From 354d0559aa6f3ccc7bfa3eaf10c2918498836c69 Mon Sep 17 00:00:00 2001
From: flakey5 <73616808+flakey5@users.noreply.github.com>
Date: Wed, 20 May 2026 19:39:21 -0700
Subject: [PATCH] ci: apply zizmor suggestions
Closes #113
Signed-off-by: flakey5 <73616808+flakey5@users.noreply.github.com>
---
.github/dependabot.yml | 2 +-
.github/workflows/auto-merge.yml | 5 ++-
.github/workflows/codeql.yml | 2 ++
.github/workflows/dependency-review.yml | 2 ++
.../inactive-collaborator-report.yml | 2 ++
.github/workflows/notify-on-push.yml | 3 ++
.github/workflows/zizmor.yml | 32 +++++++++++++++++++
actions/setup-environment/action.yml | 5 +--
8 files changed, 49 insertions(+), 4 deletions(-)
create mode 100644 .github/workflows/zizmor.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index df137e5..eb768a6 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -11,4 +11,4 @@ updates: - "github_actions" - "auto-merge" cooldown: - default-days: 3 + default-days: 7
diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml
index 5fed469..b698679 100644
--- a/.github/workflows/auto-merge.yml
+++ b/.github/workflows/auto-merge.yml
@@ -13,7 +13,7 @@ jobs: auto-merge: if: github.repository == 'nodejs/web-team' runs-on: ubuntu-latest - + steps: - name: Harden Runner uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
@@ -21,6 +21,9 @@ jobs: egress-policy: audit - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: true + - uses: ./actions/auto-merge-prs with: merge-method: queue
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 6482aa7..0c0110e 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
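Review bot: `persist-credentials: true` on the checkout step in the second auto-merge hunk keeps the job's token in the checked-out repository's `.git/config` for every later step, including `./actions/auto-merge-prs`; it makes the zizmor finding explicit rather than removing the exposure the finding describes, and the same setting is added in the inactive-collaborator-report hunk. Whether those local actions need git-level credentials is not visible here; if they only need an API token, passing it as an action input and setting `persist-credentials: false` keeps the credential out of the working tree. If persistence is genuinely required, a why-comment on the line, e.g. `persist-credentials: true # <reason the following action needs git credentials>`, records the decision for the next reader. The rest of the job continues outside the hunk.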
@@ -48,6 +48,8 @@ jobs: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index ec6c407..d2e2697 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -13,6 +13,8 @@ jobs: steps: - name: "Checkout Repository" uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: "Dependency Review" uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
diff --git a/.github/workflows/inactive-collaborator-report.yml b/.github/workflows/inactive-collaborator-report.yml
index 4e114d5..1ba7ab4 100644
--- a/.github/workflows/inactive-collaborator-report.yml
+++ b/.github/workflows/inactive-collaborator-report.yml
@@ -22,6 +22,8 @@ jobs: egress-policy: audit - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: true - name: Report inactive collaborators id: inactive
diff --git a/.github/workflows/notify-on-push.yml b/.github/workflows/notify-on-push.yml
index 2647730..923e863 100644
--- a/.github/workflows/notify-on-push.yml
+++ b/.github/workflows/notify-on-push.yml
@@ -16,6 +16,9 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: ./actions/notify-on-push with: webhook: ${{ secrets.SLACK_WEBHOOK }}
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..d1ca342
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,32 @@
+name: Zizmor
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+
+permissions: {}
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+ zizmor:
+ name: Zizmor Security Analysis
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ actions: read
+ security-events: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor 🌈
+ uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
diff --git a/actions/setup-environment/action.yml b/actions/setup-environment/action.yml
index e0e5603..3d5c5ec 100644
--- a/actions/setup-environment/action.yml
+++ b/actions/setup-environment/action.yml
@@ -45,6 +45,7 @@ runs: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + persist-credentials: false ref: ${{ inputs.ref }} fetch-depth: ${{ inputs.fetch-depth }} token: ${{ inputs.token }}
@@ -72,9 +73,9 @@ runs: - name: Install dependencies with pnpm if: inputs.pnpm == 'true' shell: bash - run: pnpm install --frozen-lockfile ${{ inputs.install-flags }} + run: pnpm install --frozen-lockfile ${{ inputs.install-flags }} # zizmor: ignore[template-injection] intentional - name: Install dependencies with npm if: inputs.pnpm != 'true' shell: bash - run: npm ci ${{ inputs.install-flags }} + run: npm ci ${{ inputs.install-flags }} # zizmor: ignore[template-injection] intentional
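Review bot: The new zizmor job omits the `Harden Runner` step that this repository's other workflows run first (the `step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0` step with `egress-policy: audit` visible in the auto-merge and inactive-collaborator-report hunks), so the security-scanning workflow is the one without egress auditing; adding the same pinned step before the checkout keeps the workflows consistent. A `timeout-minutes:` on the job would bound a hung scan instead of relying on the runner default. The job grants `security-events: write`, which suggests the action uploads SARIF; on `pull_request` runs from forks the token is read-only, so that upload would presumably fail there — worth confirming against the action's documentation and, if so, guarding the step or the trigger accordingly.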
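Review bot: The `# zizmor: ignore[template-injection] intentional` suppressions on the two `run:` lines of the last hunk accept that `inputs.install-flags` is spliced into the script before bash parses it, so shell metacharacters in the input are interpreted as shell syntax; `intentional` records that the risk is accepted but not why (who sets the input — the callers of this composite action are not visible here). The usual remedy removes the need for the suppression rather than silencing it: pass the input through `env:` and expand it as a shell variable, which still word-splits multiple flags but no longer composes the script from the value. If the suppression stays, the comment should state the trust assumption, e.g. `# zizmor: ignore[template-injection] install-flags is set only by this repository's own workflows`.
```yaml
      - name: Install dependencies with pnpm
        # … unchanged: if/shell …
        env:
          INSTALL_FLAGS: ${{ inputs.install-flags }}
        run: pnpm install --frozen-lockfile $INSTALL_FLAGS
      - name: Install dependencies with npm
        # … unchanged: if/shell …
        env:
          INSTALL_FLAGS: ${{ inputs.install-flags }}
        run: npm ci $INSTALL_FLAGS
```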