From: Ben Darnell Date: Tue, 22 Apr 2025 19:07:23 +0000 (-0400) Subject: ci: Add zizmor config file X-Git-Tag: v6.5.0b1~12^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F3484%2Fhead;p=thirdparty%2Ftornado.git ci: Add zizmor config file This restores behavior of version 1.5.2 to be more lenient for pypa and astral-sh repos. --- diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 00000000..a71e19fa --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,14 @@ +rules: + unpinned-uses: + config: + policies: + # Allow trusted repositories to use ref-pinning instead of hash-pinning. + # + # Defaults, from + # https://github.com/woodruffw/zizmor/blob/7b4e76e94be2f4d7b455664ba5252b2b4458b91d/src/audit/unpinned_uses.rs#L172-L193 + actions/*: ref-pin + github/*: ref-pin + dependabot/*: ref-pin + # Additional trusted repositories + pypa/*: ref-pin + astral-sh/setup-uv: ref-pin \ No newline at end of file
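Review bot: The `pypa/*` policy in this hunk is broader than the `astral-sh/setup-uv` entry just below it, which names a single action rather than a whole org; if the workflows only use one or two pypa actions, listing them explicitly (in the same form as `astral-sh/setup-uv: ref-pin`) would keep the ref-pin exception to the actions actually relied on, since every repo matching the wildcard is exempted from hash-pinning. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth adding so later edits to the policy list produce clean diffs.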