From 6d2aebb88423adaf1d4eaff6e177cc86becb811f Mon Sep 17 00:00:00 2001
From: Gil Forsyth
Date: Fri, 15 May 2026 15:20:58 -0400
Subject: [PATCH 1/5] feat(ci): add zizmor config and pre-commit
---
 .github/zizmor.yml | 9 +++++++++
 .pre-commit-config.yaml | 4 ++++
 2 files changed, 13 insertions(+)
 create mode 100644 .github/zizmor.yml
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 00000000..1b6ea1e5
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,9 @@
+rules:
+ unpinned-uses:
+ config:
+ policies:
+ # We require SHA-pinning for all workflows and actions _except_ for those from
+ # rapidsai/shared-workflows and rapidsai/shared-actions
+ "rapidsai/shared-workflows/*": any
+ "rapidsai/shared-actions/*": any
+ "*": hash-pin
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index ec89a3be..921830b2 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -44,6 +44,10 @@ repos:
 additional_dependencies: [tomli]
 exclude: "^.*.jsonlines$"
 args: ["--toml", "pyproject.toml", "--ignore-words-list=classfication"]
+ - repo: https://github.com/zizmorcore/zizmor-pre-commit
+ rev: v1.24.1
+ hooks:
+ - id: zizmor
 default_language_version:
 python: python3
From 6346110f9895348a75b3afbe3ced376be2bc31bc Mon Sep 17 00:00:00 2001
From: Gil Forsyth
Date: Fri, 15 May 2026 15:21:18 -0400
Subject: [PATCH 2/5] fix(ci): hash-pin all third-party actions
---
 .github/workflows/build-and-deploy.yml | 6 +++---
 .github/workflows/pre-commit.yml | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml
index d616b3f2..fcff4a75 100644
--- a/.github/workflows/build-and-deploy.yml
+++ b/.github/workflows/build-and-deploy.yml
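Review bot: The comment above the `policies` block says which repos are exempt but not why they may be used by a mutable ref, and it leaves unstated that the catch-all `"*": hash-pin` also tightens zizmor's default for first-party `actions/*` (which, if I recall the tool's defaults, only needs a ref pin) to a hash pin — the very thing patch 2 of this series then does. Both facts matter to whoever next edits this file, so I would extend the comment to something like `# rapidsai/shared-workflows and rapidsai/shared-actions are org-owned and are referenced by release branch on purpose; everything else, including actions/*, must be SHA-pinned`. The key order inside `policies` does not matter for YAML, but keeping the specific patterns above the `"*"` entry, as here, reads best.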
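Review bot: The new `zizmor-pre-commit` entry is pinned by the tag `v1.24.1`, so the tool that enforces hash pinning on workflows is itself fetched through a mutable ref; pre-commit accepts a full commit SHA in `rev`, so `rev: <SHA-OF-v1.24.1>  # v1.24.1` would give it the same immutability the rest of this series applies to actions. If the project relies on `pre-commit autoupdate`, that command rewrites `rev` back to a tag, so this is a policy choice worth recording in a comment rather than a defect. The enclosing `repos:` list begins outside the hunk.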
@@ -22,19 +22,19 @@ jobs:
 name: Build (and deploy)
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 0
 - name: Install uv
- uses: astral-sh/setup-uv@v5
+ uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2
 - name: Build
 env:
 DEPLOYMENT_DOCS_BUILD_STABLE: ${{ startsWith(github.event.ref, 'refs/tags/') && 'true' || 'false' }}
 run: uv run make dirhtml SPHINXOPTS="-W --keep-going -n"
- - uses: aws-actions/configure-aws-credentials@v4
+ - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
 if: ${{ github.repository == 'rapidsai/deployment' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch') }}
 with:
 role-to-assume: ${{ vars.AWS_ROLE_ARN }}
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index 43f1890a..1d03753f 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -9,8 +9,8 @@ jobs:
 name: "pre-commit hooks"
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-python@v5
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
 with:
 python-version: "3.12"
- - uses: pre-commit/action@v3.0.1
+ - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
From bee0d56a0c5c2a1243853632249a3bfb973117b5 Mon Sep 17 00:00:00 2001
From: Gil Forsyth
Date: Fri, 15 May 2026 15:28:32 -0400
Subject: [PATCH 3/5] fix(ci): use explicit permissions per-job
---
 .github/workflows/pre-commit.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index 1d03753f..a9b430f8 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
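Review bot: Every pinned `uses:` now carries a trailing `# vX.Y.Z` comment that nothing keeps in sync with the SHA, so a future bump that edits one but not the other will silently misdocument what actually runs, and a reviewer verifying a pin has to resolve each SHA by hand. A Dependabot `github-actions` update entry (or Renovate) rewrites the SHA and the version comment together and is the usual way to keep these comments honest; if the repository does not have one, adding it belongs with this series. The same applies to the three pins in the `pre-commit.yml` hunk below. The job that contains these steps is defined outside the hunk.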
@@ -4,6 +4,7 @@ on:
 push:
 pull_request:
+permissions: {}
 jobs:
 checks:
 name: "pre-commit hooks"
From 00cba4aa948006094b5ac65f9da8dcacf7b31771 Mon Sep 17 00:00:00 2001
From: Gil Forsyth
Date: Fri, 15 May 2026 15:31:16 -0400
Subject: [PATCH 4/5] fix(ci): fix artipacked
---
 .github/workflows/build-and-deploy.yml | 1 +
 .github/workflows/pre-commit.yml | 3 +++
 2 files changed, 4 insertions(+)
diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml
index fcff4a75..9ab896b1 100644
--- a/.github/workflows/build-and-deploy.yml
+++ b/.github/workflows/build-and-deploy.yml
@@ -25,6 +25,7 @@ jobs:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Install uv
 uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index a9b430f8..f18fed8b 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -11,6 +11,9 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ with:
+ fetch-depth: 0
+ persist-credentials: false
 - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
 with:
 python-version: "3.12"
From de2c71565a673165377a94cb7529c8c6ddf1eadd Mon Sep 17 00:00:00 2001
From: Gil Forsyth
Date: Fri, 15 May 2026 15:34:15 -0400
Subject: [PATCH 5/5] fix(ci): disable cache on uv install action
---
 .github/workflows/build-and-deploy.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml
index 9ab896b1..d17fd118 100644
--- a/.github/workflows/build-and-deploy.yml
+++ b/.github/workflows/build-and-deploy.yml
@@ -29,6 +29,8 @@ jobs:
 - name: Install uv
 uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2
+ with:
+ enable-cache: false
 - name: Build
 env:
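Review bot: The subject says permissions are set per-job, but the hunk only adds the workflow-level `permissions: {}`; the `checks` job below gets no explicit block, so its token has no scopes and `actions/checkout` succeeds only because the repository is public. Adding `permissions:` / `  contents: read` under `checks:` records the one scope the job actually needs and keeps the workflow working if visibility ever changes, which is what "per-job" in the subject suggests was intended. The `checks` job body continues outside the hunk.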
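Review bot: In the `pre-commit.yml` hunk of patch 4, `fetch-depth: 0` is new and is not part of the credential fix the commit describes; it turns the checkout into a full-history clone, which a pre-commit run normally does not need unless a hook in `.pre-commit-config.yaml` inspects history. If no hook needs it, `with:` / `persist-credentials: false` alone resolves the artipacked finding; if one does, a comment such as `# full history needed by <HOOK-ID>` above `fetch-depth: 0` would stop a later cleanup from removing it. The matching `build-and-deploy.yml` hunk only adds `persist-credentials: false` to a checkout that already had `fetch-depth: 0`, so no similar question arises there.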
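Review bot: `enable-cache: false` in the patch 5 hunk arrives with no inline rationale, so the next person tuning CI speed is likely to re-enable it; this workflow deploys on push and tag events, and on that path a restored cache entry is effectively input to the deploy, which is presumably what a cache-poisoning finding from zizmor reported. A comment above the new `with:` block, e.g. `# no cache here: this workflow publishes, and a restored cache would feed the deploy (zizmor cache-poisoning)`, preserves the reason alongside the setting. The `Install uv` step sits inside a job whose definition starts outside the hunk.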