From 92476cfae639d442283682a0346d05f8130f9b77 Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Tue, 26 May 2026 22:19:37 +0200
Subject: [PATCH 1/3] Add zizmor to pre-commit and fix findings

---
 .github/dependabot.yml     |  7 +++++++
 .github/workflows/ci.yml   |  8 +++++---
 .github/workflows/lint.yml |  8 +++++---
 .pre-commit-config.yaml    | 11 ++++++++---
 4 files changed, 25 insertions(+), 9 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 23f03616cf..1c0343afa3 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -10,6 +10,11 @@ updates:
       actions:
         patterns:
           - "*"
+    cooldown:
+      # https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns
+      # Cooldowns protect against supply chain attacks by avoiding the
+      # highest-risk window immediately after new releases.
+      default-days: 14
 
   - package-ecosystem: pip
     directory: "/"
@@ -21,3 +26,5 @@ updates:
       pip:
         patterns:
           - "*"
+    cooldown:
+      default-days: 14
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 723151d189..e60db2ddca 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,12 +14,14 @@ jobs:
     timeout-minutes: 10
 
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-python@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: "3"
       - name: Install uv
-        uses: hynek/setup-cached-uv@v2
+        uses: hynek/setup-cached-uv@4300ec2180bc77d705e626a34e381b81a4772c51 # v2.5.0
       - name: Build docs
         run: make html
       - name: Link check
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 6519953670..6bae7bbdea 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
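Review bot: The 14-day cooldown added to the github-actions block also delays releases that fix a vulnerability in a pinned action, and the pip block at `@@ -21,3 +26,5 @@` repeats `default-days: 14` without the rationale comment. Dependabot's cooldown supports `exclude:` for packages that should bypass the wait, and whether Dependabot security updates are exempt from the cooldown should be confirmed against current docs rather than assumed. A one-line comment on the pip block such as `# Same cooldown rationale as the github-actions block above` would keep the two entries in step.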
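Review bot: The setup-python step in ci.yml asks for `python-version: "3"` while the same step in lint.yml asks for `"3.x"`; both resolve to the latest 3.x, so one spelling across the two workflows, e.g. `python-version: "3.x"`, avoids readers wondering whether the difference is deliberate. The hunk does not show a top-level `permissions:` for ci.yml; if the file lacks one, the workflow runs with default token permissions, and `permissions: {}` as lint.yml already declares is the usual fix, which zizmor would also report. The `# v6.0.2`-style comments next to the SHAs are what Dependabot updates along with the pin, so they should stay attached to the `uses:` lines. The job's step list continues past the end of the hunk.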
@@ -10,8 +10,10 @@ jobs:
     timeout-minutes: 10
 
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-python@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: "3.x"
-      - uses: pre-commit/action@v3.0.1
+      - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index c5beee4a37..07fdda903c 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.5.7
+    rev: v0.15.14
     hooks:
       - id: ruff
         name: Run Ruff (lint)
@@ -9,7 +9,7 @@ repos:
         name: Run Ruff (format)
 
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.5.0
+    rev: v6.0.0
     hooks:
       - id: check-case-conflict
       - id: check-merge-conflict
@@ -18,8 +18,13 @@ repos:
       - id: end-of-file-fixer
       - id: trailing-whitespace
 
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: v1.25.2
+    hooks:
+      - id: zizmor
+
   - repo: https://github.com/sphinx-contrib/sphinx-lint
-    rev: v0.9.1
+    rev: v1.0.2
     hooks:
       - id: sphinx-lint
         args: [--enable=default-role]

From a2b3a3c680fa11070979552d009d3f2d2236c6d0 Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Tue, 26 May 2026 22:20:53 +0200
Subject: [PATCH 2/3] Add handy env vars

---
 .github/workflows/lint.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 6bae7bbdea..ab229a13d6 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -4,6 +4,10 @@ on: [push, pull_request, workflow_dispatch]
 
 permissions: {}
 
+env:
+  FORCE_COLOR: 1
+  RUFF_OUTPUT_FORMAT: github
+
 jobs:
   lint:
     runs-on: ubuntu-latest

From ea5ef9de799fee9b72c3c00f610c80e6002f0892 Mon Sep 17 00:00:00 2001
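Review bot: The new zizmor entry in `.pre-commit-config.yaml` (`@@ -18,8 +18,13 @@`) carries no comment saying what it checks, unlike the rationale left next to the Dependabot cooldown; a line above it such as `# Static analysis of .github/workflows: unpinned actions, permissions, credential persistence` would tell the next maintainer why a workflow linter lives in the pre-commit config. The `rev:` values for all four pre-commit repos remain tags, which are mutable, whereas the workflows in this same commit moved to commit SHAs; pre-commit accepts a full SHA in `rev:`, but `pre-commit autoupdate` typically rewrites it to the latest tag, so staying on tags is a defensible trade-off that deserves a one-line comment rather than silence. Because the hook also runs in lint.yml, zizmor findings now fail CI, which appears to be the intended gate.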
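Review bot: `FORCE_COLOR: 1` in the new workflow-level `env:` block is a YAML integer that Actions stringifies on export; writing it as `FORCE_COLOR: "1"` states the intent explicitly and matches the quoted `python-version: "3.x"` style used elsewhere in the file. Both variables are exported to every step of every job, including the third-party checkout and setup-python actions, which is harmless for these two but worth keeping in mind if job-specific values are added to this block later. Placing the block after `permissions: {}` keeps the locked-down permissions declaration visible at the top of the file.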
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Tue, 26 May 2026 22:22:53 +0200
Subject: [PATCH 3/3] Replace pre-commit with prek to remove Node.js 20 deprecation warning

---
 .github/workflows/lint.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index ab229a13d6..ab3911a36d 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -20,4 +20,4 @@ jobs:
       - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: "3.x"
-      - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
+      - uses: j178/prek-action@cbc2f23eb5539cf20d82d1aabd0d0ecbcc56f4e3 # v2.0.2
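Review bot: The switch to `j178/prek-action` replaces an action published under the pre-commit organisation with one from an individual maintainer's repository, a change of publisher that the commit message does not record alongside the Node.js 20 rationale; a sentence in the description such as `prek-action is a third-party action; pinned to a commit SHA and covered by the Dependabot cooldown` documents the trust decision for later audits. The SHA pin with the `# v2.0.2` comment follows the convention of the other steps, so Dependabot will keep it current. Whether prek-action preserves the hook-environment caching that `pre-commit/action` provided is not visible in this hunk and is worth confirming so the lint job does not reinstall every hook on each run.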