fix zizmor issues

john0isaac · john0isaac · commit 9356fe4bbcf3 · 2026-05-09T22:46:01.000+03:00
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -11,6 +11,8 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    cooldown:
+      default-days: 7
     groups:
       github-actions:
         patterns:
@@ -21,6 +23,8 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    cooldown:
+      default-days: 7
     groups:
       python-requirements:
         patterns:
diff --git a/.github/workflows/devcontainer-ci.yaml b/.github/workflows/devcontainer-ci.yaml
@@ -21,6 +21,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Use Node.js 20.x
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
diff --git a/.github/workflows/labeler.yaml b/.github/workflows/labeler.yaml
@@ -2,7 +2,7 @@ name: Pull Request Labeler
 
 on:
   workflow_dispatch:
-  pull_request_target:
+  pull_request:
 
 permissions:
   contents: read
@@ -13,4 +13,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
     - uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6.1.0
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -8,6 +8,7 @@ on:
 
 permissions:
   contents: read
+  id-token: write
 
 jobs:
   release-pypi:
@@ -27,6 +28,4 @@ jobs:
       - name: Build distributions
         run: uv build
       - name: Upload to PyPI
-        env:
-          UV_PUBLISH_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
-        run: uv publish
+        run: uv publish --trusted-publishing always
