ci: adjust zizmor config, bump dist (#20999)

## Summary

Also bumps `cargo dist` to 0.30, and moves us
back to the upstream copy of `dist` now that
the latest version has integrated our fork's
patches.

## Test Plan

See what happens in CI 🙂

---------

Signed-off-by: William Woodruff <william@astral.sh>

.github/workflows/publish-playground.yml

@@ -18,6 +18,8 @@ env:
   CARGO_TERM_COLOR: always
   RUSTUP_MAX_RETRIES: 10
 
+permissions: {}
+
 jobs:
   publish:
     runs-on: ubuntu-latest
@@ -32,7 +34,7 @@ jobs:
       - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
           node-version: 22
-          cache: "npm"
+          cache: "npm" # zizmor: ignore[cache-poisoning] acceptable risk for CloudFlare pages artifact
           cache-dependency-path: playground/package-lock.json
       - uses: jetli/wasm-bindgen-action@20b33e20595891ab1a0ed73145d8a21fc96e7c29 # v0.2.0
       - name: "Install Node dependencies"

.github/workflows/publish-ty-playground.yml

@@ -38,6 +38,7 @@ jobs:
       - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
           node-version: 22
+          cache: "npm" # zizmor: ignore[cache-poisoning] acceptable risk for CloudFlare pages artifact
       - uses: jetli/wasm-bindgen-action@20b33e20595891ab1a0ed73145d8a21fc96e7c29 # v0.2.0
       - name: "Install Node dependencies"
         run: npm ci

.github/workflows/release.yml

@@ -1,7 +1,6 @@
-# This file was autogenerated by dist: https://github.com/astral-sh/cargo-dist
+# This file was autogenerated by dist: https://axodotdev.github.io/cargo-dist
 #
 # Copyright 2022-2024, axodotdev
-# Copyright 2025 Astral Software Inc.
 # SPDX-License-Identifier: MIT or Apache-2.0
 #
 # CI that:
@@ -69,7 +68,7 @@ jobs:
         # we specify bash to get pipefail; it guards against the `curl` command
         # failing. otherwise `sh` won't catch that `curl` returned non-0
         shell: bash
-        run: "curl --proto '=https' --tlsv1.2 -LsSf https://github.com/astral-sh/cargo-dist/releases/download/v0.28.5-prerelease.1/cargo-dist-installer.sh | sh"
+        run: "curl --proto '=https' --tlsv1.2 -LsSf https://github.com/axodotdev/cargo-dist/releases/download/v0.30.0/cargo-dist-installer.sh | sh"
       - name: Cache dist
         uses: actions/upload-artifact@6027e3dd177782cd8ab9af838c04fd81a07f1d47
         with:

.github/workflows/ty-ecosystem-analyzer.yaml

@@ -34,10 +34,13 @@ jobs:
 
       - name: Install the latest version of uv
         uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
+        with:
+          enable-cache: true # zizmor: ignore[cache-poisoning] acceptable risk for CloudFlare pages artifact
 
       - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
         with:
           workspaces: "ruff"
+          lookup-only: false # zizmor: ignore[cache-poisoning] acceptable risk for CloudFlare pages artifact
 
       - name: Install Rust toolchain
         run: rustup show

.github/workflows/ty-ecosystem-report.yaml

@@ -30,10 +30,13 @@ jobs:
 
       - name: Install the latest version of uv
         uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
+        with:
+          enable-cache: true # zizmor: ignore[cache-poisoning] acceptable risk for CloudFlare pages artifact
 
       - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
         with:
           workspaces: "ruff"
+          lookup-only: false # zizmor: ignore[cache-poisoning] acceptable risk for CloudFlare pages artifact
 
       - name: Install Rust toolchain
         run: rustup show

.github/zizmor.yml

@@ -9,13 +9,18 @@ rules:
   cache-poisoning:
     ignore:
       - build-docker.yml
-      - publish-playground.yml
-      - ty-ecosystem-analyzer.yaml
-      - ty-ecosystem-report.yaml
   excessive-permissions:
     # it's hard to test what the impact of removing these ignores would be
     # without actually running the release workflow...
     ignore:
       - build-docker.yml
-      - publish-playground.yml
       - publish-docs.yml
+  secrets-inherit:
+    # `cargo dist` makes extensive use of `secrets: inherit`,
+    # and we can't easily fix that until an upstream release changes that.
+    disable: true
+  template-injection:
+    ignore:
+      # like with `secrets-inherit`, `cargo dist` introduces some
+      # template injections. We've manually audited these usages for safety.
+      - release.yml

.pre-commit-config.yaml

@@ -101,8 +101,8 @@ repos:
 
   # zizmor detects security vulnerabilities in GitHub Actions workflows.
   # Additional configuration for the tool is found in `.github/zizmor.yml`
-  - repo: https://github.com/woodruffw/zizmor-pre-commit
-    rev: v1.11.0
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: v1.15.2
     hooks:
       - id: zizmor
 

dist-workspace.toml

@@ -5,7 +5,7 @@ packages = ["ruff"]
 # Config for 'dist'
 [dist]
 # The preferred dist version to use in CI (Cargo.toml SemVer syntax)
-cargo-dist-version = "0.28.5-prerelease.1"
+cargo-dist-version = "0.30.0"
 # Whether to consider the binaries in a package for distribution (defaults true)
 dist = false
 # CI backends to support
@@ -54,11 +54,7 @@ local-artifacts-jobs = ["./build-binaries", "./build-docker"]
 # Publish jobs to run in CI
 publish-jobs = ["./publish-pypi", "./publish-wasm"]
 # Post-announce jobs to run in CI
-post-announce-jobs = [
-    "./notify-dependents",
-    "./publish-docs",
-    "./publish-playground"
-]
+post-announce-jobs = ["./notify-dependents", "./publish-docs", "./publish-playground"]
 # Custom permissions for GitHub Jobs
 github-custom-job-permissions = { "build-docker" = { packages = "write", contents = "read" }, "publish-wasm" = { contents = "read", id-token = "write", packages = "write" } }
 # Whether to install an updater program