zizmor: Allow unpinned actions for trusted orgs

Author: manics

.github/workflows/watch-dependencies.yaml

@@ -68,7 +68,7 @@ jobs:
 
       # ref: https://github.com/peter-evans/create-pull-request
       - name: Create a PR
-        uses: peter-evans/create-pull-request@v7
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
         with:
           token: "${{ secrets.jupyterhub_bot_pat }}"
           author: JupyterHub Bot Account <[email protected]>

.github/zizmor.yml

@@ -0,0 +1,11 @@
+# Zizmor configuration file
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        # Zizmor defaults to requiring pinning by immutable hashes.
+        # Allow pinning by refs for trusted organisations.
+        # https://woodruffw.github.io/zizmor/audits/#rulesunpinned-usesconfigpolicies
+        actions/*: ref-pin
+        docker/*: ref-pin
+        jupyterhub/*: ref-pin

.pre-commit-config.yaml

@@ -29,6 +29,7 @@ repos:
       - id: ruff-format
 
   # Static security analysis of GitHub actions https://github.com/woodruffw/zizmor
+  # Additional config is in .github/zizmor.yml
   - repo: https://github.com/woodruffw/zizmor-pre-commit
     rev: v1.6.0
     hooks: