From: Ben Darnell
Date: Fri, 21 Feb 2025 14:53:14 +0000 (-0500)
Subject: ci: Analyze github action configs with zizmor
X-Git-Tag: v6.5.0b1~24^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F3463%2Fhead;p=thirdparty%2Ftornado.git
ci: Analyze github action configs with zizmor
---
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 3308fb72..a4db3506 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -17,6 +17,8 @@ on:
 workflow_dispatch:
 # Allow this workflow to be run manually (pushing to testpypi instead of pypi)
+permissions: {}
+
 env:
 python-version: '3.9'
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index f00947fa..f601494d 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -9,6 +9,8 @@ name: Test
 on: pull_request
+permissions: {}
+
 jobs:
 # Before starting the full build matrix, run one test configuration
 # and the linter (the `black` linter is especially likely to catch
@@ -103,3 +105,15 @@ jobs:
 - name: Run test suite
 # TODO: figure out what's up with these log messages
 run: py -m tornado.test --fail-if-logs=false
+
+ zizmor:
+ name: Analyze action configs with zizmor
+ runs-on: ubuntu-22.04
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+ - uses: astral-sh/setup-uv@v5
+ name: Install uv
+ - name: Run zizmor
+ run: uvx zizmor .github/workflows
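Review bot: The new top-level `permissions: {}` in build.yml (and the identical line added to test.yml) strips every GITHUB_TOKEN scope from all jobs, and neither hunk shows a job-level `permissions:` block restoring what individual jobs need. The context comment mentions pushing to pypi/testpypi; if the upload jobs authenticate through OIDC trusted publishing they need `id-token: write` at job level, and checkout of a non-public repository would need `contents: read`, so confirm these are declared in the parts of the files outside the hunks. I would also add a comment above the line, such as `# No token scopes by default; each job must request the ones it needs.`, so that the next job added does not fail at checkout or publish with an opaque permission error.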
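Review bot: The zizmor job in test.yml runs unpinned code at three points: `actions/checkout@v4` and `astral-sh/setup-uv@v5` are mutable tags, and `uvx zizmor` resolves whichever release is newest at run time. A retagged action or a new zizmor release therefore changes what executes in CI without any change in this repository, and newly added audits can turn the job red on unrelated pull requests. Pin the actions to full commit SHAs with the tag as a trailing comment, e.g. `- uses: astral-sh/setup-uv@<full-commit-sha>  # v5`, and pin the tool with `run: uvx zizmor@<pinned-version> .github/workflows`. The job inherits the empty workflow-level `permissions: {}` and sets `persist-credentials: false`, which is the right baseline; the `jobs:` mapping it is appended to starts outside the hunk.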