CI: add zizmor

Author: lucascolley

.github/workflows/cd.yml

@@ -3,6 +3,10 @@ name: CD
 permissions:
   contents: read
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 on:
   workflow_dispatch:
   pull_request:
@@ -15,20 +19,23 @@ on:
 
 jobs:
   dist:
+    name: Create dist
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - uses: hynek/build-and-inspect-python-package@fe0a0fb1925ca263d076ca4f2c13e93a6e92a33e # v2.17.0
 
   publish:
+    name: Publish
     needs: [dist]
     environment: pypi
     permissions:
-      id-token: write
-      attestations: write
+      id-token: write # for trusted publishing
+      attestations: write # for trusted publishing
       contents: read
     runs-on: ubuntu-latest
     if: github.event_name == 'release' && github.event.action == 'published'

.github/workflows/ci.yml

@@ -27,6 +27,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - uses: prefix-dev/setup-pixi@1b2de7f3351f171c8b4dfeb558c639cb58ed4ec0 # v0.9.5
         with:
@@ -52,10 +53,13 @@ jobs:
           - tests-nogil
         runs-on: [ubuntu-latest]
 
+    environment: ci-checks
+
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - uses: prefix-dev/setup-pixi@1b2de7f3351f171c8b4dfeb558c639cb58ed4ec0 # v0.9.5
         with:
@@ -66,7 +70,9 @@ jobs:
       - name: Test package
         # Save some time; also at the moment of writing coverage crashes on python 3.13t
         if: ${{ matrix.environment != 'tests-nogil' }}
-        run: pixi run -e ${{ matrix.environment }} tests-ci
+        run: pixi run -e "${TASK_ENV}" tests-ci
+        env:
+          TASK_ENV: ${{ matrix.environment }}
 
       - name: Test free-threading
         if: ${{ matrix.environment == 'tests-nogil' }}

.github/workflows/docs-build.yml

@@ -0,0 +1,66 @@
+name: Docs
+
+on: [push, pull_request]
+
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  docs-build:
+    name: Build
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - uses: prefix-dev/setup-pixi@1b2de7f3351f171c8b4dfeb558c639cb58ed4ec0 # v0.9.5
+        with:
+          pixi-version: v0.62.0
+          cache: true
+          environments: docs
+
+      - name: Build Docs
+        run: pixi run -e docs docs
+
+      - name: Upload Artifact
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: docs-build
+          path: docs/build/
+
+  docs-deploy:
+    name: Deploy
+    if: ${{ github.event.workflow_run.event == 'push' }}
+    needs: docs-build
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write # needed for the deploy step
+
+    environment:
+      name: docs-deploy
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Download Artifact
+        uses: actions/download-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: docs-build
+          path: docs/build/
+
+      - name: Deploy
+        uses: JamesIves/github-pages-deploy-action@d92aa235d04922e8f08b40ce78cc5442fcfbfa2f # v4.8.0
+        with:
+          folder: docs/build/
+          ssh-key: ${{ secrets.DEPLOY_KEY }}

.github/workflows/docs-deploy.yml

@@ -47,6 +47,8 @@ pre-commit:
       run: pixi {run} typos
     - name: actionlint
       run: pixi {run} actionlint
+    - name: zizmor
+      run: pixi {run} zizmor
     - name: blacken-docs
       glob: "*.md"
       stage_fixed: true

.github/workflows/docs.yml

@@ -109,6 +109,7 @@ blacken-docs = ">=1.20.0,<2"
 pytest = ">=9.0.2,<10"
 validate-pyproject = ">=0.25,<0.26"
 pyrefly = ">=0.61.1,<0.62"
+zizmor = ">=1.24.1,<1.25"
 # NOTE: don't add cupy, jax, pytorch, or sparse here,
 # as they slow down mypy and are not portable across target OSs
 
@@ -125,6 +126,7 @@ ruff-format = { cmd = "ruff format", description = "Format with ruff" }
 dprint = { cmd = "dprint fmt", description = "Format with dprint" }
 typos = { cmd = "typos --write-changes --force-exclude", description = "Fix typos" }
 actionlint = { cmd = "actionlint", description = "Lint actions with actionlint" }
+zizmor = { cmd = "zizmor .github -p", description = "GHA static analysis with zizmor" }
 blacken-docs = { cmd = "blacken-docs", description = "Format Python markdown blocks with Black" }
 validate-pyproject = { cmd = "validate-pyproject pyproject.toml", description = "Validate pyproject.toml" }
 numpydoc = { cmd = "numpydoc lint", description = "Validate docstrings with numpydoc" }