ci: add zizmor pre-commit hook and fix issues (#9895)

.github/workflows/.tests-matrix.yaml

@@ -32,6 +32,8 @@ jobs:
     if: inputs.run-mypy
     steps:
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+        with:
+          persist-credentials: false
 
       - uses: ./.github/actions/bootstrap-poetry
         id: bootstrap-poetry
@@ -56,6 +58,8 @@ jobs:
     if: inputs.run-pytest
     steps:
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+        with:
+          persist-credentials: false
 
       - uses: ./.github/actions/bootstrap-poetry
         with:
@@ -79,6 +83,7 @@ jobs:
     steps:
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
+          persist-credentials: false
           path: poetry
 
       - uses: ./poetry/.github/actions/bootstrap-poetry
@@ -95,6 +100,7 @@ jobs:
       - name: Check out poetry-plugin-export
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
+          persist-credentials: false
           path: poetry-plugin-export
           repository: python-poetry/poetry-plugin-export
           ref: refs/tags/${{ steps.poetry-plugin-export-version.outputs.version }}
@@ -104,8 +110,10 @@ jobs:
         # Replace the python version to avoid conflicts
         # if the plugin still supports a wider range than Poetry itself.
         run: |
-          perl -pi -e 's/^python =.*$/python = "~${{ inputs.python-version }}"/' pyproject.toml
+          perl -pi -e 's/^python =.*$/python = "~'"${PYTHON_VERSION}"'"/' pyproject.toml
           poetry add --lock --group dev ../poetry
+        env:
+          PYTHON_VERSION: ${{ inputs.python-version }}
 
       # This step can be removed after having released a poetry-plugin-export version
       # that has cffi>=1.17.0 in its lock file.

.github/workflows/backport.yaml

@@ -1,7 +1,7 @@
 name: Backport
 
 on:
-  pull_request_target:
+  pull_request_target:  # zizmor: ignore[dangerous-triggers]
     types:
       - closed
       - labeled

.github/workflows/docs.yaml

@@ -5,7 +5,7 @@ on:
     # allow repository maintainers to modify and test workflow
     paths:
       - ".github/workflows/docs.yaml"
-  pull_request_target:
+  pull_request_target:  # zizmor: ignore[dangerous-triggers]
     # enable runs for this workflow when labeled as documentation only
     # prevent execution when the workflow itself is modified from a fork
     types:
@@ -27,19 +27,22 @@ jobs:
     steps:
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
+          persist-credentials: false
           repository: python-poetry/website
 
       # use .github from pull request target instead of pull_request.head
       # for pull_request_target trigger to avoid arbitrary code execution
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
+          persist-credentials: false
           path: poetry-github
           sparse-checkout: .github
 
       # only checkout docs from pull_request.head to not use something else by accident
       # for pull_request_target trigger (security)
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
+          persist-credentials: false
           path: poetry-docs
           ref: ${{ github.event.pull_request.head.sha }}
           sparse-checkout: docs

.github/workflows/release.yaml

@@ -10,6 +10,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+        with:
+          persist-credentials: false
 
       - run: pipx run build
 
@@ -28,15 +30,18 @@ jobs:
     steps:
       # We need to be in a git repo for gh to work.
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+        with:
+          persist-credentials: false
 
       - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
         with:
           name: distfiles
           path: dist/
 
-      - run: gh release upload ${{ github.event.release.tag_name }} dist/*.{tar.gz,whl}
+      - run: gh release upload "${TAG_NAME}" dist/*.{tar.gz,whl}
         env:
           GH_TOKEN: ${{ github.token }}
+          TAG_NAME: ${{ github.event.release.tag_name }}
 
   upload-pypi:
     name: Upload (PyPI)

.github/workflows/tests.yaml

@@ -24,6 +24,8 @@ jobs:
       tests: ${{ steps.changes.outputs.tests }}
     steps:
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+        with:
+          persist-credentials: false
 
       - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
         id: changes
@@ -55,6 +57,8 @@ jobs:
     needs: changes
     steps:
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+        with:
+          persist-credentials: false
 
       - uses: ./.github/actions/bootstrap-poetry
 
@@ -67,6 +71,8 @@ jobs:
     needs: lockfile
     steps:
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+        with:
+          persist-credentials: false
 
       - run: pipx run build
 
@@ -86,6 +92,8 @@ jobs:
     needs: changes
     steps:
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+        with:
+          persist-credentials: false
 
       - uses: ./.github/actions/bootstrap-poetry
 

.pre-commit-config.yaml

@@ -31,3 +31,11 @@ repos:
     hooks:
       - id: ruff
       - id: ruff-format
+
+  - repo: https://github.com/woodruffw/zizmor-pre-commit
+    rev: v0.8.0
+    hooks:
+      - id: zizmor
+        # types and files can be removed with https://github.com/woodruffw/zizmor-pre-commit/pull/2
+        types: [yaml]
+        files: \.github/workflows/.*$