Summary
Pin all actions/* action references across .github/workflows/ to full commit SHAs instead of floating version tags (e.g., @v6, @v8), add persist-credentials: false to every actions/checkout step, and add a Dependabot config (.github/dependabot.yml) so the pinned SHAs auto-update.
Motivation
Currently, all jobs in ci.yaml (and other workflows) use major-version tags for actions/checkout, actions/upload-artifact, actions/download-artifact, etc. zizmor flags these as unpinned-uses and artipacked violations. Fixing only a single job (e.g., the new wheel-test job added in #78) would create inconsistency, so the fix should be applied uniformly across the repo.
Work items
- Pin every actions/* reference that still uses a floating tag in .github/workflows/*.yaml and .github/actions/**/action.yaml to a full commit SHA
- Add persist-credentials: false to every actions/checkout step
- Add .github/dependabot.yml with package-ecosystem: github-actions so Dependabot opens PRs to keep the pinned SHAs current
References
- zizmor findings (unpinned-uses, artipacked) during review of feat(build): Add CI test that builds+tests the wheels #78
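The three work items as a runnable check, added here as an example; this is not code from the issue, the repository or zizmor. It is a dependency-free Python lint that reports the two rule names zizmor uses (unpinned-uses, artipacked) over a constructed "before" workflow with floating tags and a constructed "after" workflow with pinned SHAs and persist-credentials: false, together with the matching dependabot.yml. The 40-hex SHAs in the hardened sample are placeholders, not real commits of those actions, and the step parser is line-based and assumes the usual one-step-per-"- " layout.

```python
import re

# Constructed sample: the "before" state the issue describes. Floating
# major-version tags, and actions/checkout left at its default of persisting
# the GITHUB_TOKEN into .git/config (what zizmor reports as artipacked).
WORKFLOW_BEFORE = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: python -m build
      - uses: actions/upload-artifact@v4
        with:
          name: wheels
          path: dist/
"""

# Constructed "after" state. The 40-hex SHAs are PLACEHOLDERS, not real commits
# of these actions; resolve the real SHA for the tag you intend to pin first
# (for example: git ls-remote --tags https://github.com/actions/checkout).
WORKFLOW_AFTER = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
        with:
          persist-credentials: false
      - uses: actions/setup-python@1111111111111111111111111111111111111111 # v5 (placeholder SHA)
        with:
          python-version: "3.12"
      - run: python -m build
      - uses: actions/upload-artifact@2222222222222222222222222222222222222222 # v4 (placeholder SHA)
        with:
          name: wheels
          path: dist/
"""

# Constructed .github/dependabot.yml for the third work item: Dependabot opens
# PRs that bump the pinned SHAs as new releases of each action appear.
DEPENDABOT_YML = """\
version: 2
updates:
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
"""

STEP_START_RE = re.compile(r"^(\s*)-\s+\w[\w-]*:")          # "- uses:", "- run:", "- name:"
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")          # value stops at space or comment
SHA_RE = re.compile(r"^[0-9a-f]{40}$")                        # a full commit SHA, nothing shorter
PERSIST_OFF_RE = re.compile(r"^\s*persist-credentials:\s*['\"]?false['\"]?\s*(#.*)?$")


def parse_steps(workflow_text):
    """Group workflow lines into steps: each step is the '- key:' line plus every
    line indented deeper than it. Line-based on purpose so it needs no YAML library."""
    steps, current = [], None  # current = (indent_of_dash, [lines])
    for line in workflow_text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if STEP_START_RE.match(line):
            if current is not None:
                steps.append(current[1])
            current = (indent, [line])
        elif current is not None and indent > current[0]:
            current[1].append(line)
        else:  # dedented past the steps list (e.g. the next job)
            if current is not None:
                steps.append(current[1])
            current = None
    if current is not None:
        steps.append(current[1])
    return steps


def lint_workflow(workflow_text):
    """Return (rule, uses_ref) findings: 'unpinned-uses' for any actions/* ref whose
    @ref is not a 40-hex SHA, 'artipacked' for actions/checkout steps that do not
    set persist-credentials: false."""
    findings = []
    for step in parse_steps(workflow_text):
        uses = next((m.group(1).strip("'\"") for m in map(USES_RE.match, step) if m), None)
        if uses is None or uses.startswith(("./", "docker://")):
            continue  # local composite actions and docker images are out of scope here
        repo, _, ref = uses.partition("@")
        if not SHA_RE.match(ref):
            findings.append(("unpinned-uses", uses))
        if repo == "actions/checkout" and not any(PERSIST_OFF_RE.match(ln) for ln in step):
            findings.append(("artipacked", uses))
    return findings


if __name__ == "__main__":
    for label, text in (("before", WORKFLOW_BEFORE), ("after", WORKFLOW_AFTER)):
        print(f"{label}: {lint_workflow(text) or 'clean'}")
```

Run against the "before" sample it reports four findings (three unpinned references and the credential-persisting checkout); the "after" sample is clean. Pointing lint_workflow at the real .github/workflows/*.yaml files is a quick pre-commit check until the pinned SHAs and Dependabot config are in place.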