From 8dcceb570941d5ea13d12d716335459d78461ec5 Mon Sep 17 00:00:00 2001
From: Hynek Schlawack
Date: Tue, 3 Jun 2025 08:21:50 +0200
Subject: [PATCH] ci: pin & trust

---
 .github/workflows/ci.yml | 4 ++--
 zizmor.yml | 10 ++++++++++
 2 files changed, 12 insertions(+), 2 deletions(-)
 create mode 100644 zizmor.yml

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fbe91b8..4d35ef8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -197,7 +197,7 @@ jobs:
 uv venv
 uv pip install . --group typing
 echo "$PWD/.venv/bin" >> $GITHUB_PATH
- - uses: jakebailey/pyright-action@v2
+ - uses: jakebailey/pyright-action@b5d50e5cde6547546a5c4ac92e416a8c2c1a1dfe # v2.3.2
 docs:
@@ -253,6 +253,6 @@ jobs:
 steps:
 - name: Decide whether the needed jobs succeeded or failed
- uses: re-actors/alls-green@release/v1
+ uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
 with:
 jobs: ${{ toJSON(needs) }}
diff --git a/zizmor.yml b/zizmor.yml
new file mode 100644
index 0000000..1bab80b
--- /dev/null
+++ b/zizmor.yml
@@ -0,0 +1,10 @@
+---
+rules:
+ unpinned-uses:
+ config:
+ policies:
+ # We trust GitHub, the PyPA, and ourselves.
+ "actions/*": ref-pin
+ "github/*": ref-pin
+ "pypa/*": ref-pin
+ "hynek/*": ref-pin
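Review bot: The `# v2.3.2` annotation after the new pyright-action SHA is the weak link of this pin: nothing at run time checks that `b5d50e5c…` is the commit the `v2.3.2` tag actually resolves to, so a wrong or later-drifted comment misleads readers and any tooling that rewrites the comment on updates. Confirm the mapping before merging (e.g. `git ls-remote --tags https://github.com/jakebailey/pyright-action v2.3.2`, following the tag object to its commit) and repeat that check on each future bump. Note also that pinning the action's commit freezes the action code only; whatever the action installs when it runs (presumably a pyright release, but no `with:` block is visible in this hunk) is pinned only if its own inputs are, which is worth verifying. The enclosing job definition starts and continues outside the hunk.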
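Review bot: `ref-pin` in these four policies relaxes the audit to "some git ref is present", which as far as I recall also accepts mutable branch refs such as `@main`, so the exemption is broader than "we trust these orgs' tags" and the `# We trust …` comment should spell that trade-off out so the list is not read as a hash-pin allow-list, e.g. `# These orgs may use tag/branch refs instead of a hash pin (ref-pin): a compromise of GitHub, the PyPA or our own account would affect us regardless.` Please also confirm that the zizmor version run in CI discovers a root-level `zizmor.yml`; earlier releases only read `.github/zizmor.yml`, in which case this file would silently have no effect and the workflow would be audited under the default policy instead. The `hynek/*` self-trust holds only as long as that account and its action repositories keep hardened protections (2FA, protected tags), which this diff cannot show.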