ci(prek): add zizmor hook

Author: deadnews

.github/workflows/main.yml

@@ -83,13 +83,15 @@ jobs:
       - name: Filter out `shared` group; If no changes detected, return `hello_world` scenario
         id: filter-edited
         run: |
-          JSON=$(echo '${{ steps.filter.outputs.changes }}' | jq -c 'map(select(. != "shared"))')
+          JSON=$(echo '${CHANGES}' | jq -c 'map(select(. != "shared"))')
 
           if [[ $JSON == '[]' ]]; then
               JSON='["plugins/tests/molecule/hello_world"]'
           fi
 
           echo "changes=$JSON" >> $GITHUB_OUTPUT
+        env:
+          CHANGES: ${{ steps.filter.outputs.changes }}
 
   test:
     name: Tests
@@ -123,9 +125,10 @@ jobs:
         run: uv run ansible-galaxy install -r requirements.yml
 
       - name: Run tests
-        run: make test DRIVER=docker DISCOVER=${{ matrix.molecule-discover }}
+        run: make test DRIVER=docker DISCOVER=${MOLECULE_DISCOVER}
         env:
           MOLECULE_DISTRO: ${{ matrix.molecule-distro }}
+          MOLECULE_DISCOVER: ${{ matrix.molecule-discover }}
 
   galaxy-deploy:
     name: Release to Ansible Galaxy

.pre-commit-config.yaml

@@ -40,6 +40,12 @@ repos:
     hooks:
       - id: actionlint
 
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: v1.18.0
+    hooks:
+      - id: zizmor
+        args: [--fix=safe]
+
   - repo: https://github.com/compwa/taplo-pre-commit
     rev: v0.9.3
     hooks:
@@ -51,7 +57,7 @@ repos:
       - id: gitleaks
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.14.8
+    rev: v0.14.9
     hooks:
       - id: ruff-format
       - id: ruff-check
@@ -63,7 +69,7 @@ repos:
       - id: j2lint
 
   - repo: https://github.com/ansible/ansible-lint
-    rev: v25.12.0
+    rev: v25.12.1
     hooks:
       - id: ansible-lint
         args: [--fix]