From 28495078470697ca119b3694bf58caec8249b825 Mon Sep 17 00:00:00 2001
From: Henry Schreiner
Date: Wed, 20 May 2026 14:25:14 -0400
Subject: [PATCH] ci: secure GitHub Actions with pinning, zizmor, and dependabot
- Pin all GitHub Actions to SHA hashes in cd.yml
- Add zizmor pre-commit hook for ongoing action auditing
- Add ci: autoupdate_schedule: monthly to pre-commit config
- Freeze all pre-commit hook revs to SHA and update to latest
- Fix deploy job needs (was referencing nonexistent jobs)
- Add name: labels to build and deploy jobs
- Add explanatory comments on deploy permissions
- Update dependabot.yml: monthly schedule, 7-day cooldown, pre-commit ecosystem
Assisted-by: OpenCode:glm-5
---
 .github/dependabot.yml | 17 ++++++++++++++---
 .github/workflows/cd.yml | 22 ++++++++++++----------
 .pre-commit-config.yaml | 24 +++++++++++++++++-------
 3 files changed, 43 insertions(+), 20 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 6c4b369..51c096a 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,11 +1,22 @@
 version: 2
 updates:
- # Maintain dependencies for GitHub Actions
 - package-ecosystem: "github-actions"
 directory: "/"
 schedule:
- interval: "weekly"
+ interval: "monthly"
 groups:
- actions:
+ github-actions:
 patterns:
 - "*"
+ cooldown:
+ default-days: 7
+ - package-ecosystem: "pre-commit"
+ directory: "/"
+ schedule:
+ interval: "monthly"
+ groups:
+ pre-commit:
+ patterns:
+ - "*"
+ cooldown:
+ default-days: 7
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index ccbe323..51c8038 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
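Review bot: The new `cooldown: default-days: 7` stanzas under both ecosystems carry no rationale, and the file's only comment, `# Maintain dependencies for GitHub Actions`, is removed rather than replaced. A cooldown deliberately delays picking up new releases, including ones that fix issues in an action or hook, so a comment such as `# 7-day cooldown: let upstream releases settle before proposing the bump` above each `cooldown:` would record the trade-off. Whether Dependabot security updates are exempt from the cooldown is worth confirming against the Dependabot docs before relying on it. Together with the interval change from `weekly` to `monthly` and the `"*"` group pattern, action bumps will now arrive as one grouped PR at most monthly, which is presumably intended but is a noticeably slower cadence than before.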
@@ -15,14 +15,15 @@ concurrency:
 jobs:
 build:
+ name: Build
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Setup bun
- uses: oven-sh/setup-bun@v2
+ uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
 with:
 bun-version: latest
@@ -34,35 +35,36 @@ jobs:
 env:
 BASE_URL: /SIMPLE-Py
- - uses: actions/upload-artifact@v7
+ - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: site
 path: _build/html/*
 deploy:
+ name: Deploy
 environment:
 name: github-pages
 url: ${{ steps.deployment.outputs.page_url }}
 runs-on: ubuntu-latest
- needs: [build-book, build-slides]
+ needs: [build]
 if: github.event_name == 'push'
 permissions:
- pages: write
- id-token: write
+ pages: write # deploy to GitHub Pages
+ id-token: write # OIDC token for deploy
 steps:
 - name: Setup Pages
- uses: actions/configure-pages@v6
+ uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6.0.0
- - uses: actions/download-artifact@v8
+ - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 name: site
 path: public
 - name: Upload artifact for Pages
- uses: actions/upload-pages-artifact@v5
+ uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0
 with:
 path: public
 - name: Deploy to GitHub Pages
 id: deployment
- uses: actions/deploy-pages@v5
+ uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index f0501f7..c60a31a 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,9 @@
+ci:
+ autoupdate_schedule: monthly
+
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
- rev: "v6.0.0"
+ rev: "3e8a8703264a2f4a69428a0aa4dcb512790b2c8c" # frozen: v6.0.0
 hooks:
 - id: check-added-large-files
 - id: check-case-conflict
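Review bot: The `build` job gains a `name:` but still has no job-level `permissions:` block; if the workflow carries no top-level `permissions:` either (the workflow header is outside this hunk), the job's `GITHUB_TOKEN` falls back to the repository default, which may be write-scoped for a job that only needs to read the checkout. Adding `permissions: contents: read` under `build:` (or `permissions: {}` at workflow level, leaving the deploy job's `pages`/`id-token` grants as they are) closes that gap, and is also what the zizmor `excessive-permissions` audit introduced in this same commit looks for. `persist-credentials: false` on the checkout is kept, which is the right default alongside SHA pinning. Separately, `bun-version: latest` leaves the build toolchain unpinned while every action is now pinned to a commit; a fixed bun version would make the site build reproducible.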
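Review bot: `deploy` now correctly depends on `[build]`, but its only gate is `if: github.event_name == 'push'`; if the `on:` block (outside this hunk) fires on pushes to branches other than the default one, any branch push would publish to Pages unless the `github-pages` environment restricts its deployment branches. Either tighten the condition, e.g. `if: github.event_name == 'push' && github.ref == 'refs/heads/main'` (with the project's default branch name), or confirm the environment's deployment-branch rule and note it in a comment on the `if:` line. The new permission comments are welcome; the `id-token` one would be clearer as `# OIDC token: actions/deploy-pages authenticates to Pages with it`, since that is the step that consumes it.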
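Review bot: The new `ci: autoupdate_schedule: monthly` asks pre-commit.ci to bump hook revs, while the dependabot.yml change in this same commit adds a `pre-commit` package-ecosystem that bumps the same `rev:` fields; if pre-commit.ci is installed on the repository, both updaters will open PRs against `.pre-commit-config.yaml`. Pick one, or record which is authoritative in a comment above `ci:`, e.g. `# pre-commit.ci settings; hook revs are also tracked by Dependabot (.github/dependabot.yml)`. The `# frozen: vX` comments follow the `pre-commit autoupdate --freeze` format that pre-commit.ci preserves when bumping; it is worth confirming that Dependabot's pre-commit support keeps the SHA-plus-comment form as well, otherwise its bumps would silently revert the pins to tags.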
@@ -14,29 +17,29 @@ repos:
 - id: trailing-whitespace
 - repo: https://github.com/astral-sh/ruff-pre-commit
- rev: v0.13.2
+ rev: 6fec9b7edb08fd9989088709d864a7826dc74e80 # frozen: v0.15.12
 hooks:
 - id: ruff-format
 exclude: ^content/week01/cleanup_bessel\.ipynb$
 - repo: https://github.com/adamchainz/blacken-docs
- rev: 1.20.0
+ rev: fda77690955e9b63c6687d8806bafd56a526e45f # frozen: 1.20.0
 hooks:
 - id: blacken-docs
 additional_dependencies: [black==24.*]
 - repo: https://github.com/kynan/nbstripout
- rev: 0.8.1
+ rev: 34071b78c181af3bf5af955c1426466e096fc3db # frozen: 0.9.1
 hooks:
 - id: nbstripout
 - repo: https://github.com/rbubley/mirrors-prettier
- rev: "v3.6.2"
+ rev: "515f543f5718ebfd6ce22e16708bb32c68ff96e1" # frozen: v3.8.3
 hooks:
 - id: prettier
 - repo: https://github.com/codespell-project/codespell
- rev: "v2.4.1"
+ rev: "2ccb47ff45ad361a21071a7eedda4c37e6ae8c5a" # frozen: v2.4.2
 hooks:
 - id: codespell
 args: ["-L", "hist,whet,classe,nd", "-w"]
@@ -51,6 +54,13 @@ repos:
 exclude: ^(.pre-commit-config.yaml|content/week04_package/precommit.md)$
 - repo: https://github.com/PrincetonUniversity/blocklint
- rev: v0.2.5
+ rev: e615ce15d9b6e78c0c776a01884fe35637346ad0 # frozen: v0.3.0
 hooks:
 - id: blocklint
+
+ - repo: https://github.com/zizmorcore/zizmor-pre-commit
+ rev: a4727cbbcd26d7098e96b9cb738169b59711ae51 # frozen: v1.24.1
+ hooks:
+ - id: zizmor
+ files: "^\\.github"
+ args: [--persona=auditor]
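Review bot: The zizmor hook runs with `--persona=auditor`, the most verbose persona, which reports informational and pedantic findings alongside real ones; because pre-commit treats any nonzero exit as a failure, low-signal findings will block commits until each is fixed or explicitly ignored. If that strictness is intended, say so next to the flag, e.g. `# auditor persona: surface every finding, including pedantic ones, so nothing is skipped silently`; otherwise drop `args:` and rely on the default persona. `files: "^\\.github"` widens the hook beyond the workflow directory; whether zizmor acts on the other files there (such as dependabot.yml) depends on the zizmor version, so a comment such as `# audit everything under .github/, not only workflows` records the intent, and `"^\\.github/"` with the trailing slash would avoid matching any sibling path that merely starts with that prefix.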