pypi · woodruffw · Aug 20, 2025 · Aug 19, 2025 · Aug 20, 2025
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -7,6 +7,8 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   test:
     strategy:
@@ -37,7 +39,7 @@ jobs:
     if: always()
 
     needs:
-    - test
+      - test
 
     runs-on: ubuntu-latest
 

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -6,6 +6,8 @@ on:
       - main
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/listgen.yml b/.github/workflows/listgen.yml
@@ -10,6 +10,8 @@ on:
   schedule:
     - cron: "0 0 * * 2"
 
+permissions: {}
+
 jobs:
   pre-list-legacy:
     strategy:
@@ -49,8 +51,8 @@ jobs:
     strategy:
       matrix:
         python:
-          - "3.7"
-          - "3.8"
+          # - "3.7" # EOL
+          # - "3.8" # EOL
           - "3.9"
 
     runs-on: ubuntu-latest
@@ -124,7 +126,6 @@ jobs:
         with:
           persist-credentials: false
 
-
       - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: ${{ matrix.python }}

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -5,6 +5,8 @@ on:
 
 name: release
 
+permissions: {}
+
 jobs:
   pypi:
     name: upload release to PyPI
@@ -19,21 +21,21 @@ jobs:
       contents: write
 
     steps:
-    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      with:
-        persist-credentials: false
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
-    - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
-      with:
-        python-version: "3.x"
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+        with:
+          python-version: "3.x"
 
-    - name: deps
-      run: python -m pip install -U build
+      - name: deps
+        run: python -m pip install -U build
 
-    - name: build
-      run: python -m build
+      - name: build
+        run: python -m build
 
-    - name: publish
-      uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
-      with:
-        attestations: true
+      - name: publish
+        uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
+        with:
+          attestations: true
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -6,31 +6,19 @@ on:
   pull_request:
     branches: ["**"]
 
+permissions: {}
+
 jobs:
   zizmor:
-    name: zizmor latest via PyPI
+    name: Run zizmor 🌈
     runs-on: ubuntu-latest
     permissions:
       security-events: write
-      # required for workflows in private repositories
-      contents: read
-      actions: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
 
-      - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@d9e0f98d3fc6adb07d1e3d37f3043649ddad06a1 # v6.5.0
-
       - name: Run zizmor 🌈
-        run: uvx zizmor --format sarif . > results.sarif
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@df559355d593797519d70b90fc8edd5db049e7a2 # v3.29.5
-        with:
-          sarif_file: results.sarif
-          category: zizmor
+        uses: zizmorcore/zizmor-action@f52a838cfabf134edcbaa7c8b3677dde20045018 # v0.1.1
-Original file line number
+Diff line change
@@ Expand Up / @@ -6,6 +6,8 @@ on: @@
           - main
       workflow_dispatch:
+    permissions: {}
     jobs:
       build:
         runs-on: ubuntu-latest
@@ Expand Down @@