feat: Add zizmor pre-commit hook (#95)

* feat: Add zizmor pre-commit hook

* chore: Update workflows based on zizmor audits

Author: Techassi

.github/workflows/pr_interu.yml

@@ -11,6 +11,8 @@ on:
       - tools/interu/**
       - Cargo.toml
 
+permissions: {}
+
 jobs:
   build:
     uses: ./.github/workflows/build_interu.yml

.github/workflows/pr_pre-commit.yml

@@ -4,6 +4,8 @@ name: pre-commit
 on:
   pull_request:
 
+permissions: {}
+
 jobs:
   pre-commit:
     runs-on: ubuntu-latest

.github/workflows/release_interu.yml

@@ -6,6 +6,8 @@ on:
     tags:
       - "interu-[0-9]+.[0-9]+.[0-9]+**"
 
+permissions: {}
+
 jobs:
   build:
     uses: ./.github/workflows/build_interu.yml
@@ -23,6 +25,8 @@ jobs:
   release:
     runs-on: ubuntu-latest
     needs: [build]
+    permissions:
+      contents: write
     steps:
       - name: Download Artifacts
         uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0

.github/workflows/smoke-build.yaml

@@ -15,6 +15,8 @@ on:
       - shard/action.yaml
       - smoke/*
 
+permissions: {}
+
 jobs:
   generate-matrix:
     name: Generate Version List

.pre-commit-config.yaml

@@ -33,6 +33,12 @@ repos:
     hooks:
       - id: actionlint
 
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: 7fc963270df722f37707d47ff41265fe8f460822 # v1.20.0
+    hooks:
+      - id: zizmor
+        args: ["--no-progress", "--min-confidence", "medium"]
+
   - repo: local
     hooks:
       - id: update-readme-list

shard/action.yaml

@@ -38,9 +38,10 @@ runs:
     - name: Print Shards
       env:
         GITHUB_DEBUG: ${{ runner.debug }}
+        VERSIONS: ${{ steps.generate_shards.outputs.VERSIONS }}
       shell: bash
       run: |
         set -euo pipefail
         [ -n "$GITHUB_DEBUG" ] && set -x
 
-        echo versions=${{ steps.generate_shards.outputs.VERSIONS }}
+        echo "versions=$VERSIONS"