Apply pinning to GitHub Actions#197

Merged
lucperkins merged 3 commits into main from actions-pinning
Jun 1, 2026
Conversation

@lucperkins lucperkins commented May 28, 2026


Summary by CodeRabbit

  • Chores
    • Improved GitHub Actions security by pinning all third-party action references to specific commit SHAs to prevent unexpected changes.
    • Added automated dependency management with weekly update checks and organized grouping of related updates.
    • Established security policies to verify and enforce proper pinning of dependencies across workflows.

coderabbitai Bot commented May 28, 2026


Warning

Review limit reached

@lucperkins, we couldn't start this review because you've reached your PR review rate limit.

📥 Commits

Reviewing files that changed from the base of the PR and between 1e38197 and d49faa9.

📒 Files selected for processing (1)
  • .github/workflows/zizmor.yml
📝 Walkthrough

This PR hardens GitHub Actions workflows by pinning third-party actions to specific commit SHAs, adds Dependabot configuration for automated weekly dependency updates, and introduces Zizmor linting rules to enforce pinning policies across the repository.

Changes

GitHub Actions Security Hardening

Layer: Security tooling configuration
File(s): .github/zizmor.yml, .github/dependabot.yml
Summary: Zizmor linting enforces unpinned-action checks for DeterminateSystems/* dependencies. Dependabot configuration enables weekly automated GitHub Actions updates with a 7-day cooldown, groups all actions updates, and excludes DeterminateSystems/* from auto-updates.

Layer: CI workflow action pinning
File(s): .github/workflows/ci.yml
Summary: actions/checkout pinned to specific commit SHAs across build, test-no-nix, run-x86_64-linux-untrusted, and run-systems jobs while retaining persist-credentials: false. actions/cache pinned from v5 tag to a specific SHA. success job gains permissions: contents: read.

Layer: FlakeHub cache workflow pinning
File(s): .github/workflows/flakehub-cache.yml
Summary: actions/checkout pinned from v6 to a specific v6.0.2 commit SHA with persist-credentials: false added.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🐰 Our workflows are now pinned,
No floating tags to twist and bend,
Dependabot will keep them tight,
Zizmor guards both day and night,
Security locked in, pure delight! ✨

🚥 Pre-merge checks: ✅ 5 passed
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and directly summarizes the main change: pinning GitHub Actions to specific commit SHAs across multiple workflow files.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

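An added example, not code from this PR or the project, of the kind of check the pinning policy above implies: a small Python audit that classifies every `uses:` reference in a workflow as hash-pinned, ref-pinned or unpinned and applies a per-action policy modelled on the Zizmor rule the walkthrough describes (a full SHA for everything except listed globs). The POLICY mapping, the sample workflow, the action name DeterminateSystems/example-action and the SHAs are constructed for the example.

```python
import fnmatch
import re

# A `uses:` step line: <action>[@<ref>], optionally followed by a "# comment".
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@#]+)(?:@([^\s#]+))?\s*(?:#\s*(\S.*))?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Assumed policy modelled on the Zizmor rule the walkthrough describes: every
# third-party action must be hash-pinned except the globs listed here.
POLICY = {"DeterminateSystems/*": "ref-pin"}
DEFAULT_LEVEL = "hash-pin"

# Constructed sample workflow; the SHAs and the DeterminateSystems action name are fake.
SAMPLE_WORKFLOW = f"""\
jobs:
  build:
    steps:
      - uses: actions/checkout@{'a' * 40} # v6.0.2
      - uses: actions/cache@v5
      - uses: DeterminateSystems/example-action@main
      - uses: some-org/some-action@{'b' * 40}
      - uses: ./.github/actions/local-step
"""

def required_level(action, policy=POLICY):
    """First matching glob in the policy wins; otherwise demand a full commit SHA."""
    for pattern, level in policy.items():
        if fnmatch.fnmatch(action, pattern):
            return level
    return DEFAULT_LEVEL

def audit_workflow(text, policy=POLICY):
    """Return (line_no, action, ref, message) for every `uses:` that breaks the policy."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.groups()
        if action.startswith(("./", "docker://")):
            continue  # local composite actions and container images are out of scope here
        level = required_level(action, policy)
        if ref is None:
            findings.append((line_no, action, ref, f"no ref; {level} required"))
        elif level == "hash-pin" and not FULL_SHA_RE.match(ref):
            findings.append((line_no, action, ref, "mutable ref; full commit SHA required"))
        elif FULL_SHA_RE.match(ref) and not comment:
            findings.append((line_no, action, ref, "SHA pin without a version comment"))
    return findings
```

Running audit_workflow(SAMPLE_WORKFLOW) flags actions/cache@v5 (tag, not SHA) and the some-org/some-action pin that carries no version comment, while the DeterminateSystems entry passes under its ref-pin exception.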

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/ci.yml (1)

182-183: 💤 Low value

Clarify the need for contents: read permission.

The success job only runs shell commands (true and conditional exit) and doesn't check out code or invoke any actions that require repository access. The contents: read permission appears unnecessary here.

If following a least-privilege policy template, note that GitHub Actions jobs have contents: read by default when permissions are not specified. Explicitly setting it provides no additional security benefit for this job.

📥 Commits

Reviewing files that changed from the base of the PR and between 908b263 and 1e38197.

📒 Files selected for processing (4)
  • .github/dependabot.yml
  • .github/workflows/ci.yml
  • .github/workflows/flakehub-cache.yml
  • .github/zizmor.yml

Comment thread .github/dependabot.yml
Comment on lines +13 to +14
ignore:
- dependency-name: "DeterminateSystems/*"
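Review bot: the wildcard ignore on lines 13-14 takes every DeterminateSystems/* action out of Dependabot's weekly update run entirely, so if any of those actions is later pinned to a commit SHA the way actions/checkout and actions/cache are in this PR, that SHA will never be refreshed, while .github/zizmor.yml still targets the same actions for pinning. Either drop the ignore entry so Dependabot maintains those pins as well, or keep it and record the reason in a YAML comment beside the entry (for example that these actions are intentionally consumed from `@main`), so the two configs read as a deliberate choice rather than a contradiction.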

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Reconcile Dependabot ignore with Zizmor pinning policy.

This configuration ignores DeterminateSystems/* actions from automated updates, keeping them at @main. However, the Zizmor policy in .github/zizmor.yml:5 requires these same actions to use ref-pin. This creates a conflict where Dependabot won't help maintain pinned versions, requiring manual updates.

If the intent is to keep DeterminateSystems/* actions at @main (as currently used in workflows), then the Zizmor policy should be adjusted. If the intent is to pin them, remove this ignore rule so Dependabot can maintain the pins.

@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@lucperkins lucperkins added this pull request to the merge queue Jun 1, 2026
Merged via the queue into main with commit 1464554 Jun 1, 2026
8 checks passed
@lucperkins lucperkins deleted the actions-pinning branch June 1, 2026 16:08