GitHub Actions pinning #277

Merged

lucperkins merged 4 commits into main from actions-pinning on Jun 1, 2026

Conversation

@lucperkins (Member) commented May 28, 2026
  • Apply pinning to GitHub Actions
  • Update action hashes

Summary by CodeRabbit

  • Chores
    • Updated CI/dependency management configuration for improved stability and security
    • Pinned workflow action dependencies to specific versions to ensure consistent build behavior
    • Adjusted automated dependency update schedule from daily to weekly
    • Enhanced workflow permission controls and added dependency validation policies


coderabbitai (Bot) commented May 28, 2026

Warning

Review limit reached

@lucperkins, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 6 minutes and 59 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ad11ada9-d842-40d5-bbe2-5653cfe231c5

📥 Commits

Reviewing files that changed from the base of the PR and between b263ecc and 63fa407.

📒 Files selected for processing (1)
  • .github/workflows/zizmor.yml
📝 Walkthrough

This PR hardens the repository's GitHub Actions security posture by pinning all action dependencies to specific commit SHAs across workflows and the composite action definition, while configuring Dependabot and Zizmor to manage and enforce those pinned versions automatically.

Changes

GitHub Actions pinning and configuration

| Layer | File(s) | Summary |
|---|---|---|
| Pin GitHub Actions in workflows | .github/workflows/ci.yml, .github/workflows/update.yml, .github/workflows/validate.yml, action.yml | actions/checkout, DeterminateSystems/determinate-nix-action, actions/cache, and peter-evans/create-pull-request are pinned to specific commit SHAs across all CI and update workflows. The validate workflow adds explicit read-only permissions for the contents scope. |
| Dependabot and Zizmor configuration | .github/dependabot.yml, .github/zizmor.yml | Dependabot is upgraded to version 2 with weekly GitHub Actions updates, a 7-day default cooldown, action grouping, and an ignore rule for DeterminateSystems/*. Zizmor configuration enforces reference pinning policies for DeterminateSystems/* actions. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A pinned and secure workflow we've built,
No floating tags left to cast doubt;
With Dependabot and Zizmor at guard,
Our Actions stand firm, no worries about! 🔐

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title 'GitHub Actions pinning' accurately summarizes the main change: pinning GitHub Actions dependencies to specific commit SHAs across multiple workflow files and configuration. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


coderabbitai (Bot) left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Line 20: Replace mutable refs for the two GitHub Actions so they use immutable
commit SHAs: locate the uses entries for
DeterminateSystems/flake-checker-action@main and
DeterminateSystems/flakehub-cache-action@main and change each `@main` to the
corresponding pinned SHA (the full 40-char commit hash for the exact release you
want to depend on), ensuring you update both occurrences (the
flake-checker-action line and the flakehub-cache-action line) so both actions
are pinned to immutable SHAs.

In @.github/workflows/update.yml:
- Line 21: The workflow step currently references the action as
DeterminateSystems/update-flake-lock@main; replace the unpinned ref with a
specific commit SHA (e.g., DeterminateSystems/update-flake-lock@<commit-sha>) so
the `update-flake-lock` step is immutable—locate the line containing "uses:
DeterminateSystems/update-flake-lock@main" and swap `@main` for the chosen
commit SHA, committing the updated workflow file.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6ca8f761-64cd-4434-8482-977125c122de

📥 Commits

Reviewing files that changed from the base of the PR and between 5ba4a20 and b263ecc.

📒 Files selected for processing (6)
  • .github/dependabot.yml
  • .github/workflows/ci.yml
  • .github/workflows/update.yml
  • .github/workflows/validate.yml
  • .github/zizmor.yml
  • action.yml

Comment thread .github/workflows/ci.yml
fetch-depth: 0
persist-credentials: false
- name: Check Nixpkgs
uses: DeterminateSystems/flake-checker-action@main


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin remaining @main actions to immutable SHAs.

DeterminateSystems/flake-checker-action@main and DeterminateSystems/flakehub-cache-action@main are still mutable refs. This leaves a supply-chain gap in an otherwise pinned workflow.

Suggested change
-      - name: Check Nixpkgs
-        uses: DeterminateSystems/flake-checker-action@main
+      - name: Check Nixpkgs
+        uses: DeterminateSystems/flake-checker-action@<commit-sha> # <version>

...

-      - name: Enable FlakeHub Cache
-        uses: DeterminateSystems/flakehub-cache-action@main
+      - name: Enable FlakeHub Cache
+        uses: DeterminateSystems/flakehub-cache-action@<commit-sha> # <version>
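Review bot: both replacement lines still carry the `<commit-sha>` and `<version>` placeholders; before applying, resolve each `<commit-sha>` to the full 40-character commit hash of the release you intend to depend on (as the agent prompt above also requires) and keep the trailing `# <version>` comment filled in, since Dependabot reads that comment to know which tag a SHA pin corresponds to when it proposes bumps. Also note the walkthrough states that the new Dependabot config ignores `DeterminateSystems/*`, so neither of these pins would be refreshed automatically; confirm that the `.github/zizmor.yml` pinning policy for `DeterminateSystems/*` expects hash pins rather than tag pins, otherwise this suggestion conflicts with the repository's stated policy and leaves two pins that nobody updates.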

Also applies to: 28-28


with:
persist-credentials: false
- uses: DeterminateSystems/determinate-nix-action@4eea0b33e3d1f02ecfe37cf16e7204c424009606 # v3.21.0
- uses: DeterminateSystems/update-flake-lock@main


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

update-flake-lock step is still unpinned (@main).

This step should also use a commit SHA to keep the workflow fully immutable and consistent with the pinning objective.

Suggested change
-      - uses: DeterminateSystems/update-flake-lock@main
+      - uses: DeterminateSystems/update-flake-lock@<commit-sha> # <version>
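Review bot: the same placeholder caveat applies to `DeterminateSystems/update-flake-lock@<commit-sha> # <version>`: substitute the full commit hash and a matching version comment, following the convention already used by the adjacent step in this job (`determinate-nix-action@4eea0b33e3d1f02ecfe37cf16e7204c424009606 # v3.21.0`). Leaving this one step on `@main` is the weak point of the update workflow, because whatever that branch points to at run time executes with the workflow's credentials, while every other step has already been made immutable. As with the ci.yml threads, the Dependabot ignore rule for `DeterminateSystems/*` means this pin will need manual bumps, so document that in the PR or adjust the ignore rule.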
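A pinning check of the kind this PR's walkthrough and the two inline review threads call for, added here as an example; it is not code from this repository, from CodeRabbit, or from Zizmor. It scans workflow or composite-action YAML text for `uses:` entries and reports any ref that is not a 40-character commit SHA (branches such as `@main`, tags such as `@v1`, or no ref at all), plus SHA pins that lack the trailing `# version` comment Dependabot relies on to track which tag a pin corresponds to. Local (`./`) and `docker://` actions are skipped because they are not pinned by Git ref. The embedded workflow, the `example-org` actions and the two `FAKE_SHA_*` values are constructed for the demo; only the `determinate-nix-action` pin is taken from this PR's diff context.

```python
import re
import sys

# A "hash pin": exactly 40 hex characters (a full Git commit SHA).
SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")

# A `uses:` line in a workflow or composite action. Captures the action spec
# (owner/repo[/path]@ref, optionally quoted) and any trailing `# ...` comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)['\"]?\s*(#.*)?$")


def classify_uses(spec):
    """Return (kind, action, ref) for a `uses:` value.

    kind is one of:
      'local'   - ./path actions inside the repository (no Git ref to pin)
      'docker'  - docker:// images (pinned by image digest, not Git ref)
      'sha'     - ref is a full 40-hex commit SHA (immutable)
      'mutable' - ref is a branch, a tag, or missing (default branch)
    """
    if spec.startswith("./"):
        return ("local", spec, None)
    if spec.startswith("docker://"):
        return ("docker", spec, None)
    action, sep, ref = spec.partition("@")
    if not sep:
        return ("mutable", action, None)  # no ref at all -> default branch
    if SHA_RE.match(ref):
        return ("sha", action, ref)
    return ("mutable", action, ref)


def find_unpinned(text):
    """Scan YAML text and return findings as (line_no, action, ref, reason)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        spec, comment = m.group(1), m.group(2)
        kind, action, ref = classify_uses(spec)
        if kind == "mutable":
            findings.append((line_no, action, ref, "mutable ref (branch or tag)"))
        elif kind == "sha" and not comment:
            # A bare SHA is immutable but unreadable, and Dependabot cannot tell
            # which tag it belongs to without the `# vX.Y.Z` comment.
            findings.append((line_no, action, ref, "sha pinned but no version comment"))
    return findings


# Constructed sample values: these SHAs are not real commits.
FAKE_SHA_A = "ab" * 20
FAKE_SHA_B = "cd" * 20

# Constructed workflow text. Only the determinate-nix-action line mirrors this
# PR's diff context; every other action and ref is made up for the demo.
SAMPLE_WORKFLOW = f"""\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{FAKE_SHA_A} # vX.Y.Z (constructed)
      - name: Check Nixpkgs
        uses: DeterminateSystems/flake-checker-action@main
      - uses: DeterminateSystems/determinate-nix-action@4eea0b33e3d1f02ecfe37cf16e7204c424009606 # v3.21.0
      - uses: example-org/example-action@v1
      - uses: example-org/other-action@{FAKE_SHA_B}
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.20
"""


if __name__ == "__main__":
    # Usage: python pin_check.py [workflow.yml ...]; with no arguments the
    # constructed sample is checked. Exit status 1 if anything is flagged.
    paths = sys.argv[1:]
    sources = [(p, open(p).read()) for p in paths] or [("<sample>", SAMPLE_WORKFLOW)]
    total = 0
    for name, text in sources:
        for line_no, action, ref, reason in find_unpinned(text):
            total += 1
            print(f"{name}:{line_no}: {action}@{ref or ''} -> {reason}")
    sys.exit(1 if total else 0)
```

Run against the sample, the check flags the `flake-checker-action@main` line, the constructed `@v1` tag, and the constructed bare-SHA line, and passes the `determinate-nix-action` pin that this PR already made immutable. Pointing it at `.github/workflows/*.yml` and `action.yml` in CI gives the same signal Zizmor's pinning policy provides, with no dependencies beyond the standard library.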

@github-advanced-security


You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@lucperkins lucperkins merged commit b83e067 into main Jun 1, 2026
5 checks passed
@lucperkins lucperkins deleted the actions-pinning branch June 1, 2026 16:04