Also clean up zizmor warnings

ncoghlan · ncoghlan · commit 8161b6cc182f · 2025-05-27T21:55:34.000+10:00
diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
@@ -24,7 +24,8 @@ jobs:
     steps:
       - name: "CLA Assistant"
         if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target' 
-        uses: contributor-assistant/github-action@v2.6.1
+        # https://github.com/contributor-assistant/github-action/releases/tag/v2.6.1
+        uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PERSONAL_ACCESS_TOKEN: ${{ secrets.CLA_PAT }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -19,7 +19,8 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: pdm-project/setup-pdm@v4
+      # https://github.com/pdm-project/setup-pdm/releases/tag/v4.4
+      - uses: pdm-project/setup-pdm@94a823180e06fcde4ad29308721954a521c96ed0
         with:
           python-version: 3.12
           cache: true
diff --git a/.github/workflows/scan-workflows.yml b/.github/workflows/scan-workflows.yml
@@ -27,10 +27,12 @@ jobs:
           persist-credentials: false
 
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@v5
+        # https://github.com/astral-sh/setup-uv/releases/tag/v6.1.0
+        uses: astral-sh/setup-uv@f0ec1fc3b38f5e7cd731bb6ce540c5af426746bb
 
       - name: Run zizmor 🌈
-        run: uvx zizmor --format sarif . > results.sarif
+        # Only scan this repo's workflows, not anything in submodules
+        run: uvx zizmor==1.8.0 --format sarif .github > results.sarif
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -121,7 +121,8 @@ jobs:
           # Use latest Python, so it understands all syntax.
           python-version: "3.13"
 
-      - uses: hynek/setup-cached-uv@v2
+      # https://github.com/hynek/setup-cached-uv/releases/tag/v2.3.0
+      - uses: hynek/setup-cached-uv@757bedc3f972eb7227a1aa657651f15a8527c817
 
       - uses: actions/download-artifact@v4
         with:
