From fea91257fd9284688302c33726c8f8dbe0257957 Mon Sep 17 00:00:00 2001
From: Ben Mares
Date: Wed, 12 Nov 2025 08:58:30 +0100
Subject: [PATCH 1/4] Add dependabot cooldown to avoid bleeding edge
---
 .github/dependabot.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index b1c4d80b13..c86dd26fd5 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -8,3 +8,5 @@ updates:
 labels:
 - "Github CI/CD"
 - "no releasenotes"
+ cooldown:
+ default-days: 7
From c272adc361e4f0a78a8f5e469a9a45150439a024 Mon Sep 17 00:00:00 2001
From: Ben Mares
Date: Wed, 12 Nov 2025 15:40:05 +0100
Subject: [PATCH 2/4] Restrict workflow-level permissions in all workflows
---
 .github/workflows/devcontainer-docker-image.yml | 2 ++
 .github/workflows/docker-image.yml | 2 ++
 .github/workflows/mypy.yml | 2 ++
 .github/workflows/pr-auto-label.yml | 3 +++
 .github/workflows/publish-release-notes-to-discourse.yml | 2 ++
 .github/workflows/release.yml | 2 ++
 .github/workflows/slash_dispatch.yml | 3 +++
 .github/workflows/tests.yml | 2 ++
 .github/workflows/zizmor.yml | 2 ++
 9 files changed, 20 insertions(+)
diff --git a/.github/workflows/devcontainer-docker-image.yml b/.github/workflows/devcontainer-docker-image.yml
index 6ca56d7c3b..a616d78e4d 100644
--- a/.github/workflows/devcontainer-docker-image.yml
+++ b/.github/workflows/devcontainer-docker-image.yml
@@ -1,5 +1,7 @@
 name: devcontainer-docker-image
 
+permissions: {}
+
 on:
 workflow_dispatch:
 schedule:
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index fc0f4f7a5e..32cbf4d4cf 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -1,5 +1,7 @@
 name: docker-image
 
+permissions: {}
+
 on:
 release:
 types:
diff --git a/.github/workflows/mypy.yml b/.github/workflows/mypy.yml
index f4e1667dc6..97acc61175 100644
--- a/.github/workflows/mypy.yml
+++ b/.github/workflows/mypy.yml
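Review bot: The new `cooldown` block lives inside one `updates` entry (the one labelled "Github CI/CD"), and a cooldown is configured per entry, so any other ecosystem entries in this file — none are visible in the hunk — still take new releases immediately; confirm each entry that should lag gets its own block. The motivation is only in the commit subject; a comment above the key keeps it with the setting, e.g. `# Hold new releases for a week so a yanked or compromised version is caught before we adopt it`. Whether Dependabot's security updates are also held back by this delay is not stated in the file — worth confirming against the Dependabot docs so a security fix is not delayed unintentionally.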
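Review bot: `permissions: {}` at workflow level leaves every job with a GITHUB_TOKEN that has no scopes unless the job declares its own `permissions`, and the job-level blocks are outside this hunk and the matching hunks in docker-image.yml, mypy.yml, pr-auto-label.yml, publish-release-notes-to-discourse.yml, release.yml, slash_dispatch.yml, tests.yml and zizmor.yml; confirm every job that writes (the image pushes, the labeler, the release and Discourse publishing, the slash-command dispatch) still declares what it needs, otherwise its first write fails at run time. The pr-auto-label.yml case is the most valuable one, since it runs on `pull_request_target` and the job-level grant now bounds what that token can do. A trailing comment on the added line would record the intent for later edits, e.g. `permissions: {}  # default-deny; each job grants only the scopes it needs`.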
@@ -1,5 +1,7 @@
 name: mypy
 
+permissions: {}
+
 on:
 pull_request:
 push:
diff --git a/.github/workflows/pr-auto-label.yml b/.github/workflows/pr-auto-label.yml
index e3ba52d1c4..4149f9d5ad 100644
--- a/.github/workflows/pr-auto-label.yml
+++ b/.github/workflows/pr-auto-label.yml
@@ -1,4 +1,7 @@
 name: "Pull Request Labeler"
+
+permissions: {}
+
 on:
 # The labeler doesn't execute any contributed code, so it should be fairly safe.
 - pull_request_target # zizmor: ignore[dangerous-triggers]
diff --git a/.github/workflows/publish-release-notes-to-discourse.yml b/.github/workflows/publish-release-notes-to-discourse.yml
index 9c09dd2355..2ac445a974 100644
--- a/.github/workflows/publish-release-notes-to-discourse.yml
+++ b/.github/workflows/publish-release-notes-to-discourse.yml
@@ -1,5 +1,7 @@
 name: Publish Release Notes to Discourse
 
+permissions: {}
+
 on:
 release:
 types: [published]
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 468bccd929..ab14c1993c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,5 +1,7 @@
 name: release-pipeline
 
+permissions: {}
+
 on:
 push:
 branches:
diff --git a/.github/workflows/slash_dispatch.yml b/.github/workflows/slash_dispatch.yml
index 8fc1ddf34d..50eb79f759 100644
--- a/.github/workflows/slash_dispatch.yml
+++ b/.github/workflows/slash_dispatch.yml
@@ -1,4 +1,7 @@
 name: Slash Command Dispatch
+
+permissions: {}
+
 on:
 issue_comment:
 types: [created]
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 6474583cea..97b3afcb59 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -1,5 +1,7 @@
 name: tests
 
+permissions: {}
+
 on:
 pull_request:
 push:
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index cb5fd714c1..51a19b1b8f 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -7,6 +7,8 @@ on:
 pull_request:
 branches: ["**"]
 
+permissions: {}
+
 jobs:
 zizmor:
 name: zizmor latest via PyPI
From 1aacabc82cb0cf692101d73de200d3cd2953effd Mon Sep 17 00:00:00 2001
From: Ben Mares
Date: Wed, 12 Nov 2025 15:51:45 +0100
Subject: [PATCH 3/4] Switch Zizmor workflow to use official Action
---
 .github/workflows/zizmor.yml | 22 +++++----------------
 1 file changed, 5 insertions(+), 17 deletions(-)
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index 51a19b1b8f..13a30cbdbf 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -1,5 +1,5 @@
-# https://github.com/woodruffw/zizmor
-name: zizmor GHA analysis
+# Source:
+name: GitHub Actions Security Analysis with zizmor 🌈
 
 on:
 push:
@@ -11,28 +11,16 @@ permissions: {}
 
 jobs:
 zizmor:
- name: zizmor latest via PyPI
 runs-on: ubuntu-latest
 permissions:
 security-events: write
+ contents: read # only needed for private repos
+ actions: read # only needed for private repos
 steps:
 - name: Checkout repository
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
 persist-credentials: false
- - uses: hynek/setup-cached-uv@757bedc3f972eb7227a1aa657651f15a8527c817 # v2.3.0
- - name: Run zizmor 🌈
- run: uvx zizmor --format sarif . > results.sarif
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
- - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
- with:
- # Path to SARIF file relative to the root of the repository
- sarif_file: results.sarif
- # Optional category for the results
- # Used to differentiate multiple results for one commit
- category: zizmor
+ uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0
From d22fc2d40fb437fd8598fee0efa632f2eab9113a Mon Sep 17 00:00:00 2001
From: Ben Mares
Date: Wed, 12 Nov 2025 16:08:58 +0100
Subject: [PATCH 4/4] Tighten a few permissions
---
 .github/workflows/devcontainer-docker-image.yml | 1 -
 .github/workflows/zizmor.yml | 4 ++--
 2 files changed, 2 insertions(+), 3 deletions(-)
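Review bot: The new `# Source:` comment has nothing after the colon, so it documents less than the `# https://github.com/woodruffw/zizmor` line it replaces. If the intent is to point at the action the next hunk adopts, `# Source: https://github.com/zizmorcore/zizmor-action` (the repository behind the new `uses:` reference) completes it; otherwise drop the line.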
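Review bot: In this hunk the new `uses: zizmorcore/zizmor-action@…` line directly follows `persist-credentials: false` while the `- name: Run zizmor 🌈` item is among the removed lines, so it is not visible which step entry the new `uses:` belongs to; confirm in the file that it sits under its own `- name:` item rather than inside the checkout step's mapping, where a second `uses` key would be a duplicate that most YAML parsers resolve silently. The `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` env and the `upload-sarif` step are removed while `security-events: write` is kept, which is consistent with the action uploading results itself, but the hunk does not show that; a comment above the permissions block such as `# the action uploads SARIF to code scanning, which needs security-events: write` records why the scope stays. The SHA pin with a version comment on the new `uses:` line is the right shape. The job's definition continues outside the hunk.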
diff --git a/.github/workflows/devcontainer-docker-image.yml b/.github/workflows/devcontainer-docker-image.yml
index a616d78e4d..59c96586a2 100644
--- a/.github/workflows/devcontainer-docker-image.yml
+++ b/.github/workflows/devcontainer-docker-image.yml
@@ -20,7 +20,6 @@ jobs:
 # Set permissions for GitHub token
 #
 permissions:
- contents: read
 packages: write
 steps:
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index 13a30cbdbf..9a058503af 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -14,8 +14,8 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 security-events: write
- contents: read # only needed for private repos
- actions: read # only needed for private repos
+ # contents: read # only needed for private repos
+ # actions: read # only needed for private repos
 steps:
 - name: Checkout repository
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
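Review bot: `contents: read` is removed from the devcontainer-docker-image job with no recorded reason, whereas the zizmor hunk in the same commit keeps its equivalent lines as `# contents: read # only needed for private repos`; the job's steps are outside this hunk, so if one of them checks the repository out with the token on a private repository or reads the API, the job now fails with only `packages: write` granted. Use the same form here so the reasoning travels with the file, e.g. `# contents: read  # only needed for private repos`, and confirm the steps below were checked against that. In the zizmor hunk the commented-out scopes are a reasonable way to document optional grants; the job definition there starts before the hunk.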