From 361278d7284215b1f1f0d670fb9442aec2e2f4d0 Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Tue, 23 Dec 2025 17:51:02 +0200
Subject: [PATCH] [3.14] Update pre-commit with zizmor and Ruff fixes
 (GH-143095) (cherry picked from commit
 f783cc37ebdc2fb9a2b5f967b99caaa886ff4ae4)

Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
---
 .github/dependabot.yml          |  7 +++++++
 .github/workflows/tail-call.yml | 20 ++++++++++----------
 .pre-commit-config.yaml         | 12 ++++++------
 Doc/tools/check-warnings.py     |  7 +++++--
 4 files changed, 28 insertions(+), 18 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index c8a3165d690364..7f3376f8ddb1e2 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -12,6 +12,11 @@ updates:
         update-types:
           - "version-update:semver-minor"
           - "version-update:semver-patch"
+    cooldown:
+      # https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns
+      # Cooldowns protect against supply chain attacks by avoiding the
+      # highest-risk window immediately after new releases.
+      default-days: 14
   - package-ecosystem: "pip"
     directory: "/Tools/"
     schedule:
@@ -19,3 +24,5 @@ updates:
     labels:
       - "skip issue"
       - "skip news"
+    cooldown:
+      default-days: 14
diff --git a/.github/workflows/tail-call.yml b/.github/workflows/tail-call.yml
index e99e317182eaa6..182aadda77832b 100644
--- a/.github/workflows/tail-call.yml
+++ b/.github/workflows/tail-call.yml
@@ -81,24 +81,24 @@ jobs:
 
       - name: Native Windows (debug)
         if: runner.os == 'Windows' && matrix.architecture != 'ARM64'
-        shell: cmd
+        shell: pwsh
         run: |
           choco install llvm --allow-downgrade --no-progress --version ${{ matrix.llvm }}.1.0
-          set PlatformToolset=clangcl
-          set LLVMToolsVersion=${{ matrix.llvm }}.1.0
-          set LLVMInstallDir=C:\Program Files\LLVM
-          call ./PCbuild/build.bat --tail-call-interp -d -p ${{ matrix.architecture }}
-          call ./PCbuild/rt.bat -d -p ${{ matrix.architecture }} -q --multiprocess 0 --timeout 4500 --verbose2 --verbose3
+          $env:PlatformToolset = "clangcl"
+          $env:LLVMToolsVersion = "${{ matrix.llvm }}.1.0"
+          $env:LLVMInstallDir = "C:\Program Files\LLVM"
+          ./PCbuild/build.bat --tail-call-interp -d -p ${{ matrix.architecture }}
+          ./PCbuild/rt.bat -d -p ${{ matrix.architecture }} -q --multiprocess 0 --timeout 4500 --verbose2 --verbose3
 
       # No tests (yet):
       - name: Emulated Windows (release)
         if: runner.os == 'Windows' && matrix.architecture == 'ARM64'
-        shell: cmd
+        shell: pwsh
         run: |
           choco install llvm --allow-downgrade --no-progress --version ${{ matrix.llvm }}.1.0
-          set PlatformToolset=clangcl
-          set LLVMToolsVersion=${{ matrix.llvm }}.1.0
-          set LLVMInstallDir=C:\Program Files\LLVM
+          $env:PlatformToolset = "clangcl"
+          $env:LLVMToolsVersion = "${{ matrix.llvm }}.1.0"
+          $env:LLVMInstallDir = "C:\Program Files\LLVM"
           ./PCbuild/build.bat --tail-call-interp -p ${{ matrix.architecture }}
 
       - name: Native macOS (release)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index c5767ee841eb0d..74284b2aa036fd 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.13.2
+    rev: v0.14.10
     hooks:
       - id: ruff-check
         name: Run Ruff (lint) on Apple/
@@ -52,7 +52,7 @@ repos:
         files: ^Tools/wasm/
 
   - repo: https://github.com/psf/black-pre-commit-mirror
-    rev: 25.9.0
+    rev: 25.12.0
     hooks:
       - id: black
         name: Run Black on Tools/jit/
@@ -83,24 +83,24 @@ repos:
         files: '^\.github/CODEOWNERS|\.(gram)$'
 
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 0.34.0
+    rev: 0.36.0
     hooks:
       - id: check-dependabot
       - id: check-github-workflows
       - id: check-readthedocs
 
   - repo: https://github.com/rhysd/actionlint
-    rev: v1.7.7
+    rev: v1.7.9
     hooks:
       - id: actionlint
 
   - repo: https://github.com/woodruffw/zizmor-pre-commit
-    rev: v1.14.1
+    rev: v1.19.0
     hooks:
       - id: zizmor
 
   - repo: https://github.com/sphinx-contrib/sphinx-lint
-    rev: v1.0.0
+    rev: v1.0.2
     hooks:
       - id: sphinx-lint
         args: [--enable=default-role]
diff --git a/Doc/tools/check-warnings.py b/Doc/tools/check-warnings.py
index f9b8c45a78af49..3168f3f01cd1e2 100644
--- a/Doc/tools/check-warnings.py
+++ b/Doc/tools/check-warnings.py
@@ -311,8 +311,11 @@ def main(argv: list[str] | None = None) -> int:
     if not Path("Doc").exists() or not Path("Doc").is_dir():
         raise RuntimeError(wrong_directory_msg)
 
-    with Path("Doc/sphinx-warnings.txt").open(encoding="UTF-8") as f:
-        warnings = f.read().splitlines()
+    warnings = (
+        Path("Doc/sphinx-warnings.txt")
+        .read_text(encoding="UTF-8")
+        .splitlines()
+    )
 
     cwd = str(Path.cwd()) + os.path.sep
     files_with_nits = {