
Apply pinning to GitHub Actions#121

Merged
lucperkins merged 3 commits into
mainfrom
actions-pinning
May 31, 2026

Conversation

@lucperkins
Member

@lucperkins lucperkins commented May 28, 2026

  • Apply pinning to GitHub Actions
  • Update zizmor action again

Summary by CodeRabbit

  • Chores
    • Enabled automated weekly dependency updates for GitHub Actions with intelligent grouping and cooldown periods
    • Added security scanning workflow to detect and report potential vulnerabilities in the codebase
    • Enhanced CI/CD pipeline stability through pinned action versions and refined job-level permissions


@coderabbitai

coderabbitai Bot commented May 28, 2026

📝 Walkthrough

This PR hardens GitHub Actions security by introducing automated dependency pinning, explicit job-level permissions, and security validation. It adds Dependabot configuration, pins action commit SHAs in the CI workflow, and deploys Zizmor for continuous validation of secure action usage.

Changes

CI Security Hardening

Layer: Dependabot configuration for action updates
File(s): .github/dependabot.yml
Summary: New Dependabot v2 configuration enables weekly updates for GitHub Actions with a 7-day cooldown, groups updates, ignores DeterminateSystems/*, and prefixes commits with ci.

Layer: CI workflow action pinning and permissions
File(s): .github/workflows/ci.yaml
Summary: CI workflow pins actions/checkout (v6.0.2) and actions/cache (v5.0.5), updates determinate-nix-action to main, and adds explicit permissions: {contents: read} to all jobs with persist-credentials: false.

Layer: Zizmor security scanning workflow
File(s): .github/workflows/zizmor.yml, .github/zizmor.yml
Summary: New Zizmor workflow runs security checks on push to main and on PRs, enforcing the security-events: write permission and validating action pinning via an unpinned-uses ref-pin policy for DeterminateSystems/*.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A rabbit hops through actions clean,
With SHA pins, a fortress scene,
Zizmor watches, eyes so keen,
Security's the best we've seen!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title check: ✅ Passed. The title 'Apply pinning to GitHub Actions' directly and clearly summarizes the main change across the pull request, which adds action pinning to multiple workflow files and configuration.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@lucperkins lucperkins enabled auto-merge May 28, 2026 15:15
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2


Inline comments:
In @.github/workflows/ci.yaml:
- Around line 19-20: Change the two mutable action refs to immutable commit
SHAs: replace uses: DeterminateSystems/determinate-nix-action@main and uses:
DeterminateSystems/flakehub-cache-action@main with pinned refs that include the
commit SHA (e.g., DeterminateSystems/determinate-nix-action@<commit-sha> and
DeterminateSystems/flakehub-cache-action@<commit-sha>); update the workflow to
reference the specific commit SHAs for these actions so the CI uses fixed
immutable versions and cannot be mutated via branch updates.

In @.github/zizmor.yml:
- Line 5: The namespace policy for DeterminateSystems/* currently uses the
non-hash pinning value "ref-pin", causing symbolic refs like `@main` to be
allowed; change the policy value to "ref-pin: hash" for DeterminateSystems/* so
zizmor requires commit-SHA-only pins (update the DeterminateSystems/* entry to
use ref-pin: hash).

📥 Commits

Reviewing files that changed from the base of the PR and between ba1df9a and a3ada29.

📒 Files selected for processing (4)
  • .github/dependabot.yml
  • .github/workflows/ci.yaml
  • .github/workflows/zizmor.yml
  • .github/zizmor.yml

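As an added example (not code from this PR, from zizmor or from CodeRabbit), a Python checker that applies the two pin policies discussed in the review to the uses: lines of a constructed workflow: hash-pin accepts only a full 40-hex commit SHA, while ref-pin also accepts a tag or branch such as @main. The sample workflow, its placeholder SHA and the policy-matching rule (first glob wins) are my own assumptions; zizmor's actual matching semantics may differ.

```python
import re
from fnmatch import fnmatch
# Constructed workflow excerpt (not the PR's real ci.yaml); the SHA is a placeholder.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v6.0.2
      - uses: actions/cache@v5.0.5
      - uses: DeterminateSystems/determinate-nix-action@main
      - uses: DeterminateSystems/flakehub-cache-action@main
      - uses: ./.github/actions/local-step
"""
USES_RE = re.compile(r"^\s*-\s*uses:\s*(\S+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def parse_uses(workflow_text):
    """Return (action, ref) pairs for remote actions; local and docker uses are skipped."""
    pairs = []
    for raw in USES_RE.findall(workflow_text):
        if raw.startswith(("./", "docker://")):
            continue
        action, sep, ref = raw.partition("@")
        pairs.append((action, ref if sep else ""))
    return pairs

def pin_kind(ref):
    """'hash' for a full commit SHA, 'ref' for a tag or branch, 'none' if unpinned."""
    if not ref:
        return "none"
    return "hash" if SHA_RE.match(ref) else "ref"

def policy_for(action, policies):
    """First glob pattern that matches wins (simplified, not zizmor's exact rules)."""
    for pattern, level in policies.items():
        if fnmatch(action, pattern):
            return level
    return "hash-pin"

def find_violations(workflow_text, policies):
    """Return 'action@ref' strings whose pin does not satisfy the applicable policy."""
    bad = []
    for action, ref in parse_uses(workflow_text):
        level, kind = policy_for(action, policies), pin_kind(ref)
        ok = level == "any" or kind == "hash" or (level == "ref-pin" and kind == "ref")
        if not ok:
            bad.append(f"{action}@{ref}")
    return bad
PAGE_POLICY = {"DeterminateSystems/*": "ref-pin", "*": "hash-pin"}  # as in the PR
STRICT_POLICY = {"*": "hash-pin"}  # what the review asks for: SHA pins everywhere
```

Under PAGE_POLICY only the tag-pinned actions/cache is flagged; under STRICT_POLICY the two @main refs are flagged as well, which is the gap the review points at.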
@lucperkins lucperkins merged commit 89c0171 into main May 31, 2026
9 checks passed
@lucperkins lucperkins deleted the actions-pinning branch May 31, 2026 01:15