From 938783824955c5ce351b767b756eac2ffadc61c6 Mon Sep 17 00:00:00 2001 From: Techassi Date: Thu, 15 Jan 2026 16:50:09 +0100 Subject: [PATCH 1/2] feat: Add zizmor pre-commit hook --- .pre-commit-config.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index cf87cb1..0f11990 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -33,6 +33,12 @@ repos: hooks: - id: actionlint + - repo: https://github.com/zizmorcore/zizmor-pre-commit + rev: 7fc963270df722f37707d47ff41265fe8f460822 # v1.20.0 + hooks: + - id: zizmor + args: ["--no-progress", "--min-confidence", "medium"] + - repo: local hooks: - id: update-readme-list From c1aeb04bfd098092521c5f0dc9f642f432a46860 Mon Sep 17 00:00:00 2001 From: Techassi Date: Thu, 15 Jan 2026 16:51:29 +0100 Subject: [PATCH 2/2] chore: Update workflows based on zizmor audits --- .github/workflows/pr_interu.yml | 2 ++ .github/workflows/pr_pre-commit.yml | 2 ++ .github/workflows/release_interu.yml | 4 ++++ .github/workflows/smoke-build.yaml | 2 ++ shard/action.yaml | 3 ++- 5 files changed, 12 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pr_interu.yml b/.github/workflows/pr_interu.yml index e6c9116..8912053 100644 --- a/.github/workflows/pr_interu.yml +++ b/.github/workflows/pr_interu.yml @@ -11,6 +11,8 @@ on: - tools/interu/** - Cargo.toml +permissions: {} + jobs: build: uses: ./.github/workflows/build_interu.yml diff --git a/.github/workflows/pr_pre-commit.yml b/.github/workflows/pr_pre-commit.yml index 804d230..5966ef3 100644 --- a/.github/workflows/pr_pre-commit.yml +++ b/.github/workflows/pr_pre-commit.yml @@ -4,6 +4,8 @@ name: pre-commit on: pull_request: +permissions: {} + jobs: pre-commit: runs-on: ubuntu-latest diff --git a/.github/workflows/release_interu.yml b/.github/workflows/release_interu.yml index 0edb3e8..622b5f3 100644 --- a/.github/workflows/release_interu.yml +++ b/.github/workflows/release_interu.yml 
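Review bot: The `--min-confidence medium` argument hides every low-confidence zizmor finding, and nothing in the hook entry records why that threshold was chosen or how a contributor sees what was suppressed; add above the `args:` line `# Drop low-confidence findings so the hook stays actionable; run \`zizmor .github\` locally for the full report`. Pinning `rev` to a commit SHA with the `# v1.20.0` tag comment is the same supply-chain discipline zizmor enforces on workflows, so keep that convention when the hook is bumped rather than switching to a tag. A pre-commit hook is only a gate when it also runs in CI; pr_pre-commit.yml appears to do that, but its steps are outside this patch, so confirm it runs against all files, otherwise workflows untouched by a PR are never audited.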
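Review bot: The workflow-level `permissions: {}` also applies to the `build` job that calls `./.github/workflows/build_interu.yml`, and a called reusable workflow can only reduce, never raise, the permissions the caller passes in; if build_interu.yml needs the token for anything beyond an anonymous checkout of a public repository, that scope has to be granted on the caller job here, e.g. `permissions: {contents: read}` under `build:`. build_interu.yml is not part of this patch, so verify this against the steps it actually runs; the same applies to the `build` job in release_interu.yml, which calls the same workflow. Add a one-line comment above `permissions: {}`, `# Applies to the reusable build workflow too; grant scopes per job`, so the next job added here does not inherit the empty set by surprise.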
@@ -6,6 +6,8 @@ on: tags: - "interu-[0-9]+.[0-9]+.[0-9]+**" +permissions: {} + jobs: build: uses: ./.github/workflows/build_interu.yml @@ -23,6 +25,8 @@ jobs: release: runs-on: ubuntu-latest needs: [build] + permissions: + contents: write steps: - name: Download Artifacts uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 diff --git a/.github/workflows/smoke-build.yaml b/.github/workflows/smoke-build.yaml index c03e9ae..3015fdc 100644 --- a/.github/workflows/smoke-build.yaml +++ b/.github/workflows/smoke-build.yaml @@ -15,6 +15,8 @@ on: - shard/action.yaml - smoke/* +permissions: {} + jobs: generate-matrix: name: Generate Version List diff --git a/shard/action.yaml b/shard/action.yaml index 09b5fae..764dc6f 100644 --- a/shard/action.yaml +++ b/shard/action.yaml @@ -38,9 +38,10 @@ runs: - name: Print Shards env: GITHUB_DEBUG: ${{ runner.debug }} + VERSIONS: ${{ steps.generate_shards.outputs.VERSIONS }} shell: bash run: | set -euo pipefail [ -n "$GITHUB_DEBUG" ] && set -x - echo versions=${{ steps.generate_shards.outputs.VERSIONS }} + echo "versions=$VERSIONS"
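Review bot: The job-level `contents: write` on `release` is the right granularity, but the hunk does not say what the scope is for, and `contents: write` also lets this job push branches and tags; add `contents: write # presumably to create the GitHub release and upload assets — confirm` so the grant is tied to a purpose. The release steps after `Download Artifacts` are outside the hunk, so confirm none of them needs `id-token`, `packages` or any scope beyond contents, which the empty workflow-level block now denies. Because this workflow runs on any pushed `interu-*` tag, whoever can push such a tag gets a run holding a write token; tag protection rules are outside this patch but are the control that backs this permission.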
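Review bot: Nothing in the `Print Shards` step records why `VERSIONS` is now read from `env:` instead of being interpolated into `run:`, so the next contributor is likely to fold it back into the script body and reintroduce the expression injection this hunk removes; add above the `env:` block `# Pass step outputs through env, never into the script body, so expression expansion stays out of the shell (zizmor: template-injection)`. The quoting in `echo "versions=$VERSIONS"` also keeps an empty or multi-line output intact, which the old unquoted form did not. The `[ -n "$GITHUB_DEBUG" ] && set -x` line above is unchanged context and is safe under `set -e` only because a command follows it; a short comment saying so would keep someone from moving it to the end of the script.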