lablabs
diff --git a/‎.github/workflows/pre-commit.yaml
+4 b/‎.github/workflows/pre-commit.yaml
+4
diff --git a/‎.github/workflows/template-sync.yaml
+1-1 b/‎.github/workflows/template-sync.yaml
+1-1
diff --git a/‎.github/workflows/validate.yaml
+4 b/‎.github/workflows/validate.yaml
+4
diff --git a/‎.pre-commit-config.yaml
+13-4 b/‎.pre-commit-config.yaml
+13-4
diff --git a/‎.tool-versions
+3-3 b/‎.tool-versions
+3-3
diff --git a/‎addon-oidc.tf
+1-1 b/‎addon-oidc.tf
+1-1
@@ -24,6 +24,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Setup ASDF
         uses: asdf-vm/actions/setup@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3.0.2
@@ -63,3 +65,5 @@ jobs:
 
       - name: Run pre-commit
         run: pre-commit run --show-diff-on-failure --color=always --all-files
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} # required for zizmor
@@ -32,8 +32,8 @@ jobs:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          fetch-depth: 0
           token: ${{ steps.template-sync-app-token.outputs.token }} # needed for private repositories
+          persist-credentials: false
 
       - name: Sync universal-addon template
         uses: AndreasAugustin/actions-template-sync@bcb94410a4f1dffdfe5eaabc8234c3b8e76ebc5b # v2.5.1
 
@@ -18,6 +18,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Extract Terraform min/max versions
         id: terraform-min-max
@@ -39,6 +41,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
         with:
 
@@ -1,6 +1,7 @@
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v5.0.0
+    # renovate: datasource=github-tags depName=pre-commit/pre-commit-hooks
+    rev: cef0300fd0fc4d2a87a85fa2093c6b283ea36f4b # v5.0.0 # pragma: allowlist secret
     hooks:
       - id: trailing-whitespace
         args: ["--markdown-linebreak-ext=md"]
@@ -11,7 +12,8 @@ repos:
       - id: end-of-file-fixer
 
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.96.3
+    # renovate: datasource=github-releases depName=antonbabenko/pre-commit-terraform
+    rev: 55d0143972eec4905fdaea2f444f1e88218f9dce # v1.96.3 # pragma: allowlist secret
     hooks:
       - id: terraform_validate
       - id: terraform_fmt
@@ -26,18 +28,25 @@ repos:
           - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl
       - id: terraform_checkov
         args:
-          - "--args=--quiet --skip-check CKV_TF_1" #CKV_TF_1: "Ensure Terraform module sources use a commit hash"
+          - "--args=--quiet --skip-check CKV_TF_1" # CKV_TF_1: "Ensure Terraform module sources use a commit hash"
       - id: terraform_docs
         args:
           - "--args=--config=.terraform-docs.yml"
 
   - repo: https://github.com/Yelp/detect-secrets
-    rev: v1.5.0
+    # renovate: datasource=github-releases depName=Yelp/detect-secrets
+    rev: 01886c8a910c64595c47f186ca1ffc0b77fa5458 # v1.5.0 # pragma: allowlist secret
     hooks:
       - id: detect-secrets
         args: ["--baseline", ".secrets.baseline"]
         exclude: terraform.tfstate
 
+  - repo: https://github.com/woodruffw/zizmor-pre-commit
+    # renovate: datasource=github-releases depName=woodruffw/zizmor-pre-commit
+    rev: 07a06156e31897fbb5ba0e22a961e8e3c2a0677b # v1.16.0 # pragma: allowlist secret
+    hooks:
+      - id: zizmor
+
   - repo: local
     hooks:
       - id: sync-variables
 
@@ -1,7 +1,7 @@
 terraform 1.5.7
-terraform-docs 0.19.0
+terraform-docs 0.20.0
 tflint 0.50.3
 checkov 3.2.352
-awscli 2.25.10
+awscli 2.27.4
 pre-commit 4.2.0
-python 3.13.2
+python 3.13.3
@@ -16,7 +16,7 @@ module "addon-oidc" {
   oidc_assume_role_enabled                   = var.oidc_assume_role_enabled != null ? var.oidc_assume_role_enabled : try(each.value.oidc_assume_role_enabled, false)
   oidc_assume_role_arns                      = var.oidc_assume_role_arns != null ? var.oidc_assume_role_arns : try(each.value.oidc_assume_role_arns, [])
   oidc_permissions_boundary                  = var.oidc_permissions_boundary != null ? var.oidc_permissions_boundary : try(each.value.oidc_permissions_boundary, null)
-  oidc_additional_policies                   = var.oidc_additional_policies != null ? var.oidc_additional_policies : try(each.value.oidc_additional_policies, tomap({}))
+  oidc_additional_policies                   = var.oidc_additional_policies != null ? var.oidc_additional_policies : lookup(each.value, "oidc_additional_policies", tomap({}))
   oidc_openid_client_ids                     = var.oidc_openid_client_ids != null ? var.oidc_openid_client_ids : try(each.value.oidc_openid_client_ids, [])
   oidc_openid_provider_url                   = var.oidc_openid_provider_url != null ? var.oidc_openid_provider_url : try(each.value.oidc_openid_provider_url, "")
   oidc_openid_thumbprints                    = var.oidc_openid_thumbprints != null ? var.oidc_openid_thumbprints : try(each.value.oidc_openid_thumbprints, [])