From b1c90f9ee50c114bbc38fb91058579b8d283a3a9 Mon Sep 17 00:00:00 2001 From: kingbuzzman Date: Wed, 4 Jun 2025 09:35:45 -0400 Subject: [PATCH 01/10] Adds zizmor serif --- .github/workflows/main.yml | 11 +++++++++-- .gitignore | 1 + tox.ini | 3 ++- 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 74c5f63ea..3bbcc8ecc 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -54,8 +54,15 @@ jobs: - name: Run tox run: tox -e "${MATRIX_NAME}" - env: - MATRIX_NAME: ${{ matrix.name }} + # run: tox -e "${MATRIX_NAME}" + # env: + # MATRIX_NAME: ${{ matrix.name }} + + - name: Upload SARIF report into the GitHub repo code scanning + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: zizmor.sarif + category: zizmor - name: Report coverage if: contains(matrix.name, 'coverage') diff --git a/.gitignore b/.gitignore index 35f1856e7..27011bfa9 100644 --- a/.gitignore +++ b/.gitignore @@ -18,3 +18,4 @@ _build *.egg # autogenerated by setuptools-scm /pytest_django/_version.py +zizmor.sarif diff --git a/tox.ini b/tox.ini index ccd5e381e..e213f5100 100644 --- a/tox.ini +++ b/tox.ini @@ -44,11 +44,12 @@ commands = [testenv:linting] dependency_groups = linting +allowlist_externals = sh commands = ruff check --diff {posargs:pytest_django pytest_django_test tests} ruff format --quiet --diff {posargs:pytest_django pytest_django_test tests} mypy {posargs:pytest_django pytest_django_test tests} - zizmor --persona=pedantic .github/workflows/deploy.yml .github/workflows/main.yml + sh -c "zizmor --persona=pedantic --format sarif .github/workflows/deploy.yml .github/workflows/main.yml > zizmor.sarif" [testenv:doc8] basepython = python3 From 3f6d4f0f1daa0d52a2ced8b8bdb5c7dbbd832fc0 Mon Sep 17 00:00:00 2001 From: kingbuzzman Date: Wed, 4 Jun 2025 09:37:28 -0400 Subject: [PATCH 02/10] . --- .github/workflows/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
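Review bot: In the first main.yml hunk the `env:` block that defined `MATRIX_NAME` is removed (left only as `# env:` / `# MATRIX_NAME:` comments), but the unchanged `run: tox -e "${MATRIX_NAME}"` line still expands it, so on the new side the variable is unset and the step runs `tox -e ""`. Either keep the two env lines as they were or change the `run:` line as well; the commented-out copies should not stay in the workflow either way. The new upload step also has no condition, so every matrix entry tries to upload `zizmor.sarif` although only the linting env produces it (the `if: contains(matrix.name, 'linting')` that patch 02 adds addresses that part). The enclosing job starts before this hunk.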
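Review bot: The new `sh -c "zizmor ... > zizmor.sarif"` line only produces a SARIF file on the success path, because tox stops `commands` at the first non-zero exit and zizmor, as far as I recall, exits non-zero whenever it reports findings unless `--no-exit-codes` is given; the upload step in main.yml has no `if: always()`, so it is skipped on failure and findings are exactly what never reaches code scanning. Decide which behaviour is wanted: keep the hard failure and give the upload step `if: always() && contains(matrix.name, 'linting')`, or prefix the command with tox's ignore-exit-code marker (`- sh -c "zizmor ..."`) and let the uploaded results surface the findings. Also note that a redirect leaves an empty or partial `zizmor.sarif` when zizmor itself crashes, which upload-sarif will reject rather than ignore.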
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 3bbcc8ecc..b5ba65a67 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -53,12 +53,13 @@ jobs: pip install tox==4.26.0 - name: Run tox - run: tox -e "${MATRIX_NAME}" + run: tox -e "${{ matrix.name }}" # run: tox -e "${MATRIX_NAME}" # env: # MATRIX_NAME: ${{ matrix.name }} - name: Upload SARIF report into the GitHub repo code scanning + if: contains(matrix.name, 'linting') uses: github/codeql-action/upload-sarif@v3 with: sarif_file: zizmor.sarif From e6e611a0783707f7963307eeecf63c032672bc95 Mon Sep 17 00:00:00 2001 From: kingbuzzman Date: Wed, 4 Jun 2025 09:40:10 -0400 Subject: [PATCH 03/10] . --- .github/zizmor.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/zizmor.yml b/.github/zizmor.yml index 2ed61128c..fef5bd5da 100644 --- a/.github/zizmor.yml +++ b/.github/zizmor.yml @@ -4,3 +4,4 @@ rules: policies: actions/*: ref-pin codecov/codecov-action: ref-pin + codeql-action/upload-sarif: ref-pin From 82ef787c7b6a677d80aaed004f01d2f9a49699eb Mon Sep 17 00:00:00 2001 From: kingbuzzman Date: Wed, 4 Jun 2025 09:44:36 -0400 Subject: [PATCH 04/10] . --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index b5ba65a67..4b9885649 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -60,7 +60,7 @@ jobs: - name: Upload SARIF report into the GitHub repo code scanning if: contains(matrix.name, 'linting') - uses: github/codeql-action/upload-sarif@v3 + uses: codeql-action/upload-sarif@v3 with: sarif_file: zizmor.sarif category: zizmor From 9c13b79c9c38befa37bb6876f96bac33553b0054 Mon Sep 17 00:00:00 2001 From: kingbuzzman Date: Wed, 4 Jun 2025 09:46:25 -0400 Subject: [PATCH 05/10] . --- .github/workflows/main.yml | 2 +- .github/zizmor.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
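Review bot: `run: tox -e "${{ matrix.name }}"` in patch 02 expands a workflow expression directly into the shell script, which is the pattern zizmor's template-injection audit reports and the reason the `env: MATRIX_NAME` indirection existed; `matrix.name` comes from a static matrix here, so it is not attacker-controlled, but the pedantic persona will likely still flag it and the line undoes the hardening the workflow already had. The same change appears again, unquoted, in the second hunk of patch 07, and patches 06 and 08 revert it each time, so the series ends in the right state but the churn suggests the env form should carry a comment, e.g. `# pass matrix values via env, not ${{ }} inside run:, so the shell never sees an expression`. The `if: contains(matrix.name, 'linting')` added to the upload step is the right guard for the single-env SARIF file.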
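Review bot: The policy key added in patch 03, `codeql-action/upload-sarif: ref-pin`, omits the `github/` owner, so it does not match the `uses: github/codeql-action/upload-sarif@v3` line in main.yml; patch 04 then edits the `uses:` line to fit the key, which points at a non-existent action path, and patch 05 reverts both. The scoped form would be `github/codeql-action/upload-sarif: ref-pin`, assuming zizmor accepts an `owner/repo/subpath` pattern the way the existing `codecov/codecov-action` entry uses `owner/repo`.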
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 4b9885649..b5ba65a67 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -60,7 +60,7 @@ jobs: - name: Upload SARIF report into the GitHub repo code scanning if: contains(matrix.name, 'linting') - uses: codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: zizmor.sarif category: zizmor diff --git a/.github/zizmor.yml b/.github/zizmor.yml index fef5bd5da..a935769ac 100644 --- a/.github/zizmor.yml +++ b/.github/zizmor.yml @@ -4,4 +4,4 @@ rules: policies: actions/*: ref-pin codecov/codecov-action: ref-pin - codeql-action/upload-sarif: ref-pin + github/*: ref-pin From 57baee58739a5b3ae99cf0be06fb4021eaf9491e Mon Sep 17 00:00:00 2001 From: kingbuzzman Date: Wed, 4 Jun 2025 09:48:23 -0400 Subject: [PATCH 06/10] . --- .github/workflows/main.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index b5ba65a67..932a9be3c 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -53,10 +53,9 @@ jobs: pip install tox==4.26.0 - name: Run tox - run: tox -e "${{ matrix.name }}" - # run: tox -e "${MATRIX_NAME}" - # env: - # MATRIX_NAME: ${{ matrix.name }} + run: tox -e "${MATRIX_NAME}" + env: + MATRIX_NAME: ${{ matrix.name }} - name: Upload SARIF report into the GitHub repo code scanning if: contains(matrix.name, 'linting') From 0792a60ef0c424b8c89e63c88d4ccebbc8990aa4 Mon Sep 17 00:00:00 2001 From: Javier Buzzi Date: Wed, 4 Jun 2025 16:00:50 -0400 Subject: [PATCH 07/10] Testing permissions --- .github/workflows/main.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 932a9be3c..0fd70d788 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
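Review bot: `github/*: ref-pin` in the zizmor.yml hunk relaxes the unpinned-uses policy for every action under the `github` org, not just the one this series adds, so any future `github/*` action would also be allowed through with a tag pin. The narrower `github/codeql-action/upload-sarif: ref-pin` (or `github/codeql-action: ref-pin`, if zizmor matches subpaths from an `owner/repo` pattern) keeps the default expectation for everything else. For an action that runs with `security-events: write`, a commit-SHA pin with a version comment would be the stronger choice, though `ref-pin` is at least consistent with the existing `actions/*` entry.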
@@ -25,6 +25,7 @@ jobs: timeout-minutes: 15 permissions: contents: read + security-events: write steps: - uses: actions/checkout@v4 with: @@ -53,9 +54,10 @@ jobs: pip install tox==4.26.0 - name: Run tox - run: tox -e "${MATRIX_NAME}" - env: - MATRIX_NAME: ${{ matrix.name }} + run: tox -e ${{ matrix.name }} + # run: tox -e "${MATRIX_NAME}" + # env: + # MATRIX_NAME: ${{ matrix.name }} - name: Upload SARIF report into the GitHub repo code scanning if: contains(matrix.name, 'linting') From 5fd71d22a4bbf2eecd82df7b34a0b572d106672d Mon Sep 17 00:00:00 2001 From: Javier Buzzi Date: Wed, 4 Jun 2025 16:06:11 -0400 Subject: [PATCH 08/10] Putting it back to normal.. --- .github/workflows/main.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 0fd70d788..6412b3cf4 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -54,10 +54,9 @@ jobs: pip install tox==4.26.0 - name: Run tox - run: tox -e ${{ matrix.name }} - # run: tox -e "${MATRIX_NAME}" - # env: - # MATRIX_NAME: ${{ matrix.name }} + run: tox -e "${MATRIX_NAME}" + env: + MATRIX_NAME: ${{ matrix.name }} - name: Upload SARIF report into the GitHub repo code scanning if: contains(matrix.name, 'linting') From 31bce231969443cb99cd36932dc1d22fb0b682d3 Mon Sep 17 00:00:00 2001 From: Javier Buzzi Date: Thu, 5 Jun 2025 15:57:00 -0400 Subject: [PATCH 09/10] Update .github/workflows/main.yml Co-authored-by: Ran Benita --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 6412b3cf4..9b17a4820 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
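Review bot: `security-events: write` is added to the job-level `permissions:` block, so every matrix entry receives it although only the linting entry uploads a SARIF file; permissions are per job and matrix entries share them, so a separate linting/zizmor job with `contents: read` plus `security-events: write` is the only way to keep the test matrix at `contents: read`. If the workflow also runs on pull requests from forks, the token there is read-only regardless of this block, so the upload step may need an `if:` guard for that case as well — worth confirming. The job definition starts before this hunk.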
@@ -58,7 +58,7 @@ jobs: env: MATRIX_NAME: ${{ matrix.name }} - - name: Upload SARIF report into the GitHub repo code scanning + - name: Upload zizmor SARIF report into the GitHub repo code scanning if: contains(matrix.name, 'linting') uses: github/codeql-action/upload-sarif@v3 with: From 724660bd2cc2374de160afe4bd6c0154db4482da Mon Sep 17 00:00:00 2001 From: Javier Buzzi Date: Thu, 5 Jun 2025 15:58:37 -0400 Subject: [PATCH 10/10] Update tox.ini --- tox.ini | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tox.ini b/tox.ini index e213f5100..59d4cb57e 100644 --- a/tox.ini +++ b/tox.ini @@ -44,12 +44,11 @@ commands = [testenv:linting] dependency_groups = linting -allowlist_externals = sh commands = ruff check --diff {posargs:pytest_django pytest_django_test tests} ruff format --quiet --diff {posargs:pytest_django pytest_django_test tests} mypy {posargs:pytest_django pytest_django_test tests} - sh -c "zizmor --persona=pedantic --format sarif .github/workflows/deploy.yml .github/workflows/main.yml > zizmor.sarif" + python -c "import subprocess, sys; sys.exit(subprocess.call('zizmor --persona=pedantic --format sarif .github/workflows/deploy.yml .github/workflows/main.yml > zizmor.sarif', shell=True))" [testenv:doc8] basepython = python3
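Review bot: The replacement `python -c "... subprocess.call('zizmor ... > zizmor.sarif', shell=True)"` in the tox.ini hunk is the same `sh -c` invocation wrapped in Python to avoid `allowlist_externals`; it still spawns a shell (cmd.exe on Windows) and `shell=True` is what bandit/ruff's subprocess rule flags. The command string is static, so there is no injection risk, but the shell is only needed for the `>` redirect, which subprocess can do itself: `python -c "import subprocess, sys; sys.exit(subprocess.call(['zizmor', '--persona=pedantic', '--format', 'sarif', '.github/workflows/deploy.yml', '.github/workflows/main.yml'], stdout=open('zizmor.sarif', 'w')))"`. That keeps zizmor's exit status, drops the shell, and makes the argument list readable without quoting games.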