
Merge pull request #20 from maykinmedia/chore/harden-ci-with-zizmor #56


Workflow file for this run

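name: Run CI

# Triggers: pushes to main, any pushed tag, every pull request, and manual
# dispatch from the Actions UI.
on:
  push:
    branches:
      - main
    tags:
      - '*'
  pull_request:
  workflow_dispatch:

# Deny-by-default: the workflow-level GITHUB_TOKEN carries no permissions.
# A job that needs token scopes must request them in its own `permissions`
# block (see the zizmor job below).
permissions: {}

jobs:
  # No job-level `permissions` here, so this job inherits the empty set above.
  tests:
    runs-on: ubuntu-latest
    name: Test the creation of a Django project from the template
    steps:
      # Third-party actions are pinned to a full commit SHA so a moved tag
      # cannot change the code that runs; the trailing comment records the
      # release the SHA corresponds to.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Do not leave the token in the checked-out repo's git config, where
          # later steps (pip installs, pytest, build) could read it.
          persist-credentials: false
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          # Quoted so the version stays a string rather than a float.
          python-version: '3.12'
      - name: Install Django 5.2
        # NOTE(review): resolved from the package index at run time with a
        # compatible-release range and no hash checking; a constraints file
        # with hashes would make this step reproducible.
        run: pip install 'django~=5.2.0'
      - name: Run the startproject command
        # Renders the repository root as a project template into tmp/,
        # excluding tmp itself and .github from the copy.
        run: |
          mkdir tmp
          django-admin startproject \
            --template . \
            --extension=py-tpl,rst,gitignore,in,ini,cfg,toml,yml,yaml \
            --name LICENSE \
            -x tmp \
            -x .github \
            defaultapp tmp/
      - name: Run basic checks (following README instructions)
        # The extras spec is quoted so the shell cannot treat `[tests]` as a
        # glob character class and match a stray file in the directory.
        run: |
          pip install -e '.[tests]'
          django-admin check
          pytest
        env:
          PYTHONPATH: .
          DJANGO_SETTINGS_MODULE: testapp.settings
        working-directory: tmp
      - name: Run dummy package build
        # NOTE(review): `build` is installed unpinned, so the latest release
        # on the index is used on every run.
        run: |
          pip install build
          python -m build
        working-directory: tmp

  # self-check with zizmor :-)
  zizmor:
    name: GitHub Actions Security Analysis with zizmor 🌈
    runs-on: ubuntu-latest
    # The only job that asks for token scopes: write access to code-scanning
    # results plus read access to repository contents and Actions metadata.
    # Presumably needed for the action's SARIF upload; confirm against the
    # zizmor-action documentation before widening or narrowing.
    permissions:
      security-events: write
      contents: read
      actions: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # The job holds a write-scoped token; keep it out of the git config.
          persist-credentials: false
      - name: Run zizmor 🌈
        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3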