From 56c08e8c6e9b37a73876a83f34cf32633be0efae Mon Sep 17 00:00:00 2001 From: Ameer Ghani Date: Wed, 27 May 2026 19:45:26 +0000 Subject: [PATCH 1/4] ci: run zizmor --- .github/workflows/zizmor.yml | 46 ++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 00000000000..8c81a360fa3 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,46 @@ +name: Lint GitHub Actions + +on: + push: + branches: + - main + - release-branch-* + pull_request: + branches: + - '**' + workflow_dispatch: + +jobs: + zizmor: + runs-on: ubuntu-24.04 + + permissions: + contents: read + # Used by zizmor's online audits to query workflow run metadata. + # See https://docs.zizmor.sh/audits/ + actions: read + + env: + ZIZMOR_VERSION: 1.25.2 + + steps: + - name: Checkout repository + uses: actions/checkout@v6 + with: + persist-credentials: false + + - name: Download and verify zizmor + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + set -euo pipefail + url="https://github.com/zizmorcore/zizmor/releases/download/v${ZIZMOR_VERSION}/zizmor-x86_64-unknown-linux-gnu.tar.gz" + curl --fail --location --show-error --silent --output zizmor.tar.gz "${url}" + gh attestation verify zizmor.tar.gz --repo zizmorcore/zizmor + tar -xzf zizmor.tar.gz zizmor + ./zizmor --version | grep -Fq "zizmor ${ZIZMOR_VERSION}" + + - name: Run zizmor + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: ./zizmor . From d3d983aad2b3db1f91ad28ee72f69a566a38e279 Mon Sep 17 00:00:00 2001 
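Review bot: The `gh attestation verify zizmor.tar.gz --repo zizmorcore/zizmor` call in the "Download and verify zizmor" step accepts a provenance attestation from any workflow in that repository, so the check is only as strong as every workflow the upstream repo has ever run with `attestations: write`; `--signer-workflow zizmorcore/zizmor/.github/workflows/<release-workflow>.yml` (take the path from the certificate of a known-good release) narrows it to the release pipeline. The follow-up `./zizmor --version | grep -Fq "zizmor ${ZIZMOR_VERSION}"` is a good second factor against a swapped-but-attested artifact, but as an unanchored substring match it would also accept `zizmor 1.25.20`; `grep -Fxq "zizmor ${ZIZMOR_VERSION}"` pins the whole line. Both are hardening of an already reasonable download step, not a break.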
From: Ameer Ghani Date: Wed, 27 May 2026 20:18:50 +0000 Subject: [PATCH 2/4] apply auto fixes --- .github/dependabot.yml | 2 ++ .github/workflows/boulder-ci.yml | 12 +++++++----- .github/workflows/check-iana-registries.yml | 4 ++-- .github/workflows/codeql.yml | 8 ++++---- .github/workflows/cps-review.yml | 8 ++++---- .github/workflows/issue-for-sre-handoff.yml | 2 +- .../workflows/merged-to-main-or-release-branch.yml | 2 +- .github/workflows/release.yml | 6 +++--- .github/workflows/try-release.yml | 2 +- .github/workflows/zizmor.yml | 2 +- 10 files changed, 26 insertions(+), 22 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 41be4668d81..9ef3e047da4 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -21,3 +21,5 @@ updates: schedule: interval: monthly open-pull-requests-limit: 1 + cooldown: + default-days: 7 diff --git a/.github/workflows/boulder-ci.yml b/.github/workflows/boulder-ci.yml index 9be2865bd1d..2c0cee542fc 100644 --- a/.github/workflows/boulder-ci.yml +++ b/.github/workflows/boulder-ci.yml @@ -71,7 +71,7 @@ jobs: # Sequence of tasks that will be executed as part of the job. steps: # Checks out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false 
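Review bot: The `cooldown: default-days: 7` added to `.github/dependabot.yml` sits under only the `updates` entry that ends the file, and since the hunk starts at line 21 there is probably at least one more entry above it that does not get the delay; if the intent is to keep freshly published versions out of every ecosystem for a week, each entry needs its own `cooldown` block (Dependabot has no file-level default for it). Worth also confirming in your setup whether security updates bypass the cooldown, since otherwise a fix for a known CVE waits seven days too; a short comment such as `# Delay adoption of newly published releases so compromised versions can be pulled first` would record why the delay exists. The rest of the file is outside the hunk, so this is inferred from the hunk header.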
@@ -104,17 +104,18 @@ jobs: steps: # Checks out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false - name: Setup Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: # When Go produces a security release, we want govulncheck to run # against the most recently released Go version. check-latest: true go-version: "stable" + cache: false - name: Run govulncheck run: go run golang.org/x/vuln/cmd/govulncheck@latest ./... @@ -129,14 +130,15 @@ jobs: steps: # Checks out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false - name: Setup Go ${{ matrix.go-version }} - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: go-version: ${{ matrix.go-version }} + cache: false - name: Verify vendor shell: bash diff --git a/.github/workflows/check-iana-registries.yml b/.github/workflows/check-iana-registries.yml index be11e28d75f..817c8e7ac01 100644 --- a/.github/workflows/check-iana-registries.yml +++ b/.github/workflows/check-iana-registries.yml @@ -15,8 +15,8 @@ jobs: steps: - name: Checkout iana/data from main branch - uses: actions/checkout@v6 - with: + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: # zizmor: ignore[artipacked] gh credentials must be persisted so we can open a PR sparse-checkout: iana/data # If the branch already exists, this will fail, which will remind us about diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 216650cdafd..61049ae1310 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
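Review bot: In `check-iana-registries.yml` the `# zizmor: ignore[artipacked] gh credentials must be persisted so we can open a PR` suppression keeps the default `persist-credentials: true`, which writes the job token into `.git/config` for the lifetime of the job, where every later step (and anything they execute) can read it. If the PR is opened with `gh pr create` or a `git push` that takes a token explicitly, the usual alternative is `persist-credentials: false` and `GH_TOKEN: ${{ github.token }}` only on the step that needs it; the steps that push and open the PR are outside the hunk, so I can't tell whether that applies here. If persistence really is required, the ignore comment is the right call, though it reads more naturally on the `uses:` line than appended to `with:`.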
@@ -18,12 +18,12 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false - name: Initialize CodeQL - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4 - name: Autobuild - uses: github/codeql-action/autobuild@v4 + uses: github/codeql-action/autobuild@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4 diff --git a/.github/workflows/cps-review.yml b/.github/workflows/cps-review.yml index 63a688fc9e7..81f84290ea5 100644 --- a/.github/workflows/cps-review.yml +++ b/.github/workflows/cps-review.yml @@ -13,12 +13,12 @@ jobs: pull-requests: write steps: - name: Setup Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: go-version: "stable" - name: Checkout Upstream - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false ref: ${{ github.event.pull_request.base.ref }} @@ -26,7 +26,7 @@ jobs: run: go run ./test/list-features/list-features.go | sort >| /tmp/currflags.txt - name: Checkout PR - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false - name: Get PR Flags @@ -38,7 +38,7 @@ jobs: - name: Comment PR if: ${{ steps.newflags.outputs.flagnames != '' }} - uses: actions/github-script@v9 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 with: script: | const { owner, repo, number: issue_number } = context.issue; diff --git a/.github/workflows/issue-for-sre-handoff.yml b/.github/workflows/issue-for-sre-handoff.yml index 37f286d931b..40231b615ca 100644 --- a/.github/workflows/issue-for-sre-handoff.yml 
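Review bot: The SHA pins in `codeql.yml` (and the other files in this patch) carry only the major tag as the trailing comment, e.g. `uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4`, so a reviewer cannot tell from the file which release the hash corresponds to, and `# v4` will silently go stale as the pin advances. Recording the exact tag the SHA was resolved from, `# v4.32.4` style, makes the pin auditable by eye and is what Dependabot/Renovate maintain when they bump github-actions refs; if the auto-fixer only emits the original ref, a one-time pass with the exact tags is worth it. Purely a style point — the pins themselves are the right change.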
+++ b/.github/workflows/issue-for-sre-handoff.yml @@ -18,7 +18,7 @@ jobs: pull-requests: write steps: - name: Comment PR - uses: actions/github-script@v9 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 with: script: | const commentMarker = ''; diff --git a/.github/workflows/merged-to-main-or-release-branch.yml b/.github/workflows/merged-to-main-or-release-branch.yml index aacf553d701..599dc51ca1b 100644 --- a/.github/workflows/merged-to-main-or-release-branch.yml +++ b/.github/workflows/merged-to-main-or-release-branch.yml @@ -14,6 +14,6 @@ jobs: name: Merged to main (or hotfix) runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 661c5d0bfa9..98b38b32a9a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -15,7 +15,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false fetch-depth: '0' # Needed for verify-release-ancestry.sh to see origin/main @@ -41,7 +41,7 @@ jobs: contents: write packages: write steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false fetch-depth: '0' # Needed for verify-release-ancestry.sh to see origin/main @@ -87,7 +87,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false diff --git a/.github/workflows/try-release.yml b/.github/workflows/try-release.yml index 0c433a3babf..61a17518db8 100644 --- a/.github/workflows/try-release.yml +++ b/.github/workflows/try-release.yml 
@@ -23,7 +23,7 @@ jobs: - "1.26.3" runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 8c81a360fa3..a7f5c17d340 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -25,7 +25,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false From 88a1a40d5b59d91a2ed3efc53594254192ee8c25 Mon Sep 17 00:00:00 2001 From: Ameer Ghani Date: Thu, 28 May 2026 18:11:17 +0000 Subject: [PATCH 3/4] Token requirements don't apply for public repositories --- .github/workflows/zizmor.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index a7f5c17d340..409c074b07d 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -14,12 +14,6 @@ jobs: zizmor: runs-on: ubuntu-24.04 - permissions: - contents: read - # Used by zizmor's online audits to query workflow run metadata. - # See https://docs.zizmor.sh/audits/ - actions: read - env: ZIZMOR_VERSION: 1.25.2 From 2114443e90c7f9b9b2b3b62aa04ec39b33b38772 Mon Sep 17 00:00:00 2001 From: Ameer Ghani Date: Thu, 28 May 2026 18:12:52 +0000 Subject: [PATCH 4/4] remediate new finding -.- --- .github/workflows/zizmor.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 409c074b07d..159cc3fa990 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -10,6 +10,8 @@ on: - '**' workflow_dispatch: +permissions: {} + jobs: zizmor: runs-on: ubuntu-24.04
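Review bot: With the top-level `permissions: {}` added in PATCH 4 and the job-level `contents: read` / `actions: read` removed in PATCH 3, the `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` that zizmor.yml still exports to `gh attestation verify` and to `./zizmor .` is a zero-scope token, so both steps now depend on the repository (and every action it references) being public, as the PATCH 3 message states. That coupling is invisible in the file once the explanatory comment went with the removed block; I'd carry it over, e.g. `permissions: {}  # zizmor's online audits and gh attestation verify only read public data; no scopes needed`. Worth confirming on a `pull_request` run that the scopeless token is not rejected by the attestations API before relying on it.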