From a1261e34b789b0a0ce55f7272021b663232ce7ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Robert?=
Date: Wed, 29 Oct 2025 08:20:37 +0100
Subject: [PATCH 1/2] SEC: enable security scan for github actions using zizmor
---
 .github/workflows/ci_workflows.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/.github/workflows/ci_workflows.yml b/.github/workflows/ci_workflows.yml
index a2b7fe0..37bcbf7 100644
--- a/.github/workflows/ci_workflows.yml
+++ b/.github/workflows/ci_workflows.yml
@@ -8,7 +8,22 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions: {}
+
 jobs:
+ security-scan:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor 🌈
+ uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0
+
 tests:
 name: ${{ matrix.name }} [ ${{ matrix.os }} ]
 runs-on: ${{ matrix.os }}
From 49bca720dd9e86e8351a5afecdfe92990c8155b0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Robert?=
Date: Thu, 30 Oct 2025 13:31:12 +0100
Subject: [PATCH 2/2] SEC: pin GHA workflows to exact hashes and apply auto-fixes from zizmor
---
 .github/dependabot.yml | 2 ++
 .github/workflows/ci_workflows.yml | 19 +++++++++++--------
 .github/workflows/publish.yml | 2 +-
 liberfa/erfa | 2 +-
 4 files changed, 15 insertions(+), 10 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index ec8a646..0e9be25 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -8,3 +8,5 @@ updates:
 actions:
 patterns:
 - "*"
+ cooldown:
+ default-days: 7
diff --git a/.github/workflows/ci_workflows.yml b/.github/workflows/ci_workflows.yml
index 37bcbf7..74d147c 100644
--- a/.github/workflows/ci_workflows.yml
+++ b/.github/workflows/ci_workflows.yml
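Review bot: The `security-scan` job grants only `security-events: write`, so under the new top-level `permissions: {}` its `actions/checkout` step has no `contents: read` and works only because the repository is public; adding `contents: read` beside `security-events: write` keeps the job functional if it is ever run from a private fork. The same empty default now applies to the `tests` job, whose steps lie outside this hunk, so any step there that calls the GitHub API with `GITHUB_TOKEN` needs its own job-level grant. On `pull_request` runs from forks the token is read-only regardless of what is declared here, so the SARIF upload performed by zizmor-action will most likely fail with "Resource not accessible by integration"; the workflow's triggers are not visible in this hunk, so confirm whether fork PRs reach this job and, if so, skip it there with `if: github.event.pull_request.head.repo.full_name == github.repository`.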
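Review bot: The new `cooldown` of seven days delays every grouped action bump, which is the intended supply-chain benefit (a freshly pushed or compromised tag has a week to be noticed before the pin moves), but it also delays the bump that would replace a pinned action with a disclosed vulnerability; confirm in the Dependabot docs whether security updates for the `github-actions` ecosystem bypass `cooldown`, and if they do not, consider a shorter `default-days` or an `exclude:` entry for the actions that handle credentials. Recording the rationale above the key, `# wait a week before adopting new action releases so yanked/compromised tags are caught first`, would keep the next maintainer from removing it as mere churn control.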
@@ -17,12 +17,12 @@ jobs:
 security-events: write
 steps:
 - name: Checkout repository
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Run zizmor 🌈
- uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0
+ uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
 tests:
 name: ${{ matrix.name }} [ ${{ matrix.os }} ]
@@ -64,12 +64,13 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 submodules: true
+ persist-credentials: false
 - name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ matrix.python }}
 allow-prereleases: true
@@ -107,12 +108,13 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 submodules: true
+ persist-credentials: false
 - name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ matrix.python }}
 - name: Install APT packages
@@ -132,12 +134,13 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 submodules: true
+ persist-credentials: false
 - name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 # this is mainly meant to be useful on old or exotic archs
 # so we use our oldest-supported Python
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 97d98fe..9514b3e 100644
--- a/.github/workflows/publish.yml
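Review bot: `persist-credentials: false` is added to a checkout that also uses `fetch-depth: 0` and `submodules: true`; the checkout step itself still authenticates with the token and the `liberfa/erfa` submodule is public, so the clone is unaffected, but every later step in this job (the remainder of the job is outside the hunk) now runs without stored git credentials, so any step that performs an authenticated `git fetch`, `git push` or `git submodule update` will break — confirm that nothing after `Set up Python` depends on the persisted token. The identical change in the `@@ -107` and `@@ -132` hunks below carries the same caveat. Since the full SHA is now the pin, the `# v6.0.2` / `# v6.2.0` trailers are the only human-readable version markers and are never checked by Actions, so treat hash and comment as one unit and let the grouped Dependabot `actions` update move them together rather than editing either by hand.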
+++ b/.github/workflows/publish.yml
@@ -15,7 +15,7 @@ jobs:
 build_and_publish:
- uses: OpenAstronomy/github-actions-workflows/.github/workflows/publish.yml@99401c364fa51c9c507d3cd6d272049278ac0b2c # v2.4.0
+ uses: OpenAstronomy/github-actions-workflows/.github/workflows/publish.yml@99401c364fa51c9c507d3cd6d272049278ac0b2c # v2.4.0
 if: (github.repository == 'liberfa/pyerfa')
 with:
diff --git a/liberfa/erfa b/liberfa/erfa
index 9915ba3..1d9738b 160000
--- a/liberfa/erfa
+++ b/liberfa/erfa
@@ -1 +1 @@
-Subproject commit 9915ba38c9365f8b0738269b8c2ac1fdd5f8dee3
+Subproject commit 1d9738bed9954188722f976774d0903e5dae1857