From 603f5fb7b9573eb2be90d61beb121977adc612a3 Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Tue, 19 Aug 2025 19:23:15 -0400
Subject: [PATCH 1/2] chore(ci): clean up, drop old EOL Pythons
---
 .github/workflows/ci.yml | 4 +++-
 .github/workflows/docs.yml | 2 ++
 .github/workflows/listgen.yml | 7 ++++---
 .github/workflows/release.yml | 30 ++++++++++++++++--------------
 .github/workflows/zizmor.yml | 22 +++++-----------------
 5 files changed, 30 insertions(+), 35 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index de00e08..8d556b2 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,6 +7,8 @@ on:
 pull_request:
 workflow_dispatch:
+permissions: {}
+
 jobs:
 test:
 strategy:
@@ -37,7 +39,7 @@ jobs:
 if: always()
 needs:
- - test
+ - test
 runs-on: ubuntu-latest
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 2431bfd..84eb735 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -6,6 +6,8 @@ on:
 - main
 workflow_dispatch:
+permissions: {}
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/listgen.yml b/.github/workflows/listgen.yml
index f2d4399..db69f45 100644
--- a/.github/workflows/listgen.yml
+++ b/.github/workflows/listgen.yml
@@ -10,6 +10,8 @@ on:
 schedule:
 - cron: "0 0 * * 2"
+permissions: {}
+
 jobs:
 pre-list-legacy:
 strategy:
@@ -49,8 +51,8 @@ jobs:
 strategy:
 matrix:
 python:
- - "3.7"
- - "3.8"
+ # - "3.7" # EOL
+ # - "3.8" # EOL
 - "3.9"
 runs-on: ubuntu-latest
@@ -124,7 +126,6 @@ jobs:
 with:
 persist-credentials: false
-
 - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
 with:
 python-version: ${{ matrix.python }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a2f34b2..0d7b502 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,6 +5,8 @@ on:
 name: release
+permissions: {}
+
 jobs:
 pypi:
 name: upload release to PyPI
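Review bot: The new top-level `permissions: {}` in ci.yml has no comment saying that it is a deny-all default and that every job must now declare its own scopes; the same applies to the identical additions in docs.yml, listgen.yml, release.yml and zizmor.yml. With `{}` at workflow level the GITHUB_TOKEN gets no scopes unless a job grants them, and none of these hunks shows the job-level `permissions:` blocks. It is worth confirming that each job that pushes, deploys, uploads or publishes declares what it needs. I would add a line above each one such as `# Deny by default; each job declares only the scopes it needs.`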
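Review bot: In the listgen.yml matrix hunk the 3.7 and 3.8 entries are commented out (`# - "3.7" # EOL`) rather than deleted, which leaves dead configuration inside the matrix. Version control already keeps the history, so I would drop the two lines or replace them with a single comment such as `# 3.7 and 3.8 dropped: end-of-life`. The job this matrix belongs to starts above the hunk, so I cannot see whether later steps still assume those versions are present.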
@@ -19,21 +21,21 @@ jobs:
 contents: write
 steps:
- - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- with:
- persist-credentials: false
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
- - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
- with:
- python-version: "3.x"
+ - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+ with:
+ python-version: "3.x"
- - name: deps
- run: python -m pip install -U build
+ - name: deps
+ run: python -m pip install -U build
- - name: build
- run: python -m build
+ - name: build
+ run: python -m build
- - name: publish
- uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
- with:
- attestations: true
+ - name: publish
+ uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
+ with:
+ attestations: true
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index 8ecdb83..ee656d7 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -6,31 +6,19 @@ on: pull_request: branches: ["**"] +permissions: {} + jobs: zizmor: - name: zizmor latest via PyPI + name: Run zizmor 🌈 runs-on: ubuntu-latest permissions: security-events: write - # required for workflows in private repositories - contents: read - actions: read steps: - name: Checkout repository - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - - name: Install the latest version of uv - uses: astral-sh/setup-uv@d9e0f98d3fc6adb07d1e3d37f3043649ddad06a1 # v6.5.0 - - name: Run zizmor 🌈 - run: uvx zizmor --format sarif . > results.sarif - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@df559355d593797519d70b90fc8edd5db049e7a2 # v3.29.5 - with: - sarif_file: results.sarif - category: zizmor + uses: zizmorcore/zizmor-action@f52a838cfabf134edcbaa7c8b3677dde20045018 # v0.1.1 From aa10573830d0aa304fc8a0aa375ba098cd269be6 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 19 Aug 2025 22:51:56 -0400 Subject: [PATCH 2/2] rebump checkout --- .github/workflows/zizmor.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index ee656d7..6caae81 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -16,7 +16,7 @@ jobs: security-events: write steps: - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false
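Review bot: The job-level `permissions:` block in zizmor.yml now grants only `security-events: write`, and the removed comment was the only place recording that `contents: read` and `actions: read` are needed when the repository is private. Combined with the new top-level `permissions: {}`, the checkout step and the SARIF upload would likely fail if this workflow ever ran in a private repository or private fork. For a public repository this is the tighter and preferable setting. I would keep a one-line reminder under `security-events: write`, for example `# add contents: read and actions: read if this repository is private`.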