diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..c92be54
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,28 @@
+name: zizmor GitHub Actions Analysis
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+ schedule:
+ - cron: "15 6 * * 1" # weekly Monday 06:15 UTC
+
+permissions:
+ contents: read
+
+jobs:
+ zizmor:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
+ contents: read # Only needed for private repos. Needed to clone the repo.
+ actions: read # Only needed for private repos. Needed for upload-sarif to read workflow run info.
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor 🌈
+ uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 03b9ace..b1e1bc4 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -15,13 +15,13 @@ or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any addi
## :space_invader: Codespaces
-We provide a configured devcontainer for you to use in your new project and/or msr-cookie-doh itself.
+We provide a configured devcontainer for you to use in your new project and/or cookie-doh itself.
You can create a container image with all the necessary dependencies,
and use it for remote development in a remote node with [GitHub Codespaces](https://docs.github.com/en/codespaces).
:point_right: Click below to clone or fork this repository automatically and start developing:
-[](https://codespaces.new/msr-cambridge-uk/msr-cookie-doh)
+[](https://codespaces.new/microsoft/cookie-doh)
## :gear: Devcontainer
diff --git a/bin/check-all b/bin/check-all
index b77143b..128c93b 100755
--- a/bin/check-all
+++ b/bin/check-all
@@ -19,6 +19,10 @@ echo
echo "RUNNING CODESPELL"
uv run codespell
+echo
+echo "RUNNING ZIZMOR"
+uv run zizmor .
+
echo
echo "RUNNING PYTEST AND COVERAGE"
uv run coverage run -m pytest
diff --git a/bin/check-all.jinja b/bin/check-all.jinja
index 6c1be4c..95a7371 100755
--- a/bin/check-all.jinja
+++ b/bin/check-all.jinja
@@ -19,6 +19,10 @@ echo
echo "RUNNING CODESPELL"
uv run codespell
+echo
+echo "RUNNING ZIZMOR"
+uv run zizmor .
+
echo
echo "RUNNING PYTEST AND COVERAGE"
uv run coverage run -m pytest
diff --git a/mkdocs.yml b/mkdocs.yml
index 9c4d053..9588e7e 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -112,6 +112,6 @@ markdown_extensions:
# generic: true
copyright: |
-
+
extra:
generator: false
diff --git a/mkdocs.yml.jinja b/mkdocs.yml.jinja
index 1a0980b..5a3f0c6 100644
--- a/mkdocs.yml.jinja
+++ b/mkdocs.yml.jinja
@@ -106,7 +106,7 @@ markdown_extensions:
{% if microsoft_internal -%}
copyright: |
-
+
extra:
generator: false
{%- endif %}
diff --git a/pyproject.toml b/pyproject.toml
index c97a424..89e5372 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -9,7 +9,17 @@ readme = "README.md"
dependencies = []
[dependency-groups]
-dev = ["codespell", "coverage", "ipykernel", "jinja2", "ruff", "pyright", "pytest", "pytest-cov"]
+dev = [
+ "codespell",
+ "coverage",
+ "ipykernel",
+ "jinja2",
+ "ruff",
+ "pyright",
+ "pytest",
+ "pytest-cov",
+ "zizmor",
+]
docs = [
"mkdocs",
"mkdocs-awesome-pages-plugin",
diff --git a/pyproject.toml.jinja b/pyproject.toml.jinja
index 7ff7a80..682494b 100644
--- a/pyproject.toml.jinja
+++ b/pyproject.toml.jinja
@@ -9,7 +9,7 @@ readme = "README.md"
dependencies = [] # write here dependencies of your project
[dependency-groups]
-dev = ["codespell", "coverage", "ipykernel", "ruff", "pyright", "pytest", "pytest-cov"]
+dev = ["codespell", "coverage", "ipykernel", "ruff", "pyright", "pytest", "pytest-cov", "zizmor"]
{%- if documentation %}
docs = [
"mkdocs",
diff --git a/uv.lock b/uv.lock
index ee20117..132b245 100644
--- a/uv.lock
+++ b/uv.lock
@@ -244,6 +244,7 @@ dev = [
{ name = "pytest" },
{ name = "pytest-cov" },
{ name = "ruff" },
+ { name = "zizmor" },
]
docs = [
{ name = "mkdocs" },
@@ -268,6 +269,7 @@ dev = [
{ name = "pytest" },
{ name = "pytest-cov" },
{ name = "ruff" },
+ { name = "zizmor" },
]
docs = [
{ name = "mkdocs" },
@@ -1414,3 +1416,21 @@ sdist = { url = "https://files.pythonhosted.org/packages/49/b4/51fe890511f0f242d
wheels = [
{ url = "https://files.pythonhosted.org/packages/bd/6e/95b0e537de1f4d4301f76f944642c6da50d1511cc7b3d64dc418a66c7509/wcwidth-0.8.1-py3-none-any.whl", hash = "sha256:f453740b1e4a4f3291faa37944c555d71056c4da08d59809b307ef4feba695c8", size = 323092, upload-time = "2026-06-08T05:57:21.413Z" },
]
+
+[[package]]
+name = "zizmor"
+version = "1.25.2"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/b3/41/8987d546e3101cc76748b2f1b0ccda58e244773ef5124d39e7e749e3d6e4/zizmor-1.25.2.tar.gz", hash = "sha256:f26ffeb16659c8922c7b08203ca5a4f8bf5e1a7e8d190734961c40877cf778ea", size = 517794, upload-time = "2026-05-16T06:28:43.816Z" }
+wheels = [
+ { url = "https://files.pythonhosted.org/packages/dc/bd/84108a92ccbfda0d28efc11f382997c7a767b58863bf4a550634b8cf0211/zizmor-1.25.2-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:17cc8cfd9d472e8b11945a869c198d25cfdf4a33f36fa7a1f9674099f5fb509d", size = 9115548, upload-time = "2026-05-16T06:28:33.591Z" },
+ { url = "https://files.pythonhosted.org/packages/c2/c0/66453a2553a66286a96ca32d75e3e6bcc94ce7f907cd5f8c2c3fce55315e/zizmor-1.25.2-py3-none-macosx_11_0_arm64.whl", hash = "sha256:d3e301eb4465e2da77857cf01ab4ef0184cf3818e826800b270ab01ae7338977", size = 8665071, upload-time = "2026-05-16T06:28:30.861Z" },
+ { url = "https://files.pythonhosted.org/packages/52/3e/d60939d1cc4907c0d021a7c46362aab5e8045550bb09157d56c070e43568/zizmor-1.25.2-py3-none-manylinux_2_24_aarch64.whl", hash = "sha256:cf64374149b567c9373228b76c8e77a389b4071899f84b82c36ee50fab894e79", size = 8842884, upload-time = "2026-05-16T06:28:26.041Z" },
+ { url = "https://files.pythonhosted.org/packages/46/82/f3e8d9b6d941194f2558591b449c106d46a16ea566b95eccff3a83bf6acc/zizmor-1.25.2-py3-none-manylinux_2_28_armv7l.whl", hash = "sha256:0beba1601be08bd00c9277e6ed4b026e125b26b379d86d6d98eb708409b3050d", size = 8449741, upload-time = "2026-05-16T06:28:45.424Z" },
+ { url = "https://files.pythonhosted.org/packages/4b/13/445bc98acc2c976d6b8f8ca59b9c09f055adb5ffb3445d99af8ff7efcb4f/zizmor-1.25.2-py3-none-manylinux_2_28_x86_64.whl", hash = "sha256:c4246f1344d8dbeffc044d7bb11b131773a7db7eb57d9073c45942dfd3543a1f", size = 9285184, upload-time = "2026-05-16T06:28:39.21Z" },
+ { url = "https://files.pythonhosted.org/packages/cf/78/fc7717c706bde7531b2fde12003994fbc04c47ab4f91aa6ca9b3b24b30fd/zizmor-1.25.2-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:dbb1b5c85b8de8eaa0227c6620f06c8e4fbd0a4da2086e218bc225c0bef0923d", size = 8886579, upload-time = "2026-05-16T06:28:51.384Z" },
+ { url = "https://files.pythonhosted.org/packages/ca/bc/a46f11377cdc145c625d62d88c30fead56f9d29bc31652069a1a0eaed6c2/zizmor-1.25.2-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:d670a1e2f00b3cd56febd145bc1a0b2c4caf1cbe5dad8128721843fa877e2d2e", size = 8413576, upload-time = "2026-05-16T06:28:36.376Z" },
+ { url = "https://files.pythonhosted.org/packages/2b/3b/0fd93b77171c8f229e8e1304eecc9931bf3009f722c57967d545d9f151b6/zizmor-1.25.2-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:b75c84d7387389f95edadbe859fb2aaf0a360c5b080932cc53e92ae1db6f09ef", size = 9378162, upload-time = "2026-05-16T06:28:41.999Z" },
+ { url = "https://files.pythonhosted.org/packages/b5/3f/dcb85fb9a0d87794847f9043f9db9bb4d274cf4b8077604bc13850c8fdb4/zizmor-1.25.2-py3-none-win32.whl", hash = "sha256:aa9f4c43b499c55339c3ef2e885133c5017cd9a18d76d9335541203cfa5ae1e7", size = 7548509, upload-time = "2026-05-16T06:28:28.828Z" },
+ { url = "https://files.pythonhosted.org/packages/d2/81/1cb088098bd53f9b910098b0c19d06dc587acf328a170ef8afd1cd93b482/zizmor-1.25.2-py3-none-win_amd64.whl", hash = "sha256:af55bd9bd119ea8cbce2a7addc3922503019de32c1fe31106d70b3dc77d77908", size = 8609822, upload-time = "2026-05-16T06:28:48.078Z" },
+]