Merge pull request #1017 from minrk/zizmor

add zizmor config

Author: minrk

.github/workflows/release.yml

@@ -18,15 +18,19 @@ concurrency:
     ${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build-release:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-python@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
-          python-version: 3.11
-          cache: pip
+          python-version: "3.13"
 
       - name: install build package
         run: |
@@ -50,7 +54,7 @@ jobs:
           jupyter server extension list 2>&1 | grep ipyparallel
 
       # ref: https://github.com/actions/upload-artifact#readme
-      - uses: actions/upload-artifact@v7
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: ipyparallel-${{ github.sha }}
           path: "dist/*"
@@ -60,14 +64,14 @@ jobs:
     permissions:
       id-token: write
     environment: release
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     if: startsWith(github.ref, 'refs/tags/')
     needs:
       - build-release
     steps:
-      - uses: actions/download-artifact@v8
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           path: dist
           merge-multiple: true
       - name: Publish wheels to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0

.github/workflows/test-docs.yml

@@ -10,6 +10,9 @@ on:
       - "**"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 env:
   # UTF-8 content may be interpreted as ascii and causes errors without this.
   LANG: C.UTF-8
@@ -24,6 +27,7 @@ jobs:
           # make rediraffecheckdiff requires git history to compare current
           # commit with the main branch and previous releases.
           fetch-depth: 0
+          persist-credentials: false
 
       - uses: actions/setup-python@v6
         with:
@@ -54,7 +58,7 @@ jobs:
         if: github.event_name == 'pull_request'
         run: |
           cd docs
-          export REDIRAFFE_BRANCH=origin/${{ github.base_ref }}
+          export REDIRAFFE_BRANCH=origin/${GITHUB_BASE_REF}
           make rediraffecheckdiff
 
       # this should check currently published 'stable' links for redirects

.github/workflows/test-ssh.yml

@@ -27,6 +27,9 @@ concurrency:
     ${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 env:
   # UTF-8 content may be interpreted as ascii and causes errors without this.
   LANG: C.UTF-8
@@ -49,6 +52,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Get Docker infos
         run: |

.github/workflows/test.yml

@@ -14,6 +14,9 @@ concurrency:
     ${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 env:
   # UTF-8 content may be interpreted as ascii and causes errors without this.
   LANG: C.UTF-8
@@ -51,6 +54,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Cache conda environment
         uses: actions/cache@v5

.github/workflows/windows-ssh-image.yaml

@@ -20,6 +20,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Log in to the Container registry
         uses: docker/login-action@v4

.pre-commit-config.yaml

@@ -24,7 +24,7 @@ repos:
   # than ruff itself
   # but has trouble with isort rules
   - repo: https://github.com/nbQA-dev/nbQA
-    rev: f96ec7f3b26a32619435686eb5813235f7e3327e # frozen: 1.9.1
+    rev: d31b7eae1767c43460afb3ba130e0a6602933abe # frozen: 1.9.1
     hooks:
       - id: nbqa-ruff-format
       - id: nbqa-ruff-check
@@ -36,6 +36,19 @@ repos:
     rev: 515f543f5718ebfd6ce22e16708bb32c68ff96e1 # frozen: v3.8.3
     hooks:
       - id: prettier
+
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: a4727cbbcd26d7098e96b9cb738169b59711ae51 # frozen: v1.24.1
+    hooks:
+      - id: zizmor
+        args:
+          - --fix=all
+      - id: zizmor
+        args:
+          - --fix=all
+          - --config=zizmor-strict.yaml
+        files: .github/workflows/release.yml
+
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c # frozen: v6.0.0
     hooks:

docs/source/changelog.md

@@ -6,6 +6,12 @@ Changes in IPython Parallel
 
 ## 9.1
 
+### 9.2.0 - 2026-05
+
+9.2.0 updates JupyterLab extension dependencies and removes some use of deprecated APIs in ipykernel.
+
+([full changelog](https://github.com/ipython/ipyparallel/compare/9.1.0...9.2.0))
+
 ### 9.1.0 - 2026-03
 
 9.1.0 introduces a new task labeling feature for filtering task results (Thanks, @ottointhesky!).

zizmor-strict.yaml

@@ -0,0 +1,7 @@
+# separate zizmor config for workflows with
+# default
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        "*": hash-pin

zizmor.yaml

@@ -0,0 +1,5 @@
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        "*": ref-pin