From 25f9db7a056bafd7ae1be472ce889b9cf9048f56 Mon Sep 17 00:00:00 2001
From: Phil Pennock
Date: Wed, 28 Jan 2026 10:08:13 -0500
Subject: [PATCH 1/2] chore: GitHub Actions version updates

Ran: pinact run -u
---
 .github/workflows/nightly.yaml | 8 ++++----
 .github/workflows/powershell.yml | 4 ++--
 .github/workflows/version-update.yaml | 4 ++--
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml
index dce3d15..958d3c4 100644
--- a/.github/workflows/nightly.yaml
+++ b/.github/workflows/nightly.yaml
@@ -33,7 +33,7 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 # NB: the `fetch-depth: 0` setting is documented by goreleaser
 # as a requirement, for the changelog feature to work correctly.
@@ -42,7 +42,7 @@ jobs:
 persist-credentials: false
 - name: Set up Go
- uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+ uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
 # v5 over v4 updates the Node runtime from node16 to node20.
 with:
 # This should be quoted or use .x, but should not be unquoted.
@@ -62,7 +62,7 @@ jobs:
 - name: Install GoReleaser
 id: goreleaser-install
- uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
+ uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
 with:
 distribution: goreleaser-pro
 version: "~> v2"
@@ -70,7 +70,7 @@ jobs:
 - name: Install cosign
 id: cosign-install
- uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
+ uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 # As of actions/setup-go@v4, go modules and build outputs are cached by default.
 # Prior to the update to use that, we used actions/cache@v3 here for a step:
diff --git a/.github/workflows/powershell.yml b/.github/workflows/powershell.yml
index afc7825..270dccf 100644
--- a/.github/workflows/powershell.yml
+++ b/.github/workflows/powershell.yml
@@ -29,7 +29,7 @@ jobs:
 name: PSScriptAnalyzer
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 # We don't need to work with the git remote after this, so:
 persist-credentials: false
@@ -47,6 +47,6 @@ jobs:
 # Upload the SARIF file generated in the previous step
 - name: Upload SARIF results file
- uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
+ uses: github/codeql-action/upload-sarif@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
 with:
 sarif_file: results.sarif
diff --git a/.github/workflows/version-update.yaml b/.github/workflows/version-update.yaml
index 8452627..b53b680 100644
--- a/.github/workflows/version-update.yaml
+++ b/.github/workflows/version-update.yaml
@@ -20,7 +20,7 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 # Need credentials preserved, to push a branch with changes
@@ -83,7 +83,7 @@ jobs:
 - name: Create Pull Request
 if: steps.update_versions.outputs.updated == 'true'
- uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
+ uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
 with:
 token: ${{ secrets.GITHUB_TOKEN }}

From 7f5653ac6a874663b3d5d6e0c6cb72310b8852a7 Mon Sep 17 00:00:00 2001
From: Phil Pennock
Date: Wed, 28 Jan 2026 10:18:32 -0500
Subject: [PATCH 2/2] chore: zizmor cleanups

Set `concurrency` controls appropriately.
Line-item explanations for permissions in version-update.yaml.

For zizmor v1.22.0 this leaves us clean under the pedantic persona; the auditor persona notes that the checkout enables credential persistence, but that's required for this workflow.
---
 .github/workflows/nightly.yaml | 5 +++++
 .github/workflows/powershell.yml | 5 +++++
 .github/workflows/version-update.yaml | 9 +++++++--
 3 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml
index 958d3c4..d818489 100644
--- a/.github/workflows/nightly.yaml
+++ b/.github/workflows/nightly.yaml
@@ -26,6 +26,11 @@ permissions:
 # contents: read
+concurrency:
+ # Intent: scheduled jobs stomp on each other, but manual runs are mostly independent.
+ group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.triggering_actor }}
+ cancel-in-progress: true
+
 jobs:
 nightly_release:
 name: build
diff --git a/.github/workflows/powershell.yml b/.github/workflows/powershell.yml
index 270dccf..e6d6221 100644
--- a/.github/workflows/powershell.yml
+++ b/.github/workflows/powershell.yml
@@ -20,6 +20,11 @@ on:
 permissions:
 contents: read
+concurrency:
+ # Intent: scheduled jobs stomp on each other unless there's a push, but pushes only stomp if unchanged
+ group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref }}
+ cancel-in-progress: true
+
 jobs:
 build:
 permissions:
diff --git a/.github/workflows/version-update.yaml b/.github/workflows/version-update.yaml
index b53b680..2356b92 100644
--- a/.github/workflows/version-update.yaml
+++ b/.github/workflows/version-update.yaml
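Review bot: `cancel-in-progress: true` in the new nightly.yaml `concurrency` block lets a later run abort an in-flight `nightly_release`, and the first patch's hunks show this job installing GoReleaser and cosign, so a cancellation that lands after publishing has started would presumably leave a partially published nightly rather than a clean retry; the intent comment covers the stomping but not that consequence (the publish steps themselves are outside the hunks, so I am inferring the ordering). Because the group key already serializes runs, `cancel-in-progress: false` makes a newer run queue behind the in-flight one instead of killing it, which is the safer setting for a job with external side effects. The version-update.yaml hunk in this patch applies the same setting to a workflow that pushes a branch and opens a PR, so the same trade-off applies there. Whichever way it is decided, I would record it next to the key, e.g. `# cancelling mid-publish can leave a partial release; newer runs queue instead`.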
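Review bot: The intent comment in the new powershell.yml `concurrency` block, `pushes only stomp if unchanged`, does not read back clearly against the group key, which scopes cancellation to runs of the same workflow, event and `github.ref`. I would reword it to say what the key actually does: `# Intent: scheduled runs supersede each other; a push supersedes only an in-flight run for the same ref`. Cancelling a superseded run looks harmless here, since the only side effect visible in the earlier hunks is the SARIF upload, which the newer run redoes for the same ref.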
@@ -9,14 +9,19 @@ on:
 permissions: {}
+concurrency:
+ # Intent: scheduled jobs stomp on each other, but manual runs are mostly independent.
+ group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.triggering_actor }}
+ cancel-in-progress: true
+
 jobs:
 check_versions:
 name: Update
 runs-on: ubuntu-latest
 permissions:
- contents: write
- pull-requests: write
+ contents: write # we create a branch with updated code, for review
+ pull-requests: write # we create a PR
 steps:
 - name: Checkout code