From 31cdc584c58fc66097d9623fc92cd5a6242c650d Mon Sep 17 00:00:00 2001
From: dhernando
Date: Mon, 30 Mar 2026 11:02:51 +0200
Subject: [PATCH 1/3] chore fix zizmor ignore rule setting with a config file instead of inlining
---
 .github/workflows/release.yml | 4 ++--
 .github/zizmor.yaml | 4 ++++
 2 files changed, 6 insertions(+), 2 deletions(-)
 create mode 100644 .github/zizmor.yaml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7a79b4c..59e16b8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -17,8 +17,8 @@ jobs:
 fetch-depth: 0
 persist-credentials: false
- # zizmor: ignore[cache-poisoning] -- mise verifies tool checksums via mise.lock
- - uses: jdx/mise-action@5228313ee0372e111a38da051671ca30fc5a96db # v3.6.3
+
+ - uses: jdx/mise-action@5228313ee0372e111a38da051671ca30fc5a96db # v3.6.3 zizmor: ignore[cache-poisoning] -- mise verifies tool checksums via mise.lock
 with:
 version: 2026.3.8
diff --git a/.github/zizmor.yaml b/.github/zizmor.yaml
new file mode 100644
index 0000000..9b282cd
--- /dev/null
+++ b/.github/zizmor.yaml
@@ -0,0 +1,4 @@
+rules:
+ cache-poisoning:
+ ignore:
+ - release.yml
From 39bf60e2a0498fcd508ebf35925f500b1ce21d44 Mon Sep 17 00:00:00 2001
From: dhernando
Date: Mon, 30 Mar 2026 11:04:51 +0200
Subject: [PATCH 2/3] remove zizmor comment after version
---
 .github/workflows/release.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 59e16b8..69483dd 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -17,8 +17,7 @@ jobs:
 fetch-depth: 0
 persist-credentials: false
-
- - uses: jdx/mise-action@5228313ee0372e111a38da051671ca30fc5a96db # v3.6.3 zizmor: ignore[cache-poisoning] -- mise verifies tool checksums via mise.lock
+ - uses: jdx/mise-action@5228313ee0372e111a38da051671ca30fc5a96db # v3.6.3
 with:
 version: 2026.3.8
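Review bot: The `jdx/mise-action` step in this release job keeps the action's cache enabled, and the only stated reason for silencing `cache-poisoning` is that mise checks tool checksums against `mise.lock`. That check presumably runs when a tool is downloaded and installed; nothing visible here shows it being re-run over tool directories restored from a cache, which is the case the audit is about. For a release workflow, consider turning caching off on this step with `cache: false` under `with:`, after which no ignore rule is needed at all. The same step is touched again in the release.yml hunk of patch 2/3, and the `with:` block may continue past the end of both hunks.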
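Review bot: The ignore entry `- release.yml` in the new `.github/zizmor.yaml` silences `cache-poisoning` for the whole workflow file, where the inline comment it replaces was aimed at the `jdx/mise-action` step alone. Any cache-restoring step added to release.yml later will go unreported. zizmor's config accepts `file:line` and `file:line:col` entries, so `- release.yml:<line of the mise-action step>` keeps the suppression as narrow as before, at the cost of keeping that line number in sync when the workflow is edited. Patch 3/3 adds a comment to this entry but leaves the scope unchanged.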
From 7c9669841440e63a7a11e1d8fe03aeb864e6d6d1 Mon Sep 17 00:00:00 2001
From: dhernando
Date: Mon, 30 Mar 2026 11:06:05 +0200
Subject: [PATCH 3/3] clarify why release.yml ignore rule on cache poisoning
---
 .github/zizmor.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/zizmor.yaml b/.github/zizmor.yaml
index 9b282cd..4826ac7 100644
--- a/.github/zizmor.yaml
+++ b/.github/zizmor.yaml
@@ -1,4 +1,4 @@
 rules:
 cache-poisoning:
 ignore:
- - release.yml
+ - release.yml # cache poisoning on mise is handled with a lockfile
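Review bot: The added comment `# cache poisoning on mise is handled with a lockfile` is vaguer than the wording removed in patch 1/3, which named both the mechanism and the file. Something like `# mise verifies tool checksums via mise.lock; exemption granted for the jdx/mise-action step only` tells the next reader what the exemption relies on and which step it was meant for.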