Manage dependencies with cooldown, more pinning, more scanning

EliahKagan · EliahKagan · commit f7d2c7152a6f · 2026-01-11T16:57:27.000-05:00
Various adjustments related to supply chain security and CI:

- Don't persist credentials in `actions/checkout`.
- Pin actions to full SHA-1 OIDs with tool-readable tag comments.
- Change cadence from weekly to monthly (due to more updates now).
- Enable Dependabot for Cargo (Rust) dependencies, not just GHA.
- Set best-effort 7-day cooldown period in Dependabot updates.
- Set up Zizmor with customized workflow and pedantic persona.
- Turn off two unwanted pedantic Zizmor checks.
- Allow both workflows to run from Actions tab (and other events).
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,9 +1,27 @@
 version: 2
 updates:
+- package-ecosystem: cargo
+  directory: '/'
+  schedule:
+    interval: monthly
+  commit-message:
+    prefix: ''
+  allow:
+  - dependency-type: all
+  groups:
+    cargo:
+      patterns: ['*']
+  cooldown:
+    default-days: 7
+
 - package-ecosystem: github-actions
   directory: '/'
   schedule:
-    interval: weekly
+    interval: monthly
+  commit-message:
+    prefix: ''
   groups:
     github-actions:
       patterns: ['*']
+  cooldown:
+    default-days: 7
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -9,6 +9,7 @@ on:
   pull_request:
     branches:
     - main
+  workflow_dispatch:
 
 permissions:
   contents: read
@@ -17,15 +18,17 @@ jobs:
   build-and-test-linux:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      with:
+        persist-credentials: false
     - name: fmt
       run: cargo fmt --all -- --check
     - name: clippy
       run: cargo clippy
     - name: tests
       run: make tests
     - name: "Check (crossterm)"
-      uses: actions-rs/cargo@v1
+      uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
       with:
         command: test
         args: --features=render-tui,render-tui-crossterm,render-line,render-line-crossterm,signal-hook,render-line-autoconfigure,progress-tree --all --bins --tests --examples
@@ -35,19 +38,21 @@ jobs:
   build-and-test-on-windows:
     runs-on: windows-latest
     steps:
-    - uses: actions/checkout@v6
-    - uses: actions-rs/toolchain@v1
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      with:
+        persist-credentials: false
+    - uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
       with:
         profile: default
         toolchain: stable
         override: true
     - name: "Check (crossterm)"
-      uses: actions-rs/cargo@v1
+      uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
       with:
         command: check
         args: --features=render-tui,render-tui-crossterm,render-line,render-line-crossterm,signal-hook,render-line-autoconfigure,progress-tree --all --bins --tests --examples
     - name: "Test (crossterm)"
-      uses: actions-rs/cargo@v1
+      uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
       with:
         command: test
         args: --features=render-tui,render-tui-crossterm,render-line,render-line-crossterm,signal-hook,render-line-autoconfigure,progress-tree progress-tree" --all
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -0,0 +1,31 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+  push:
+    branches:
+    - main
+    - "run-ci/**"
+    - "**/run-ci/**"
+  pull_request:
+    branches:
+    - main
+  workflow_dispatch:
+
+permissions: {}  # Expanded in the `zizmor` job.
+
+jobs:
+  zizmor:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write  # Required for uploading SARIF to view in the Security tab.
+      contents: read  # Not needed in public repos. (Kept for private forks/reuploads.)
+      actions: read  # Not needed in public repos. (Kept for private forks/reuploads.)
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      with:
+        persist-credentials: false
+    - name: Run zizmor 🌈
+      uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0
+      with:
+        persona: pedantic
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
@@ -0,0 +1,5 @@
+rules:
+  anonymous-definition:
+    disable: true
+  concurrency-limits:
+    disable: true
