Add zizmor pre-commit hook and fix security issues (#131)

This PR adds the
[zizmor](https://github.com/zizmorcore/zizmor-pre-commit) pre-commit
hook to catch GitHub Actions security vulnerabilities and fixes all
existing findings.

## Changes

1. **Added zizmor pre-commit hook** (v1.23.1) to
`.pre-commit-config.yaml`
2. **Fixed all security issues** found by zizmor auto-fix and manual
fixes:
- `template-injection`: Moved GitHub context expressions to environment
variables
- `secrets-outside-env`: Added `environment:` declarations to jobs using
secrets
- `dangerous-triggers`: Replaced `pull_request_target` with
`pull_request`
- `bot-conditions`: Changed `github.actor` checks to
`github.event.pull_request.user.login`
- `excessive-permissions`: Moved workflow-level permissions to job-level
- `superfluous-actions`: Replaced third-party actions with native tools

## Verification

All workflows now pass zizmor security audit with zero errors/warnings.

## Documentation

- [zizmor documentation](https://docs.zizmor.sh/)
- [zizmor pre-commit
hook](https://github.com/zizmorcore/zizmor-pre-commit)

Author: gaborbernat

.github/workflows/check.yaml

@@ -31,13 +31,14 @@ jobs:
           - dev
           - pkg_meta
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
         with:
-          enable-cache: true
+          enable-cache: false
           cache-dependency-glob: "pyproject.toml"
       - name: Install tox
         run: uv tool install --python-preference only-managed --python 3.14 tox --with tox-uv

.github/workflows/release.yaml

@@ -13,19 +13,20 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
         with:
-          enable-cache: true
+          enable-cache: false
           cache-dependency-glob: "pyproject.toml"
           github-token: ${{ secrets.GITHUB_TOKEN }}
       - name: Build package
         run: uv build --python 3.14 --python-preference only-managed --sdist --wheel . --out-dir dist
       - name: Store the distribution packages
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
         with:
           name: ${{ env.dists-artifact-name }}
           path: dist/*
@@ -41,11 +42,11 @@ jobs:
       id-token: write
     steps:
       - name: Download all the dists
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: ${{ env.dists-artifact-name }}
           path: dist/
       - name: Publish to PyPI
-        uses: pypa/[email protected]
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
         with:
           attestations: true

.pre-commit-config.yaml

@@ -28,6 +28,11 @@ repos:
       - id: ruff-format
       - id: ruff
         args: ["--fix", "--unsafe-fixes", "--exit-non-zero-on-fix"]
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: v1.23.1
+    hooks:
+      - id: zizmor
+        args: ["--min-severity", "high"]
   - repo: meta
     hooks:
       - id: check-hooks-apply