Bump zizmor pre-commit hook to the latest version and fix new warnings (#15022)

.github/workflows/ci.yaml

@@ -290,7 +290,9 @@ jobs:
           file: "Cargo.toml"
           field: "workspace.package.rust-version"
       - name: "Install Rust toolchain"
-        run: rustup default ${{ steps.msrv.outputs.value }}
+        env:
+          MSRV: ${{ steps.msrv.outputs.value }}
+        run: rustup default "${MSRV}"
       - name: "Install mold"
         uses: rui314/setup-mold@v1
       - name: "Install cargo nextest"
@@ -306,7 +308,8 @@ jobs:
         shell: bash
         env:
           NEXTEST_PROFILE: "ci"
-        run: cargo +${{ steps.msrv.outputs.value }} insta test --all-features --unreferenced reject --test-runner nextest
+          MSRV: ${{ steps.msrv.outputs.value }}
+        run: cargo "+${MSRV}" insta test --all-features --unreferenced reject --test-runner nextest
 
   cargo-fuzz-build:
     name: "cargo fuzz build"
@@ -354,16 +357,18 @@ jobs:
           name: ruff
           path: ruff-to-test
       - name: Fuzz
+        env:
+          DOWNLOAD_PATH: ${{ steps.download-cached-binary.outputs.download-path }}
         run: |
           # Make executable, since artifact download doesn't preserve this
-          chmod +x ${{ steps.download-cached-binary.outputs.download-path }}/ruff
+          chmod +x "${DOWNLOAD_PATH}/ruff"
 
           (
             uvx \
-            --python=${{ env.PYTHON_VERSION }} \
+            --python="${PYTHON_VERSION}" \
             --from=./python/py-fuzzer \
             fuzz \
-            --test-executable=${{ steps.download-cached-binary.outputs.download-path }}/ruff \
+            --test-executable="${DOWNLOAD_PATH}/ruff" \
             --bin=ruff \
             0-500
           )
@@ -429,14 +434,16 @@ jobs:
 
       - name: Run `ruff check` stable ecosystem check
         if: ${{ needs.determine_changes.outputs.linter == 'true' }}
+        env:
+          DOWNLOAD_PATH: ${{ steps.ruff-target.outputs.download-path }}
         run: |
           # Make executable, since artifact download doesn't preserve this
-          chmod +x ./ruff ${{ steps.ruff-target.outputs.download-path }}/ruff
+          chmod +x ./ruff "${DOWNLOAD_PATH}/ruff"
 
           # Set pipefail to avoid hiding errors with tee
           set -eo pipefail
 
-          ruff-ecosystem check ./ruff ${{ steps.ruff-target.outputs.download-path }}/ruff --cache ./checkouts --output-format markdown | tee ecosystem-result-check-stable
+          ruff-ecosystem check ./ruff "${DOWNLOAD_PATH}/ruff" --cache ./checkouts --output-format markdown | tee ecosystem-result-check-stable
 
           cat ecosystem-result-check-stable > "$GITHUB_STEP_SUMMARY"
           echo "### Linter (stable)"  > ecosystem-result
@@ -445,14 +452,16 @@ jobs:
 
       - name: Run `ruff check` preview ecosystem check
         if: ${{ needs.determine_changes.outputs.linter == 'true' }}
+        env:
+          DOWNLOAD_PATH: ${{ steps.ruff-target.outputs.download-path }}
         run: |
           # Make executable, since artifact download doesn't preserve this
-          chmod +x ./ruff ${{ steps.ruff-target.outputs.download-path }}/ruff
+          chmod +x ./ruff "${DOWNLOAD_PATH}/ruff"
 
           # Set pipefail to avoid hiding errors with tee
           set -eo pipefail
 
-          ruff-ecosystem check ./ruff ${{ steps.ruff-target.outputs.download-path }}/ruff --cache ./checkouts --output-format markdown --force-preview | tee ecosystem-result-check-preview
+          ruff-ecosystem check ./ruff "${DOWNLOAD_PATH}/ruff" --cache ./checkouts --output-format markdown --force-preview | tee ecosystem-result-check-preview
 
           cat ecosystem-result-check-preview > "$GITHUB_STEP_SUMMARY"
           echo "### Linter (preview)" >> ecosystem-result
@@ -461,14 +470,16 @@ jobs:
 
       - name: Run `ruff format` stable ecosystem check
         if: ${{ needs.determine_changes.outputs.formatter == 'true' }}
+        env:
+          DOWNLOAD_PATH: ${{ steps.ruff-target.outputs.download-path }}
         run: |
           # Make executable, since artifact download doesn't preserve this
-          chmod +x ./ruff ${{ steps.ruff-target.outputs.download-path }}/ruff
+          chmod +x ./ruff "${DOWNLOAD_PATH}/ruff"
 
           # Set pipefail to avoid hiding errors with tee
           set -eo pipefail
 
-          ruff-ecosystem format ./ruff ${{ steps.ruff-target.outputs.download-path }}/ruff --cache ./checkouts --output-format markdown | tee ecosystem-result-format-stable
+          ruff-ecosystem format ./ruff "${DOWNLOAD_PATH}/ruff" --cache ./checkouts --output-format markdown | tee ecosystem-result-format-stable
 
           cat ecosystem-result-format-stable > "$GITHUB_STEP_SUMMARY"
           echo "### Formatter (stable)" >> ecosystem-result
@@ -477,14 +488,16 @@ jobs:
 
       - name: Run `ruff format` preview ecosystem check
         if: ${{ needs.determine_changes.outputs.formatter == 'true' }}
+        env:
+          DOWNLOAD_PATH: ${{ steps.ruff-target.outputs.download-path }}
         run: |
           # Make executable, since artifact download doesn't preserve this
-          chmod +x ./ruff ${{ steps.ruff-target.outputs.download-path }}/ruff
+          chmod +x ./ruff "${DOWNLOAD_PATH}/ruff"
 
           # Set pipefail to avoid hiding errors with tee
           set -eo pipefail
 
-          ruff-ecosystem format ./ruff ${{ steps.ruff-target.outputs.download-path }}/ruff --cache ./checkouts --output-format markdown --force-preview | tee ecosystem-result-format-preview
+          ruff-ecosystem format ./ruff "${DOWNLOAD_PATH}/ruff" --cache ./checkouts --output-format markdown --force-preview | tee ecosystem-result-format-preview
 
           cat ecosystem-result-format-preview > "$GITHUB_STEP_SUMMARY"
           echo "### Formatter (preview)" >> ecosystem-result
@@ -541,7 +554,7 @@ jobs:
           args: --out dist
       - name: "Test wheel"
         run: |
-          pip install --force-reinstall --find-links dist ${{ env.PACKAGE_NAME }}
+          pip install --force-reinstall --find-links dist "${PACKAGE_NAME}"
           ruff --help
           python -m ruff --help
       - name: "Remove wheels from cache"
@@ -676,11 +689,13 @@ jobs:
           just install
 
       - name: Run ruff-lsp tests
+        env:
+          DOWNLOAD_PATH: ${{ steps.ruff-target.outputs.download-path }}
         run: |
           # Setup development binary
           pip uninstall --yes ruff
-          chmod +x ${{ steps.ruff-target.outputs.download-path }}/ruff
-          export PATH=${{ steps.ruff-target.outputs.download-path }}:$PATH
+          chmod +x "${DOWNLOAD_PATH}/ruff"
+          export PATH="${DOWNLOAD_PATH}:${PATH}"
           ruff version
 
           just test

.github/workflows/pr-comment.yaml

@@ -10,12 +10,11 @@ on:
         description: The ecosystem workflow that triggers the workflow run
         required: true
 
-permissions:
-  pull-requests: write
-
 jobs:
   comment:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
       - uses: dawidd6/action-download-artifact@v7
         name: Download pull request number

.github/zizmor.yml

@@ -0,0 +1,6 @@
+# Configuration for the zizmor static analysis tool, run via pre-commit in CI
+# https://woodruffw.github.io/zizmor/configuration/
+rules:
+  dangerous-triggers:
+    ignore:
+      - pr-comment.yaml

.pre-commit-config.yaml

@@ -87,8 +87,10 @@ repos:
       - id: prettier
         types: [yaml]
 
+  # zizmor detects security vulnerabilities in GitHub Actions workflows.
+  # Additional configuration for the tool is found in `.github/zizmor.yml`
   - repo: https://github.com/woodruffw/zizmor-pre-commit
-    rev: v0.8.0
+    rev: v0.9.2
     hooks:
       - id: zizmor
         # `release.yml` is autogenerated by `dist`; security issues need to be fixed there