From b0cad101d981e61eedffdc25e39c368ee7a1c13c Mon Sep 17 00:00:00 2001
From: Luc Perkins
Date: Mon, 11 May 2026 16:52:53 -0500
Subject: [PATCH 1/3] Apply pinning to GitHub Actions
---
.github/dependabot.yml | 16 +++++++++++++---
.github/workflows/ci.yml | 7 ++++---
.github/workflows/update.yml | 6 ++++--
.github/workflows/validate.yml | 7 +++++--
.github/zizmor.yml | 5 +++++
action.yml | 2 +-
6 files changed, 32 insertions(+), 11 deletions(-)
create mode 100644 .github/zizmor.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 1230149..d89d38d 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,6 +1,16 @@ version: 2 + updates: - - package-ecosystem: "github-actions" - directory: "/" + - package-ecosystem: github-actions + directory: / schedule: - interval: "daily" + interval: weekly + cooldown: + default-days: 7 + groups: + actions: + patterns: ["*"] + ignore: + - dependency-name: DeterminateSystems/* + commit-message: + prefix: ci
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2ffcc4b..c5cf97f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,16 +12,17 @@ jobs: id-token: write contents: read steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: false - name: Check Nixpkgs uses: DeterminateSystems/flake-checker-action@main with: fail-mode: true - name: Install Determinate Nix - uses: DeterminateSystems/determinate-nix-action@v3 + uses: DeterminateSystems/determinate-nix-action@bafaa638b9d5ec0e7e3ac1a7fc80453ef1fd265f # v3.20.0 - name: Enable FlakeHub Cache uses: DeterminateSystems/flakehub-cache-action@main
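Review bot: The `ignore:` entry `- dependency-name: DeterminateSystems/*` also covers `DeterminateSystems/determinate-nix-action`, which this same series pins to a commit SHA in ci.yml and update.yml, so as far as I can tell Dependabot will never bump that hash and it stays a manual chore (the follow-up "Update action hashes" commit is exactly that). If the goal is only to leave the actions that deliberately track `main` alone, list those names instead and let Dependabot manage the SHA-pinned one. Either way a comment above the entry, `# DeterminateSystems/* track @main by policy; see .github/zizmor.yml`, would record why this namespace is exempt from the `actions` group.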
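Review bot: `DeterminateSystems/flake-checker-action@main` and `DeterminateSystems/flakehub-cache-action@main` stay mutable branch references in a job whose context lines still grant `id-token: write`, so whatever those branches resolve to at run time executes with the ability to request this repository's OIDC token. That is within the `ref-pin` policy the series adds for `DeterminateSystems/*`, but nothing in the workflow says the missing hash is deliberate; a comment on the first such line, `# intentionally unpinned: DeterminateSystems/* track main (.github/zizmor.yml)`, would stop a later reader from treating it as an oversight. `persist-credentials: false` beside `fetch-depth: 0` is the right pairing. The job definition begins above the hunk.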
@@ -32,7 +33,7 @@ jobs: echo "directory=$(nix develop --command npm config get cache | tr -d '\n')" >> $GITHUB_OUTPUT - name: Set up npm cache - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ${{ steps.npm-cache-directory.outputs.directory }} key: update-flake-lock-npm-cache-${{ hashFiles('**/package-lock.json') }}
diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml
index e692a2d..298e6b8 100644
--- a/.github/workflows/update.yml
+++ b/.github/workflows/update.yml
@@ -14,8 +14,10 @@ jobs: pull-requests: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: DeterminateSystems/determinate-nix-action@v3 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: DeterminateSystems/determinate-nix-action@bafaa638b9d5ec0e7e3ac1a7fc80453ef1fd265f # v3.20.0 - uses: DeterminateSystems/update-flake-lock@main with: pr-title: "Update Nix flake inputs" # Title of PR to be created
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 195c9da..9795024 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -8,12 +8,15 @@ on: jobs: validate: runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: false - name: Validate YAML - uses: nwisbeta/validate-yaml-schema@v2.0.0 + uses: nwisbeta/validate-yaml-schema@c3734e647d2a3beb98b9132330067e900fdbd1a2 # v2.0.0 with: yamlSchemasJson: | {
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..abdc40b
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,5 @@
+rules:
+ unpinned-uses:
+ config:
+ policies:
+ DeterminateSystems/*: ref-pin
diff --git a/action.yml b/action.yml
index 14adeb9..80c8751 100644
--- a/action.yml
+++ b/action.yml
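Review bot: `persist-credentials: false` is now set on the checkout that precedes `DeterminateSystems/update-flake-lock@main`, which has to push a branch and open a pull request (the context line `pr-title:` shows it creates one); if that action was relying on the credential the old checkout left in `.git/config`, the failure will surface as an authentication error at push time rather than at checkout, so please confirm on the first scheduled run that it authenticates through its own token input. The action also remains on a mutable `@main` ref while the job holds `pull-requests: write`; that is allowed by the series' `ref-pin` policy for `DeterminateSystems/*`, but a comment on that `uses:` line stating the unpinned ref is intentional would help. The job block starts above the hunk.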
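Review bot: `DeterminateSystems/*: ref-pin` relaxes the `unpinned-uses` audit for an entire namespace and the new file gives no reason; a leading comment such as `# DeterminateSystems/* deliberately track @main; all other actions must be SHA-pinned` records the decision next to the exception. Consider also stating the baseline explicitly with a `"*": hash-pin` entry under `policies:` so the stricter default is visible in the file rather than inherited from the tool. Note that `ref-pin` still accepts a moving branch name, so the remaining `@main` references in ci.yml and update.yml will not be reported.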
@@ -208,7 +208,7 @@ runs: run: rm -f pr_body.txt pr_body.template - name: Create PR id: create-pr - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0 + uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1 with: base: ${{ inputs.base }} branch: ${{ inputs.branch }}
From 13b64102aed9b646b9778b403b1f0f086b6f11d4 Mon Sep 17 00:00:00 2001
From: Luc Perkins
Date: Thu, 28 May 2026 16:27:29 -0700
Subject: [PATCH 2/3] Update action hashes
---
.github/workflows/ci.yml | 2 +-
.github/workflows/update.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c5cf97f..8c07dec 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -22,7 +22,7 @@ jobs: fail-mode: true - name: Install Determinate Nix - uses: DeterminateSystems/determinate-nix-action@bafaa638b9d5ec0e7e3ac1a7fc80453ef1fd265f # v3.20.0 + uses: DeterminateSystems/determinate-nix-action@4eea0b33e3d1f02ecfe37cf16e7204c424009606 # v3.21.0 - name: Enable FlakeHub Cache uses: DeterminateSystems/flakehub-cache-action@main
diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml
index 298e6b8..783fef7 100644
--- a/.github/workflows/update.yml
+++ b/.github/workflows/update.yml
@@ -17,7 +17,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - - uses: DeterminateSystems/determinate-nix-action@bafaa638b9d5ec0e7e3ac1a7fc80453ef1fd265f # v3.20.0 + - uses: DeterminateSystems/determinate-nix-action@4eea0b33e3d1f02ecfe37cf16e7204c424009606 # v3.21.0 - uses: DeterminateSystems/update-flake-lock@main with: pr-title: "Update Nix flake inputs" # Title of PR to be created
From 63fa407b8d5491a93b7b6ed2862e76e3d434a77e Mon Sep 17 00:00:00 2001
From: Luc Perkins
Date: Thu, 28 May 2026 16:53:17 -0700
Subject: [PATCH 3/3] Add zizmor checking workflow
---
.github/workflows/zizmor.yml | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
create mode 100644 .github/workflows/zizmor.yml
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..e6a3c98
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,25 @@
+name: zizmor
+
+ on:
+ push:
+ branches:
+ - main
+ pull_request:
+
+ jobs:
+ zizmor:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ contents: read
+ actions: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor
+ uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
+ with:
+ config: .github/zizmor.yml
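Review bot: `security-events: write` is requested on an unfiltered `pull_request:` trigger, but runs for pull requests from forks only get a read-only `GITHUB_TOKEN`, so on those runs any SARIF upload the zizmor action performs (which the `security-events`/`actions` permissions suggest) will presumably fail even when the scan itself passes. Either accept that and say so, with a comment above `permissions:` such as `# security-events: write is for SARIF upload; not granted on fork PRs, expect that step to fail there`, or limit the upload-dependent behaviour to same-repository events. SHA-pinning both steps and `persist-credentials: false` on checkout are consistent with the rest of the series.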