ci: secure GitHub Actions workflows

.github/dependabot.yml

@@ -9,6 +9,8 @@ updates:
       actions:
         patterns:
           - "*"
+    cooldown:
+      default-days: 7
   # Maintain dependencies for pip constraints-ci.txt
   - package-ecosystem: "pip"
     directory: "/"
@@ -17,3 +19,5 @@ updates:
     allow:
       - dependency-name: "cmake"
       - dependency-name: "ninja"
+    cooldown:
+      default-days: 7

.github/workflows/build.yml

@@ -17,16 +17,20 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   lint:
     name: Lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v7
-      - uses: actions/setup-python@v6
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: "3.x"
-      - uses: pre-commit/action@v3.0.1
+      - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
 
 
   build_wheels:
@@ -93,25 +97,26 @@ jobs:
             build: ""
 
     steps:
-      - uses: actions/checkout@v7
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           fetch-depth: 0  # required for versioneer to find tags
+          persist-credentials: false
 
-      - uses: astral-sh/setup-uv@v8.2.0
+      - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
         with:
           enable-cache: false
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v4.1.0
+        uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
         if: matrix.arch == 'ppc64le' || matrix.arch == 'riscv64' || matrix.arch == 's390x'
 
       - name: Build wheels
-        uses: pypa/cibuildwheel@v4.1
+        uses: pypa/cibuildwheel@294735312765b09d24a2fbec22660ce817587d55 # v4.1.0
         env:
           CIBW_ARCHS: "${{ matrix.arch }}"
           CIBW_BUILD: "cp310-${{ matrix.build }}*"
 
-      - uses: actions/upload-artifact@v7
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: cibw-${{ runner.os }}-${{ matrix.build }}${{ matrix.arch }}
           path: ./wheelhouse/*.whl
@@ -121,14 +126,15 @@ jobs:
     needs: [lint]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v7
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           fetch-depth: 0  # required for versioneer to find tags
+          persist-credentials: false
 
       - name: Build SDist
         run: pipx run build --sdist
 
-      - uses: actions/upload-artifact@v7
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: cibw-sdist
           path: dist/*.tar.gz
@@ -143,8 +149,10 @@ jobs:
         python: ["3.8", "3.13"]
 
     steps:
-      - uses: actions/checkout@v7
-      - uses: astral-sh/setup-uv@v8.2.0
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        with:
+          persist-credentials: false
+      - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
         with:
           enable-cache: false
 
@@ -158,7 +166,7 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y --no-install-recommends libssl-dev
 
-      - uses: actions/download-artifact@v8
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: cibw-sdist
           path: dist
@@ -183,8 +191,10 @@ jobs:
         os: ["ubuntu-latest", "windows-latest", "macos-latest"]
 
     steps:
-      - uses: actions/checkout@v7
-      - uses: actions/setup-python@v6
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         id: python
         with:
           python-version: "3.x"
@@ -207,7 +217,9 @@ jobs:
           done
 
       - name: Build SDist
-        run: pipx run --python '${{ steps.python.outputs.python-path }}' build --sdist
+        run: pipx run --python "${PYTHON}" build --sdist
+        env:
+          PYTHON: "${{ steps.python.outputs.python-path }}"
 
       - name: Install dependencies
         if: runner.os == 'Linux'
@@ -234,7 +246,7 @@ jobs:
     needs: [build_wheels, build_sdist, test_sdist, bootstrap_build]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/download-artifact@v8
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           pattern: cibw-*
           merge-multiple: true
@@ -254,7 +266,7 @@ jobs:
       id-token: write
       attestations: write
     steps:
-      - uses: actions/download-artifact@v8
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           pattern: cibw-*
           merge-multiple: true
@@ -265,6 +277,6 @@ jobs:
         with:
           subject-path: "dist/cmake-*"
 
-      - uses: pypa/gh-action-pypi-publish@release/v1
+      - uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
         with:
           attestations: true

.github/workflows/update-dependencies.yml

@@ -11,6 +11,8 @@ on:
   schedule:
     - cron: '0 6 * * *'  # "At 06:00 every day."
 
+permissions: {}
+
 jobs:
   update-dep:
     name: Update ${{ matrix.dependency_nice }}
@@ -24,28 +26,37 @@ jobs:
           dependency_nice: "CMake"
         - dependency: "openssl"
           dependency_nice: "OpenSSL"
+    permissions:
+      contents: write
     steps:
-    - uses: actions/checkout@v7
-    - uses: wntrblm/nox@2026.04.10
+    - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+      with:
+        persist-credentials: false
+    - uses: wntrblm/nox@97e345e6a26bb2c5aacff9cc4327bd4ac1b00ce6 # 2026.04.10
     - name: "Run update: bump ${{ matrix.dependency_nice }}"
       id: bump
       run: |
         nox --force-color -s bump${{ matrix.dependency != 'cmake' && format('-{0}', matrix.dependency) || '' }}
         echo "version=$(nox -s ${{ matrix.dependency }}_version 2>/dev/null)" >> $GITHUB_OUTPUT
-    - run: echo "${{ matrix.dependency_nice }} version is ${{ steps.bump.outputs.version }}"
+    - run: echo "${{ matrix.dependency_nice }} version is ${STEPS_BUMP_OUTPUTS_VERSION}"
+      env:
+        STEPS_BUMP_OUTPUTS_VERSION: ${{ steps.bump.outputs.version }}
 
     # we use this step to grab a Github App auth token, so that PRs generated by this workflow
     # run the GHA tests.
-    - uses: actions/create-github-app-token@v3
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
       id: app-token
       if: github.ref == 'refs/heads/main' && github.repository == 'scikit-build/cmake-python-distributions'
       with:
-        app-id: ${{ secrets.SCIKIT_BUILD_BOT_APP_ID }}
+        client-id: ${{ secrets.SCIKIT_BUILD_BOT_APP_ID }}
         private-key: ${{ secrets.SCIKIT_BUILD_BOT_APP_PRIVATE_KEY }}
+        permission-contents: write
+        permission-pull-requests: write
+
 
     - name: Create Pull Request
       if: github.ref == 'refs/heads/main' && github.repository == 'scikit-build/cmake-python-distributions'
-      uses: peter-evans/create-pull-request@v8
+      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
       with:
         commit-message: '[Bot] Update to ${{ matrix.dependency_nice }} ${{ steps.bump.outputs.version }}'
         title: '[Bot] Update to ${{ matrix.dependency_nice }} ${{ steps.bump.outputs.version }}'

.pre-commit-config.yaml

@@ -5,7 +5,7 @@ ci:
 
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v6.0.0
+  rev: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c  # frozen: v6.0.0
   hooks:
   - id: check-added-large-files
   - id: check-case-conflict
@@ -18,15 +18,21 @@ repos:
   - id: trailing-whitespace
 
 - repo: https://github.com/astral-sh/ruff-pre-commit
-  rev: "v0.15.15"
+  rev: 77039ccbba72c8aede339c5f8ae29b42aced0a2e  # frozen: v0.15.18
   hooks:
   - id: ruff-check
     args: [--fix, --show-fixes]
 
 - repo: https://github.com/pre-commit/mirrors-mypy
-  rev: "v2.1.0"
+  rev: d2823d321df3af8f878f7ee3414dc94d037145b9  # frozen: v2.1.0
   hooks:
   - id: mypy
     files: ^(src|scripts)
     additional_dependencies: [types-requests]
     args: []
+
+- repo: https://github.com/zizmorcore/zizmor-pre-commit
+  rev: 9257c6050c0261b8c57e712f632dc4a8010109a9 # frozen: v1.25.2
+  hooks:
+  - id: zizmor
+    files: "^\\.github"