Add zizmor security linter

.github/dependabot.yml

@@ -13,3 +13,14 @@ updates:
       # Cooldowns protect against supply chain attacks by avoiding the
       # highest-risk window immediately after new releases.
       default-days: 14
+
+  - package-ecosystem: pip
+    directory: "/.github/workflows"
+    schedule:
+      interval: monthly
+    groups:
+      pip:
+        patterns:
+          - "*"
+    cooldown:
+      default-days: 7

.github/workflows/build.yml

@@ -1,8 +1,11 @@
 name: Build
 
-on:
-  push:
-  pull_request:
+on: [push, pull_request, workflow_dispatch]
+
+permissions: {}
+
+env:
+  FORCE_COLOR: 1
 
 jobs:
   tox-jobs:
@@ -13,6 +16,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: 3.x
@@ -45,6 +50,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Setup Python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         if: ${{ matrix.build != 'free-threading' }}

.github/workflows/lint.yml

@@ -0,0 +1,22 @@
+name: Lint
+
+on: [push, pull_request, workflow_dispatch]
+
+permissions: {}
+
+env:
+  FORCE_COLOR: 1
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: "3.x"
+      - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+      - uses: j178/prek-action@cbc2f23eb5539cf20d82d1aabd0d0ecbcc56f4e3 # v2.0.2

.github/workflows/publish.in

@@ -0,0 +1 @@
+build

.github/workflows/publish.txt

@@ -0,0 +1,18 @@
+#
+# This file is autogenerated by pip-compile with Python 3.14
+# by the following command:
+#
+#    pip-compile --generate-hashes --output-file=/private/tmp/pyperf/.github/workflows/publish.txt /private/tmp/pyperf/.github/workflows/publish.in
+#
+build==1.4.4 \
+    --hash=sha256:8c3f48a6090b39edec1a273d2d57949aaf13723b01e02f9d518396887519f64d \
+    --hash=sha256:f832ae053061f3fb524af812dc94b8b84bac6880cd587630e3b5d91a6a9c1703
+    # via -r /private/tmp/pyperf/.github/workflows/publish.in
+packaging==26.1 \
+    --hash=sha256:5d9c0669c6285e491e0ced2eee587eaf67b670d94a19e94e3984a481aba6802f \
+    --hash=sha256:f042152b681c4bfac5cae2742a55e103d27ab2ec0f3d88037136b6bfe7c9c5de
+    # via build
+pyproject-hooks==1.2.0 \
+    --hash=sha256:1e859bd5c40fae9448642dd871adf459e5e2084186e8d2c2a79a824c970da1f8 \
+    --hash=sha256:9e5c6bfa8dcc30091c74b0cf803c81fdd29d94f01992a7707bc97babb1141913
+    # via build

.github/workflows/publish.yml

@@ -4,6 +4,11 @@ on:
   release:
     types: [published]
 
+permissions: {}
+
+env:
+  FORCE_COLOR: 1
+
 jobs:
   deploy:
     runs-on: ubuntu-latest
@@ -14,15 +19,15 @@ jobs:
 
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
     - name: Set up Python
       uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
         python-version: '3.x'
-        cache: pip
-        cache-dependency-path: pyproject.toml
     - name: Install dependencies
       run: |
-        python -m pip install --user --upgrade build
+        python -m pip install --no-deps -r .github/workflows/publish.txt
     - name: Build
       run: |
         python -m build

.pre-commit-config.yaml

@@ -0,0 +1,40 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v6.0.0
+    hooks:
+      - id: check-added-large-files
+      - id: check-case-conflict
+      - id: check-merge-conflict
+      - id: check-json
+      - id: check-toml
+      - id: check-yaml
+      - id: debug-statements
+      - id: end-of-file-fixer
+      - id: forbid-submodules
+      - id: trailing-whitespace
+
+  - repo: https://github.com/python-jsonschema/check-jsonschema
+    rev: 0.37.1
+    hooks:
+      - id: check-dependabot
+      - id: check-github-workflows
+
+  - repo: https://github.com/rhysd/actionlint
+    rev: v1.7.12
+    hooks:
+      - id: actionlint
+
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: v1.24.1
+    hooks:
+      - id: zizmor
+
+  - repo: https://github.com/abravalheri/validate-pyproject
+    rev: v0.25
+    hooks:
+      - id: validate-pyproject
+
+  - repo: meta
+    hooks:
+      - id: check-hooks-apply
+      - id: check-useless-excludes

doc/developer_guide.rst

@@ -8,4 +8,3 @@ Perf Developer Guide
    examples
    api
    changelog
-

doc/examples.rst

@@ -122,4 +122,3 @@ Usage::
 
     $ python3 plot.py telco.json telco.csv
     $ python3 plot.py result.json -b telco telco.csv
-

doc/user_guide.rst

@@ -11,5 +11,3 @@ Table of Contents:
    cli
    runner
    system
-
-

pyproject.toml

@@ -21,6 +21,13 @@
 #  - set version to n+1
 #  - git commit -a -m "post-release"
 #  - git push or send the PR to the repository
+#
+# Updating .github/workflows/publish.txt:
+#
+#  - this is usually updated by Dependabot once per month as needed
+#  - Dependabot creates security updates without waiting for the schedule
+#  - if you need to update publish.txt manually, install pip-tools and
+#    run the command at the top of the file.
 
 [build-system]
 requires = ["setuptools >= 61"]