From efed73666a4cab3fc78b7dc4374ad8b32a272f27 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Randy=20D=C3=B6ring?= <30527984+radoering@users.noreply.github.com>
Date: Mon, 9 Dec 2024 16:44:57 +0100
Subject: [PATCH] ci: add zizmor pre-commit hook and fix issues (#9895)
---
 .github/workflows/.tests-matrix.yaml | 10 +++++++++-
 .github/workflows/backport.yaml | 2 +-
 .github/workflows/docs.yaml | 5 ++++-
 .github/workflows/release.yaml | 7 ++++++-
 .github/workflows/tests.yaml | 8 ++++++++
 .pre-commit-config.yaml | 8 ++++++++
 6 files changed, 36 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/.tests-matrix.yaml b/.github/workflows/.tests-matrix.yaml
index c3869f1d572..41e93793168 100644
--- a/.github/workflows/.tests-matrix.yaml
+++ b/.github/workflows/.tests-matrix.yaml
@@ -32,6 +32,8 @@ jobs:
 if: inputs.run-mypy
 steps:
 - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+ with:
+ persist-credentials: false
 - uses: ./.github/actions/bootstrap-poetry
 id: bootstrap-poetry
@@ -56,6 +58,8 @@ jobs:
 if: inputs.run-pytest
 steps:
 - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+ with:
+ persist-credentials: false
 - uses: ./.github/actions/bootstrap-poetry
 with:
@@ -79,6 +83,7 @@ jobs:
 steps:
 - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
 with:
+ persist-credentials: false
 path: poetry
 - uses: ./poetry/.github/actions/bootstrap-poetry
@@ -95,6 +100,7 @@ jobs:
 - name: Check out poetry-plugin-export
 uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
 with:
+ persist-credentials: false
 path: poetry-plugin-export
 repository: python-poetry/poetry-plugin-export
 ref: refs/tags/${{ steps.poetry-plugin-export-version.outputs.version }}
@@ -104,8 +110,10 @@ jobs:
 # Replace the python version to avoid conflicts
 # if the plugin still supports a wider range than Poetry itself.
 run: |
- perl -pi -e 's/^python =.*$/python = "~${{ inputs.python-version }}"/' pyproject.toml
+ perl -pi -e 's/^python =.*$/python = "~'"${PYTHON_VERSION}"'"/' pyproject.toml
 poetry add --lock --group dev ../poetry
+ env:
+ PYTHON_VERSION: ${{ inputs.python-version }}
 # This step can be removed after having released a poetry-plugin-export version
 # that has cffi>=1.17.0 in its lock file.
diff --git a/.github/workflows/backport.yaml b/.github/workflows/backport.yaml
index 0e7696f3b89..f05601e3526 100644
--- a/.github/workflows/backport.yaml
+++ b/.github/workflows/backport.yaml
@@ -1,7 +1,7 @@
 name: Backport
 on:
- pull_request_target:
+ pull_request_target: # zizmor: ignore[dangerous-triggers]
 types:
 - closed
 - labeled
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
index 14b982f433d..c198812c75d 100644
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -5,7 +5,7 @@ on:
 # allow repository maintainers to modify and test workflow
 paths:
 - ".github/workflows/docs.yaml"
- pull_request_target:
+ pull_request_target: # zizmor: ignore[dangerous-triggers]
 # enable runs for this workflow when labeled as documentation only
 # prevent execution when the workflow itself is modified from a fork
 types:
@@ -27,12 +27,14 @@ jobs:
 steps:
 - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
 with:
+ persist-credentials: false
 repository: python-poetry/website
 # use .github from pull request target instead of pull_request.head
 # for pull_request_target trigger to avoid arbitrary code execution
 - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
 with:
+ persist-credentials: false
 path: poetry-github
 sparse-checkout: .github
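Review bot: The added `env:` indirection keeps `inputs.python-version` out of the shell text, but the `'"${PYTHON_VERSION}"'` splice still pastes the value into perl's program source, where the replacement side of `s///` is an interpolating string, so a `/`, `$` or `@` in the value would alter the program rather than just the output. Reading the variable from inside perl avoids that second interpretation entirely and drops the quote juggling: `perl -pi -e 's/^python =.*$/python = "~$ENV{PYTHON_VERSION}"/' pyproject.toml`. The input presumably comes from the `tests.yaml` matrix via a reusable-workflow call, so the value is likely trusted today and this is robustness rather than a live exploit. The step's `name:`/`uses:` header begins before this hunk.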
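Review bot: The `# zizmor: ignore[dangerous-triggers]` suppression on `pull_request_target` in backport.yaml records no justification, so a later reader cannot tell whether the trigger was assessed or merely silenced, and the same bare ignore is repeated in docs.yaml. The reason should travel with the suppression, e.g. `pull_request_target: # zizmor: ignore[dangerous-triggers] -- runs only on closed/labeled events and needs the base-repo token to push backport branches; must never check out or execute PR head content`. I can only see the trigger types (`closed`, `labeled`) here, not the jobs, so whether the workflow actually avoids checking out the PR head needs confirming against the rest of the file, which is outside this hunk.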
@@ -40,6 +42,7 @@ jobs:
 # for pull_request_target trigger (security)
 - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
 with:
+ persist-credentials: false
 path: poetry-docs
 ref: ${{ github.event.pull_request.head.sha }}
 sparse-checkout: docs
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 93acf77946e..ee044515a9c 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -10,6 +10,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+ with:
+ persist-credentials: false
 - run: pipx run build
@@ -28,15 +30,18 @@ jobs:
 steps:
 # We need to be in a git repo for gh to work.
 - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+ with:
+ persist-credentials: false
 - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
 with:
 name: distfiles
 path: dist/
- - run: gh release upload ${{ github.event.release.tag_name }} dist/*.{tar.gz,whl}
+ - run: gh release upload "${TAG_NAME}" dist/*.{tar.gz,whl}
 env:
 GH_TOKEN: ${{ github.token }}
+ TAG_NAME: ${{ github.event.release.tag_name }}
 upload-pypi:
 name: Upload (PyPI)
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index aa1392ae989..36eadec364b 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -24,6 +24,8 @@ jobs:
 tests: ${{ steps.changes.outputs.tests }}
 steps:
 - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+ with:
+ persist-credentials: false
 - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
 id: changes
@@ -55,6 +57,8 @@ jobs:
 needs: changes
 steps:
 - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+ with:
+ persist-credentials: false
 - uses: ./.github/actions/bootstrap-poetry
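Review bot: `persist-credentials: false` on the checkout of `github.event.pull_request.head.sha` keeps the token out of the fork-controlled `poetry-docs` tree, but under `pull_request_target` the `GITHUB_TOKEN` is write-capable by default and the step that consumes `poetry-docs` comes after this hunk. The job should also declare `permissions: contents: read` (or the minimum it needs) so fork-supplied docs cannot escalate through a later step; the job's `permissions:` block is not visible here, so this may already be in place. Pinning to `head.sha` rather than `head.ref` is the right choice, since the SHA cannot move after the label-based gate described at the top of the file has been applied.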
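Review bot: The `actions/checkout` in the release upload job exists only so `gh` can infer the repository (`# We need to be in a git repo for gh to work.`), which leaves a release-critical job holding a write-scoped `GH_TOKEN` next to a full tree it never otherwise uses. `gh` takes the repository from the environment instead, so the checkout can be dropped by adding `GH_REPO: ${{ github.repository }}` alongside `GH_TOKEN` and `TAG_NAME` under `env:`. Quoting `"${TAG_NAME}"` removes the expression injection, but the value is still a positional argument; a tag beginning with `-` would be read as a flag, so `gh release upload -- "${TAG_NAME}" dist/*.{tar.gz,whl}` should be the defensive form. Release events are maintainer-created, so the latter is hardening rather than a live issue.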
@@ -67,6 +71,8 @@ jobs:
 needs: lockfile
 steps:
 - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+ with:
+ persist-credentials: false
 - run: pipx run build
@@ -86,6 +92,8 @@ jobs:
 needs: changes
 steps:
 - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+ with:
+ persist-credentials: false
 - uses: ./.github/actions/bootstrap-poetry
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 2ba688afbe8..1fdb4c688fb 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -31,3 +31,11 @@ repos:
 hooks:
 - id: ruff
 - id: ruff-format
+
+ - repo: https://github.com/woodruffw/zizmor-pre-commit
+ rev: v0.8.0
+ hooks:
+ - id: zizmor
+ # types and files can be removed with https://github.com/woodruffw/zizmor-pre-commit/pull/2
+ types: [yaml]
+ files: \.github/workflows/.*$
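Review bot: `rev: v0.8.0` pins the new zizmor hook to a mutable tag, while every action touched by this same commit is pinned to a commit SHA with the version in a trailing comment (`actions/checkout@0ad4b8... # v4.1.4`); a hook whose job is supply-chain hygiene deserves the same discipline, i.e. `rev: <sha of the v0.8.0 tag>  # frozen: v0.8.0`, which is the form `pre-commit autoupdate --freeze` produces and accepts. Separately, `files: \.github/workflows/.*$` excludes the composite action referenced as `./.github/actions/bootstrap-poetry` in the workflow hunks; if the zizmor release in use audits `action.yml` definitions, `files: \.github/(workflows|actions)/.*$` would cover it, otherwise a short comment stating why `.github/actions/` is left out would help the next reader. Whether this hook also runs in CI rather than only on developer machines is not visible from this hunk.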