ci: bump zizmor-action to v0.5.6 and disable uv cache in release build

Kludex · Kludex · commit 9c596da47923 · 2026-05-20T15:43:06.000+02:00
The newer zizmor (1.25.x, shipped by zizmor-action v0.5.6) adds a
cache-poisoning audit that flags astral-sh/setup-uv with
enable-cache: true in a release: published-triggered job. Disable the
cache for the release-build job - release builds are infrequent and a
cold cache is fine - so the new security workflow lands clean.
diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml
@@ -20,7 +20,7 @@ jobs:
       - name: Install uv
         uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1
         with:
-          enable-cache: true
+          enable-cache: false
           version: 0.9.5
 
       - name: Set up Python 3.12
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -22,4 +22,4 @@ jobs:
           persist-credentials: false
 
       - name: Run zizmor 🌈
-        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
+        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
