
Provide pinning for GitHub Actions and cooldown for npm updates#315

Open
lucperkins wants to merge 4 commits into main from actions-pinning

Conversation

Member

@lucperkins lucperkins commented May 12, 2026

  • Apply pinning to GitHub Actions
  • Provide cooldown for npm updates

Summary by CodeRabbit

  • Chores
    • Configured automated dependency management for GitHub Actions and npm with weekly update schedules and customized grouping and semver timing rules.
    • Updated CI/CD workflows to pin action references to specific commits and disabled credential persistence for improved security handling.
    • Added enforcement policy to pin certain dependency references.
    • Added a repository workflow to run a security/verification action on pushes and pull requests.

Review Change Stack


coderabbitai Bot commented May 12, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 85a00931-7ae5-4c26-aab2-f7ff4164a190

📥 Commits

Reviewing files that changed from the base of the PR and between 27849aa and 449ce08.

📒 Files selected for processing (2)
  • .github/workflows/update.yml
  • .github/workflows/zizmor.yml
✅ Files skipped from review due to trivial changes (1)
  • .github/workflows/zizmor.yml

📝 Walkthrough

Walkthrough

Adds Dependabot config for github-actions and npm, enforces a ref-pin policy for DeterminateSystems/* via Zizmor, pins actions/checkout across CI workflows and update workflow, changes a DeterminateSystems action reference to @main, and adds a zizmor workflow.

Changes

CI/CD Infrastructure Security and Automation

  • Dependabot automated updates configuration (.github/dependabot.yml): Dependabot configuration defines weekly updates for github-actions and npm at the repo root, with grouping, labels, commit-message prefix for Actions, cooldown, and semver timing thresholds; it ignores DeterminateSystems/* for Actions.
  • Security policy for unpinned action detection (.github/zizmor.yml): Zizmor policy adds rules.unpinned-uses to ref-pin DeterminateSystems/* references.
  • GitHub Actions pinning and checkout credentials in CI workflows (.github/workflows/ci.yaml): Pins actions/checkout to a commit SHA in Lints, ProductionTest, and PushToIDS jobs and sets persist-credentials: false on those checkout steps.
  • Update workflow pins and action ref change (.github/workflows/update.yml): Pins actions/checkout to a commit SHA and updates DeterminateSystems/determinate-nix-action from @v3 to @main while keeping checkout inputs.
  • Add zizmor CI workflow (.github/workflows/zizmor.yml, .github/zizmor.yml): Adds a zizmor workflow that runs on push/pull_request with restricted permissions, pinned checkout, and a pinned zizmorcore/zizmor-action configured via .github/zizmor.yml.

🎯 3 (Moderate) | ⏱️ ~20 minutes

A rabbit peers at YAML with a twitch of a nose,
Pins and policies in tidy neat rows,
Dependabot hums while zizmor keeps watch,
CI stays steady — no floats to botch,
A hop, a patch, the workflows compose.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the main changes: GitHub Actions pinning and npm update cooldown configuration via Dependabot.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 8

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)
.github/workflows/ci.yaml (3)

143-143: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

DeterminateSystems action not pinned, violating zizmor policy.

DeterminateSystems/flakehub-cache-action@main should be pinned to a commit SHA per the ref-pin policy in .github/zizmor.yml.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yaml at line 143, The workflow uses
DeterminateSystems/flakehub-cache-action@main which must be pinned to a specific
commit SHA to satisfy the ref-pin policy; replace the `@main` ref with a full
commit SHA (e.g., DeterminateSystems/flakehub-cache-action@<commit-sha>) by
looking up the desired commit on the DeterminateSystems/flakehub-cache-action
repo and updating the workflow entry, then commit the change and re-run CI to
verify the pin.

156-156: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

DeterminateSystems action not pinned, violating zizmor policy.

DeterminateSystems/push-artifact-ids@main should be pinned to a commit SHA per the ref-pin policy in .github/zizmor.yml.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yaml at line 156, The workflow currently references the
external action DeterminateSystems/push-artifact-ids@main which violates the
ref-pin policy; update the action reference to a specific commit SHA (e.g.,
DeterminateSystems/push-artifact-ids@<commit-sha>) by replacing "@main" with the
pinned commit hash for the DeterminateSystems/push-artifact-ids action, commit
that change, and ensure the new ref matches the SHA from the action repository
release or tag so the workflow uses an immutable pinned ref.

80-80: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Reusable workflow not pinned, violating zizmor policy.

DeterminateSystems/ci/.github/workflows/workflow.yml@main should be pinned to a commit SHA per the ref-pin policy in .github/zizmor.yml.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yaml at line 80, The reusable workflow reference "uses:
DeterminateSystems/ci/.github/workflows/workflow.yml@main" is not pinned; update
that reference to a specific commit SHA (replace `@main` with @<commit-sha>) so
the workflow is pinned per the ref-pin policy, and ensure the chosen SHA
corresponds to the intended version in the DeterminateSystems/ci repo (obtain
the commit SHA from that repo and use it in the uses line).
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yaml:
- Line 37: Replace the unpinned action reference
"DeterminateSystems/flakehub-cache-action@main" with a pinned commit SHA per the
ref-pin policy: look up the current commit SHA in the
DeterminateSystems/flakehub-cache-action repository and change the uses line to
"DeterminateSystems/flakehub-cache-action@<commit-sha>" (use the full
40-character SHA) so the workflow is pinned to a specific commit.
- Line 34: The workflow uses an unpinned GitHub Action reference
"DeterminateSystems/determinate-nix-action@main" which violates the ref-pin
policy; update that reference to a specific commit SHA (e.g., replace `@main` with
@<commit-sha>) so the action is pinned, ensuring it conforms to the
`.github/zizmor.yml` ref-pin rule and prevents floatable dependencies.
- Around line 110-111: Replace the unpinned action reference
"DeterminateSystems/flakehub-cache-action@main" with a pinned ref using a commit
SHA (e.g., DeterminateSystems/flakehub-cache-action@<commit-sha>) to comply with
the ref-pin policy; locate the workflow step that contains the string
"DeterminateSystems/flakehub-cache-action@main" and update the ref to a specific
commit SHA from that action's repository (obtain the SHA from the action repo's
commits or via git ls-remote) so the workflow no longer points to the mutable
"main" ref.
- Around line 141-142: The workflow currently references the action
"DeterminateSystems/determinate-nix-action@main" which must be pinned to a
commit SHA per the ref-pin policy; update that uses line to reference a specific
commit SHA (e.g., DeterminateSystems/determinate-nix-action@<commit-sha>)
instead of "@main" by finding the latest trusted commit SHA in the action
repository and replacing the ref, and ensure the new pinned ref is used wherever
"DeterminateSystems/determinate-nix-action@main" appears in the file.
- Around line 107-108: The workflow currently uses the unpinned GitHub Action
DeterminateSystems/determinate-nix-action@main; update that reference to a
specific commit SHA (e.g.,
DeterminateSystems/determinate-nix-action@<commit-sha>) so it complies with the
ref-pin rule in .github/zizmor.yml and prevents drifting; locate the usage of
DeterminateSystems/determinate-nix-action@main in the workflow and replace `@main`
with the exact commit SHA from the action's repo, commit and push the change.
- Around line 29-31: The workflow is using an unpinned action
"DeterminateSystems/flake-checker-action@main" which violates the ref-pin
policy; update the action reference to a specific commit SHA (e.g.,
DeterminateSystems/flake-checker-action@<commit-sha>) in the CI workflow so the
action is pinned, ensuring you replace the "@main" ref with the exact commit
hash for DeterminateSystems/flake-checker-action.

In @.github/workflows/update.yml:
- Line 21: The workflow currently uses the unpinned GitHub Action reference
DeterminateSystems/update-flake-lock@main which violates the ref-pin policy;
replace the `@main` ref with a specific commit SHA for
DeterminateSystems/update-flake-lock (e.g.,
DeterminateSystems/update-flake-lock@<commit-sha>) so the action is pinned, and
ensure the chosen SHA complies with the repository's ref-pin policy; update the
workflow entry where DeterminateSystems/update-flake-lock@main appears and
commit the pinned SHA.

In @.github/zizmor.yml:
- Around line 1-5: The Zizmor rule for DeterminateSystems/* is set to ref-pin
but multiple workflow uses still point to `@main`; update each referenced action
to a specific commit SHA or change the rule: replace instances of
DeterminateSystems/update-flake-lock@main,
DeterminateSystems/flake-checker-action@main,
DeterminateSystems/determinate-nix-action@main,
DeterminateSystems/flakehub-cache-action@main,
DeterminateSystems/ci/.github/workflows/workflow.yml@main, and
DeterminateSystems/push-artifact-ids@main in .github/workflows/update.yml and
.github/workflows/ci.yaml to use pinned commit SHAs (or alternatively modify the
.github/zizmor.yml policy for DeterminateSystems/* if you intend to allow
`@main`).


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6f1f77ac-fd1e-469b-84bd-d7427e8632dc

📥 Commits

Reviewing files that changed from the base of the PR and between bc463d2 and 27849aa.

📒 Files selected for processing (4)
  • .github/dependabot.yml
  • .github/workflows/ci.yaml
  • .github/workflows/update.yml
  • .github/zizmor.yml
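Added example (my code, not the project's and not zizmor's implementation): a small Python audit that classifies every `uses:` reference in a workflow as unpinned, ref-pinned (tag or branch) or hash-pinned (40-hex commit SHA) and compares it with a per-owner policy in the spirit of the `.github/zizmor.yml` discussed above. The policy table, the placeholder SHA and the sample workflow are constructed, and the ref-pin/hash-pin meanings are my reading, so confirm them against the zizmor documentation for the version you run.

```python
import fnmatch
import re

# Constructed policy in the spirit of the page's .github/zizmor.yml (not the
# project's file): the first matching owner/repo pattern wins, so order matters.
POLICY = [
    ("DeterminateSystems/*", "ref-pin"),
    ("*", "hash-pin"),
]
LEVEL = {"unpinned": 0, "ref-pin": 1, "hash-pin": 2}
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)""")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(uses):
    """'hash-pin' for a 40-hex SHA, 'ref-pin' for any tag/branch, else 'unpinned'."""
    if "@" not in uses:
        return "unpinned"
    version = uses.rsplit("@", 1)[1]
    return "hash-pin" if SHA_RE.match(version) else "ref-pin"


def required_level(uses):
    """Match owner/repo against POLICY; reusable-workflow paths reduce to owner/repo."""
    owner_repo = "/".join(uses.split("@", 1)[0].split("/")[:2])
    for pattern, required in POLICY:
        if fnmatch.fnmatchcase(owner_repo, pattern):
            return required
    return "hash-pin"


def audit(workflow_text):
    """Return (uses, actual, required) for every uses: line below its policy."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # local actions and container images are out of scope here
        uses = m.group(1)
        actual, required = classify_ref(uses), required_level(uses)
        if LEVEL[actual] < LEVEL[required]:
            findings.append((uses, actual, required))
    return findings


# Constructed sample; the SHA is a placeholder, not a real actions/checkout commit.
SAMPLE = """\
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: DeterminateSystems/determinate-nix-action@main
      - uses: DeterminateSystems/flake-checker-action
      - uses: ./.github/actions/local
"""
```

Run `audit(SAMPLE)` to see which lines fall short of their policy: the `@v4` checkout (needs a SHA) and the ref-less flake-checker-action, while `@main` under a ref-pin policy passes.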

@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.
