From 43ac931443671c4bb077edcc8aa707ef90288bb1 Mon Sep 17 00:00:00 2001
From: Michael Seifert
Date: Thu, 15 May 2025 06:36:35 +0200
Subject: [PATCH 1/7] ci: Pin third-party actions to a commit hash.

This detects changed action code for the same tag.
---
 .github/workflows/main.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 89d990ac..c30bbd42 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -102,7 +102,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Decide whether the needed jobs succeeded or failed
-        uses: re-actors/alls-green@release/v1
+        uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
         with:
           jobs: ${{ toJSON(needs) }}
       - uses: actions/checkout@v4
@@ -124,7 +124,7 @@ jobs:
           coverage combine
           coverage xml
       - name: Upload coverage report
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2
         with:
           files: coverage.xml
           fail_ci_if_error: true
@@ -184,7 +184,7 @@ jobs:
         run: |
           tree dist
       - name: PyPI upload
-        uses: pypa/gh-action-pypi-publish@v1.12.4
+        uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
         with:
           attestations: true
           packages-dir: dist
@@ -195,7 +195,7 @@ jobs:
           name: release-notes.md
           path: release-notes.md
       - name: GitHub Release
-        uses: ncipollo/release-action@v1
+        uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # v1.16.0
         with:
           name: pytest-asyncio ${{ needs.lint.outputs.version }}
           artifacts: dist/*

From 3ad2311fb10aeaa18cf35a0473e83dd0e751d2a1 Mon Sep 17 00:00:00 2001
From: Michael Seifert
Date: Thu, 15 May 2025 06:41:28 +0200
Subject: [PATCH 2/7] ci: Avoid persisting credentials in the checkout action.

see https://docs.zizmor.sh/audits/#artipacked
---
 .github/workflows/main.yml | 6 ++++++
 1 file changed, 6 insertions(+)
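Review bot: The GitHub-owned actions that remain in the context lines — `actions/checkout@v4` in the first and fourth hunks here, and `actions/setup-python@v5` / `actions/download-artifact@v4` in the following patches — are still pinned to a mutable tag, so the property the subject describes (detecting changed action code behind the same tag) does not hold for them. If leaving first-party actions on tags is deliberate, a one-line comment at the first such step, `# GitHub-owned actions are intentionally tag-pinned`, would keep the next reviewer from re-raising it; otherwise pin them the same way, with the `# vX.Y.Z` trailer. Hash pins also go stale unless something bumps them; whether Dependabot or Renovate is configured for the `github-actions` ecosystem is not visible in this patch, so please confirm.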
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index c30bbd42..ca602d88 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -24,6 +24,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: ${{ env.PYTHON_LATEST }}
@@ -75,6 +76,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
@@ -106,6 +109,8 @@ jobs:
         with:
           jobs: ${{ toJSON(needs) }}
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: ${{ env.PYTHON_LATEST }}
@@ -139,6 +144,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Install Python
         uses: actions/setup-python@v5
       - name: Install towncrier

From 65841d2b0c4bd01f77651f6669f7872e730ad5e7 Mon Sep 17 00:00:00 2001
From: Michael Seifert
Date: Thu, 15 May 2025 06:52:18 +0200
Subject: [PATCH 3/7] ci: Narrow permissions of Github Actions.

see https://docs.zizmor.sh/audits/#excessive-permissions
---
 .github/workflows/main.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index ca602d88..efe31827 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -10,6 +10,8 @@ on:
   merge_group:
   workflow_dispatch:
 
+permissions: {}
+
 env:
   PYTHON_LATEST: 3.13
 
@@ -180,6 +182,8 @@ jobs:
     if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
     needs: [lint, check, prepare-release-notes]
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     steps:
       - name: Download distributions
         uses: actions/download-artifact@v4

From 197c6ad713819556bd6502ca069a3d5ea1f17cd9 Mon Sep 17 00:00:00 2001
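Review bot: With `persist-credentials: false` now set on every checkout in these four hunks, any later step in the same job that pushes, tags, or otherwise authenticates to the repository over git would run without a token; nothing in the visible lines does so, but each job's remaining steps lie outside the hunks, so this is worth confirming before merge. If a step does need authenticated git access, hand it a scoped token explicitly (for example via the step's own `env:` or `with: token:`) rather than re-enabling credential persistence for the whole job.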
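Review bot: The second hunk of this patch grants the release job only `id-token: write`, and with the new top-level `permissions: {}` the job's `GITHUB_TOKEN` therefore has no `contents` scope; the job's `GitHub Release` step (`ncipollo/release-action`, shown in the first patch) creates a release, which requires `contents: write` on whatever token it uses. Unless that step is given a separate token with that scope through `with: token:` — not visible in any hunk here — it will fail under the narrowed permissions; the fix is to add `contents: write` beneath `id-token: write` in the job's `permissions:` block. `id-token: write` itself is consistent with `attestations: true` on the PyPI upload step.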
From: Michael Seifert
Date: Thu, 15 May 2025 06:55:29 +0200
Subject: [PATCH 4/7] ci: Silence zizmore warning about not using trusted publishing.

This is already tracked in #700
---
 .github/workflows/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index efe31827..06191c77 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -194,7 +194,7 @@ jobs:
         run: |
           tree dist
       - name: PyPI upload
-        uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
+        uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4 # zizmor: ignore[use-trusted-publishing] # see #700
         with:
           attestations: true
           packages-dir: dist

From f2454e8aad0f9147a42374969f593bd84f77ec0b Mon Sep 17 00:00:00 2001
From: Michael Seifert
Date: Thu, 15 May 2025 06:59:18 +0200
Subject: [PATCH 5/7] ci: Avoid template expression in Bash script for assembling release notes.

---
 .github/workflows/main.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 06191c77..0d424beb 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -158,7 +158,9 @@ jobs:
         run: pip install .
       - name: Compile Release Notes Draft
         if: ${{ !contains(github.ref, 'refs/tags/') }}
-        run: towncrier build --draft --version "${{ needs.lint.outputs.version }}" > release-notes.rst
+        run: towncrier build --draft --version "${version}" > release-notes.rst
+        env:
+          version: ${{ needs.lint.outputs.version }}
       - name: Extract release notes from Git tag
         if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
         run: |

From eb2c785399e7d019d6a94db7af893bc8f1745938 Mon Sep 17 00:00:00 2001
From: Michael Seifert
Date: Thu, 15 May 2025 06:59:27 +0200
Subject: [PATCH 6/7] build: Add zizmor to the pre-commit hooks.

---
 .pre-commit-config.yaml | 4 ++++
 1 file changed, 4 insertions(+)
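Review bot: In the PATCH 5/7 hunk, the variable introduced in the new `env:` block is named `version` in lower case; the usual GitHub Actions convention is upper case for variables that carry workflow expressions into a shell script, so a reader of the `run:` line can tell `${VERSION}` is injected by the workflow rather than being a shell local. Consider `VERSION: ${{ needs.lint.outputs.version }}` with `--version "${VERSION}"`; the double quoting in the `run:` line is correct as written and should stay. The `run: |` body of the following step begins at the hunk's last line and continues outside it, so whether it still interpolates an expression cannot be judged from here.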
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 26ccbf6e..4db7e233 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -74,6 +74,10 @@ repos:
   - id: pyproject-fmt
     # https://pyproject-fmt.readthedocs.io/en/latest/#calculating-max-supported-python-version
     additional_dependencies: [tox>=4.9]
+- repo: https://github.com/zizmorcore/zizmor-pre-commit
+  rev: v1.7.0
+  hooks:
+  - id: zizmor
 ci:
   skip:
   - actionlint-docker

From 60cd123aaefc3f1308cd3931513423f89b70ee37 Mon Sep 17 00:00:00 2001
From: Michael Seifert
Date: Thu, 15 May 2025 07:05:00 +0200
Subject: [PATCH 7/7] ci: Add linting job with GitHub Actions with zizmor.

---
 .github/workflows/main.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 0d424beb..54ed76f3 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -100,10 +100,16 @@ jobs:
           path: coverage/coverage.*
           if-no-files-found: error
 
+  lint-github-actions:
+    name: Lint GitHub Actions
+    permissions:
+      security-events: write
+    uses: zizmorcore/workflow/.github/workflows/reusable-zizmor.yml@1ae473d8672fe7613e809d86d202a35063736e16
+
   check:
     name: Check
     if: always()
-    needs: [lint, test]
+    needs: [lint, lint-github-actions, test]
     runs-on: ubuntu-latest
     steps:
       - name: Decide whether the needed jobs succeeded or failed
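Review bot: In the `.pre-commit-config.yaml` hunk, the new `zizmor` hook is not added to the `ci: skip:` list that already excludes `actionlint-docker`, so pre-commit.ci will attempt to run it; if the hook needs a toolchain or network access that pre-commit.ci does not provide, the failure will surface there rather than in the local hook. Either confirm it runs on pre-commit.ci or add `- zizmor` under `skip:`, which is reasonable given the next patch adds a dedicated workflow job for the same check. `rev: v1.7.0` is a tag pin, unlike the hash pins introduced in the first patch; pre-commit accepts a full commit SHA in `rev` if the same immutability is wanted here.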
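Review bot: In the PATCH 7/7 hunk, the reusable-workflow reference `zizmorcore/workflow/.github/workflows/reusable-zizmor.yml@1ae473d8…` is hash-pinned but has no `# vX.Y.Z` trailer, unlike every action pin added in the first patch; without it a reader cannot tell which release the hash corresponds to, and the pin-update tooling that relies on that comment cannot track it. Add the matching version comment after the hash, as the other pins do. The job grants only `security-events: write`, which is what a SARIF upload needs; whether the reusable workflow also expects read scopes such as `contents: read` or `actions: read` should be checked against its own documentation, since the top-level `permissions: {}` from the third patch removes every default.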