fix(ci): resolve all zizmor findings and add zizmor pre-commit checks (#680)

gforsyth · web-flow · commit d347ecaf6d90 · 2026-05-18T09:09:44.000-04:00
* feat(ci): add zizmor config and pre-commit

* fix(ci): hash-pin all third-party actions

* fix(ci): use explicit permissions per-job

* fix(ci): fix artipacked

* fix(ci): disable cache on uv install action
diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml
@@ -22,19 +22,22 @@ jobs:
     name: Build (and deploy)
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v5
+        uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2
+        with:
+          enable-cache: false
 
       - name: Build
         env:
           DEPLOYMENT_DOCS_BUILD_STABLE: ${{ startsWith(github.event.ref, 'refs/tags/') && 'true' || 'false' }}
         run: uv run make dirhtml SPHINXOPTS="-W --keep-going -n"
 
-      - uses: aws-actions/configure-aws-credentials@v4
+      - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
         if: ${{ github.repository == 'rapidsai/deployment' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch') }}
         with:
           role-to-assume: ${{ vars.AWS_ROLE_ARN }}
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
@@ -4,13 +4,17 @@ on:
   push:
   pull_request:
 
+permissions: {}
 jobs:
   checks:
     name: "pre-commit hooks"
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: "3.12"
-      - uses: pre-commit/action@v3.0.1
+      - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
@@ -0,0 +1,9 @@
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        # We require SHA-pinning for all workflows and actions _except_ for those from
+        # rapidsai/shared-workflows and rapidsai/shared-actions
+        "rapidsai/shared-workflows/*": any
+        "rapidsai/shared-actions/*": any
+        "*": hash-pin
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -44,6 +44,10 @@ repos:
         additional_dependencies: [tomli]
         exclude: "^.*.jsonlines$"
         args: ["--toml", "pyproject.toml", "--ignore-words-list=classfication"]
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: v1.24.1
+    hooks:
+      - id: zizmor
 
 default_language_version:
   python: python3
