From d090934e1ce6c14ac7756c0e362293b3787f8d90 Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Wed, 4 Feb 2026 11:48:35 +0100
Subject: [PATCH 1/2] zizmor workflow
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
.github/workflows/.zizmor.yml | 61 +++++++++++++++++++++++++++++++++++
1 file changed, 61 insertions(+)
create mode 100644 .github/workflows/.zizmor.yml
diff --git a/.github/workflows/.zizmor.yml b/.github/workflows/.zizmor.yml
new file mode 100644
index 0000000..1559da8
--- /dev/null
+++ b/.github/workflows/.zizmor.yml
@@ -0,0 +1,61 @@
+name: .zizmor
+
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+ contents: read
+
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - 'main'
+ - 'releases/v*'
+ pull_request:
+
+env:
+ ZIZMOR_VERSION: 1.22.0 # https://github.com/zizmorcore/zizmor
+
+jobs:
+ zizmor:
+ runs-on: ubuntu-24.04
+ permissions:
+ contents: read
+ security-events: write
+ env:
+ TMPDIR: /tmp/zizmor
+ steps:
+ -
+ name: Checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ -
+ name: Setup uv
+ uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1
+ with:
+ enable-cache: false
+ -
+ name: Install zizmor
+ run: |
+ set -ex
+ uv tool install zizmor@${ZIZMOR_VERSION}
+ -
+ name: Run zizmor
+ id: zizmor
+ run: |
+ mkdir -p ${TMPDIR}
+ set -ex
+ zizmor --min-severity=medium --min-confidence=medium --persona=pedantic --no-online-audits --format=sarif . > ${TMPDIR}/zizmor.sarif
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ -
+ name: Zizmor crash report
+ if: ${{ failure() && steps.zizmor.conclusion == 'failure' }}
+ run: |
+ cat ${TMPDIR}/report-*.toml
+ -
+ name: Upload SARIF report
+ uses: github/codeql-action/upload-sarif@6bc82e05fd0ea64601dd4b465378bbcf57de0314 # v4.32.1
+ with:
+ sarif_file: ${{ env.TMPDIR }}/zizmor.sarif
+ category: zizmor
From e7ccc69a6e8072186cc2c7e0f227505fe083bcb6 Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Wed, 4 Feb 2026 12:20:17 +0100
Subject: [PATCH 2/2] zizmor: fix issues
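Review bot: The "Run zizmor" step exports `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` to a scan that is invoked with `--no-online-audits`, so as far as I know the token is never consumed (zizmor only needs it for the online audits that query the GitHub API); either drop the step's `env:` block so the token is not exposed to it, or drop `--no-online-audits` so the pinned action refs are actually checked against upstream. Separately, the workflow runs on `pull_request` with `security-events: write`, but for pull requests from forks the GITHUB_TOKEN is read-only, so the SARIF upload will presumably fail there — consider gating that step, e.g. `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`. A minor ordering nit: `mkdir -p ${TMPDIR}` runs before `set -ex`, so a failed mkdir is not fatal; swapping the two lines makes this run block consistent with the install step.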
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
.github/dependabot.yml | 3 +-
.github/workflows/.pr-assign-author.yml | 40 +++++++++++++++++++++++--
.github/workflows/.test-bake.yml | 4 +++
.github/workflows/.test-build.yml | 4 +++
.github/workflows/.zizmor.yml | 4 +++
.github/zizmor.yml | 9 ++++++
6 files changed, 60 insertions(+), 4 deletions(-)
create mode 100644 .github/zizmor.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index d942da5..9761fa1 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,10 +1,11 @@
 version: 2
 updates:
 - package-ecosystem: "github-actions"
- open-pull-requests-limit: 10
 directory: "/"
 schedule:
 interval: "daily"
+ cooldown:
+ default-days: 7
 labels:
 - "area/dependencies"
 - "bot"
diff --git a/.github/workflows/.pr-assign-author.yml b/.github/workflows/.pr-assign-author.yml
index 3f124d2..a806bd9 100644
--- a/.github/workflows/.pr-assign-author.yml
+++ b/.github/workflows/.pr-assign-author.yml
@@ -1,17 +1,51 @@
 name: .pr-assign-author
 
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
 permissions:
 contents: read
 
 on:
- pull_request_target:
+ pull_request_target: # zizmor: ignore[dangerous-triggers] safe to use without checkout
 types:
 - opened
 - reopened
 
 jobs:
- run:
- uses: crazy-max/.github/.github/workflows/pr-assign-author.yml@1b673f36fad86812f538c1df9794904038a23cbf
+ assign-author:
+ runs-on: ubuntu-24.04
 permissions:
 contents: read
 pull-requests: write
+ steps:
+ -
+ name: Assigning author to PR
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+ with:
+ script: |
+ try {
+ const dt = context.payload?.pull_request;
+ if (!dt) {
+ throw new Error(`No pull request payload found, skipping.`);
+ }
+
+ const { assignees, number, user: { login: author, type } } = dt;
+ if (assignees.length > 0) {
+ throw new Error(`Pull request is already assigned to someone, skipping.`);
+ } else if (type !== 'User') {
+ throw new Error(`Not a user, skipping.`);
+ }
+
+ const respAdd = await github.rest.issues.addAssignees({
+ ...context.repo,
+ issue_number: number,
+ assignees: [author]
+ });
+ core.debug(`addAssignees resp: ${JSON.stringify(respAdd, null, 2)}`);
+ if (respAdd.status !== 201) {
+ throw new Error(`Failed to assign @${author} to the pull request #${number}.`);
+ }
+
+ core.info(`@${author} has been assigned to the pull request #${number}`);
+ } catch (e) {
+ core.warning(e.message);
+ }
diff --git a/.github/workflows/.test-bake.yml b/.github/workflows/.test-bake.yml
index 6264422..f568c33 100644
--- a/.github/workflows/.test-bake.yml
+++ b/.github/workflows/.test-bake.yml
@@ -1,5 +1,9 @@
 name: .test-bake
 
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
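Review bot: In the inlined github-script the three expected skip cases (`!dt`, already assigned, author not a `User`) are signalled by `throw`, so they land in the same `catch` as a genuine `addAssignees` failure and are all reported via `core.warning` — a missing `pull-requests: write` grant or an API error is indistinguishable from a routine skip in the run log. github-script wraps the script in an async function, so the skips can `core.info(...)` and `return` early, leaving the `try`/`catch` (with `core.warning`, or `core.setFailed` if a failed assignment should fail the run) for the API call alone. The `pull_request_target` payload values (`author`, `number`) are only passed as API arguments and never interpolated into a shell, which is what makes the `zizmor: ignore[dangerous-triggers]` defensible; saying so in the ignore comment, e.g. `# zizmor: ignore[dangerous-triggers] no checkout; PR data only passed to the API`, would make the exemption self-explaining.

```yaml
          script: |
            const dt = context.payload?.pull_request;
            if (!dt) {
              core.info('No pull request payload found, skipping.');
              return;
            }
            const { assignees, number, user: { login: author, type } } = dt;
            if (assignees.length > 0) {
              core.info('Pull request is already assigned to someone, skipping.');
              return;
            }
            if (type !== 'User') {
              core.info('Not a user, skipping.');
              return;
            }
            try {
              // … unchanged: addAssignees call, status check, debug/info logging …
            } catch (e) {
              core.warning(`Failed to assign @${author} to the pull request #${number}: ${e.message}`);
            }
```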
diff --git a/.github/workflows/.test-build.yml b/.github/workflows/.test-build.yml
index 1775397..aaaebe7 100644
--- a/.github/workflows/.test-build.yml
+++ b/.github/workflows/.test-build.yml
@@ -1,5 +1,9 @@
 name: .test-build
 
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
diff --git a/.github/workflows/.zizmor.yml b/.github/workflows/.zizmor.yml
index 1559da8..56ff04f 100644
--- a/.github/workflows/.zizmor.yml
+++ b/.github/workflows/.zizmor.yml
@@ -4,6 +4,10 @@ name: .zizmor
 permissions:
 contents: read
 
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
 on:
 workflow_dispatch:
 push:
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..efe8dec
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,9 @@
+rules:
+ # rule does not apply to reusable worfklows where permissions are defined by
+ # the caller workflow and not the reusable workflow itself: https://github.com/docker/github-builder/issues/24
+ # https://docs.zizmor.sh/audits/#excessive-permissions
+ excessive-permissions:
+ ignore:
+ - bake.yml
+ - build.yml
+ - verify.yml
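Review bot: The rationale in `.github/zizmor.yml` for ignoring `excessive-permissions` on `bake.yml`, `build.yml` and `verify.yml` — that a reusable workflow's permissions come from the caller — is, as far as I know, only half right: a called workflow cannot elevate the caller's `GITHUB_TOKEN`, but its jobs can still declare a job-level `permissions:` block to narrow it, so the finding is actionable there too. Unless the linked docker/github-builder issue establishes otherwise, adding `permissions: contents: read` (or whatever each job actually needs) to those reusable workflows and dropping the ignore would be the least-privilege fix; if the ignore is kept, the comment should at least record that the job-level downgrade was considered. Also `worfklows` → `workflows` in the first comment line. The .test-build and .zizmor.yml hunks on this line only add a top-level `permissions:` block and a `concurrency` group and look fine.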