Harden CI (#1035)

sloria · web-flow · commit be929f32f10c · 2026-04-15T03:06:57.000Z
same as marshmallow-code/marshmallow#2952
diff --git a/.github/workflows/build-release.yml b/.github/workflows/build-release.yml
@@ -7,6 +7,8 @@ on:
   # Run builds nightly to catch incompatibilities with new marshmallow releases
   schedule:
     - cron: "0 0 * * *"
+permissions:
+  contents: read
 jobs:
   tests:
     name: ${{ matrix.name }}
@@ -23,17 +25,21 @@ jobs:
           - { name: "3.14-madev", tox: py314-marshmallowdev }
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
         with:
+          persist-credentials: false
+      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
+        with: # zizmor: ignore[cache-poisoning] cache key is lockfile-derived
           enable-cache: true
       - run: uv run tox -e${{ matrix.tox }}
   build:
     name: Build package
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
         with:
+          persist-credentials: false
+      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
+        with: # zizmor: ignore[cache-poisoning] cache key is lockfile-derived
           enable-cache: true
       - run: uv build
       - run: uvx twine check --strict dist/*
@@ -49,8 +55,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
         with:
+          persist-credentials: false
+      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
+        with: # zizmor: ignore[cache-poisoning] cache key is lockfile-derived
           enable-cache: true
       - run: uv run tox -e lint
   publish-to-pypi:
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -11,6 +11,10 @@ repos:
   hooks:
     - id: check-github-workflows
     - id: check-readthedocs
+- repo: https://github.com/zizmorcore/zizmor-pre-commit
+  rev: v1.24.0
+  hooks:
+    - id: zizmor
 - repo: https://github.com/asottile/blacken-docs
   rev: 1.20.0
   hooks:
