ci: adopt zizmor for this repo's own workflows (#799)

Add the zizmor pre-commit hook and a .github/zizmor.yml (unpinned-uses
relaxed to ref-pin, since actions are maintained via Dependabot), then make
all workflows and the composite action zizmor-clean:

- excessive-permissions: top-level permissions: {} with minimal per-job
  grants in ci.yml and cd.yml.
- artipacked: persist-credentials: false on all checkouts.
- template-injection: pass inputs through env vars in action.yml.
- github-app: scope the bump bot's app token to contents + pull-requests.
- dependabot-cooldown: add a 7-day cooldown for actions.
- dangerous-triggers: documented ignore for the RTD preview
  pull_request_target (no untrusted checkout, gated on fork == false).

Assisted-by: ClaudeCode:claude-opus-4.8

Author: henryiii

.github/dependabot.yml

@@ -5,6 +5,8 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+    cooldown:
+      default-days: 7
     groups:
       actions:
         patterns:

.github/workflows/bump.yml

@@ -18,7 +18,12 @@ jobs:
         with:
           app-id: ${{ secrets.APP_ID }}
           private-key: ${{ secrets.APP_PRIVATE_KEY }}
+          # Scope the token to only what the PR creation needs
+          permission-contents: write
+          permission-pull-requests: write
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - uses: astral-sh/setup-uv@v8.2.0
       - run: uvx nox -s pc_bump
         env:

.github/workflows/cd.yml

@@ -6,14 +6,19 @@ on:
     types:
       - published
 
+permissions: {}
+
 jobs:
   dist:
     name: Distribution build
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - uses: actions/checkout@v6
         with:
+          persist-credentials: false
           fetch-depth: 0
 
       - uses: hynek/build-and-inspect-python-package@v2

.github/workflows/ci.yml

@@ -11,23 +11,34 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   change-detection:
+    permissions:
+      contents: read
+      pull-requests: read
     uses: ./.github/workflows/reusable-change-detection.yml
 
   cookie:
     needs: change-detection
     if: fromJSON(needs.change-detection.outputs.run-cookie)
+    permissions:
+      contents: read
     uses: ./.github/workflows/reusable-cookie.yml
 
   rr-tests:
     needs: change-detection
     if: fromJSON(needs.change-detection.outputs.run-rr)
+    permissions:
+      contents: read
     uses: ./.github/workflows/reusable-rr-tests.yml
 
   docs:
     needs: change-detection
     if: fromJSON(needs.change-detection.outputs.run-docs)
+    permissions:
+      contents: read
     uses: ./.github/workflows/reusable-docs.yml
 
   pass:

.github/workflows/docs-link.yml

@@ -1,6 +1,9 @@
 name: Read the Docs PR preview
 
 on:
+  # zizmor: ignore[dangerous-triggers]
+  # pull_request_target is required so the RTD preview can comment on PRs from
+  # forks; no untrusted code is checked out, and it is gated on `fork == false`.
   pull_request_target:
     types:
       - opened

.github/workflows/reusable-change-detection.yml

@@ -23,6 +23,8 @@ jobs:
       run-docs: ${{ steps.docs-changes.outputs.run-docs || false }}
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Changed cookie-related files
         if: github.event_name == 'pull_request'

.github/workflows/reusable-cookie.yml

@@ -14,6 +14,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Lint all
         run: pipx run nox -s 'lint'
@@ -33,6 +35,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-python@v6
         with:
@@ -105,6 +109,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-python@v6
         with:
@@ -172,6 +178,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Build sdist and wheel
         run: pipx run nox -s dist

.github/workflows/reusable-docs.yml

@@ -10,6 +10,8 @@ jobs:
     timeout-minutes: 10
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - uses: oven-sh/setup-bun@v2
 

.github/workflows/reusable-rr-tests.yml

@@ -21,6 +21,7 @@ jobs:
     steps:
       - uses: actions/checkout@v6
         with:
+          persist-credentials: false
           fetch-depth: 0
 
       - uses: actions/setup-python@v6
@@ -41,6 +42,7 @@ jobs:
     steps:
       - uses: actions/checkout@v6
         with:
+          persist-credentials: false
           fetch-depth: 0
 
       - name: Run sp-repo-review action
@@ -52,6 +54,7 @@ jobs:
     steps:
       - uses: actions/checkout@v6
         with:
+          persist-credentials: false
           fetch-depth: 0
 
       - uses: actions/setup-python@v6
@@ -71,6 +74,7 @@ jobs:
     steps:
       - uses: actions/checkout@v6
         with:
+          persist-credentials: false
           fetch-depth: 0
 
       - uses: actions/setup-python@v6

.github/zizmor.yml

@@ -0,0 +1,8 @@
+# Configuration for zizmor (https://docs.zizmor.sh)
+rules:
+  unpinned-uses:
+    config:
+      # Actions are kept up to date with Dependabot, so a ref (tag) pin is
+      # sufficient; hash pinning is not required.
+      policies:
+        "*": ref-pin