Replace pre-commit with prek in CI and add zizmor (#172)

Author: hugovk

.github/workflows/deploy.yml

@@ -8,8 +8,7 @@ on:
       - published
   workflow_dispatch:
 
-permissions:
-  contents: read
+permissions: {}
 
 env:
   FORCE_COLOR: 1
@@ -32,7 +31,7 @@ jobs:
   release-test-pypi:
     name: Publish in-dev package to test.pypi.org
     if: |
-      github.repository_owner == 'python'
+      github.event.repository.fork == false
       && github.event_name == 'push'
       && github.ref == 'refs/heads/main'
     runs-on: ubuntu-latest
@@ -58,7 +57,7 @@ jobs:
     name: Publish to PyPI
     # Only run for published releases.
     if: |
-      github.repository_owner == 'python'
+      github.event.repository.fork == false
       && github.event.action == 'published'
     runs-on: ubuntu-latest
     needs: build-package

.github/workflows/lint.yml

@@ -2,11 +2,11 @@ name: Lint
 
 on: [push, pull_request, workflow_dispatch]
 
+permissions: {}
+
 env:
   FORCE_COLOR: 1
 
-permissions:
-  contents: read
 
 jobs:
   lint:
@@ -19,5 +19,6 @@ jobs:
       - uses: actions/setup-python@v6
         with:
           python-version: "3.x"
-      - uses: tox-dev/action-pre-commit-uv@v1
+      - uses: astral-sh/setup-uv@v7
+      - uses: j178/prek-action@v1
       - run: uvx safety check

.github/workflows/main.yml

@@ -2,8 +2,7 @@ name: tests
 
 on: [push, pull_request, workflow_dispatch]
 
-permissions:
-  contents: read
+permissions: {}
 
 env:
   FORCE_COLOR: 1

.github/zizmor.yml

@@ -0,0 +1,6 @@
+# https://docs.zizmor.sh/configuration/
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        "*": ref-pin

.pre-commit-config.yaml

@@ -49,6 +49,11 @@ repos:
         pass_filenames: false
         additional_dependencies: ["types-requests"]
 
+  - repo: https://github.com/woodruffw/zizmor-pre-commit
+    rev: v1.14.2
+    hooks:
+      - id: zizmor
+
   - repo: https://github.com/tox-dev/pyproject-fmt
     rev: v2.11.1
     hooks: