SEC: enable security scans with zizmor and fix existing lints (#5344)

Author: neutrinoceros

.github/dependabot.yml

@@ -4,10 +4,12 @@ updates:
   directory: /.github/workflows
   schedule:
     interval: monthly
+  cooldown:
+    default-days: 7
   groups:
-     actions:
-       patterns:
-       - '*'
+     gha-patches:
+      update-types:
+      - patch
 
 - package-ecosystem: uv
   directory: /

.github/workflows/bleeding-edge.yaml

@@ -18,6 +18,8 @@ on:
     - cron: 0 3 * * 3
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -31,10 +33,12 @@ jobs:
 
     steps:
     - name: Checkout repo
-      uses: actions/checkout@v6
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      with:
+        persist-credentials: false
 
     - name: Set up Python (newest testable version)
-      uses: astral-sh/setup-uv@v7
+      uses: astral-sh/setup-uv@1e862dfacbd1d6d858c55d9b792c756523627244 # v7.1.4
       with:
         # this version should be upgraded as often as possible, typically once a year when
         # Cython, numpy and matplotlib are known to be compatible
@@ -74,7 +78,7 @@ jobs:
 
     steps:
     - name: Create issue on failure
-      uses: imjohnbo/issue-bot@v3
+      uses: imjohnbo/issue-bot@572eed14422c4d6ca37e870f97e7da209422f5bd # v3.4.4
       with:
         title: 'TST: Upcoming dependency test failures'
         body: |

.github/workflows/build-test.yaml

@@ -11,6 +11,8 @@ defaults:
   run:
     shell: bash
 
+permissions: {}
+
 jobs:
   check-lock-file:
     # validate uv.lock against requirements
@@ -22,9 +24,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout repo
-      uses: actions/checkout@v6
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      with:
+        persist-credentials: false
     - name: Set up uv
-      uses: astral-sh/setup-uv@v7
+      uses: astral-sh/setup-uv@1e862dfacbd1d6d858c55d9b792c756523627244 # v7.1.4
       with:
         version: ">=0.9.11,<0.10.0" # pin uv to avoid the lock file format going out-of-sync
         python-version: 3.14
@@ -95,18 +99,21 @@ jobs:
     steps:
     - name: Checkout repo (bare)
       if: matrix.tests-type != 'answer'
-      uses: actions/checkout@v6
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      with:
+        persist-credentials: false
     - name: Set up Python
-      uses: astral-sh/setup-uv@v7
+      uses: astral-sh/setup-uv@1e862dfacbd1d6d858c55d9b792c756523627244 # v7.1.4
       with:
         python-version: ${{ matrix.python-version }}
         cache-suffix: ${{ matrix.cache-suffix }}
         prune-cache: false
     - name: Checkout repo (with submodules)
       if: matrix.tests-type == 'answer'
-      uses: actions/checkout@v6
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       with:
         submodules: true
+        persist-credentials: false
     - name: Install dependencies and yt
       shell: bash
       env:
@@ -145,11 +152,12 @@ jobs:
 
     steps:
     - name: Checkout repo (with submodules)
-      uses: actions/checkout@v6
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       with:
         submodules: true
+        persist-credentials: false
     - name: Set up Python
-      uses: astral-sh/setup-uv@v7
+      uses: astral-sh/setup-uv@1e862dfacbd1d6d858c55d9b792c756523627244 # v7.1.4
       with:
         python-version: '3.11'
         enable-cache: false
@@ -186,14 +194,14 @@ jobs:
     # (and especially) in case of failure.
     - name: Upload pytest-mpl report
       if: always()
-      uses: actions/upload-artifact@v5
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
       with:
         name: yt_pytest_mpl_results
         path: pytest_mpl_results/*
 
     - name: Upload pytest-mpl baseline
       if: always()
-      uses: actions/upload-artifact@v5
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
       with:
         name: yt_pytest_mpl_new_baseline
         path: pytest_mpl_new_baseline/*

.github/workflows/type-checking.yaml

@@ -11,6 +11,8 @@ on:
       - .github/workflows/type-checking.yaml
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -24,10 +26,12 @@ jobs:
 
     steps:
     - name: Checkout repo
-      uses: actions/checkout@v6
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      with:
+        persist-credentials: false
 
     - name: Set up Python
-      uses: astral-sh/setup-uv@v7
+      uses: astral-sh/setup-uv@1e862dfacbd1d6d858c55d9b792c756523627244 # v7.1.4
       with:
         # run with oldest supported python version
         # so that we always get compatible versions of

.github/workflows/wheels.yaml

@@ -16,6 +16,7 @@ on:
       - setupext.py
   workflow_dispatch:
 
+permissions: {}
 
 jobs:
   build_wheels:
@@ -48,18 +49,20 @@ jobs:
 
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
 
       - name: Build wheels for CPython
-        uses: pypa/[email protected]
+        uses: pypa/cibuildwheel@63fd63b352a9a8bdcc24791c9dbee952ee9a8abc # v3.3.0
         with:
           extras: uv
           output-dir: dist
         env:
           CIBW_ARCHS: ${{ matrix.archs }}
           CIBW_BUILD: ${{ matrix.select }}
 
-      - uses: actions/upload-artifact@v5
+      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: wheels-${{ matrix.os }}-${{ matrix.id }}
           path: ./dist/*.whl
@@ -69,10 +72,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
 
       - name: Set up Python
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@1e862dfacbd1d6d858c55d9b792c756523627244 # v7.1.4
         with:
           python-version: '3.10'
           enable-cache: false
@@ -81,7 +86,7 @@ jobs:
         run: uv build --sdist
 
       - name: Upload sdist
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: sdist
           path: dist/*.tar.gz
@@ -93,7 +98,7 @@ jobs:
           cp conftest.py cfg
 
       - name: Upload pytest configuration files
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: pytest-conf
           path: cfg
@@ -104,20 +109,20 @@ jobs:
     needs: [build_sdist]
     steps:
       - name: Download sdist
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: sdist
           path: dist
 
       - name: Set up Python
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@1e862dfacbd1d6d858c55d9b792c756523627244 # v7.1.4
         with:
           python-version: '3.10'
           enable-cache: false
           activate-environment: true # allows using uv pip directly
 
       - name: Download pytest configuration files
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: pytest-conf
           path: cfg
@@ -140,11 +145,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout repo
-      uses: actions/checkout@v6
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       with:
         submodules: true
+        persist-credentials: false
     - name: Set up Python
-      uses: astral-sh/setup-uv@v7
+      uses: astral-sh/setup-uv@1e862dfacbd1d6d858c55d9b792c756523627244 # v7.1.4
       with:
         python-version: '3.13'
         enable-cache: false
@@ -159,20 +165,20 @@ jobs:
     if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/yt-')
     steps:
       - name: Download sdist
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: sdist
           path: dist
 
       - name: Download wheels
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           path: dist
           pattern: wheels-*
           merge-multiple: true
 
       - name: Publish to PyPI
-        uses: pypa/[email protected]
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 # zizmor: ignore[use-trusted-publishing]
         with:
           user: __token__
           password: ${{ secrets.pypi_token }}

.pre-commit-config.yaml

@@ -27,6 +27,11 @@ repos:
     - id: check-executables-have-shebangs
     - id: check-yaml
 
+- repo: https://github.com/zizmorcore/zizmor-pre-commit
+  rev: v1.18.0
+  hooks:
+    - id: zizmor
+
 # TODO: replace this with ruff when it supports embedded python blocks
 # see https://github.com/astral-sh/ruff/issues/8237
 -   repo: https://github.com/adamchainz/blacken-docs