ci: add zizmor (#1082)

henryiii · web-flow · commit 2577f31eb4d6 · 2026-04-09T21:13:51.000-04:00
Signed-off-by: Henry Schreiner &lt;henryfs@princeton.edu&gt;
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -9,3 +9,5 @@ updates:
       actions:
         patterns:
           - "*"
+    cooldown:
+      default-days: 7
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
@@ -0,0 +1,3 @@
+rules:
+  unpinned-uses:
+    disable: true
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -66,3 +66,8 @@ repos:
       - id: rst-backticks
       - id: rst-directive-colons
       - id: rst-inline-touching-normal
+
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: v1.22.0
+    hooks:
+      - id: zizmor
diff --git a/action.yml b/action.yml
@@ -21,8 +21,11 @@ runs:
     - name: "Validate input"
       id: helper
       run: >
-        '${{ steps.localpython.outputs.python-path }}' '${{ github.action_path }}/.github/action_helper.py' '${{ inputs.python-versions }}' >>${GITHUB_OUTPUT}
+        "${STEPS_LOCALPYTHON_OUTPUTS_PYTHON_PATH}" "${{ github.action_path }}/.github/action_helper.py" "${INPUTS_PYTHON_VERSIONS}" >> "${GITHUB_OUTPUT}"
       shell: bash
+      env:
+        STEPS_LOCALPYTHON_OUTPUTS_PYTHON_PATH: ${{ steps.localpython.outputs.python-path }}
+        INPUTS_PYTHON_VERSIONS: ${{ inputs.python-versions }}
 
     - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       id: allpython
