From d5645835317caa2ed4272831abf9e6377e8e9087 Mon Sep 17 00:00:00 2001
From: Ben Darnell
Date: Fri, 21 Feb 2025 09:53:14 -0500
Subject: [PATCH] ci: Analyze github action configs with zizmor
---
 .github/workflows/build.yml | 2 ++
 .github/workflows/test.yml | 14 ++++++++++++++
 2 files changed, 16 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 3308fb72f..a4db35068 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -17,6 +17,8 @@ on: workflow_dispatch: # Allow this workflow to be run manually (pushing to testpypi instead of pypi)
+permissions: {}
+
 env: python-version: '3.9'
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index f00947fa3..f601494da 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -9,6 +9,8 @@ name: Test on: pull_request
+permissions: {}
+
 jobs: # Before starting the full build matrix, run one test configuration # and the linter (the `black` linter is especially likely to catch
@@ -103,3 +105,15 @@ jobs: - name: Run test suite # TODO: figure out what's up with these log messages run: py -m tornado.test --fail-if-logs=false
+
+ zizmor:
+ name: Analyze action configs with zizmor
+ runs-on: ubuntu-22.04
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+ - uses: astral-sh/setup-uv@v5
+ name: Install uv
+ - name: Run zizmor
+ run: uvx zizmor .github/workflows
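Review bot: The top-level `permissions: {}` added to build.yml (and the identical line added to test.yml) has no comment saying why it is there or how a job gets a scope back. I would put `# Default-deny: GITHUB_TOKEN gets no scopes; a job that needs one declares its own permissions block.` directly above it in both files. The jobs of build.yml lie outside this hunk, so it cannot be confirmed from here whether any of them, for instance the upload to pypi/testpypi, needs a job-level grant such as `id-token: write` or `contents: read`; that is worth checking with a manual `workflow_dispatch` run before the next release.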
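Review bot: In the new `zizmor` job, `uvx zizmor .github/workflows` resolves whichever zizmor release is newest at run time, and `actions/checkout@v4` and `astral-sh/setup-uv@v5` are referenced by movable tags. A new analyzer release can therefore start failing unrelated pull requests, and a retagged action would run in this job without any change to the repository. I would pin the tool, `run: uvx zizmor@<pinned-version> .github/workflows`, and reference the third-party action by full commit SHA, `uses: astral-sh/setup-uv@<full-commit-sha>  # v5`. The job inherits the empty workflow-level permissions and sets `persist-credentials: false`, which limits the impact, so this is hardening rather than a blocker.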