Merge pull request #52 from berquist/zizmor

pre-commit: add zizmor

.github/workflows/docker.yml

@@ -10,6 +10,8 @@ concurrency:
   group: docker-${{github.ref}}-${{github.event.pull_request.number || github.run_number}}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   docker:
     runs-on: ubuntu-latest
@@ -18,6 +20,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
       - name: Gather metadata
         id: meta
         uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5
@@ -67,7 +71,7 @@ jobs:
           cache-source: cargo
           cache-target: /code/boys/target
       - name: Build
-        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6  # zizmor: ignore[cache-poisoning]
         with:
           file: Dockerfile
           push: true

.github/workflows/nix.yml

@@ -10,6 +10,8 @@ concurrency:
   group: nix-${{github.ref}}-${{github.event.pull_request.number || github.run_number}}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   nix-build:
     runs-on: ubuntu-latest
@@ -24,6 +26,8 @@ jobs:
           name: nix-qchem
       # Checkout of the current head in the working dir
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
       # Build the nix package
       - name: Build nix package
         run: nix flake check -L

.pre-commit-config.yaml

@@ -19,3 +19,8 @@ repos:
     rev: "v1.7.4.20"
     hooks:
       - id: actionlint
+  - repo: https://github.com/woodruffw/zizmor-pre-commit
+    rev: v1.3.1
+    hooks:
+      - id: zizmor
+        args: [--persona=pedantic]