ci: pin & trust

2025-06-03 08:21:50 +02:00 · 2025-06-03 08:21:50 +02:00 · 8dcceb5709
commit 8dcceb5709
parent 9542242475
2 changed files with 12 additions and 2 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -197,7 +197,7 @@ jobs:
          uv venv
          uv pip install . --group typing
          echo "$PWD/.venv/bin" >> $GITHUB_PATH
-      - uses: jakebailey/pyright-action@v2
+      - uses: jakebailey/pyright-action@b5d50e5cde6547546a5c4ac92e416a8c2c1a1dfe  # v2.3.2


  docs:
@ -253,6 +253,6 @@ jobs:

    steps:
      - name: Decide whether the needed jobs succeeded or failed
-        uses: re-actors/alls-green@release/v1
+        uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe  # v1.2.2
        with:
          jobs: ${{ toJSON(needs) }}
--- a/zizmor.yml
+++ b/zizmor.yml
@ -0,0 +1,10 @@
+---
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        # We trust GitHub, the PyPA, and ourselves.
+        "actions/*": ref-pin
+        "github/*": ref-pin
+        "pypa/*": ref-pin
+        "hynek/*": ref-pin