pypa · henryiii · Jan 8, 2026 · Jan 7, 2026 · henryiii · Jan 7, 2026
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -8,3 +8,5 @@ updates:
       github-actions:
         patterns:
           - "*"
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -32,6 +32,8 @@ jobs:
     steps:
     - name: Checkout repository
       uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      with:
+        persist-credentials: false
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -6,6 +6,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: {}
+
 env:
   FORCE_COLOR: 1
 
@@ -16,6 +18,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         name: Install Python

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -16,6 +16,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: {}
+
 env:
   FORCE_COLOR: 1
 
@@ -26,11 +28,13 @@ jobs:
 
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         name: Install Python
         with:
-          python-version: "3.9"
+          python-version: "3.10"
           cache: "pip"
 
       - name: Run `nox -s lint`
@@ -47,6 +51,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
 
       - name: Build
         run: pipx run build

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -12,28 +12,35 @@ on:
 env:
   FORCE_COLOR: 1
 
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-latest
 
     steps:
       - name: Log inputs
-        run: echo "${{ inputs }}"
+        run: echo "${INPUTS}"
+        env:
+          INPUTS: ${{ inputs }}
 
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: ${{ inputs.ref }}
+          persist-credentials: false
 
       - name: Log Git tag
         run: git describe --always --tags
 
       - name: Check ref is the commit SHA
         # require SHA as tags and branches are mutable
-        run: test "${{ inputs.ref }}"
+        run: test "${INPUTS_REF}"
           = "$(git log --max-count=1 --format=format:%h)"
-          || test "${{ inputs.ref }}"
+          || test "${INPUTS_REF}"
           = "$(git log --max-count=1 --format=format:%H)"
+        env:
+          INPUTS_REF: ${{ inputs.ref }}
 
       - name: Provision nox environment
         run: pipx run nox --install-only
@@ -57,6 +64,7 @@ jobs:
       url: https://pypi.org/project/packaging/${{ github.ref_name }}
     permissions:
       id-token: write
+    if: '!github.event.repository.fork'
 
     runs-on: ubuntu-latest
 

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -17,6 +17,8 @@ concurrency:
 env:
   FORCE_COLOR: 1
 
+permissions: {}
+
 jobs:
   test:
     name: ${{ matrix.os }} / ${{ matrix.python_version }}
@@ -30,6 +32,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         name: Install Python ${{ matrix.python_version }}
@@ -52,6 +56,6 @@ jobs:
 
     steps:
       - name: Decide whether the needed jobs succeeded or failed
-        uses: re-actors/alls-green@release/v1
+        uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe  # v1.2.2
         with:
           jobs: ${{ toJSON(needs) }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -35,3 +35,10 @@ repos:
     hooks:
       - id: typos
         args: []
+
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: v1.20.0
+    hooks:
+      - id: zizmor
+        files: "^\\.github"
+        exclude: "\\.github/release.yml"
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -85,6 +85,8 @@ Internal:
 * Simpler else instead of assert in a check (:pull:`1027`, :pull:`1031`)
 * Synchronize documentation and code for markers (:pull:`1008`)
 * Use the GitHub Actions slim runner for the all pass check (:pull:`1021`)
+* Use Trusted Publishing (:pull:`893`)
+* Use zizmor to check CI (:pull:`1035`)
 
 
 25.0 - 2025-04-19

diff --git a/noxfile.py b/noxfile.py
@@ -72,7 +72,7 @@ def tests(session: nox.Session) -> None:
         )
 
 
-@nox.session(python="3.9")
+@nox.session(python="3.10")
 def lint(session: nox.Session) -> None:
     """
     Run the linters.