Pin all actions to SHA hashes and remove blanket zizmor disables

dduugg · dduugg · commit 7207b68f49b4 · 2026-04-13T19:43:20.000-07:00
Replace tag references with SHA-pinned references for all actions.
Replace blanket unpinned-uses and secrets-outside-env disables with
targeted inline ignores where appropriate. Remove .zizmor.yml since
no global rule overrides are needed.
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
@@ -3,16 +3,16 @@ name: CD
 on:
   workflow_call:
 jobs:
-  deploy:
+  deploy: # zizmor: ignore[secrets-outside-env] reusable workflow; environments are managed by callers
     runs-on: ubuntu-latest
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
       - name: Tag and Push Gem
         id: tag-and-push-gem
-        uses: discourse/publish-rubygems-action@v3
+        uses: discourse/publish-rubygems-action@4bd305c65315cb691bad1e8de97a87aaf29a0a85 # v3
         env:
           GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
           GIT_EMAIL: ${{secrets.GUSTO_GIT_EMAIL}}
@@ -24,12 +24,12 @@ jobs:
         if: ${{ steps.tag-and-push-gem.outputs.new_version == 'true' }}
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  notify_on_failure:
+  notify_on_failure: # zizmor: ignore[secrets-outside-env] reusable workflow; environments are managed by callers
     runs-on: ubuntu-latest
     needs: [deploy]
     if: ${{ failure() && github.ref == 'refs/heads/main' }}
     steps:
-      - uses: slackapi/slack-github-action@v3
+      - uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3
         with:
           webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
           webhook-type: incoming-webhook
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -27,13 +27,13 @@ jobs:
       BUNDLE_GEMFILE: Gemfile
     name: "Run tests: Ruby ${{ matrix.ruby }}"
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
       - name: Install ripgrep
         run: sudo apt-get install -y ripgrep
       - name: Set up Ruby ${{ matrix.ruby }}
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@4c56a21280b36d862b5fc31348f463d60bdc55d5 # v1
         with:
           bundler-cache: true
           ruby-version: ${{ matrix.ruby }}
@@ -44,11 +44,11 @@ jobs:
     name: "Type Check"
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
       - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@4c56a21280b36d862b5fc31348f463d60bdc55d5 # v1
         with:
           bundler-cache: true
           ruby-version: 3.4
@@ -58,23 +58,23 @@ jobs:
     runs-on: ubuntu-latest
     name: "Linter"
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
       - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@4c56a21280b36d862b5fc31348f463d60bdc55d5 # v1
         with:
           bundler-cache: true
           ruby-version: 3.4
       - name: Run linter
         # zizmor: ignore[template-injection] workflow_call inputs are controlled by the caller
         run: ${{ inputs.linter-command }}
-  notify_on_failure:
+  notify_on_failure: # zizmor: ignore[secrets-outside-env] reusable workflow; environments are managed by callers
     runs-on: ubuntu-latest
     needs: [run_tests, static_type_check, run_linter]
     if: ${{ failure() && github.ref == 'refs/heads/main' }}
     steps:
-      - uses: slackapi/slack-github-action@v3
+      - uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3
         with:
           webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
           webhook-type: incoming-webhook
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -6,7 +6,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v10
+      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10
         with:
           stale-issue-message: 'This issue has been marked stale because it has been open for six months with no activity. To prevent this issue from automatically being closed in one week, update it or remove the stale label.'
           stale-pr-message: 'This PR has been marked stale because it has been open for six months with no activity. To prevent this PR from automatically being closed in one week, update it or remove the stale label.'
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -17,11 +17,9 @@ jobs:
       actions: read
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
 
       - name: Run zizmor
-        uses: zizmorcore/zizmor-action@v0.5.3
-        with:
-          config: .zizmor.yml
+        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
diff --git a/.zizmor.yml b/.zizmor.yml
