From 908fbae9f982a8d4d267c2430317d7800a1c9b70 Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Tue, 25 Feb 2025 22:52:07 +0100
Subject: [PATCH 1/3] feat(run-pre-commit): Add option to install Rust-based
 tools

---
 run-pre-commit/action.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/run-pre-commit/action.yml b/run-pre-commit/action.yml
index 18184fd..caa85c4 100644
--- a/run-pre-commit/action.yml
+++ b/run-pre-commit/action.yml
@@ -15,6 +15,11 @@ inputs:
       Override which Rust components are installed. Only takes effect when Rust
       is installed.
     default: rustfmt,clippy
+  rust-tools:
+    description: |
+      Install Rust-based tools using `cargo install --locked`. Tools can be
+      specified using the following format: `CRATE[@<VER>]`. Individual tools
+      are separated by space
   hadolint:
     description: Whether to install hadolint (and which version to use)
   nix:
@@ -38,6 +43,18 @@ runs:
         toolchain: ${{ inputs.rust }}
         components: ${{ inputs.rust-components }}
 
+    - name: Install Rust Tools
+      if: ${{ inputs.rust-tools }}
+      env:
+        RUST_TOOLS: ${{ inputs.rust-tools }}
+      shell: bash
+      run: |
+        set -euo pipefail
+
+        # Make a list out of the space separated list off tools/crates
+        RUST_TOOLS=($RUST_TOOLS)
+        cargo install --locked "${RUST_TOOLS[@]}"
+
     - name: Setup Hadolint
       if: ${{ inputs.hadolint }}
       shell: bash

From 362a925aea68a87f0f4094226ec96636fb0ae7fc Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Tue, 25 Feb 2025 22:58:42 +0100
Subject: [PATCH 2/3] chore: Add zizmor hook to pre-commit config

---
 .pre-commit-config.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 4ef31fd..3db3a1b 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -31,3 +31,13 @@ repos:
     rev: 5db9d9cde2f3deb5035dea3e45f0a9fff2f29448 # 1.7.4
     hooks:
       - id: actionlint
+
+  - repo: local
+    hooks:
+      - id: zizmor
+        name: zizmor
+        language: system
+        files: ^\.github/workflows/
+        entry: zizmor
+        stages: [pre-commit]
+        pass_filenames: true

From 0efba2351c3543c859b9310e0afc0c8a82dd227f Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Tue, 25 Feb 2025 22:59:13 +0100
Subject: [PATCH 3/3] ci: Install zizmor in pre-commit workflow

---
 .github/workflows/pr_pre-commit.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/pr_pre-commit.yml b/.github/workflows/pr_pre-commit.yml
index 0877ecd..a63b29d 100644
--- a/.github/workflows/pr_pre-commit.yml
+++ b/.github/workflows/pr_pre-commit.yml
@@ -4,6 +4,7 @@ name: pre-commit
 on:
   pull_request:
 
+permissions: {}
 
 jobs:
   pre-commit:
@@ -15,3 +16,5 @@ jobs:
           submodules: recursive
           fetch-depth: 0
       - uses: ./run-pre-commit
+        with:
+          rust-tools: zizmor@1.4.1