From 7280229e17b98351e1bdd9e0a39288ebc0d0ba99 Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Fri, 24 Apr 2026 11:47:56 +0300
Subject: [PATCH 1/2] Add zizmor security linter
---
 .github/workflows/build.yml | 13 +++++++++---
 .github/workflows/lint.yml | 23 ++++++++++++++++++++
 .github/workflows/publish.yml | 9 ++++++--
 .pre-commit-config.yaml | 40 +++++++++++++++++++++++++++++++++++
 doc/developer_guide.rst | 1 -
 doc/examples.rst | 1 -
 doc/user_guide.rst | 2 --
 7 files changed, 80 insertions(+), 9 deletions(-)
 create mode 100644 .github/workflows/lint.yml
 create mode 100644 .pre-commit-config.yaml
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index c9d9da59..ee1cb5df 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,8 +1,11 @@
 name: Build
-on:
- push:
- pull_request:
+on: [push, pull_request, workflow_dispatch]
+
+permissions: {}
+
+env:
+ FORCE_COLOR: 1
 jobs:
 tox-jobs:
@@ -13,6 +16,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v6
 with:
 python-version: 3.x
@@ -45,6 +50,8 @@ jobs:
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - name: Setup Python
 uses: actions/setup-python@v6
 if: ${{ matrix.build != 'free-threading' }}
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
new file mode 100644
index 00000000..0e67b571
--- /dev/null
+++ b/.github/workflows/lint.yml
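Review bot: The checkout step in the `-13,6` hunk (and again in the `-45,6` hunk) stays on the mutable tag `actions/checkout@v6`, and `actions/setup-python@v6` likewise, while the new lint.yml in this same commit pins the identical actions to full commit SHAs with a `# vX.Y.Z` trailer; the publish.yml hunk in this patch has the same split. Since the commit's purpose is to add zizmor, which audits exactly this kind of pinning, it is worth making the three workflows consistent now, e.g. `- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2` using the SHA already recorded in lint.yml. The `persist-credentials: false` additions are good; the rest of the `tox-jobs` job lies outside these hunks.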
@@ -0,0 +1,23 @@
+name: Lint
+
+on: [push, pull_request, workflow_dispatch]
+
+permissions: {}
+
+env:
+ FORCE_COLOR: 1
+
+jobs:
+ lint:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+ with:
+ python-version: "3.x"
+ - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+ - uses: j178/prek-action@cbc2f23eb5539cf20d82d1aabd0d0ecbcc56f4e3 # v2.0.2
+ - run: uvx safety check
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 40463126..a825e9d7 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -4,6 +4,11 @@ on:
 release:
 types: [published]
+permissions: {}
+
+env:
+ FORCE_COLOR: 1
+
 jobs:
 deploy:
 runs-on: ubuntu-latest
@@ -14,12 +19,12 @@ jobs:
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - name: Set up Python
 uses: actions/setup-python@v6
 with:
 python-version: '3.x'
- cache: pip
- cache-dependency-path: pyproject.toml
 - name: Install dependencies
 run: |
 python -m pip install --user --upgrade build
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 00000000..b85540dc
--- /dev/null
+++ b/.pre-commit-config.yaml
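Review bot: The last step, `- run: uvx safety check`, fetches whatever `safety` release is current on PyPI at run time, in a workflow whose every other step is hash-pinned, and the job installs nothing from the project before it runs, so it is unclear what `safety check` is meant to inspect (without `-r` it looks at the interpreter environment it runs in, which under `uvx` is the tool's own isolated one, as far as I recall; `check` is also the legacy subcommand in current safety releases). Pin the tool and give it an explicit input, e.g. `- run: uvx safety==<pinned-version> check -r <requirements-file>`, or drop the step if there is no requirements file for it to check.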
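Review bot: `permissions: {}` at the top of publish.yml removes every default GITHUB_TOKEN scope, so the `deploy` job must now grant what publishing needs itself (for PyPI trusted publishing that is `id-token: write` at job level); the job's lines 10-13 fall outside the `-4,6` hunk, so confirm they carry a job-level `permissions:` block before this merges, otherwise the release upload fails with a token/OIDC error. If they already do, a one-line comment above the new block, `# No default token scopes; the deploy job grants its own below.`, would make the intent clear to the next reader.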
@@ -0,0 +1,40 @@
+repos:
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v6.0.0
+ hooks:
+ - id: check-added-large-files
+ - id: check-case-conflict
+ - id: check-merge-conflict
+ - id: check-json
+ - id: check-toml
+ - id: check-yaml
+ - id: debug-statements
+ - id: end-of-file-fixer
+ - id: forbid-submodules
+ - id: trailing-whitespace
+
+ - repo: https://github.com/python-jsonschema/check-jsonschema
+ rev: 0.37.1
+ hooks:
+ - id: check-dependabot
+ - id: check-github-workflows
+
+ - repo: https://github.com/rhysd/actionlint
+ rev: v1.7.12
+ hooks:
+ - id: actionlint
+
+ - repo: https://github.com/zizmorcore/zizmor-pre-commit
+ rev: v1.24.1
+ hooks:
+ - id: zizmor
+
+ - repo: https://github.com/abravalheri/validate-pyproject
+ rev: v0.25
+ hooks:
+ - id: validate-pyproject
+
+ - repo: meta
+ hooks:
+ - id: check-hooks-apply
+ - id: check-useless-excludes
diff --git a/doc/developer_guide.rst b/doc/developer_guide.rst
index cb2e79f2..a393754f 100644
--- a/doc/developer_guide.rst
+++ b/doc/developer_guide.rst
@@ -8,4 +8,3 @@ Perf Developer Guide
 examples
 api
 changelog
-
diff --git a/doc/examples.rst b/doc/examples.rst
index 9897d9ee..ab211d47 100644
--- a/doc/examples.rst
+++ b/doc/examples.rst
@@ -122,4 +122,3 @@ Usage::
 $ python3 plot.py telco.json telco.csv
 $ python3 plot.py result.json -b telco telco.csv
-
diff --git a/doc/user_guide.rst b/doc/user_guide.rst
index 771579f7..a4c36913 100644
--- a/doc/user_guide.rst
+++ b/doc/user_guide.rst
@@ -11,5 +11,3 @@ Table of Contents:
 cli
 runner
 system
-
-
From 5780a74817682bc9e42d6df3a16bc6b98af9f368 Mon Sep 17 00:00:00 2001
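Review bot: Every `rev:` in the new config is a git tag (`v6.0.0`, `0.37.1`, `v1.7.12`, `v1.24.1`, `v0.25`), and pre-commit checks these out by ref without verifying a commit hash, so the lint job's prek step runs hook code selected by mutable refs while the same commit hash-pins the GitHub actions around it. `pre-commit autoupdate --freeze` rewrites each `rev:` to the full commit SHA and keeps the tag as a trailing comment, which matches the pinning style used in lint.yml; this matters most for the `zizmor` and `actionlint` entries, since they are the security linters the commit is adding.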
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Fri, 24 Apr 2026 22:57:30 +0300
Subject: [PATCH 2/2] Pin 'build' to version and hash, update with Dependabot
---
 .github/dependabot.yml | 11 +++++++++++
 .github/workflows/publish.in | 1 +
 .github/workflows/publish.txt | 18 ++++++++++++++++++
 .github/workflows/publish.yml | 2 +-
 4 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/publish.in
 create mode 100644 .github/workflows/publish.txt
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 5c563144..f2dc2904 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -8,3 +8,14 @@ updates:
 actions:
 patterns:
 - "*"
+
+ - package-ecosystem: pip
+ directory: "/.github/workflows"
+ schedule:
+ interval: monthly
+ groups:
+ pip:
+ patterns:
+ - "*"
+ cooldown:
+ default-days: 7
diff --git a/.github/workflows/publish.in b/.github/workflows/publish.in
new file mode 100644
index 00000000..378eac25
--- /dev/null
+++ b/.github/workflows/publish.in
@@ -0,0 +1 @@
+build
diff --git a/.github/workflows/publish.txt b/.github/workflows/publish.txt
new file mode 100644
index 00000000..34c81346
--- /dev/null
+++ b/.github/workflows/publish.txt
@@ -0,0 +1,18 @@
+#
+# This file is autogenerated by pip-compile with Python 3.14
+# by the following command:
+#
+# pip-compile --generate-hashes --output-file=/private/tmp/pyperf/.github/workflows/publish.txt /private/tmp/pyperf/.github/workflows/publish.in
+#
+build==1.4.4 \
+ --hash=sha256:8c3f48a6090b39edec1a273d2d57949aaf13723b01e02f9d518396887519f64d \
+ --hash=sha256:f832ae053061f3fb524af812dc94b8b84bac6880cd587630e3b5d91a6a9c1703
+ # via -r /private/tmp/pyperf/.github/workflows/publish.in
+packaging==26.1 \
+ --hash=sha256:5d9c0669c6285e491e0ced2eee587eaf67b670d94a19e94e3984a481aba6802f \
+ --hash=sha256:f042152b681c4bfac5cae2742a55e103d27ab2ec0f3d88037136b6bfe7c9c5de
+ # via build
+pyproject-hooks==1.2.0 \
+ --hash=sha256:1e859bd5c40fae9448642dd871adf459e5e2084186e8d2c2a79a824c970da1f8 \
+ --hash=sha256:9e5c6bfa8dcc30091c74b0cf803c81fdd29d94f01992a7707bc97babb1141913
+ # via build
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index a825e9d7..6ddb0aa7 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -27,7 +27,7 @@ jobs:
 python-version: '3.x'
 - name: Install dependencies
 run: |
- python -m pip install --user --upgrade build
+ python -m pip install --no-deps -r .github/workflows/publish.txt
 - name: Build
 run: |
 python -m build
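Review bot: The generated header embeds absolute paths from the author's machine (`--output-file=/private/tmp/pyperf/.github/workflows/publish.txt /private/tmp/pyperf/.github/workflows/publish.in`, and the `# via -r /private/tmp/pyperf/.github/workflows/publish.in` annotation under `build`), which leaks a local path into the repository and, because the new pip entry in dependabot.yml presumably relies on this header to re-run pip-compile, may make Dependabot's regeneration fail or copy the absolute paths into every update PR; that last part is inferred from how Dependabot handles pip-compile files and is worth checking on the first PR it opens. Regenerating from inside the directory keeps everything relative, e.g. `cd .github/workflows && pip-compile --generate-hashes --output-file=publish.txt publish.in`, after which the annotation reads `# via -r publish.in`.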
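Review bot: The new line `python -m pip install --no-deps -r .github/workflows/publish.txt` relies on pip switching to hash-checking mode implicitly because the file carries `--hash` entries; spelling it out as `python -m pip install --no-deps --require-hashes -r .github/workflows/publish.txt` makes the intent visible and fails loudly if an unhashed line is ever added. Note also that the following `python -m build` step still resolves the project's build backend from `build-system.requires` in its isolated build environment, which this pin does not cover, so the "pinned to version and hash" guarantee in the commit title applies to `build` itself rather than to everything the publish job downloads; the job's checkout and `with:` lines are outside this hunk.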