From 9683665b3cc25c947c7523d7b3c0373c93c8e1b4 Mon Sep 17 00:00:00 2001
From: Ben Darnell
Date: Tue, 22 Apr 2025 15:07:23 -0400
Subject: [PATCH] ci: Add zizmor config file

This restores behavior of version 1.5.2 to be more lenient for pypa and astral-sh repos.
---
 .github/zizmor.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 .github/zizmor.yml

diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 00000000..a71e19fa
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,14 @@
+rules:
+ unpinned-uses:
+ config:
+ policies:
+ # Allow trusted repositories to use ref-pinning instead of hash-pinning.
+ #
+ # Defaults, from
+ # https://github.com/woodruffw/zizmor/blob/7b4e76e94be2f4d7b455664ba5252b2b4458b91d/src/audit/unpinned_uses.rs#L172-L193
+ actions/*: ref-pin
+ github/*: ref-pin
+ dependabot/*: ref-pin
+ # Additional trusted repositories
+ pypa/*: ref-pin
+ astral-sh/setup-uv: ref-pin
\ No newline at end of file
--
2.47.2
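Review bot: `pypa/*: ref-pin` in the added policies exempts every action under that org from hash-pinning, whereas the `astral-sh/setup-uv: ref-pin` entry on the next line is scoped to a single action; narrowing the pypa entry to the action(s) the workflows actually use (presumably `pypa/gh-action-pypi-publish` — confirm against the repository's `.github/workflows`) keeps the exemption as small as the "trusted repositories" comment implies. Because `ref-pin` accepts mutable tags and branches, which is what the `unpinned-uses` audit exists to flag, the `# Additional trusted repositories` comment would be more useful if it recorded the reason hash-pinning is not used for these two, e.g. `# ref-pin accepted because <reason>; revisit when hash-pinning these is practical`, so the next reader can judge whether the exception still holds. The new file also lacks a trailing newline, per the `\ No newline at end of file` marker.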