chore: add zizmor workflow to harden GitHub Actions security

[Copilot]

Description

Resolves all warnings and notices surfaced by the zizmor CI audit run across dependabot.yml, python.yml, and release.yml.

• dependabot.yml — Added cooldown.default-days: 7 to both pip and github-actions update entries to satisfy zizmor's insufficient-cooldown audit.
• python.yml — Added persist-credentials: false to all 7 actions/checkout steps; prevents the checkout token from being stored in the local git config and potentially leaking via artifacts.
• release.yml — Same persist-credentials: false fix on all 3 checkout steps. Additionally fixed a code injection via template expansion: ${{ steps.release-bot-token.outputs.app-slug }} was interpolated directly into a run script; moved to an env variable instead.

Resolves or fixes issue: none

AI Tool Disclosure

• My contribution does not include any AI-generated content
• My contribution includes AI-generated content, as disclosed below:
  • AI Tools: GitHub Copilot
  • LLMs and versions: Claude Sonnet 4
  • Prompts: Fix all zizmor security findings surfaced in PR #968 across dependabot.yml, python.yml, and release.yml

Affirmation

• My code follows the CONTRIBUTING.md guidelines

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

_{NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.}

[jkowalleck]

did originally instruct Copilot not to fix any findsings from zizmor, so show that the workflow is usable and actually detects the things i already know.

• chore: use dependabot cooldown period #965
• not have git tokens persisted

workflow is running, and working as expected.
findings so far: https://github.com/CycloneDX/cyclonedx-python-lib/actions/runs/24929412066/job/73004645748?pr=968#step:3:93

 INFO zizmor: 🌈 zizmor v1.24.1
 INFO audit: zizmor: 🌈 completed ./.github/dependabot.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/python.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/release.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/zizmor.yml
Warning: dependabot.yml:5: insufficient cooldown in Dependabot updates: missing cooldown configuration
Warning: dependabot.yml:19: insufficient cooldown in Dependabot updates: missing cooldown configuration
Warning: python.yml:34: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false
Warning: python.yml:58: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false
Warning: python.yml:82: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false
Warning: python.yml:106: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false
Warning: python.yml:142: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false
Warning: python.yml:192: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false
Warning: python.yml:270: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false
Warning: release.yml:49: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false
Warning: release.yml:71: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false
Warning: release.yml:122: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false
Notice: release.yml:118: code injection via template expansion: may expand into attacker-controllable code

[jkowalleck]

@copilot create a new branch from here, and have all those findings from zizmor fixed.
create a new pullrequest pointing to here.

[Copilot]

@jkowalleck I've opened a new pull request, #969, to work on those changes. Once the pull request is ready, I'll request review from you.

[jkowalleck]

@copilot use the repositories own pull request template in the PR descrioption.

[Copilot]

@copilot use the repositories own pull request template in the PR descrioption.

I don't have a tool available to directly edit the description of PR #969 from this session. Here is the description formatted with the repository's PR template that should be applied to PR #969:

---

Description

Resolves all warnings and notices surfaced by the zizmor CI audit run across dependabot.yml, python.yml, and release.yml.

• dependabot.yml — Added cooldown.default-days: 7 to both pip and github-actions update entries to satisfy zizmor's insufficient-cooldown check.
• python.yml — Added persist-credentials: false to all 7 actions/checkout steps to prevent the checkout token from being stored in the local git config.
• release.yml — Same persist-credentials: false fix on all 3 checkout steps. Fixed a code injection via template expansion by moving ${{ steps.release-bot-token.outputs.app-slug }} into an env variable instead of interpolating it directly in the run script.

Resolves or fixes issue: none

AI Tool Disclosure

• My contribution does not include any AI-generated content
• My contribution includes AI-generated content, as disclosed below:
  • AI Tools: GitHub Copilot
  • LLMs and versions: Claude Sonnet 4
  • Prompts: Fix all zizmor security findings surfaced in PR #968 across dependabot.yml, python.yml, and release.yml

Affirmation

• My code follows the CONTRIBUTING.md guidelines

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh gh pr view 969 --json number,title (http block)
  • Triggering command: /usr/bin/gh gh auth status (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[webknjaz]

Could just paste https://github.com/jazzband/pip-tools/blob/6be966f0c1677bdf5a49f7a8d46544f7208353b0/.github/workflows/ci.yml#L532-L538 into the main workflow 🤷‍♂️

[webknjaz]

Also, additionally integrate Zizmor into the pre-commit framework config