ci: Fix GHA security issues flagged by zizmor

peytondmurray · web-flow · commit a88a6eb0e9af · 2026-05-27T16:18:20.000-04:00
Fix security-related issues in our GitHub Actions workflows flagged by
the zizmor security linter, and enable zizmor in CI to prevent
regressions.

Signed-off-by: Peyton Murray &lt;peynmurray@gmail.com&gt;
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -4,3 +4,12 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+    cooldown:
+      default-days: 7
+
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/build_wheels.yml b/.github/workflows/build_wheels.yml
@@ -1,5 +1,7 @@
 name: Wheels
 
+permissions: {}
+
 on:
   push:
   pull_request:
@@ -19,12 +21,14 @@ jobs:
     name: Build source distribution
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - name: Build sdist
         run: pipx run build --sdist
 
-      - uses: actions/upload-artifact@v7
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: sdist
           path: dist/*.tar.gz
@@ -59,19 +63,19 @@ jobs:
       - name: Disable ptrace security restrictions
         run: |
           echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope
-      - uses: actions/download-artifact@v8
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: sdist
       - name: Extract sdist
         run: |
           tar zxvf *.tar.gz --strip-components=1
       - name: Build wheels
-        uses: pypa/cibuildwheel@v3.4.1
+        uses: pypa/cibuildwheel@8d2b08b68458a16aeb24b64e68a09ab1c8e82084 # v3.4.1
         env:
           CIBW_BUILD: "cp3{9..14}{t,}-${{ matrix.wheel_type }}"
           CIBW_ARCHS_LINUX: auto
           CIBW_ENABLE: cpython-prerelease cpython-freethreading
-      - uses: actions/upload-artifact@v7
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: ${{ matrix.wheel_type }}-wheels
           path: ./wheelhouse/*.whl
@@ -84,13 +88,15 @@ jobs:
       matrix:
         python_version: ["2.7", "3.7"]
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/download-artifact@v8
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: "manylinux_x86_64-wheels"
           path: dist
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: '>=3.13'
       - name: Set up dependencies
@@ -124,17 +130,20 @@ jobs:
       matrix:
         python_version: ["3.13"]
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/download-artifact@v8
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: "manylinux_x86_64-wheels"
           path: dist
       - name: Install uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         with:
           version: latest
           python-version: ${{ matrix.python_version }}
           activate-environment: true
+          enable-cache: false
       - name: Set up dependencies
         run: |
           sudo apt-get update
@@ -159,12 +168,14 @@ jobs:
       matrix:
         python_version: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.13t", "3.14", "3.14t"]
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: "${{matrix.python_version}}-dev"
-      - uses: actions/download-artifact@v8
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: "manylinux_x86_64-wheels"
           path: dist
@@ -194,12 +205,14 @@ jobs:
       matrix:
         python_version: ["3.9", "3.13", "3.14"]
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: "${{matrix.python_version}}-dev"
-      - uses: actions/download-artifact@v8
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: "manylinux_aarch64-wheels"
           path: dist
@@ -232,12 +245,14 @@ jobs:
       matrix:
         python_version: ["3.13", "3.14"]
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: "${{matrix.python_version}}-dev"
-      - uses: actions/download-artifact@v8
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: "manylinux_x86_64-wheels"
           path: dist
@@ -278,11 +293,13 @@ jobs:
       options: --cap-add=SYS_PTRACE
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Set up dependencies
         run: |
           apk add --update alpine-sdk bash alpine-sdk python3 python3-dev gdb musl-dbg python3-dbg
-      - uses: actions/download-artifact@v8
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: "musllinux_x86_64-wheels"
           path: dist
@@ -308,7 +325,9 @@ jobs:
       options: --cap-add=SYS_PTRACE
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Set up dependencies
         run: |
           dnf install -y \
@@ -319,7 +338,7 @@ jobs:
             python3-devel
           dnf debuginfo-install -y \
             python3
-      - uses: actions/download-artifact@v8
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: "manylinux_x86_64-wheels"
           path: dist
@@ -343,7 +362,9 @@ jobs:
       image: archlinux
       options: --cap-add=SYS_PTRACE --security-opt seccomp=unconfined
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Set up dependencies
         run: |
           pacman -Syu --noconfirm \
@@ -356,7 +377,7 @@ jobs:
             python-wheel \
             elfutils \
             debuginfod
-      - uses: actions/download-artifact@v8
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: "manylinux_x86_64-wheels"
           path: dist
@@ -383,7 +404,9 @@ jobs:
       options: --cap-add=SYS_PTRACE
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Set up dependencies
         run: |
           apt-get update
@@ -394,7 +417,7 @@ jobs:
             python3-pip \
             python3-venv \
             python3-dbg
-      - uses: actions/download-artifact@v8
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: "manylinux_x86_64-wheels"
           path: dist
@@ -416,7 +439,7 @@ jobs:
     permissions:
       id-token: write # Required to retrieve a Trusted Publishing token
     steps:
-      - uses: actions/download-artifact@v8
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           # with no name set, it downloads all of the artifacts
           path: dist
@@ -425,6 +448,6 @@ jobs:
           mv dist/*-wheels/*.whl dist/
           rmdir dist/{sdist,*-wheels}
           ls -R dist
-      - uses: pypa/gh-action-pypi-publish@release/v1
+      - uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
         with:
           skip_existing: true
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
@@ -27,9 +27,11 @@ jobs:
     strategy:
       fail-fast: false
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: "3.10"
       - name: Set up dependencies
@@ -67,13 +69,13 @@ jobs:
           lcov --capture --directory build --output-file cppcoverage.lcov
           lcov --extract cppcoverage.lcov '*/src/pystack/_pystack/*' --output-file cppcoverage.lcov
       - name: Upload Python report to Codecov
-        uses: codecov/codecov-action@v6
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: pycoverage.lcov
           flags: python
       - name: Upload C++ report to Codecov
-        uses: codecov/codecov-action@v6
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: cppcoverage.lcov
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -1,5 +1,7 @@
 name: Publish docs
 
+permissions: {}
+
 on:
   push:
     branches:
@@ -13,9 +15,11 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: "3.10"
       - name: Set up dependencies
@@ -32,7 +36,7 @@ jobs:
         run: |
           make docs
       - name: Publish docs to GitHub Pages
-        uses: JamesIves/github-pages-deploy-action@v4
+        uses: JamesIves/github-pages-deploy-action@d92aa235d04922e8f08b40ce78cc5442fcfbfa2f # v4
         with:
           folder: docs/_build/html
           single-commit: true
diff --git a/.github/workflows/lint_and_docs.yml b/.github/workflows/lint_and_docs.yml
@@ -1,13 +1,17 @@
 name: Lint and docs
 
+permissions: {}
+
 on: [push, pull_request]
 
 jobs:
   lint_and_docs:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-python@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: "3.10"
       - name: Set up dependencies
@@ -23,7 +27,8 @@ jobs:
       - name: Lint sources
         run: |
           make lint PYTHON=python3
-          python3 -m prek run --all-files --hook-stage pre-push
+      - name: Run zizmor 🌈
+        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
       - name: Build docs
         run: |
           towncrier build --version 99.99 --name pystack --keep
diff --git a/.github/workflows/news-check.yml b/.github/workflows/news-check.yml
@@ -1,4 +1,7 @@
 name: News entry check
+
+permissions: {}
+
 on:
   pull_request:
     paths:
@@ -16,7 +19,7 @@ jobs:
     name: Check for news entry
     steps:
       - name: "Check for news entry"
-        uses: brettcannon/check-for-changed-files@v1
+        uses: brettcannon/check-for-changed-files@871d7b8b5917a4f6f06662e2262e8ffc51dff6d1 # v1
         with:
           file-pattern: |
             news/*.rst
diff --git a/.github/workflows/sanity-check.yml b/.github/workflows/sanity-check.yml
@@ -1,4 +1,7 @@
 name: Sanity check
+
+permissions: {}
+
 on:
   pull_request:
     types:
@@ -15,10 +18,10 @@ jobs:
     steps:
       - name: Get PR Commits
         id: "get-pr-commits"
-        uses: tim-actions/get-pr-commits@master
+        uses: tim-actions/get-pr-commits@198af03565609bb4ed924d1260247b4881f09e7d # master
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: DCO Check
-        uses: tim-actions/dco@master
+        uses: tim-actions/dco@f2279e6e62d5a7d9115b0cb8e837b777b1b02e21 # master
         with:
           commits: ${{ steps.get-pr-commits.outputs.commits }}
diff --git a/Dockerfile b/Dockerfile
@@ -37,6 +37,7 @@ RUN apt-get update \
 # Stage 2: Final stage
 FROM ubuntu:24.04
 ARG DEBIAN_FRONTEND=noninteractive
+LABEL org.opencontainers.image.source="https://github.com/bloomberg/pystack"
 
 # Install runtime dependencies
 RUN apt-get update \
diff --git a/zizmor.yml b/zizmor.yml
