From 7c83689501e75f13ea41668161387cf74f9464ac Mon Sep 17 00:00:00 2001
From: pdmurray
Date: Mon, 18 May 2026 10:55:51 -0700
Subject: [PATCH] Fix security-related issues in github actions flagged by zizmor

Signed-off-by: pdmurray
---
 .github/workflows/build.yaml | 20 ++++++++++++--------
 .github/workflows/validate.yaml | 12 +++++++++---
 2 files changed, 21 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 0f2db54..84258da 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -1,5 +1,7 @@
 name: Build
 
+permissions: {}
+
 on:
 push:
 pull_request:
@@ -19,17 +21,19 @@ jobs:
 name: Source and wheel distributions
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
 - name: Build distributions
 run: pipx run build[virtualenv] --sdist --wheel
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: dist
 path: dist/*
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: test-deps
 path: |
@@ -47,14 +51,14 @@ jobs:
 python_version: ["3.8", "3.9", "3.10", "3.11", "3.12"]
 steps:
 - name: Set up Python
- uses: actions/setup-python@v4
+ uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4
 with:
 python-version: ${{ matrix.python_version }}-dev
- - uses: actions/download-artifact@v4
+ - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
 name: dist
 path: dist
- - uses: actions/download-artifact@v4
+ - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
 name: test-deps
 path: .
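Review bot: With `permissions: {}` now at the top of build.yaml every job inherits a GITHUB_TOKEN with no scopes, and the build job in the `@@ -19,17` hunk declares no job-level permissions while it runs actions/checkout; an unscoped token is generally reported to be enough for checkout of a public repository, but a private one needs `contents: read`, so the repository's visibility should be confirmed before this merges. validate.yaml's first hunk has the same shape for its Lint job. If the deny-all default is intentional, a one-line comment on the new key would save the next reader the same question, e.g. `permissions: {}  # deny-all default; each job declares the scopes it needs (publish: id-token: write)`.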
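Review bot: The `# v4` trailing the new checkout and upload-artifact SHAs names a floating major-version tag rather than the exact release the hash was taken from, so a reader cannot verify the pin against a release page without resolving the commit; the publish hunk's `# v1.13.0` is the better form, and the setup-python and download-artifact pins in the next hunk and the `# v3`/`# v4` pins in validate.yaml have the same shape. Write the full tag on each, e.g. `# v4.<minor>.<patch>` (placeholder — take it from the release the SHA belongs to). Pinning to a SHA also freezes the action, so unless something bumps these hashes (a dependabot.yml `github-actions` entry is the usual mechanism) security fixes released in the actions themselves will not be picked up; no such config is in this patch, so it likely needs a follow-up. This hunk's header counts (17/19) exceed the lines visible after `path: |`, so its tail appears truncated here.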
@@ -78,9 +82,9 @@ jobs:
 permissions:
 id-token: write # Required to retrieve a Trusted Publishing token
 steps:
- - uses: actions/download-artifact@v4
+ - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
 name: dist
 path: dist
- - uses: pypa/gh-action-pypi-publish@v1.13.0
+ - uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
diff --git a/.github/workflows/validate.yaml b/.github/workflows/validate.yaml
index a4f4155..6b2de3d 100644
--- a/.github/workflows/validate.yaml
+++ b/.github/workflows/validate.yaml
@@ -1,5 +1,7 @@
 name: Validate
 
+permissions: {}
+
 on:
 push:
 branches:
@@ -14,9 +16,11 @@ jobs:
 name: 'Lint'
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+ with:
+ persist-credentials: false
 - name: Set up Python
- uses: actions/setup-python@v4
+ uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4
 with:
 python-version: '3.12-dev'
 - name: Install Python dependencies
@@ -27,4 +31,6 @@ jobs:
 python3 -m pip install -e .
 - name: Lint sources
 run: |
- make PYTHON=python${{matrix.python_version}} lint
+ make lint
+ - name: Run zizmor 🌈
+ uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
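Review bot: actions/checkout is pinned to a v3 commit in the Lint job (`@@ -14,9` hunk) while build.yaml pins the v4 commit `34e114876b0b11c390a56381ad16ebd13914f8d5`, so the two workflows now diverge on the same action; pinning is the right move, but it also freezes a major version behind the one the repository already uses elsewhere (v3 runs on an older Node runtime that GitHub has been phasing out — confirm against the action's release notes). I would pin both workflows to the same v4 commit, `- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4`, keeping the `persist-credentials: false` this hunk adds.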
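Review bot: The new zizmor step in the `@@ -27,4` hunk runs under the workflow's `permissions: {}` and the Lint job declares no job-level permissions; as far as I know zizmorcore/zizmor-action uploads SARIF to code scanning by default, which needs `security-events: write` on top of `contents: read` (and `actions: read`, if the README for v0.5.6 lists it), so the step is likely to fail at upload time unless it is configured for non-upload output — confirm against the action's documentation. If upload is wanted, give the Lint job a block-style `permissions:` mapping with `contents: read` and `security-events: write` rather than widening the workflow default. Placed after `Lint sources`, the scan is also skipped whenever lint fails; a separate job would report both independently.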