From 9d5c5b8e2cf929e07032eef489b91e2bf6032fde Mon Sep 17 00:00:00 2001 From: Michael Seifert Date: Thu, 15 May 2025 06:36:35 +0200 Subject: [PATCH 1/9] ci: Pin third-party actions to a commit hash. This detects changed action code for the same tag. --- .github/workflows/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 89d990ac..c30bbd42 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -102,7 +102,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Decide whether the needed jobs succeeded or failed - uses: re-actors/alls-green@release/v1 + uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2 with: jobs: ${{ toJSON(needs) }} - uses: actions/checkout@v4 @@ -124,7 +124,7 @@ jobs: coverage combine coverage xml - name: Upload coverage report - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 with: files: coverage.xml fail_ci_if_error: true @@ -184,7 +184,7 @@ jobs: run: | tree dist - name: PyPI upload - uses: pypa/gh-action-pypi-publish@v1.12.4 + uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4 with: attestations: true packages-dir: dist @@ -195,7 +195,7 @@ jobs: name: release-notes.md path: release-notes.md - name: GitHub Release - uses: ncipollo/release-action@v1 + uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # v1.16.0 with: name: pytest-asyncio ${{ needs.lint.outputs.version }} artifacts: dist/* From 6791c49164c2d21ef6d3780f57d3b1ac7a74c1d3 Mon Sep 17 00:00:00 2001 From: Michael Seifert Date: Thu, 15 May 2025 06:41:28 +0200 Subject: [PATCH 2/9] ci: Avoid persisting credentials in the checkout action. see https://docs.zizmor.sh/audits/#artipacked --- .github/workflows/main.yml | 6 ++++++ 1 file changed, 6 insertions(+) 
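Review bot: The hash pin for `re-actors/alls-green` sits two lines above `actions/checkout@v4`, which stays on a movable tag; zizmor's default `unpinned-uses` policy accepts tag refs for the `actions/*` org, but a tag is still a mutable pointer, and the `actions/*` steps are the ones that run with the job's token. Consider pinning every `uses:` line the same way, e.g. `uses: actions/checkout@<sha> # v4.x.y`, rather than only the third-party actions named in the commit message. The trailing `# v1.2.2`-style comments are what Dependabot and Renovate read to bump a hash pin, so they must be kept in sync with the SHA; if the repository has no `github-actions` update config (none is visible in this series), these pins will quietly go stale.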
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index c30bbd42..ca602d88 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -24,6 +24,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - uses: actions/setup-python@v5 with: python-version: ${{ env.PYTHON_LATEST }} @@ -75,6 +76,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-python@v5 with: python-version: ${{ matrix.python-version }} @@ -106,6 +109,8 @@ jobs: with: jobs: ${{ toJSON(needs) }} - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-python@v5 with: python-version: ${{ env.PYTHON_LATEST }} @@ -139,6 +144,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Install Python uses: actions/setup-python@v5 - name: Install towncrier From 81a5273b76776d2a5acca6396af37b9181f26dc7 Mon Sep 17 00:00:00 2001 From: Michael Seifert Date: Thu, 15 May 2025 06:52:18 +0200 Subject: [PATCH 3/9] ci: Narrow permissions of Github Actions. see https://docs.zizmor.sh/audits/#excessive-permissions --- .github/workflows/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index ca602d88..efe31827 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -10,6 +10,8 @@ on: merge_group: workflow_dispatch: +permissions: {} + env: PYTHON_LATEST: 3.13 @@ -180,6 +182,8 @@ jobs: if: github.event_name == 'push' && contains(github.ref, 'refs/tags/') needs: [lint, check, prepare-release-notes] runs-on: ubuntu-latest + permissions: + id-token: write steps: - name: Download distributions uses: actions/download-artifact@v4 From 4af8586e34cfc70c40786545ad3c98f7df0e9ec0 Mon Sep 17 00:00:00 2001 
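Review bot: With `permissions: {}` at the workflow level and the release job granted only `id-token: write`, the job's `GITHUB_TOKEN` has no `contents` scope, so the `GitHub Release` step in this same job (`ncipollo/release-action`, visible in patch 1) will be refused when it creates the release, unless a `token:` input outside the visible hunk supplies a PAT. The fix is to widen the job-level grant: `permissions:` / `  id-token: write` / `  contents: write`. `id-token: write` alone is correct for the PyPI upload with `attestations: true`, so the narrowing is otherwise sound. The job's `steps:` list continues past the end of the hunk.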
From: Michael Seifert Date: Thu, 15 May 2025 06:55:29 +0200 Subject: [PATCH 4/9] ci: Silence zizmore warning about not using trusted publishing. This is already tracked in #700 --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index efe31827..06191c77 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -194,7 +194,7 @@ jobs: run: | tree dist - name: PyPI upload - uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4 + uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4 # zizmor: ignore[use-trusted-publishing] # see #700 with: attestations: true packages-dir: dist From 7583d225b3c4ceea72c01d8a5ac1f2ee9753a671 Mon Sep 17 00:00:00 2001 From: Michael Seifert Date: Thu, 15 May 2025 06:59:18 +0200 Subject: [PATCH 5/9] ci: Avoid template expression in Bash script for assembling release notes. --- .github/workflows/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 06191c77..0d424beb 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -158,7 +158,9 @@ jobs: run: pip install . - name: Compile Release Notes Draft if: ${{ !contains(github.ref, 'refs/tags/') }} - run: towncrier build --draft --version "${{ needs.lint.outputs.version }}" > release-notes.rst + run: towncrier build --draft --version "${version}" > release-notes.rst + env: + version: ${{ needs.lint.outputs.version }} - name: Extract release notes from Git tag if: github.event_name == 'push' && contains(github.ref, 'refs/tags/') run: | From 6adaba40f3bf4947249e7d71a65384c0e8cdd77c Mon Sep 17 00:00:00 2001 From: Michael Seifert Date: Thu, 15 May 2025 06:59:27 +0200 Subject: [PATCH 6/9] build: Add zizmor to the pre-commit hooks. --- .pre-commit-config.yaml | 4 ++++ 1 file changed, 4 insertions(+) 
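Review bot: Passing `needs.lint.outputs.version` through `env:` is the right fix, but the variable is named in lowercase (`version`), which reads like a shell local rather than an injected environment variable; the conventional `VERSION` makes the indirection obvious: `run: towncrier build --draft --version "${VERSION}" > release-notes.rst` with `env:` / `  VERSION: ${{ needs.lint.outputs.version }}`. Keeping the expansion double-quoted, as done here, is what actually stops a crafted output from being split into extra arguments. The following step, `Extract release notes from Git tag`, has a `run: |` body that starts after the hunk ends; if it also interpolates `${{ ... }}` (for example `github.ref`), it needs the same `env:` treatment.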
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 959d43ec..38d06dd0 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -74,6 +74,10 @@ repos: - id: pyproject-fmt # https://pyproject-fmt.readthedocs.io/en/latest/#calculating-max-supported-python-version additional_dependencies: [tox>=4.9] +- repo: https://github.com/zizmorcore/zizmor-pre-commit + rev: v1.7.0 + hooks: + - id: zizmor ci: skip: - actionlint-docker From c60f3c7ef0ea1d926ca6a10857c857197e2c9df9 Mon Sep 17 00:00:00 2001 From: Michael Seifert Date: Thu, 15 May 2025 07:05:00 +0200 Subject: [PATCH 7/9] ci: Add linting job with GitHub Actions with zizmor. --- .github/workflows/main.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 0d424beb..eae98219 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -100,6 +100,12 @@ jobs: path: coverage/coverage.* if-no-files-found: error + lint-github-actions: + name: Lint GitHub Actions + permissions: + security-events: write + uses: zizmorcore/workflow/.github/workflows/reusable-zizmor.yml@1ae473d8672fe7613e809d86d202a35063736e16 + check: name: Check if: always() From d6e646deec7ab338523b8c8766a92b0d84c2be6c Mon Sep 17 00:00:00 2001 From: Michael Seifert Date: Tue, 24 Jun 2025 06:06:51 +0200 Subject: [PATCH 8/9] ci: Update zizmor workflow. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: 🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко) --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index eae98219..5fea86c5 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
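Review bot: The reusable workflow is pinned to a bare SHA with no `# vX.Y.Z` comment, unlike the pins introduced in patch 1; without the comment Dependabot/Renovate cannot bump this pin and a reader cannot tell which release of the zizmor workflow it is, so add `# v<tag>` after the hash, matching the tag the SHA was taken from. The job grants `security-events: write` to third-party code, which is what the SARIF upload needs; for a private repository the workflow would also need `contents: read` and `actions: read`, which this job-level `permissions:` block sets to none — not a problem for a public repo. The `check:` job below only gates on the jobs named in its `needs:` list (outside the hunk), so confirm `lint-github-actions` is added there, assuming the reusable workflow exits non-zero on findings; otherwise a zizmor failure will not block the merge gate.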
@@ -104,7 +104,7 @@ jobs: name: Lint GitHub Actions permissions: security-events: write - uses: zizmorcore/workflow/.github/workflows/reusable-zizmor.yml@1ae473d8672fe7613e809d86d202a35063736e16 + uses: zizmorcore/workflow/.github/workflows/reusable-zizmor.yml@3bb5e95068d0f44b6d2f3f7e91379bed1d2f96a8 check: name: Check From 3ad8609de6aa48d6bb73bf60642007c8a2351d62 Mon Sep 17 00:00:00 2001 From: Michael Seifert Date: Tue, 24 Jun 2025 06:05:21 +0200 Subject: [PATCH 9/9] ci: Remove obsolete password from PyPI upload. --- .github/workflows/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 5fea86c5..05026310 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -206,7 +206,6 @@ jobs: with: attestations: true packages-dir: dist - password: ${{ secrets.PYPI_API_TOKEN }} - name: Download Release Notes uses: actions/download-artifact@v4 with:
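Review bot: Dropping `password:` makes `pypa/gh-action-pypi-publish` fall back to OIDC trusted publishing, so the next tag push will fail at upload unless a trusted publisher for this repository, workflow file and job is already registered on PyPI — worth confirming before merging, since the release job has no fallback. Two follow-ups belong with this change: the now-unused `PYPI_API_TOKEN` secret should be revoked on PyPI and deleted from the repository, and the `# zizmor: ignore[use-trusted-publishing] # see #700` suppression added in patch 4 on this step's `uses:` line is now stale and should be removed so the audit runs again. PyPI also recommends binding the trusted publisher to a GitHub environment; adding `environment: pypi` to the release job (outside the hunk) lets the publisher be scoped to that environment and protected by required reviewers. The job's `permissions:` and `steps:` start above the hunk.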