Add zizmor and harden GitHub Actions workflows

.github/workflows/docs.yml

@@ -10,6 +10,9 @@ on:
 env:
   FORCE_COLOR: 1
 
+permissions:
+  contents: read
+
 jobs:
   Docs:
     uses: tskit-dev/.github/.github/workflows/docs.yml@v17

.github/workflows/lint.yml

@@ -4,6 +4,9 @@ on:
   pull_request:
   merge_group:
 
+permissions:
+  contents: read
+
 jobs:
   Lint:
     uses: tskit-dev/.github/.github/workflows/lint.yml@v17

.github/workflows/release-c.yml

@@ -8,16 +8,24 @@ on:
 env:
   FORCE_COLOR: 1
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v6.0.2
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7.0.0
+        with:
+          persist-credentials: false
       - name: Install uv
-        uses: astral-sh/setup-uv@v6
+        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39  # v8.2.0
         with:
           version: "0.10.0"
+          enable-cache: false
       - name: Install system deps
         run: |
           sudo apt-get update
@@ -34,7 +42,7 @@ jobs:
           meson c build-gcc
           meson dist -C build-gcc
       - name: C Release
-        uses: softprops/action-gh-release@v2.5.0
+        uses: softprops/action-gh-release@718ea10b132b3b2eba29c1007bb80653f286566b  # v3.0.1 # zizmor: ignore[superfluous-actions] intentionally use the maintained release action rather than a bespoke gh release script
         if: startsWith(github.ref, 'refs/tags/') && contains(github.event.ref, 'C_')
         with:
           draft: True

.github/workflows/tests.yml

@@ -9,6 +9,9 @@ on:
 env:
   FORCE_COLOR: 1
 
+permissions:
+  contents: read
+
 jobs:
 
   packaging:
@@ -23,15 +26,15 @@ jobs:
     uses: tskit-dev/.github/.github/workflows/c-tests.yml@v17
     with:
       library-directory: c
-    secrets: inherit
+    secrets: inherit  # zizmor: ignore[secrets-inherit] trusted first-party tskit-dev reusable workflow; needs CODECOV_TOKEN
 
   test-python-c:
     name: Python-C tests
     uses: tskit-dev/.github/.github/workflows/python-c-tests.yml@v17
     with:
       tests: python/tests/test_python_c.py python/tests/test_dict_encoding.py
       pyproject-directory: python
-    secrets: inherit
+    secrets: inherit  # zizmor: ignore[secrets-inherit] trusted first-party tskit-dev reusable workflow; needs CODECOV_TOKEN
 
 
   test:
@@ -42,7 +45,7 @@ jobs:
       python-version: ${{ matrix.python }}
       pyproject-directory: python
       coverage-directory: python/tskit
-    secrets: inherit
+    secrets: inherit  # zizmor: ignore[secrets-inherit] trusted first-party tskit-dev reusable workflow; needs CODECOV_TOKEN
     strategy:
       matrix:
         python: [ 3.11, 3.13 ]
@@ -62,15 +65,17 @@ jobs:
         shell: msys2 {0}
     steps:
     - name: Cancel Previous Runs
-      uses: styfle/cancel-workflow-action@0.13.0
+      uses: styfle/cancel-workflow-action@d07a454dad7609a92316b57b23c9ccfd4f59af66  # 0.13.1
       with:
         access_token: ${{ github.token }}
 
     - name: 'Checkout'
-      uses: actions/checkout@v6.0.2
+      uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7.0.0
+      with:
+        persist-credentials: false
 
     - name: Setup MSYS2 ${{matrix.sys}}
-      uses: msys2/setup-msys2@v2.27.0
+      uses: msys2/setup-msys2@66cd2cce69caa17b53920067426061ca1de3a884  # v2.32.0
       with:
         msystem: ${{matrix.sys}}
         update: true
@@ -98,17 +103,18 @@ jobs:
 
     steps:
       - name: Cancel Previous Runs
-        uses: styfle/cancel-workflow-action@0.13.0
+        uses: styfle/cancel-workflow-action@d07a454dad7609a92316b57b23c9ccfd4f59af66  # 0.13.1
         with:
           access_token: ${{ github.token }}
 
       - name: Checkout
-        uses: actions/checkout@v6.0.2
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7.0.0
         with:
           submodules: true
+          persist-credentials: false
 
       - name: Install uv and set the python version
-        uses: astral-sh/setup-uv@v6
+        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39  # v8.2.0
         with:
           python-version: 3.11
           version: "0.10.0"
@@ -132,7 +138,7 @@ jobs:
             python/tests/test_jit.py
 
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v7.0.0
+        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f  # v7.0.0
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           fail_ci_if_error: true
@@ -158,22 +164,23 @@ jobs:
 
     steps:
       - name: Cancel Previous Runs
-        uses: styfle/cancel-workflow-action@0.13.0
+        uses: styfle/cancel-workflow-action@d07a454dad7609a92316b57b23c9ccfd4f59af66  # 0.13.1
         with:
           access_token: ${{ github.token }}
 
       - name: Checkout
-        uses: actions/checkout@v6.0.2
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7.0.0
         with:
           submodules: true
+          persist-credentials: false
 
       - name: Install system deps
         run: |
           sudo apt-get update
           sudo apt-get install -y libcunit1-dev ninja-build clang
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v6
+        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39  # v8.2.0
         with:
           version: "0.10.0"
 

.github/workflows/wheels.yml

@@ -6,6 +6,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: read
+
 jobs:
   build-wheels:
     if: "!startsWith(github.ref, 'refs/tags/C_')"
@@ -21,7 +24,7 @@ jobs:
       id-token: write
     steps:
       - name: Download artifacts
-        uses: actions/download-artifact@v7.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
         with:
           pattern: build-*
           path: dist
@@ -32,11 +35,11 @@ jobs:
 
       - name: Publish distribution to Test PyPI
         if: github.event_name == 'push' && github.ref_name == 'test-publish'
-        uses: pypa/gh-action-pypi-publish@v1.13.0
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b  # v1.14.0
         with:
           repository-url: https://test.pypi.org/legacy/
           verbose: true
 
       - name: Publish distribution to Production PyPI
         if: github.event_name == 'release'
-        uses: pypa/gh-action-pypi-publish@v1.13.0
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b  # v1.14.0

.github/zizmor.yml

@@ -0,0 +1,9 @@
+# zizmor configuration for tskit-dev repos.
+# Third-party actions must be hash-pinned; first-party tskit-dev reusable
+# workflows are trusted and may stay pinned to a version tag (e.g. @v17).
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        tskit-dev/*: ref-pin
+        "*": hash-pin

prek.toml

@@ -53,3 +53,16 @@ hooks = [
     verbose = true,
   },
 ]
+
+[[repos]]
+repo = "local"
+hooks = [
+  {
+    id = "zizmor",
+    name = "zizmor",
+    language = "system",
+    entry = "uv run --project=python --only-group=lint zizmor",
+    files = "^\\.github/workflows/.*\\.ya?ml$",
+    pass_filenames = true,
+  },
+]

python/pyproject.toml

@@ -114,6 +114,7 @@ lint = [
     "clang-format==21.1.8",
     "ruff==0.15.1",
     "prek==0.3.3",
+    "zizmor==1.26.1",
 ]
 
 dev = [