workflow files to satisfy
zizmor pedantic checks run by Super-Linter.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: zkoppert

.github/workflows/auto-labeler.yml

@@ -10,7 +10,7 @@ jobs:
   main:
     permissions:
       contents: read
-      pull-requests: write
+      pull-requests: write # Required to label PRs
     uses: github-community-projects/ospo-reusable-workflows/.github/workflows/auto-labeler.yaml@3b691dff6b68489c8548e1295d125c93c9c29a4e
     with:
       config-name: release-drafter.yml

.github/workflows/codeql.yml

@@ -20,6 +20,10 @@ on:
   schedule:
     - cron: "0 0 * * 1"
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 
@@ -28,9 +32,9 @@ jobs:
     name: Analyze
     runs-on: ubuntu-latest
     permissions:
-      actions: read
-      contents: read
-      security-events: write
+      actions: read # Required for CodeQL analysis
+      contents: read # Required to checkout code
+      security-events: write # Required to upload SARIF results
 
     strategy:
       fail-fast: false

.github/workflows/contributors_report.yaml

@@ -5,6 +5,10 @@ on:
   schedule:
     - cron: "3 2 1 * *"
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
 permissions:
   contents: read
 
@@ -13,7 +17,7 @@ jobs:
     name: contributor report
     runs-on: ubuntu-latest
     permissions:
-      issues: write
+      issues: write # Required to create/update issues
 
     steps:
       - name: Harden the runner (Audit all outbound calls)

.github/workflows/copilot-setup-steps.yml

@@ -11,6 +11,10 @@ on:
     paths:
       - .github/workflows/copilot-setup-steps.yml
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 # Set the permissions to the lowest permissions possible needed for your steps.
 # Copilot will be given its own token for its operations.
 permissions:
@@ -20,6 +24,7 @@ permissions:
 jobs:
   # The job MUST be called `copilot-setup-steps` or it will not be picked up by Copilot.
   copilot-setup-steps:
+    name: Copilot setup steps
     runs-on: ubuntu-latest
 
     # You can define any steps you want, and they will run before the agent starts.

.github/workflows/dependency-review.yml

@@ -9,11 +9,16 @@
 name: "Dependency Review"
 on: [pull_request]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 
 jobs:
   dependency-review:
+    name: Dependency review
     runs-on: ubuntu-latest
     steps:
       - name: Harden the runner (Audit all outbound calls)

.github/workflows/docker-ci.yml

@@ -7,11 +7,16 @@ on:
   pull_request:
     branches: [main]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 
 jobs:
   build:
+    name: Build Docker image
     runs-on: ubuntu-latest
     steps:
       - name: Harden the runner (Audit all outbound calls)

.github/workflows/mark-ready-when-ready.yml

@@ -16,10 +16,10 @@ jobs:
     name: Mark as ready after successful checks
     runs-on: ubuntu-latest
     permissions:
-      checks: read
-      contents: write
-      pull-requests: write
-      statuses: read
+      checks: read # Required to read check run results
+      contents: write # Required to merge PRs
+      pull-requests: write # Required to update PR status
+      statuses: read # Required to read check statuses
     if: |
       contains(github.event.pull_request.labels.*.name, 'Mark Ready When Ready') &&
       github.event.pull_request.draft == true

.github/workflows/pr-title.yml

@@ -10,8 +10,8 @@ jobs:
   main:
     permissions:
       contents: read
-      pull-requests: read
-      statuses: write
+      pull-requests: read # Required to read PR metadata
+      statuses: write # Required to update commit statuses
     uses: github-community-projects/ospo-reusable-workflows/.github/workflows/pr-title.yaml@3b691dff6b68489c8548e1295d125c93c9c29a4e
     secrets:
       github-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/python-ci.yml

@@ -19,6 +19,7 @@ permissions:
 
 jobs:
   build:
+    name: Build and test
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -38,9 +39,13 @@ jobs:
           version: "0.10.9"
           enable-cache: true
       - name: Set up Python ${{ matrix.python-version }}
-        run: uv python install ${{ matrix.python-version }}
+        env:
+          PYTHON_VERSION: ${{ matrix.python-version }}
+        run: uv python install "$PYTHON_VERSION"
       - name: Install dependencies
-        run: uv sync --frozen --python ${{ matrix.python-version }}
+        env:
+          PYTHON_VERSION: ${{ matrix.python-version }}
+        run: uv sync --frozen --python "$PYTHON_VERSION"
       - name: Lint with flake8 and pylint
         run: |
           make lint

.github/workflows/release.yml

@@ -10,8 +10,8 @@ permissions:
 jobs:
   release:
     permissions:
-      contents: write
-      pull-requests: read
+      contents: write # Required to create releases
+      pull-requests: read # Required to read PR metadata
     uses: github-community-projects/ospo-reusable-workflows/.github/workflows/release.yaml@3b691dff6b68489c8548e1295d125c93c9c29a4e
     with:
       publish: true
@@ -21,10 +21,10 @@ jobs:
   release_image:
     needs: release
     permissions:
-      contents: read
-      packages: write
-      id-token: write
-      attestations: write
+      contents: read # Required to read repository contents
+      packages: write # Required to publish container images
+      id-token: write # Required for OIDC token signing
+      attestations: write # Required to create build attestations
     uses: github-community-projects/ospo-reusable-workflows/.github/workflows/release-image.yaml@3b691dff6b68489c8548e1295d125c93c9c29a4e
     with:
       image-name: ${{ github.repository }}
@@ -38,8 +38,8 @@ jobs:
   release_discussion:
     needs: release
     permissions:
-      contents: read
-      discussions: write
+      contents: read # Required to read repository contents
+      discussions: write # Required to create release discussions
     uses: github-community-projects/ospo-reusable-workflows/.github/workflows/release-discussion.yaml@3b691dff6b68489c8548e1295d125c93c9c29a4e
     with:
       full-tag: ${{ needs.release.outputs.full-tag }}