From 7635bc4f260877f201c984c586e3eb2cc9e24395 Mon Sep 17 00:00:00 2001
From: estebany-qd
Date: Fri, 27 Mar 2026 15:15:46 -0500
Subject: [PATCH 1/4] feat: add zizmor security scanner
---
 .github/workflows/lint-workflows.yaml | 23 +++++++++++++++++++++++
 .zizmor.yml | 5 +++++
 2 files changed, 28 insertions(+)
 create mode 100644 .github/workflows/lint-workflows.yaml
 create mode 100644 .zizmor.yml
diff --git a/.github/workflows/lint-workflows.yaml b/.github/workflows/lint-workflows.yaml
new file mode 100644
index 0000000..f55fa06
--- /dev/null
+++ b/.github/workflows/lint-workflows.yaml
@@ -0,0 +1,23 @@
+name: Lint workflows
+on:
+ pull_request:
+ paths:
+ - '.github/workflows/**'
+
+jobs:
+ zizmor:
+ name: Security audit
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ contents: read
+ actions: read
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
+ with:
+ persona: regular
+ min-severity: medium
+ config: .zizmor.yml
diff --git a/.zizmor.yml b/.zizmor.yml
new file mode 100644
index 0000000..13fddac
--- /dev/null
+++ b/.zizmor.yml
@@ -0,0 +1,5 @@
+rules:
+ secrets-outside-env:
+ disable: true
+ dangerous-triggers:
+ disable: true
From f4b2b2d73d7ea8a05a9976bfc74d8a57ee40af5b Mon Sep 17 00:00:00 2001
From: estebany-qd
Date: Fri, 27 Mar 2026 15:20:20 -0500
Subject: [PATCH 2/4] fix: address security findings
---
 .github/workflows/build.yml | 1 +
 .github/workflows/ci.yml | 6 ++++++
 .github/workflows/release.yml | 2 ++
 3 files changed, 9 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 81386c7..788854f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
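Review bot: The audit job in lint-workflows.yaml is triggered only by `pull_request` with a paths filter, so a workflow edit pushed straight to main is never scanned and no code-scanning baseline for the default branch is ever uploaded. On pull requests from forks the `security-events: write` grant is typically not honoured (the token for fork PRs is read-only), so the SARIF upload the zizmor action performs by default would fail for outside contributors, if the repository accepts such PRs. Adding a push trigger with the same filter covers the default branch: `push:` / `branches: [main]` / `paths: ['.github/workflows/**']`. `min-severity: medium` also silently drops low-severity findings; a one-line comment above it, e.g. `# low-severity findings are reviewed manually, not gated`, would record that this is intentional.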
@@ -19,6 +19,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Set up tools
 uses: jdx/mise-action@5228313ee0372e111a38da051671ca30fc5a96db # v3.6.3
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index dc2183c..0d145a5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -17,6 +17,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Set up tools
 uses: jdx/mise-action@5228313ee0372e111a38da051671ca30fc5a96db # v3.6.3
@@ -34,6 +36,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Set up tools
 uses: jdx/mise-action@5228313ee0372e111a38da051671ca30fc5a96db # v3.6.3
@@ -48,6 +52,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Set up tools
 uses: jdx/mise-action@5228313ee0372e111a38da051671ca30fc5a96db # v3.6.3
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 62fc476..4fbc8eb 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -15,10 +15,12 @@ jobs:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
+ persist-credentials: false
 - uses: jdx/mise-action@5228313ee0372e111a38da051671ca30fc5a96db # v3.6.3
 with:
 version: 2026.3.8
+ cache: false
 - name: Run GoReleaser
 run: goreleaser release --clean
From c8b0fd12d40e9027aaf906d4f7af045a037698e6 Mon Sep 17 00:00:00 2001
From: dhernando
Date: Mon, 30 Mar 2026 10:17:12 +0200
Subject: [PATCH 3/4] chore: remove config file and inline the rule ignoring so that it's tunable by workflow instead of global Added mise.lock file so that sha checksums are done when downloading dependencies so that they can be cached
---
 .github/workflows/lint-workflows.yaml | 1 -
 .github/workflows/release.yml | 3 +-
 .github/workflows/releaser-pleaser.yml | 4 +-
 .zizmor.yml | 5 -
 mise.lock | 125 +++++++++++++++++++++++++
 mise.toml | 3 +
 6 files changed, 131 insertions(+), 10 deletions(-)
 delete mode 100644 .zizmor.yml
 create mode 100644 mise.lock
diff --git a/.github/workflows/lint-workflows.yaml b/.github/workflows/lint-workflows.yaml
index f55fa06..7b173c1 100644
--- a/.github/workflows/lint-workflows.yaml
+++ b/.github/workflows/lint-workflows.yaml
@@ -20,4 +20,3 @@ jobs:
 with:
 persona: regular
 min-severity: medium
- config: .zizmor.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4fbc8eb..040688c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -20,9 +20,8 @@ jobs:
 - uses: jdx/mise-action@5228313ee0372e111a38da051671ca30fc5a96db # v3.6.3
 with:
 version: 2026.3.8
- cache: false
 - name: Run GoReleaser
 run: goreleaser release --clean
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # zizmor: ignore[secrets-outside-env]
diff --git a/.github/workflows/releaser-pleaser.yml b/.github/workflows/releaser-pleaser.yml
index 99826f5..c9b3d95 100644
--- a/.github/workflows/releaser-pleaser.yml
+++ b/.github/workflows/releaser-pleaser.yml
@@ -3,7 +3,7 @@ name: releaser-pleaser
 on:
 push:
 branches: [main]
- pull_request_target:
+ pull_request_target: # zizmor: ignore[dangerous-triggers]
 types:
 - edited
 - labeled
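Review bot: Removing `cache: false` in the release.yml hunk (`@@ -20,9 +20,8`) re-enables the Actions cache for the job that publishes the release artifacts, which is presumably the finding the previous patch had silenced. The checksums in mise.lock are, per the commit message, verified when a tool is downloaded, and nothing in this hunk shows that content restored from the cache is re-verified, so a poisoned cache entry could still hand a tampered go or goreleaser binary to the release build — the exposure zizmor's cache-poisoning audit raises for release workflows. The cheap fix is to keep `cache: false` in release.yml only; ci.yml and build.yml can stay cached. If cached installs are in fact re-checked against the lockfile, record that on the step, e.g. `# cache restore is acceptable here: mise re-verifies installs against mise.lock`, so the next reader does not have to rediscover it. The job's trigger and `permissions` lie outside the hunk, so the release classification is inferred from the GoReleaser step.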
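Review bot: The inline `# zizmor: ignore[dangerous-triggers]` on `pull_request_target:` suppresses the finding without recording why the trigger is safe in this workflow. `pull_request_target` runs with the base repository's secrets and a write-capable token on events a PR author (edited) or a triager (labeled) can produce, so the suppression is only sound if the job never checks out or executes PR-head content; the hunks show the releaser-pleaser step but no checkout, so confirm that and pin it in a comment above the trigger, e.g. `# pull_request_target is required so releaser-pleaser can update release PRs; this job must never check out or run PR-head code`. The same applies to the `RELEASER_PLEASER_TOKEN` ignore in the `@@ -23,6 +23,6` hunk: a short comment stating what scope that PAT carries (ideally a fine-grained token limited to this repository) makes the exemption auditable. The `on:` mapping and the job body continue outside the hunks.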
@@ -23,6 +23,6 @@ jobs:
 - name: releaser-pleaser
 uses: apricote/releaser-pleaser@a1ce9493fd3f3abe60f22c37249d257bc10081dc # v0.8.0
 with:
- token: ${{ secrets.RELEASER_PLEASER_TOKEN }}
+ token: ${{ secrets.RELEASER_PLEASER_TOKEN }} # zizmor: ignore[secrets-outside-env]
 extra-files: |
 cmd/qcloud/main.go
diff --git a/.zizmor.yml b/.zizmor.yml
deleted file mode 100644
index 13fddac..0000000
--- a/.zizmor.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-rules:
- secrets-outside-env:
- disable: true
- dangerous-triggers:
- disable: true
diff --git a/mise.lock b/mise.lock
new file mode 100644
index 0000000..b07ea17
--- /dev/null
+++ b/mise.lock
@@ -0,0 +1,125 @@ +# @generated - this file is auto-generated by `mise lock` https://mise.jdx.dev/dev-tools/mise-lock.html + +[[tools."github:golangci/golangci-lint"]] +version = "2.11.3" +backend = "github:golangci/golangci-lint" + +[tools."github:golangci/golangci-lint"."platforms.linux-arm64"] +checksum = "sha256:ee3d95f301359e7d578e6d99c8ad5aeadbabc5a13009a30b2b0df11c8058afe9" +url = "https://github.com/golangci/golangci-lint/releases/download/v2.11.3/golangci-lint-2.11.3-linux-arm64.tar.gz" +url_api = "https://api.github.com/repos/golangci/golangci-lint/releases/assets/370749014" +provenance = "github-attestations" + +[tools."github:golangci/golangci-lint"."platforms.linux-arm64-musl"] +checksum = "sha256:ee3d95f301359e7d578e6d99c8ad5aeadbabc5a13009a30b2b0df11c8058afe9" +url = "https://github.com/golangci/golangci-lint/releases/download/v2.11.3/golangci-lint-2.11.3-linux-arm64.tar.gz" +url_api = "https://api.github.com/repos/golangci/golangci-lint/releases/assets/370749014" +provenance = "github-attestations" + +[tools."github:golangci/golangci-lint"."platforms.linux-x64"] +checksum = "sha256:87bb8cddbcc825d5778b64e8a91b46c0526b247f4e2f2904dea74ec7450475d1" +url = "https://github.com/golangci/golangci-lint/releases/download/v2.11.3/golangci-lint-2.11.3-linux-amd64.tar.gz" +url_api = "https://api.github.com/repos/golangci/golangci-lint/releases/assets/370748984" +provenance = "github-attestations" + +[tools."github:golangci/golangci-lint"."platforms.linux-x64-musl"] +checksum = "sha256:87bb8cddbcc825d5778b64e8a91b46c0526b247f4e2f2904dea74ec7450475d1" +url = "https://github.com/golangci/golangci-lint/releases/download/v2.11.3/golangci-lint-2.11.3-linux-amd64.tar.gz" +url_api = "https://api.github.com/repos/golangci/golangci-lint/releases/assets/370748984" +provenance = "github-attestations" + +[tools."github:golangci/golangci-lint"."platforms.macos-arm64"] +checksum = "sha256:30ee39979c516b9d1adca289a3f93429d130c4c0fda5e57d637850894221f6cc" +url = 
"https://github.com/golangci/golangci-lint/releases/download/v2.11.3/golangci-lint-2.11.3-darwin-arm64.tar.gz" +url_api = "https://api.github.com/repos/golangci/golangci-lint/releases/assets/370749042" +provenance = "github-attestations" + +[tools."github:golangci/golangci-lint"."platforms.macos-x64"] +checksum = "sha256:f93bda1f2cc981fd1326464020494be62f387bbf262706e1b3b644e5afacc440" +url = "https://github.com/golangci/golangci-lint/releases/download/v2.11.3/golangci-lint-2.11.3-darwin-amd64.tar.gz" +url_api = "https://api.github.com/repos/golangci/golangci-lint/releases/assets/370749038" +provenance = "github-attestations" + +[tools."github:golangci/golangci-lint"."platforms.windows-x64"] +checksum = "sha256:cd42e890176bc5cfeb36225a77e66b9410ddd3a59a03551e23f6b210d29e1f67" +url = "https://github.com/golangci/golangci-lint/releases/download/v2.11.3/golangci-lint-2.11.3-windows-amd64.zip" +url_api = "https://api.github.com/repos/golangci/golangci-lint/releases/assets/370749053" +provenance = "github-attestations" + +[[tools."github:goreleaser/goreleaser"]] +version = "2.14.3" +backend = "github:goreleaser/goreleaser" + +[tools."github:goreleaser/goreleaser"."platforms.linux-arm64"] +checksum = "sha256:581a10e53c1176b3e81ee45cf531e02dbf899db0bc7b795669347df4276ce948" +url = "https://github.com/goreleaser/goreleaser/releases/download/v2.14.3/goreleaser_Linux_arm64.tar.gz" +url_api = "https://api.github.com/repos/goreleaser/goreleaser/releases/assets/370190230" +provenance = "github-attestations" + +[tools."github:goreleaser/goreleaser"."platforms.linux-arm64-musl"] +checksum = "sha256:581a10e53c1176b3e81ee45cf531e02dbf899db0bc7b795669347df4276ce948" +url = "https://github.com/goreleaser/goreleaser/releases/download/v2.14.3/goreleaser_Linux_arm64.tar.gz" +url_api = "https://api.github.com/repos/goreleaser/goreleaser/releases/assets/370190230" +provenance = "github-attestations" + +[tools."github:goreleaser/goreleaser"."platforms.linux-x64"] +checksum = 
"sha256:dc7faeeeb6da8bdfda788626263a4ae725892a8c7504b975c3234127d4a44579" +url = "https://github.com/goreleaser/goreleaser/releases/download/v2.14.3/goreleaser_Linux_x86_64.tar.gz" +url_api = "https://api.github.com/repos/goreleaser/goreleaser/releases/assets/370190264" +provenance = "github-attestations" + +[tools."github:goreleaser/goreleaser"."platforms.linux-x64-musl"] +checksum = "sha256:dc7faeeeb6da8bdfda788626263a4ae725892a8c7504b975c3234127d4a44579" +url = "https://github.com/goreleaser/goreleaser/releases/download/v2.14.3/goreleaser_Linux_x86_64.tar.gz" +url_api = "https://api.github.com/repos/goreleaser/goreleaser/releases/assets/370190264" +provenance = "github-attestations" + +[tools."github:goreleaser/goreleaser"."platforms.macos-arm64"] +checksum = "sha256:6dae42fecaed39f36d0ac9ce98f36ee14804e483f5c1446e205796ac91b7be4e" +url = "https://github.com/goreleaser/goreleaser/releases/download/v2.14.3/goreleaser_Darwin_arm64.tar.gz" +url_api = "https://api.github.com/repos/goreleaser/goreleaser/releases/assets/370190287" +provenance = "github-attestations" + +[tools."github:goreleaser/goreleaser"."platforms.macos-x64"] +checksum = "sha256:d8fcc408826058986df90950ce2824ed037e57e3229eb23dcf0badc8d23123bc" +url = "https://github.com/goreleaser/goreleaser/releases/download/v2.14.3/goreleaser_Darwin_x86_64.tar.gz" +url_api = "https://api.github.com/repos/goreleaser/goreleaser/releases/assets/370190276" +provenance = "github-attestations" + +[tools."github:goreleaser/goreleaser"."platforms.windows-x64"] +checksum = "sha256:3deea8ff471aa258a2d99f3e5302971d7028647ae8ddaf103257a8113e485a31" +url = "https://github.com/goreleaser/goreleaser/releases/download/v2.14.3/goreleaser_Windows_x86_64.zip" +url_api = "https://api.github.com/repos/goreleaser/goreleaser/releases/assets/370190313" +provenance = "github-attestations" + +[[tools.go]] +version = "1.26.0" +backend = "core:go" + +[tools.go."platforms.linux-arm64"] +checksum = 
"sha256:bd03b743eb6eb4193ea3c3fd3956546bf0e3ca5b7076c8226334afe6b75704cd" +url = "https://dl.google.com/go/go1.26.0.linux-arm64.tar.gz" + +[tools.go."platforms.linux-arm64-musl"] +checksum = "sha256:bd03b743eb6eb4193ea3c3fd3956546bf0e3ca5b7076c8226334afe6b75704cd" +url = "https://dl.google.com/go/go1.26.0.linux-arm64.tar.gz" + +[tools.go."platforms.linux-x64"] +checksum = "sha256:aac1b08a0fb0c4e0a7c1555beb7b59180b05dfc5a3d62e40e9de90cd42f88235" +url = "https://dl.google.com/go/go1.26.0.linux-amd64.tar.gz" + +[tools.go."platforms.linux-x64-musl"] +checksum = "sha256:aac1b08a0fb0c4e0a7c1555beb7b59180b05dfc5a3d62e40e9de90cd42f88235" +url = "https://dl.google.com/go/go1.26.0.linux-amd64.tar.gz" + +[tools.go."platforms.macos-arm64"] +checksum = "sha256:b1640525dfe68f066d56f200bef7bf4dce955a1a893bd061de6754c211431023" +url = "https://dl.google.com/go/go1.26.0.darwin-arm64.tar.gz" + +[tools.go."platforms.macos-x64"] +checksum = "sha256:1ca28b7703cbea05a65b2a1d92d6b308610ef92f8824578a0874f2e60c9d5a22" +url = "https://dl.google.com/go/go1.26.0.darwin-amd64.tar.gz" + +[tools.go."platforms.windows-x64"] +checksum = "sha256:9bbe0fc64236b2b51f6255c05c4232532b8ecc0e6d2e00950bd3021d8a4d07d4" +url = "https://dl.google.com/go/go1.26.0.windows-amd64.zip" diff --git a/mise.toml b/mise.toml index 9462334..43fcd2b 100644 --- a/mise.toml +++ b/mise.toml @@ -2,3 +2,6 @@ go = "1.26.0" "github:golangci/golangci-lint" = "2.11.3" "github:goreleaser/goreleaser" = "v2.14.3" + +[settings] +lockfile = true From ed0f070be96559ac8f9b06be61b5fa4a991b0dca Mon Sep 17 00:00:00 2001 From: dhernando Date: Mon, 30 Mar 2026 10:23:21 +0200 Subject: [PATCH 4/4] chore: remove zizmor tag on GITHUB_TOKEN, it's an exempt case --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 040688c..92e6440 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -24,4 +24,4 @@ jobs:
 - name: Run GoReleaser
 run: goreleaser release --clean
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # zizmor: ignore[secrets-outside-env]
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}