PR Type

What kind of change does this PR introduce?

• Bug fix
• Feature
• Chore (refactoring, formatting, local variables, other cleanup)
• Documentation content changes

What is the new behavior?

See https://blog.pypi.org/posts/2024-12-11-ultralytics-attack-analysis/

Looks like zizmor is the go-to tool.

Your composite actions (action.yml) files are not checked. It's on zizmor's backlog, though: zizmorcore/zizmor#173.

The most common issue found are template injection, and artipacked.

In the labeler workflow we use a dangerous trigger. Should we delete this workflow and set labels ourselves again?

error[dangerous-triggers]: use of fundamentally insecure workflow trigger
 --> /Users/arjan/Development/gaphor/.github/workflows/labeler.yml:2:1
  |
2 | / on:
3 | | - pull_request_target
  | |_____________________^ pull_request_target is almost always used insecurely
  |
  = note: audit confidence → Medium