chore: pin all actions and enable zizmor in pre-commit

Author: mayeut

.github/dependabot.yml

@@ -10,24 +10,22 @@ updates:
   - package-ecosystem: "pip"
     directory: "/"
     schedule:
-      interval: "weekly"
-    groups:
-      pip:
-        patterns:
-          - "*"
+      interval: "monthly"
+    cooldown:
+      default-days: 7
 
   # Maintain dependencies for git submodule (base64)
   - package-ecosystem: "gitsubmodule"
     directory: "/"
     schedule:
-      interval: "daily"
+      interval: "weekly"
+    cooldown:
+      default-days: 7
 
   # Maintain dependencies for GitHub Actions
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "weekly"
-    groups:
-      actions:
-        patterns:
-          - "*"
+      interval: "monthly"
+    cooldown:
+      default-days: 7

.github/workflows/benchmark.yml

@@ -31,21 +31,21 @@ jobs:
           git config --global core.autocrlf false
           git config --global core.eol lf
 
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           submodules: recursive
           persist-credentials: false
 
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
 
       - name: Build wheel
-        uses: pypa/[email protected]
+        uses: pypa/cibuildwheel@63fd63b352a9a8bdcc24791c9dbee952ee9a8abc # v3.3.0
         env:
           CIBW_ARCHS: "${{ matrix.archs }}"
           CIBW_BUILD: "cp312-${{ matrix.build }}*"
 
-      - uses: wntrblm/[email protected]
+      - uses: wntrblm/nox@0eee2e45758dbd06d48ebb23476439f0f00e5cbd # 2025.11.12
         name: Install Nox
         with:
           python-versions: "3.12"
@@ -54,7 +54,7 @@ jobs:
         run: nox -s benchmark --install-only -- --wheel wheelhouse/*.whl
 
       - name: Run benchmark
-        uses: CodSpeedHQ/action@v4
+        uses: CodSpeedHQ/action@dbda7111f8ac363564b0c51b992d4ce76bb89f2f # v4.5.2
         with:
           mode: instrumentation
           run: nox -s benchmark --reuse-existing-virtualenvs --no-install -- -v

.github/workflows/build-upload.yml

@@ -22,13 +22,13 @@ jobs:
       contents: read
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
-      - uses: actions/setup-python@v6
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         with:
           python-version: "3.10"
-      - uses: pre-commit/[email protected]
+      - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
 
   build_wheels:
     name: ${{ matrix.build || matrix.platform }} ${{ matrix.archs }} wheels
@@ -93,16 +93,18 @@ jobs:
           git config --global core.autocrlf false
           git config --global core.eol lf
 
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           submodules: recursive
           persist-credentials: false
 
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
+        with:
+          enable-cache: false
 
       - name: Set up QEMU
-        uses: docker/[email protected]
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
         if: runner.os == 'Linux' && runner.arch == 'X64'
 
       # https://github.blog/changelog/2024-04-02-github-actions-hardware-accelerated-android-virtualization-now-available/
@@ -124,21 +126,21 @@ jobs:
       # see https://cibuildwheel.pypa.io/en/stable/faq/#macos-building-cpython-38-wheels-on-arm64
       - name: "Install python 3.8 universal2 on macOS arm64"
         if: runner.os == 'macOS' && runner.arch == 'ARM64'
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         env:
           PIP_DISABLE_PIP_VERSION_CHECK: 1
         with:
           python-version: 3.8
 
       - name: Build wheels
-        uses: pypa/[email protected]
+        uses: pypa/cibuildwheel@63fd63b352a9a8bdcc24791c9dbee952ee9a8abc # v3.3.0
         env:
           CIBW_ARCHS: "${{ matrix.archs }}"
           CIBW_BUILD: "${{ matrix.build && '*-' || ''}}${{ matrix.build }}*"
           CIBW_ENABLE: "${{ startsWith(github.ref, 'refs/tags/v') && '' || 'cpython-prerelease'}}"
           CIBW_PLATFORM: "${{ matrix.platform }}"
 
-      - uses: actions/upload-artifact@v6
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: "${{ (matrix.platform != 'pyodide') && 'pypi' || 'cibw' }}-wheels ${{ matrix.build || matrix.platform }} ${{ matrix.archs }}"
           path: ./wheelhouse/*.whl
@@ -152,18 +154,20 @@ jobs:
     env:
       CIBUILDWHEEL: 1  # make C extension mandatory
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           submodules: recursive
           persist-credentials: false
 
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
+        with:
+          enable-cache: false
 
       - name: Build sdist
         run: uvx --from build pyproject-build --installer uv --sdist
 
-      - uses: actions/setup-python@v6
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         name: Install Python
         with:
           python-version: "3.11"
@@ -177,19 +181,24 @@ jobs:
           python -m pip install --group test
           pytest
 
-      - uses: actions/upload-artifact@v6
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: pypi-sdist
           path: dist/*.tar.gz
 
   check_dist:
+    if: always()
     name: Check dist
     needs: [build_wheels, build_sdist]
     permissions:
       contents: read
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/download-artifact@v7
+      - name: Decide whether the needed jobs succeeded or failed
+        uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
+        with:
+          jobs: ${{ toJSON(needs) }}
+      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
         with:
           # unpacks all PyPI artifacts into dist/
           pattern: pypi-*
@@ -201,7 +210,7 @@ jobs:
           EXPECTED_WHEEL_COUNT=${{ startsWith(github.ref, 'refs/tags/v') && '214' || '214' }}
           test ${WHEEL_COUNT} -eq ${EXPECTED_WHEEL_COUNT}
           pipx run twine check --strict dist/*
-      - uses: actions/download-artifact@v7
+      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
         with:
           # unpacks all non PyPI artifacts into nodist/
           pattern: cibw-*
@@ -225,14 +234,14 @@ jobs:
     permissions:
       id-token: write # trusted publishing + attestations
     steps:
-      - uses: actions/download-artifact@v7
+      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
         with:
           # unpacks all PyPI artifacts into dist/
           pattern: pypi-*
           path: dist
           merge-multiple: true
       - name: Upload to Test PyPI
-        uses: pypa/[email protected]
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
         with:
           skip-existing: true
           repository-url: https://test.pypi.org/legacy/
@@ -248,13 +257,13 @@ jobs:
     permissions:
       id-token: write # trusted publishing + attestations
     steps:
-      - uses: actions/download-artifact@v7
+      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
         with:
           # unpacks all PyPI artifacts into dist/
           pattern: pypi-*
           path: dist
           merge-multiple: true
       - name: Upload to PyPI
-        uses: pypa/[email protected]
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
         with:
           skip-existing: true

.github/workflows/coverage.yml

@@ -19,15 +19,15 @@ jobs:
     name: Coverage
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           submodules: recursive
           persist-credentials: false
 
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
 
-      - uses: wntrblm/[email protected]
+      - uses: wntrblm/nox@0eee2e45758dbd06d48ebb23476439f0f00e5cbd # 2025.11.12
         with:
           python-versions: "3.14, 3.15, pypy3.10, pypy3.11"
 
@@ -45,7 +45,7 @@ jobs:
         run: nox -s coverage -- --with-sde
 
       - name: Upload coverage to codecov
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
         with:
           files: coverage-native.xml,coverage-python.xml
           token: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/msys2.yml

@@ -26,12 +26,12 @@ jobs:
           - { sys: ucrt64, env: mingw-w64-ucrt-x86_64- }
           - { sys: clang64, env: mingw-w64-clang-x86_64- }
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       with:
         submodules: recursive
         persist-credentials: false
     - name: 'Setup MSYS2'
-      uses: msys2/setup-msys2@v2
+      uses: msys2/setup-msys2@4f806de0a5a7294ffabaff804b38a9b435a73bda # v2.30.0
       with:
         msystem: ${{matrix.sys}}
         update: true

.github/workflows/test.yml

@@ -19,13 +19,13 @@ jobs:
     name: Test
     runs-on: ubuntu-24.04
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       with:
         submodules: recursive
         persist-credentials: false
     - name: Install the latest version of uv
-      uses: astral-sh/setup-uv@v7
-    - uses: wntrblm/[email protected]
+      uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
+    - uses: wntrblm/nox@0eee2e45758dbd06d48ebb23476439f0f00e5cbd # 2025.11.12
       with:
         python-versions: "3.8, 3.9, 3.10, 3.11, 3.12, 3.13, 3.13t, 3.14, 3.14t, 3.15, 3.15t, pypy3.9, pypy3.10, pypy3.11"
     - name: "Run tests"

.github/workflows/valgrind.yml

@@ -19,7 +19,7 @@ jobs:
     name: Valgrind
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           submodules: recursive
           persist-credentials: false

.pre-commit-config.yaml

@@ -65,3 +65,8 @@ repos:
       - nox
       - pytest
       - types-setuptools
+
+- repo: https://github.com/zizmorcore/zizmor-pre-commit
+  rev: v1.19.0
+  hooks:
+  - id: zizmor