ci: make workflows pass Zizmor in pedantic mode (#798)

* ci: make workflows pass Zizmor in pedantic mode

* Allow running CodeQL on demand

* Add permission comment

* Actually run in pedantic mode

Author: hynek

.github/workflows/build-docset.yml

@@ -18,6 +18,7 @@ permissions: {}
 
 jobs:
   docset:
+    name: Build docset
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

.github/workflows/codeql-analysis.yml

@@ -4,22 +4,20 @@ name: CodeQL
 on:
   schedule:
     - cron: "41 3 * * 6"
+  workflow_dispatch:
 
 concurrency:
   group: ${{ github.workflow }}
   cancel-in-progress: true
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
     permissions:
-      actions: read
-      contents: read
-      security-events: write
+      security-events: write  # necessary according to docs
 
     strategy:
       fail-fast: false

.github/workflows/pypi-package.yml

@@ -14,14 +14,16 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   # Always build & lint package.
   build-package:
     name: Build & verify package
     runs-on: ubuntu-latest
     permissions:
-      attestations: write
-      id-token: write
+      attestations: write  # necessary for GitHub attestations
+      id-token: write  # necessary for GitHub attestations
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -42,7 +44,7 @@ jobs:
     needs: build-package
 
     permissions:
-      id-token: write
+      id-token: write  # necessary for trusted publishing
 
     steps:
       - name: Download packages built by build-and-inspect-python-package
@@ -65,7 +67,7 @@ jobs:
     needs: build-package
 
     permissions:
-      id-token: write
+      id-token: write  # necessary for trusted publishing
 
     steps:
       - name: Download packages built by build-and-inspect-python-package

.github/workflows/zizmor.yml

@@ -28,4 +28,6 @@ jobs:
 
       - name: Run zizmor 🌈
         uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
+        with:
+          persona: pedantic
 ...