jdx 46bb674500 chore(ci): add zizmor workflow for github actions security analysis (#471) ... Adds [zizmor](https://github.com/zizmorcore/zizmor) to audit GitHub Actions workflows for security issues. Runs on push to main and on PRs that change `.github/workflows/**`. Fails CI on any finding. 🤖 Generated with [Claude Code](https://claude.com/claude-code) <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Medium Risk** > Mostly CI/workflow hardening, but it also changes release automation (`postversion.sh`) and workflow permissions/credentials behavior, which could break tagging/publishing if misconfigured. > > **Overview** > Adds a new `zizmor` workflow that runs on PRs/pushes touching `.github/workflows/**` to security-audit workflows. > > Hardens existing workflows by defaulting to least-privilege `permissions`, setting `actions/checkout` to `persist-credentials: false`, and adjusting related behavior (e.g., `scripts/postversion.sh` now runs `gh auth setup-git` so `git push` still works; `ci.yml` disables `mise-action` caching; `test.yml` avoids interpolating `steps.bad.outcome` inside a shell string by passing it via env). > > <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit d878aee510. Bugbot is set up for automated code reviews on this repo. Configure [here](https://www.cursor.com/dashboard/bugbot).</sup> <!-- /CURSOR_SUMMARY --> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>		2026-05-12 15:00:12 -05:00
..
postversion.sh	chore(ci): add zizmor workflow for github actions security analysis (#471)	2026-05-12 15:00:12 -05:00
release-plz.sh	chore: remove duplicate release-plz logic	2025-08-18 11:57:51 -05:00
test.sh	chore: fix release-plz	2025-08-18 11:51:16 -05:00
version.sh	docs: hide version commits in CHANGELOG	2025-04-22 23:07:01 -05:00