chore: adopt zizmor for GitHub Actions security scanning

.github/workflows/docs.yml

@@ -14,8 +14,6 @@ on:
 
 permissions:
   contents: read
-  pages: write
-  id-token: write
 
 concurrency:
   group: "pages"
@@ -27,6 +25,8 @@ jobs:
     steps:
       - name: Checkout Code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Install uv
         uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
@@ -55,6 +55,9 @@ jobs:
   deploy:
     needs: build
     if: github.ref == 'refs/heads/main'
+    permissions:
+      pages: write
+      id-token: write
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}

.github/workflows/validate.yml

@@ -13,6 +13,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         with:
@@ -29,3 +31,8 @@ jobs:
 
       - name: Structural checks (manifests + frontmatter + guards)
         run: make test
+
+      - name: GHA security (zizmor)
+        run: make zizmor
+        env:
+          GH_TOKEN: ${{ github.token }}

Makefile

@@ -4,7 +4,7 @@
 ## that techne itself documents at docs/conventions.md.
 ##
 
-.PHONY: help check-env setup manifests frontmatter fix lint shellcheck guards test validate build ci clean docs
+.PHONY: help check-env setup manifests frontmatter fix lint shellcheck guards zizmor test validate build ci clean docs
 .DEFAULT_GOAL := help
 
 check-env:              ## Verify required tools are on PATH
@@ -41,9 +41,12 @@ guards:                 ## Stale-path + legacy-name + action-pin guards
 	fi
 	@bash scripts/check_action_pins.sh
 
+zizmor:                 ## zizmor GHA security scan (.github/workflows/)
+	@uv run zizmor .github/workflows/
+
 test: manifests frontmatter guards  ## Structural checks (manifests + frontmatter + guards)
 
-validate: lint shellcheck test  ## Fast pre-push gate
+validate: lint shellcheck zizmor test  ## Fast pre-push gate
 
 build:                  ## Build docs site (strict; mirrors docs.yml deploy)
 	@uv run zensical build --clean --strict

ROADMAP.md

@@ -117,6 +117,23 @@ wild.
 
 Detail lives in git history (`git log`) and the live skill code. This log is pruned once work is durably shipped.
 
+- 2026-05-26 — **zizmor GHA static analysis (techne dogfood).** Adopted
+  [zizmor](https://github.com/zizmorcore/zizmor) as a dev dep + `make zizmor`
+  target, wired into `make validate` and the validate.yml gate — extending the
+  GHA-security layer beyond `check_action_pins.sh` (pinning-only) to zizmor's
+  security audits (template injection, excessive-permissions, artipacked,
+  unpinned-uses, …). Fixed what it surfaced in techne's own workflows:
+  least-privilege per-job permissions on docs.yml (`pages: write` + `id-token:
+  write` moved off the workflow level onto the deploy job only — build needs
+  just `contents: read`, since `configure-pages` defaults to `enablement: false`
+  and Pages is already enabled), plus `persist-credentials: false` on every
+  checkout (artipacked). research(2026-05): Trail of Bits "We hardened zizmor"
+  (2026-05-22); zizmor audit docs; zizmor + actionlint are complementary
+  (security vs correctness). Remaining: propagate to the sisters — every FL/docs
+  sister carries the same docs.yml workflow-level permission over-grant +
+  artipacked, each needing its findings triaged (separate PRs). actionlint and
+  zizmor SARIF→code-scanning upload are later enhancements.
+
 - 2026-05-25 — **GitHub Actions SHA-pinning (fleet hardening).** Reversed the prior
   deferral after re-checking May-2026 best practice. Every workflow `uses:` ref is
   pinned to a full commit SHA (`# vX.Y.Z` comment preserved), enforced by `make

pyproject.toml

@@ -10,6 +10,7 @@ dev = [
     "ruff>=0.15.14",
     "zensical>=0.0.43",
     "shellcheck-py>=0.11",
+    "zizmor>=1.25",
 ]
 
 [tool.uv]