Pass on pedantic Zizmor (#119)

* Add concurrency limits * ci: pass on pedantic zizmor
2026-03-29 05:49:01 -04:00 · 2026-03-29 05:49:01 -04:00 · 2c740a9551
commit 2c740a9551
parent 0126ae476f
4 changed files with 28 additions and 24 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -13,6 +13,10 @@ env:
  PIP_NO_PYTHON_VERSION_WARNING: 1
  SETUPTOOLS_SCM_PRETEND_VERSION: "1.0" # avoid warnings about shallow checkout

+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 permissions: {}

 jobs:
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -3,19 +3,21 @@ name: CodeQL

 on:
  schedule:
-    - cron: "30 22 * * 4"
+    - cron: "41 3 * * 6"
+  workflow_dispatch:

-permissions:
-  contents: read
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: true
+
+permissions: {}

 jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
-      actions: read
-      contents: read
-      security-events: write
+      security-events: write  # necessary according to docs

    strategy:
      fail-fast: false
--- a/.github/workflows/wheels.yml
+++ b/.github/workflows/wheels.yml
@ -10,6 +10,10 @@ on:
  schedule:
    - cron: "30 4 15 * *"

+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 permissions: {}


--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@ -1,39 +1,33 @@
+---
 # https://github.com/woodruffw/zizmor
-name: Zizmor
+name: Zizmor 🌈

 on:
  push:
    branches: ["main"]
  pull_request:
-    branches: ["*"]
+    branches: ["**"]

-permissions:
-  contents: read
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true

+permissions: {}

 jobs:
  zizmor:
-    name: Zizmor latest via PyPI
+    name: Run zizmor 🌈
    runs-on: ubuntu-latest
    permissions:
-      security-events: write
+      security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
-      - uses: hynek/setup-cached-uv@0b9e52652c2d5d4fb6af4598efa3d14e60e934d1 # v2.4.0

      - name: Run zizmor 🌈
-        run: uvx zizmor --format sarif . > results.sarif
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
+        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
        with:
-          # Path to SARIF file relative to the root of the repository
-          sarif_file: results.sarif
-          # Optional category for the results
-          # Used to differentiate multiple results for one commit
-          category: zizmor
+          persona: pedantic
+...