From 809888303f0a41073fe71b1f9d1ed4b58f5ba5df Mon Sep 17 00:00:00 2001 From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Date: Fri, 24 Apr 2026 12:09:02 +0300 Subject: [PATCH 1/7] Update pre-commit --- .pre-commit-config.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 1782fa1..f58f6b9 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,12 +1,12 @@ repos: - repo: https://github.com/psf/black - rev: 25.9.0 + rev: 26.3.1 hooks: - id: black language_version: "python3.12" - repo: https://github.com/pycqa/isort - rev: 7.0.0 + rev: 9.0.0a3 hooks: - id: isort additional_dependencies: [ toml ] @@ -19,6 +19,6 @@ repos: - id: debug-statements - repo: https://github.com/asottile/setup-cfg-fmt - rev: v3.1.0 + rev: v3.2.0 hooks: - id: setup-cfg-fmt From ace24b9b2482a7c31a65fe200b3154da09efc75c Mon Sep 17 00:00:00 2001 From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Date: Fri, 24 Apr 2026 12:20:43 +0300 Subject: [PATCH 2/7] Add zizmor security linter --- .github/workflows/auto-tag.yml | 18 ++++++++++++------ .github/workflows/check-for-updates.yml | 21 +++++++++++++-------- .github/workflows/publish.yml | 2 ++ .github/workflows/tests.yml | 8 +++++++- .pre-commit-config.yaml | 21 +++++++++++++++++++++ 5 files changed, 55 insertions(+), 15 deletions(-) diff --git a/.github/workflows/auto-tag.yml b/.github/workflows/auto-tag.yml index 475583e..09ab9dd 100644 --- a/.github/workflows/auto-tag.yml +++ b/.github/workflows/auto-tag.yml 
@@ -15,26 +15,32 @@ jobs: steps: - name: Check out repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Get current version id: version run: | VERSION=$(cat VERSION) - echo "version=$VERSION" >> $GITHUB_OUTPUT + echo "version=$VERSION" >> "$GITHUB_OUTPUT" - name: Check if tag already exists id: checktag + env: + VERSION: ${{ steps.version.outputs.version }} run: | - if git rev-parse "v${{ steps.version.outputs.version }}" >/dev/null 2>&1; then - echo "skip=true" >> $GITHUB_OUTPUT + if git rev-parse "v${VERSION}" >/dev/null 2>&1; then + echo "skip=true" >> "$GITHUB_OUTPUT" else - echo "skip=false" >> $GITHUB_OUTPUT + echo "skip=false" >> "$GITHUB_OUTPUT" fi - name: Push tag if: steps.checktag.outputs.skip == 'false' + env: + VERSION: ${{ steps.version.outputs.version }} run: | git config user.name "github-actions[bot]" git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - git tag "${{ steps.version.outputs.version }}" - git push origin "${{ steps.version.outputs.version }}" + git tag "${VERSION}" + git push origin "${VERSION}" diff --git a/.github/workflows/check-for-updates.yml b/.github/workflows/check-for-updates.yml index 119d1d0..d8368f9 100644 --- a/.github/workflows/check-for-updates.yml +++ b/.github/workflows/check-for-updates.yml @@ -5,9 +5,13 @@ on: - cron: '0 9 * * *' # Runs daily at 9AM UTC workflow_dispatch: +permissions: {} + jobs: check-pr-exists: runs-on: ubuntu-latest + permissions: + pull-requests: read outputs: pr_exists: ${{ steps.check_pr_exists.outputs.pr_exists }} steps: 
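Review bot: The `git rev-parse "v${VERSION}"` test in the "Check if tag already exists" step can only see tags the checkout actually fetched, and the `with:` block added to `actions/checkout@v6` in this hunk sets only `persist-credentials: false`, so with the action's default shallow, tag-less fetch the check most likely always reports `skip=false` and a duplicate version is only caught when the push itself fails. Either add `fetch-tags: true` under that same `with:` block, or ask the remote instead of the local clone, e.g. `if git ls-remote --exit-code --tags origin "refs/tags/v${VERSION}" >/dev/null 2>&1; then`. The job's `permissions:` block is outside the hunk; the "Push tag" step needs `contents: write` there for the token to be allowed to push, so that is worth confirming alongside this change (the checkout step begins above the hunk).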
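Review bot: With `permissions: {}` now at the workflow level, every job runs with no token scopes unless it declares its own, and the only job granted anything in this hunk is `check-pr-exists` (`pull-requests: read`); the `check-for-updates` job, which later in this series is given a persisted token to push the update, does not appear with a `permissions:` block in any hunk shown here. If it has none, its push and any PR creation would be rejected under the empty default, so it should carry the minimum it needs at job level, e.g. `permissions:` / `contents: write` / `pull-requests: write`, rather than widening the top-level block again. `pull-requests: read` is the correct scope for the `gh pr list` call in `check-pr-exists`, which only reads.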
@@ -16,15 +20,15 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - PR_EXISTS=$(gh pr --repo $GITHUB_REPOSITORY \ + PR_EXISTS=$(gh pr --repo "$GITHUB_REPOSITORY" \ list --search "Update tzdata to version" \ --json number --jq '.[] | .number') if [ -n "$PR_EXISTS" ]; then echo "A PR updating the tzdata version already exists: https://github.com/python/tzdata/pulls/${PR_EXISTS}" - echo "pr_exists=true" >> $GITHUB_OUTPUT + echo "pr_exists=true" >> "$GITHUB_OUTPUT" exit 0 else - echo "pr_exists=false" >> $GITHUB_OUTPUT + echo "pr_exists=false" >> "$GITHUB_OUTPUT" fi check-for-updates: @@ -39,6 +43,7 @@ jobs: uses: actions/checkout@v6 with: fetch-depth: 1 # Shallow clone to save time + persist-credentials: false - name: Set up Python 3.12 uses: actions/setup-python@v6 @@ -62,7 +67,7 @@ jobs: # Check for changes if git diff --quiet; then echo "No changes detected." - echo "CHANGES_DETECTED=false" >> $GITHUB_ENV + echo "CHANGES_DETECTED=false" >> "$GITHUB_ENV" exit 0 fi @@ -75,11 +80,11 @@ jobs: exit 1 fi - if [ $(echo "$news_files" | wc -l) -ne 1 ]; then + if [ "$(echo "$news_files" | wc -l)" -ne 1 ]; then echo "More than one new file added in news.d, failing the job." exit 1 fi - echo "CHANGES_DETECTED=true" >> $GITHUB_ENV + echo "CHANGES_DETECTED=true" >> "$GITHUB_ENV" # Extract TZDATA_VERSION from filename TZDATA_VERSION=$(basename "$news_files" .md) @@ -87,7 +92,7 @@ jobs: # Extract TZDATA_NEWS from file content TZDATA_NEWS=$(cat "$news_files") - echo "TZDATA_VERSION=$TZDATA_VERSION" >> $GITHUB_ENV + echo "TZDATA_VERSION=$TZDATA_VERSION" >> "$GITHUB_ENV" { echo "TZDATA_NEWS< Date: Fri, 24 Apr 2026 18:53:55 +0300 Subject: [PATCH 3/7] persist-credentials: true # Needed to push the tag --- .github/workflows/auto-tag.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/auto-tag.yml b/.github/workflows/auto-tag.yml index d43880f..2aa7ad8 100644 --- a/.github/workflows/auto-tag.yml +++ b/.github/workflows/auto-tag.yml 
@@ -16,7 +16,7 @@ jobs: - name: Check out repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - persist-credentials: false + persist-credentials: true # Needed to push the tag - name: Get current version id: version From 3cffcb781b7c2941ad561680f9524d170e79bfdb Mon Sep 17 00:00:00 2001 From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Date: Fri, 24 Apr 2026 18:58:31 +0300 Subject: [PATCH 4/7] isort 8.0.1 --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 7580652..b7994f7 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -6,7 +6,7 @@ repos: language_version: "python3.12" - repo: https://github.com/pycqa/isort - rev: 9.0.0a3 + rev: 8.0.1 hooks: - id: isort additional_dependencies: [ toml ] From acbc1b0b91cd214afc55cadad860583bd3746842 Mon Sep 17 00:00:00 2001 From: Stan Ulbrych Date: Fri, 24 Apr 2026 17:28:43 +0100 Subject: [PATCH 5/7] Fix a little pre-existing typo --- .github/workflows/auto-tag.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/auto-tag.yml b/.github/workflows/auto-tag.yml index 2aa7ad8..6787e71 100644 --- a/.github/workflows/auto-tag.yml +++ b/.github/workflows/auto-tag.yml @@ -29,7 +29,7 @@ jobs: env: VERSION: ${{ steps.version.outputs.version }} run: | - if git rev-parse "v${VERSION}" >/dev/null 2>&1; then + if git rev-parse "${VERSION}" >/dev/null 2>&1; then echo "skip=true" >> "$GITHUB_OUTPUT" else echo "skip=false" >> "$GITHUB_OUTPUT" From 7f43f16f7d85ba83de2f5f0ea65e456a4a705b49 Mon Sep 17 00:00:00 2001 From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Date: Fri, 24 Apr 2026 20:11:17 +0300 Subject: [PATCH 6/7] persist-credentials: true # Needed to push the tag --- .github/workflows/check-for-updates.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
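Review bot: Setting `persist-credentials: true` writes `GITHUB_TOKEN` into the checkout's git config for the rest of the job, so every later step, including any third-party action, can read it; this is the exposure zizmor reports on checkouts, and the justification comment added here does not by itself silence that finding (an inline `# zizmor: ignore[artipacked]` would, if that is the intent). The same change is made to check-for-updates.yml in the later patch of this series. A narrower option keeps `persist-credentials: false` and gives the token only to the step that pushes, e.g. `env:` / `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` on the "Push tag" step with `git push "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}" "${VERSION}"`. Note also that a tag pushed with `GITHUB_TOKEN` does not trigger other workflows on that push, so if a release workflow is meant to run from this tag it needs a different token or an explicit `workflow_dispatch`/`workflow_run` handoff; both the checkout and push steps extend outside this hunk.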
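Review bot: Dropping the `v` makes the check agree with the tag name that is pushed, but `git rev-parse "${VERSION}"` on the new line resolves any matching ref or object, not only a tag, so a branch named like the version (or, for a short hex-looking value, a commit prefix) would also produce `skip=true` and silently skip the release tag. Checking the tag namespace explicitly avoids that: `if git rev-parse --verify --quiet "refs/tags/${VERSION}" >/dev/null; then`. This still inspects only tags present in the local checkout, which is configured above the hunk.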
diff --git a/.github/workflows/check-for-updates.yml b/.github/workflows/check-for-updates.yml index 1261894..358f502 100644 --- a/.github/workflows/check-for-updates.yml +++ b/.github/workflows/check-for-updates.yml @@ -43,7 +43,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 1 # Shallow clone to save time - persist-credentials: false + persist-credentials: true # Needed to push the tag - name: Set up Python 3.12 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 From b4fc2a7666addace5557940ce15e3513ffb24b40 Mon Sep 17 00:00:00 2001 From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Date: Fri, 24 Apr 2026 20:15:17 +0300 Subject: [PATCH 7/7] Fix comment Co-authored-by: Stan Ulbrych --- .github/workflows/check-for-updates.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/check-for-updates.yml b/.github/workflows/check-for-updates.yml index 358f502..7569945 100644 --- a/.github/workflows/check-for-updates.yml +++ b/.github/workflows/check-for-updates.yml @@ -43,7 +43,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 1 # Shallow clone to save time - persist-credentials: true # Needed to push the tag + persist-credentials: true # Needed to push the update - name: Set up Python 3.12 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0