From 0e16137e36e9dc8175ab730c4e3c9ddfafb9690f Mon Sep 17 00:00:00 2001 From: ilan-gold Date: Tue, 28 Apr 2026 10:27:18 +0200 Subject: [PATCH 01/10] chore: add zizmor --- .pre-commit-config.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index b5bcf663e..a26849e99 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -39,3 +39,7 @@ repos: - id: codespell additional_dependencies: - tomli + - repo: https://github.com/zizmorcore/zizmor-pre-commit + rev: v1.24.1 + hooks: + - id: zizmor From 08ce7485543f405c2fbe5416a5fc7cc944b05ae5 Mon Sep 17 00:00:00 2001 From: ilan-gold Date: Tue, 28 Apr 2026 10:35:14 +0200 Subject: [PATCH 02/10] fix: zizmor dependabot --- .github/dependabot.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index f1bae9502..3f3562ec5 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -7,3 +7,5 @@ updates: labels: - no milestone - skip-gpu-ci + cooldown: + default-days: 7 From 06f807453e36ddc41dfb9686fcfb207ea7883e8d Mon Sep 17 00:00:00 2001 From: ilan-gold Date: Tue, 28 Apr 2026 10:36:51 +0200 Subject: [PATCH 03/10] fix: try not persisting credentials --- .github/workflows/benchmark.yml | 1 + .github/workflows/check-pr.yml | 2 +- .github/workflows/codespell.yml | 1 + .github/workflows/publish.yml | 1 + .github/workflows/test-cpu.yml | 3 +++ .github/workflows/test-gpu.yml | 1 + 6 files changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index 66c4ada30..705359f9c 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -35,6 +35,7 @@ jobs: - uses: actions/checkout@v6 with: fetch-depth: 0 + persist-credentials: false # no blob filter so asv can checkout other commits - run: git fetch origin main:main diff --git a/.github/workflows/check-pr.yml b/.github/workflows/check-pr.yml index 17f79942c..066c3376f 100644 
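Review bot: The zizmor hook is pinned only by the mutable tag `rev: v1.24.1`, while patch 06 of this same series pins every workflow action to a commit SHA; pre-commit accepts a full commit SHA in `rev`, so the same standard could apply here, and if the tag is kept on purpose (for `pre-commit autoupdate`), a one-line comment saying so would record the choice: `# tag, not SHA: kept autoupdate-friendly; workflow actions are SHA-pinned instead`. Separately, as I understand zizmor, its online audits need a GitHub token and are skipped without one, so if this hook only ever runs under pre-commit.ci (the `pre-commit-ci[bot]` checks in check-pr.yml suggest that service is in use) the repository gets the offline audits only. A small scheduled workflow running zizmor with `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` would close that gap; please verify against the zizmor version actually pinned.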
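Review bot: With `persist-credentials: false` the `git fetch origin main:main` step that follows runs against an `origin` remote with no auth header, so it only works because the repository is publicly readable over anonymous HTTPS; on a private repository or private fork this step would fail, and the natural but wrong "fix" would be to re-enable credential persistence. A comment next to the fetch makes the dependency explicit: `# unauthenticated fetch: relies on the repo being public (checkout does not persist credentials)`. The same applies to any later checkout of other commits that asv performs, which I cannot see from this hunk.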
--- a/.github/workflows/check-pr.yml +++ b/.github/workflows/check-pr.yml @@ -57,7 +57,7 @@ jobs: if: github.event.pull_request.user.login != 'pre-commit-ci[bot]' && needs.check-milestone.outputs.no-relnotes-reason == '' && !contains(fromJSON('["style","refactor","test","build","ci"]'), needs.check-milestone.outputs.type) steps: - uses: actions/checkout@v6 - with: { filter: 'blob:none', fetch-depth: 0 } + with: { filter: "blob:none", fetch-depth: 0, persist-credentials: false } - name: Find out if a relevant release fragment is added uses: dorny/paths-filter@v3 id: changes diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml index c13950b2f..5cc8cfbee 100644 --- a/.github/workflows/codespell.yml +++ b/.github/workflows/codespell.yml @@ -20,4 +20,5 @@ jobs: with: fetch-depth: 0 filter: blob:none + persist-credentials: false - uses: codespell-project/actions-codespell@v2 diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index fde7261a5..9cc04536c 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -15,6 +15,7 @@ jobs: with: fetch-depth: 0 filter: blob:none + persist-credentials: false - uses: actions/setup-python@v6 with: python-version: "3.x" diff --git a/.github/workflows/test-cpu.yml b/.github/workflows/test-cpu.yml index c4885801e..16f5cc3e6 100644 --- a/.github/workflows/test-cpu.yml +++ b/.github/workflows/test-cpu.yml @@ -25,6 +25,7 @@ jobs: with: filter: blob:none fetch-depth: 0 + persist-credentials: false - uses: astral-sh/setup-uv@v7 with: enable-cache: false @@ -57,6 +58,7 @@ jobs: with: fetch-depth: 0 filter: blob:none + persist-credentials: false - name: Install system dependencies run: sudo apt install -y hdf5-tools @@ -104,6 +106,7 @@ jobs: with: fetch-depth: 0 filter: blob:none + persist-credentials: false - name: Set up Python uses: actions/setup-python@v6 diff --git a/.github/workflows/test-gpu.yml b/.github/workflows/test-gpu.yml index c475b1098..cb147a288 100644 
--- a/.github/workflows/test-gpu.yml +++ b/.github/workflows/test-gpu.yml @@ -48,6 +48,7 @@ jobs: with: fetch-depth: 0 filter: blob:none + persist-credentials: false - name: Nvidia SMI sanity check run: nvidia-smi From 664186114f66c0601ffb88d8c04df33cb25ff9f9 Mon Sep 17 00:00:00 2001 From: ilan-gold Date: Tue, 28 Apr 2026 11:01:46 +0200 Subject: [PATCH 04/10] fix: try permissions --- .github/workflows/benchmark.yml | 1 + .github/workflows/check-pr.yml | 4 ++++ .github/workflows/stale.yml | 2 ++ .github/workflows/test-cpu.yml | 5 +++++ .github/workflows/test-gpu.yml | 6 ++++++ 5 files changed, 18 insertions(+) diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index 705359f9c..d1a8adf0d 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -18,6 +18,7 @@ defaults: jobs: benchmark: + permissions: {} runs-on: ${{ matrix.os }} strategy: diff --git a/.github/workflows/check-pr.yml b/.github/workflows/check-pr.yml index 066c3376f..1e45b35ef 100644 --- a/.github/workflows/check-pr.yml +++ b/.github/workflows/check-pr.yml @@ -27,6 +27,8 @@ jobs: # This job verifies that the milestone is present or not necessary # and determines if “check-relnotes” needs to be run. check-milestone: + permissions: + pull-requests: read name: "Triage: Check PR title, milestone, and labels" runs-on: ubuntu-latest steps: @@ -51,6 +53,8 @@ jobs: type: ${{ steps.check-title.outputs.type }} # This job verifies that the relevant release notes file has been modified. check-relnotes: + permissions: + pull-requests: read name: Check for release notes runs-on: ubuntu-latest needs: check-milestone diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index d3ac044ed..da0300933 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -7,6 +7,8 @@ on: jobs: stale: runs-on: ubuntu-latest + permissions: + issues: write steps: - name: Label stale issues uses: actions/stale@v10 
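Review bot: `issues: write` alone may be insufficient for actions/stale, whose documentation lists `pull-requests: write` as well; the first job disables PR handling with `days-before-pr-stale: -1`, but the second job in this file (its inputs are partly visible in patch 06: `days-before-issue-stale: -1`, `days-before-issue-close: 14`) may still touch pull requests depending on inputs outside these hunks. If it does, add `pull-requests: write` to the job's `permissions:`; if pull requests are fully excluded in both steps, a comment such as `# PRs are never staled or closed here, so no pull-requests scope is granted` would make the minimal grant deliberate rather than accidental. Please confirm with a dry run (`debug-only: true` is already wired up in the config).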
diff --git a/.github/workflows/test-cpu.yml b/.github/workflows/test-cpu.yml index 16f5cc3e6..775baa2f7 100644 --- a/.github/workflows/test-cpu.yml +++ b/.github/workflows/test-cpu.yml @@ -18,6 +18,7 @@ concurrency: jobs: get-environments: runs-on: ubuntu-latest + permissions: {} outputs: envs: ${{ steps.get-envs.outputs.envs }} steps: @@ -101,6 +102,8 @@ jobs: build: runs-on: ubuntu-24.04 + permissions: + id-token: write steps: - uses: actions/checkout@v6 with: @@ -133,6 +136,8 @@ jobs: - get-environments - test - build + permissions: + actions: read runs-on: ubuntu-latest steps: - uses: re-actors/alls-green@release/v1 diff --git a/.github/workflows/test-gpu.yml b/.github/workflows/test-gpu.yml index cb147a288..16864c17a 100644 --- a/.github/workflows/test-gpu.yml +++ b/.github/workflows/test-gpu.yml @@ -13,6 +13,8 @@ env: PYTEST_ADDOPTS: "-v --color=yes" FORCE_COLOR: "1" +permissions: {} + # Cancel the job if new commits are pushed # https://stackoverflow.com/questions/66335225/how-to-cancel-previous-runs-in-the-pr-when-you-push-new-commitsupdate-the-curre concurrency: @@ -30,6 +32,8 @@ jobs: name: "Triage: Check if GPU tests are allowed to run" if: ${{ !(github.event.pull_request.user.login == 'pre-commit-ci[bot]' || contains(github.event.pull_request.labels.*.name, 'skip-gpu-ci')) }} runs-on: ubuntu-latest + permissions: + pull-requests: read steps: - uses: flying-sheep/check@v1 with: @@ -42,6 +46,8 @@ jobs: # Setting a timeout of 30 minutes, as the AWS costs money # At time of writing, a typical run takes about 5 minutes timeout-minutes: 30 + permissions: + pull-requests: write steps: - uses: actions/checkout@v4 # TODO: upgrade once cirun image supports node 24 From 117f48c85122cfdde61d3209e17138a4296395f3 Mon Sep 17 00:00:00 2001 From: ilan-gold Date: Tue, 28 Apr 2026 11:06:55 +0200 Subject: [PATCH 05/10] fix: no cache --- .github/workflows/publish.yml | 1 - 1 file changed, 1 deletion(-) 
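Review bot: The `pull-requests: write` grant added to the GPU `test` job is needed only by its final 'Remove run-gpu-ci Label' step (visible in patch 06), but the token is held by every step of the job, including the ones that install and run the pull request's own code on the cirun runner; `persist-credentials: false` keeps it out of `.git/config` but not out of `${{ secrets.GITHUB_TOKEN }}`. Moving the label removal into its own job that `needs: test` lets the test job drop to `permissions: {}` while the cleanup keeps its `if: always()`, and guarding on `github.event_name == 'pull_request'` avoids running it on `push` events, where there is no PR number. The sketch below uses the `gh` CLI so no third-party action is required; the existing `actions-ecosystem/action-remove-labels` step would work the same way inside the new job if you prefer to keep it, and the presence of `gh` on the ubuntu-latest runner should be confirmed.

```yaml
  test:
    # … unchanged: GPU test job, with `pull-requests: write` removed so it runs as `permissions: {}` …

  remove-label:
    needs: test
    if: always() && github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    env:
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      GH_REPO: ${{ github.repository }}
      PR_NUMBER: ${{ github.event.pull_request.number }}
    steps:
      - run: gh pr edit "$PR_NUMBER" --remove-label run-gpu-ci
```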
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 9cc04536c..18eea99df 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -19,7 +19,6 @@ jobs: - uses: actions/setup-python@v6 with: python-version: "3.x" - cache: "pip" - run: pip install build - run: python -m build - uses: pypa/gh-action-pypi-publish@release/v1 From 92cb6b9cc29957ac3d8e469221862e626c11b4e1 Mon Sep 17 00:00:00 2001 From: ilan-gold Date: Thu, 30 Apr 2026 12:03:47 +0200 Subject: [PATCH 06/10] chore: pin all --- .github/workflows/benchmark.yml | 6 +++--- .github/workflows/check-pr.yml | 12 ++++++------ .github/workflows/codespell.yml | 4 ++-- .github/workflows/publish.yml | 6 +++--- .github/workflows/stale.yml | 4 ++-- .github/workflows/test-cpu.yml | 18 +++++++++--------- .github/workflows/test-gpu.yml | 10 +++++----- 7 files changed, 30 insertions(+), 30 deletions(-) diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index d1a8adf0d..80bcf5f68 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -33,7 +33,7 @@ jobs: ASV_DIR: "./benchmarks" steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 persist-credentials: false @@ -43,7 +43,7 @@ jobs: if: ${{ github.ref_name != 'main' }} # Errors on main branch - - uses: mamba-org/setup-micromamba@v2 + - uses: mamba-org/setup-micromamba@add3a49764cedee8ee24e82dfde87f5bc2914462 # v2.0.7 with: environment-name: asv cache-environment: true @@ -56,7 +56,7 @@ jobs: conda-build - name: Cache datasets - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: | ~/.cache diff --git a/.github/workflows/check-pr.yml b/.github/workflows/check-pr.yml index 1e45b35ef..42644c51d 100644 --- a/.github/workflows/check-pr.yml +++ b/.github/workflows/check-pr.yml 
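Review bot: Dropping the pip cache removes one poisoning vector from the release job, but the `pip install build` on the following line still resolves the latest `build` release (and its dependencies) from PyPI at publish time, so a compromised or replaced upstream release would flow straight into the artifact that `pypa/gh-action-pypi-publish` uploads. Pin it, ideally with hashes from a small requirements file kept current by Dependabot, e.g. `pip install --require-hashes -r <pinned-requirements-file>`, or at minimum `pip install 'build==<version>'`; with the publish action itself now SHA-pinned in patch 06 this is the remaining unpinned input to the release. I have not checked which `build` version the job currently resolves, so the exact pin is yours to choose.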
@@ -33,11 +33,11 @@ jobs: runs-on: ubuntu-latest steps: - name: Check if a milestone is necessary and exists - uses: flying-sheep/check@v1 + uses: flying-sheep/check@6162e3da6b50abdfe00c3233e6f0ce2d1bdcf69c # v1.0.4 with: success: ${{ github.event.pull_request.user.login == 'pre-commit-ci[bot]' || github.event.pull_request.milestone != null || contains(env.LABELS, 'no milestone') }} - name: Check if release notes are necessary - uses: kaisugi/action-regex-match@v1.0.2 + uses: kaisugi/action-regex-match@d67cd689755dc47c5362609e0a6e2e1c93fa721b # v1.0.2 id: checked-relnotes with: text: ${{ github.event.pull_request.body }} @@ -45,7 +45,7 @@ jobs: flags: m - name: Check if PR title is valid id: check-title - uses: amannn/action-semantic-pull-request@v6 + uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1 env: # Needs repo options: “Squash and merge” with commit message set to “PR title” GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} outputs: 
@@ -60,15 +60,15 @@ jobs: needs: check-milestone if: github.event.pull_request.user.login != 'pre-commit-ci[bot]' && needs.check-milestone.outputs.no-relnotes-reason == '' && !contains(fromJSON('["style","refactor","test","build","ci"]'), needs.check-milestone.outputs.type) steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: { filter: "blob:none", fetch-depth: 0, persist-credentials: false } - name: Find out if a relevant release fragment is added - uses: dorny/paths-filter@v3 + uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3.0.3 id: changes with: filters: | # this is intentionally a string relnotes: 'docs/release-notes/${{ github.event.pull_request.number }}.${{ (contains(github.event.pull_request.title, '!') && 'breaking') || needs.check-milestone.outputs.type }}.md' - name: Check if a relevant release fragment is added - uses: flying-sheep/check@v1 + uses: flying-sheep/check@6162e3da6b50abdfe00c3233e6f0ce2d1bdcf69c # v1.0.4 with: success: ${{ steps.changes.outputs.relnotes }} diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml index 5cc8cfbee..e27d9ed63 100644 --- a/.github/workflows/codespell.yml +++ b/.github/workflows/codespell.yml @@ -16,9 +16,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 filter: blob:none persist-credentials: false - - uses: codespell-project/actions-codespell@v2 + - uses: codespell-project/actions-codespell@406322ec52dd7b488e48c1c4b82e2a8b3a1bf630 # v2.1 diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 18eea99df..0a39dd5e4 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
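Review bot: codespell.yml stays on `actions/checkout` v4.3.1 while every other workflow in this patch moves to the v6.0.2 SHA, and unlike test-gpu.yml there is no comment explaining the older major; the cirun-image constraint cited there does not apply to this job, which the context lines show runs on `ubuntu-latest`. Unless there is a reason not visible here, use the same `actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2` line as the other workflows so there is a single checkout pin to bump; otherwise add a `# TODO:` comment stating why v4 is kept, as test-gpu.yml does.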
@@ -11,14 +11,14 @@ jobs: permissions: id-token: write # to authenticate as Trusted Publisher to pypi.org steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 filter: blob:none persist-credentials: false - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.x" - run: pip install build - run: python -m build - - uses: pypa/gh-action-pypi-publish@release/v1 + - uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index da0300933..1302a4121 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -11,7 +11,7 @@ jobs: issues: write steps: - name: Label stale issues - uses: actions/stale@v10 + uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0 with: days-before-issue-stale: 60 days-before-pr-stale: -1 # We don't want to mark PRs as stale @@ -24,7 +24,7 @@ jobs: Please add a comment if you want to keep the issue open. Thank you for your contributions! debug-only: false # set to `true` to enable dry-run - name: Close stale issues - uses: actions/stale@v10 + uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0 with: days-before-issue-stale: -1 # We don't want to mark issues as stale in this action days-before-issue-close: 14 diff --git a/.github/workflows/test-cpu.yml b/.github/workflows/test-cpu.yml index 775baa2f7..9422b2149 100644 --- a/.github/workflows/test-cpu.yml +++ b/.github/workflows/test-cpu.yml 
@@ -22,12 +22,12 @@ jobs: outputs: envs: ${{ steps.get-envs.outputs.envs }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: filter: blob:none fetch-depth: 0 persist-credentials: false - - uses: astral-sh/setup-uv@v7 + - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0 with: enable-cache: false - id: get-envs @@ -55,7 +55,7 @@ jobs: ENV_NAME: ${{ matrix.env.name }} IO_MARK: ${{ matrix.io_mark }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 filter: blob:none @@ -65,7 +65,7 @@ jobs: run: sudo apt install -y hdf5-tools - name: Install UV - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0 with: enable-cache: true python-version: ${{ matrix.env.python }} @@ -84,7 +84,7 @@ jobs: - name: Upload test results if: ${{ !cancelled() }} - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5.5.4 with: report_type: test_results env_vars: ENV_NAME,IO_MARK @@ -93,7 +93,7 @@ jobs: fail_ci_if_error: true - name: Upload coverage data - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5.5.4 with: env_vars: ENV_NAME,IO_MARK files: test-data/coverage.xml @@ -105,14 +105,14 @@ jobs: permissions: id-token: write steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 filter: blob:none persist-credentials: false - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.x' cache: pip 
@@ -140,6 +140,6 @@ jobs: actions: read runs-on: ubuntu-latest steps: - - uses: re-actors/alls-green@release/v1 + - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2 with: jobs: ${{ toJSON(needs) }} diff --git a/.github/workflows/test-gpu.yml b/.github/workflows/test-gpu.yml index 16864c17a..4ea64a942 100644 --- a/.github/workflows/test-gpu.yml +++ b/.github/workflows/test-gpu.yml @@ -35,7 +35,7 @@ jobs: permissions: pull-requests: read steps: - - uses: flying-sheep/check@v1 + - uses: flying-sheep/check@6162e3da6b50abdfe00c3233e6f0ce2d1bdcf69c # v1.0.4 with: success: ${{ github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'run-gpu-ci') }} # If `check` wasn’t skipped or failed, start an AWS runner and run the GPU tests on it. @@ -50,7 +50,7 @@ jobs: pull-requests: write steps: - - uses: actions/checkout@v4 # TODO: upgrade once cirun image supports node 24 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 filter: blob:none @@ -60,7 +60,7 @@ jobs: run: nvidia-smi - name: Install UV - uses: astral-sh/setup-uv@v6 # TODO: upgrade once cirun image supports node 24 + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0 with: enable-cache: true @@ -87,7 +87,7 @@ jobs: uv run coverage combine uv run coverage xml - - uses: codecov/codecov-action@v5 + - uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5.5.4 with: token: ${{ secrets.CODECOV_TOKEN }} fail_ci_if_error: true @@ -95,7 +95,7 @@ jobs: - name: Remove 'run-gpu-ci' Label if: always() - uses: actions-ecosystem/action-remove-labels@v1 + uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 # v1.3.0 with: labels: "run-gpu-ci" github_token: ${{ secrets.GITHUB_TOKEN }} From 62a474090f8765010e6847550a16c52237340865 Mon Sep 17 00:00:00 2001 
From: Ilan Gold Date: Fri, 8 May 2026 13:33:45 +0200 Subject: [PATCH 07/10] fix: comment --- .github/workflows/test-gpu.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test-gpu.yml b/.github/workflows/test-gpu.yml index 4ea64a942..981918fd1 100644 --- a/.github/workflows/test-gpu.yml +++ b/.github/workflows/test-gpu.yml @@ -35,6 +35,7 @@ jobs: permissions: pull-requests: read steps: + # TODO: upgrade once cirun image supports node 24 - uses: flying-sheep/check@6162e3da6b50abdfe00c3233e6f0ce2d1bdcf69c # v1.0.4 with: success: ${{ github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'run-gpu-ci') }} From cc7f17e2d143b91fa5a9b988f3509195cd293045 Mon Sep 17 00:00:00 2001 From: ilan-gold Date: Fri, 15 May 2026 16:59:05 +0200 Subject: [PATCH 08/10] fix: try different permissions --- .github/workflows/check-pr.yml | 3 +-- .github/workflows/codespell.yml | 3 +-- .github/workflows/test-cpu.yml | 3 +-- 3 files changed, 3 insertions(+), 6 deletions(-) diff --git a/.github/workflows/check-pr.yml b/.github/workflows/check-pr.yml index 42644c51d..d778dd4ea 100644 --- a/.github/workflows/check-pr.yml +++ b/.github/workflows/check-pr.yml @@ -53,8 +53,7 @@ jobs: type: ${{ steps.check-title.outputs.type }} # This job verifies that the relevant release notes file has been modified. check-relnotes: - permissions: - pull-requests: read + permissions: {} name: Check for release notes runs-on: ubuntu-latest needs: check-milestone diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml index e27d9ed63..971db9790 100644 --- a/.github/workflows/codespell.yml +++ b/.github/workflows/codespell.yml @@ -7,8 +7,7 @@ on: pull_request: branches: [main] -permissions: - contents: read +permissions: {} jobs: codespell: diff --git a/.github/workflows/test-cpu.yml b/.github/workflows/test-cpu.yml index a05943529..d8ce01f6c 100644 --- a/.github/workflows/test-cpu.yml +++ b/.github/workflows/test-cpu.yml 
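Review bot: `check-relnotes` now runs with `permissions: {}`, yet its `dorny/paths-filter` step (pinned in patch 06) obtains the changed-file list for `pull_request` events through the GitHub API using `${{ github.token }}`, which dorny's documentation says requires `pull-requests: read`. On a public repository the read may still succeed, so this can pass today and break as soon as the repository (or a fork running the workflow) is private; I would keep `pull-requests: read` on this job, or record why it was dropped with `# paths-filter lists PR files via the API; works without a scope only because the repo is public`. Patch 04 of this series added the scope deliberately, so please confirm the removal was verified on a real pull-request run rather than a `push` run.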
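Review bot: Replacing the top-level `permissions: contents: read` with `permissions: {}` leaves the `actions/checkout` step in this workflow working only while the repository is public (anonymous clone); on a private repository it would fail with no token scope at all. If the intent is the zizmor-recommended layout, keep the top-level `permissions: {}` and state the need where it is used, on the `codespell` job: `codespell:` / `  permissions:` / `    contents: read`. That keeps the default-deny at the workflow level without relying on the repository's visibility.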
@@ -103,8 +103,7 @@ jobs: build: runs-on: ubuntu-24.04 - permissions: - id-token: write + permissions: {} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: From 96c34c9c2582e5e9ee0d68e22696c902f93598b7 Mon Sep 17 00:00:00 2001 From: Ilan Gold Date: Sat, 16 May 2026 13:32:55 +0200 Subject: [PATCH 09/10] fix: coment/perm --- .github/workflows/test-gpu.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/test-gpu.yml b/.github/workflows/test-gpu.yml index 981918fd1..e5b1507f0 100644 --- a/.github/workflows/test-gpu.yml +++ b/.github/workflows/test-gpu.yml @@ -32,10 +32,8 @@ jobs: name: "Triage: Check if GPU tests are allowed to run" if: ${{ !(github.event.pull_request.user.login == 'pre-commit-ci[bot]' || contains(github.event.pull_request.labels.*.name, 'skip-gpu-ci')) }} runs-on: ubuntu-latest - permissions: - pull-requests: read + permissions: {} steps: - # TODO: upgrade once cirun image supports node 24 - uses: flying-sheep/check@6162e3da6b50abdfe00c3233e6f0ce2d1bdcf69c # v1.0.4 with: success: ${{ github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'run-gpu-ci') }} @@ -51,6 +49,7 @@ jobs: pull-requests: write steps: + # TODO: upgrade once cirun image supports node 24 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 From eaae3a3556e49919cbb9efe6c4f49b788c8bcfa4 Mon Sep 17 00:00:00 2001 From: Ilan Gold Date: Sat, 16 May 2026 13:33:29 +0200 Subject: [PATCH 10/10] Apply suggestion from @ilan-gold --- .github/workflows/test-gpu.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test-gpu.yml b/.github/workflows/test-gpu.yml index e5b1507f0..a8f83318b 100644 --- a/.github/workflows/test-gpu.yml +++ b/.github/workflows/test-gpu.yml 
@@ -60,6 +60,7 @@ jobs: run: nvidia-smi - name: Install UV + # TODO: upgrade once cirun image supports node 24 uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0 with: enable-cache: true