SciTools · trexfeathers · Jun 5, 2026 · Jun 4, 2026 · Jun 4, 2026 · Jun 4, 2026
diff --git a/.github/workflows/benchmarks_report.yml b/.github/workflows/benchmarks_report.yml
@@ -2,25 +2,40 @@
 # Separated for security:
 #  https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
 
+# Reference
+#    - https://github.com/actions/github-script
+#    - https://github.com/actions/upload-artifact
+#    - https://github.com/actions/checkout
+#    - https://github.com/actions/download-artifact
+#    - https://github.com/actions/setup-python
+
 name: benchmarks-report
 run-name: Report benchmark results
 
 on:
-  workflow_run:
+  # Security: it is impossible to fully avoid this exposure, so long as we want results
+  #  from pull request CI to be posted as a comment. `permissions`, and `bm_runner.py`
+  #  are as locked-down as possible, and maintainers must manually approve workflow
+  #  runs from external authors, to mitigate the risk. The remaining vulnerability
+  #  is spam comments.
+  workflow_run: # zizmor: ignore[dangerous-triggers]
     workflows: [benchmarks-run]
     types:
       - completed
 
 jobs:
   download:
+    permissions:
+      actions: read
+      contents: read
     runs-on: ubuntu-latest
     outputs:
       reports_exist: ${{ steps.unzip.outputs.reports_exist }}
     steps:
       - name: Download artifact
         id: download-artifact
         # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#using-data-from-the-triggering-workflow
-        uses: actions/github-script@v9
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3
         with:
           script: |
             let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
@@ -54,28 +69,33 @@ jobs:
           echo "reports_exist=$reports_exist" >> "$GITHUB_OUTPUT"
 
       - name: Store artifact
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
         with:
           name: benchmark_reports
           path: benchmark_reports
 
   post_reports:
+    permissions:
+      issues: write
+      pull-requests: write
     runs-on: ubuntu-latest
     needs: download
     if: needs.download.outputs.reports_exist == 1
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
 
       - name: Download artifact
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
         with:
           name: benchmark_reports
           path: .github/workflows/benchmark_reports
 
       - name: Set up Python
         # benchmarks/bm_runner.py only needs builtins to run.
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
 
       - name: Post reports
         env:

diff --git a/.github/workflows/benchmarks_run.yml b/.github/workflows/benchmarks_run.yml
@@ -2,6 +2,12 @@
 #  - In the last 24 hours' commits.
 #  - Introduced by this pull request.
 
+# Reference
+#    - https://github.com/actions/checkout
+#    - https://github.com/MarceloPrado/has-changed-path
+#    - https://github.com/actions/cache
+#    - https://github.com/actions/upload-artifact
+
 name: benchmarks-run
 run-name: Run benchmarks
 
@@ -19,6 +25,8 @@ on:
     # Add the `labeled` type to the default list.
     types: [labeled, opened, synchronize, reopened]
 
+permissions: {}
+
 jobs:
   pre-checks:
     # This workflow supports two different scenarios (overnight and branch).
@@ -29,9 +37,10 @@ jobs:
       overnight: ${{ steps.overnight.outputs.check }}
       branch: ${{ steps.branch.outputs.check }}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           fetch-depth: 2
+          persist-credentials: false
       - id: files-changed
         uses: marceloprado/has-changed-path@df1b7a3161b8fb9fd8c90403c66a9e66dfde50cb
         with:
@@ -72,16 +81,17 @@ jobs:
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
       - name: Checkout repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Install run dependencies
         run: pip install asv nox!=2025.05.01
 
       - name: Cache environment directories
         id: cache-env-dir
-        uses: actions/cache@v5
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae
         with:
           path: |
             .nox
@@ -91,7 +101,7 @@ jobs:
 
       - name: Cache test data directory
         id: cache-test-data
-        uses: actions/cache@v5
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae
         with:
           path: |
             ${{ env.IRIS_TEST_DATA_PATH }}
@@ -115,27 +125,29 @@ jobs:
         #  the proposed merge with the base branch.
         if: needs.pre-checks.outputs.branch == 'true'
         env:
+          BASE_REF: ${{ github.base_ref }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PR_NUMBER: ${{ github.event.number }}
         run: |
-          nox -s benchmarks -- branch origin/${{ github.base_ref }}
+          nox -s benchmarks -- branch origin/${BASE_REF}
 
       - name: Run overnight benchmarks
         # If the 'overnight' condition(s) are met: use the bm_runner to compare
         #  each of the last 24 hours' commits to their parents.
         id: overnight
         if: needs.pre-checks.outputs.overnight == 'true'
         env:
+          FIRST_COMMIT: ${{ inputs.first_commit }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         # The first_commit argument allows a custom starting point - useful
         #  for manual re-running.
         run: |
-          first_commit=${{ inputs.first_commit }}
+          first_commit=${FIRST_COMMIT}
           if [ "$first_commit" == "" ]
           then
             first_commit=$(git log --after="$(date -d "1 day ago" +"%Y-%m-%d") 23:00:00" --pretty=format:"%h" | tail -n 1)
           fi
-          
+
           if [ "$first_commit" != "" ]
           then
             nox -s benchmarks -- overnight $first_commit
@@ -157,15 +169,15 @@ jobs:
       - name: Upload any benchmark reports
         # Uploading enables more downstream processing e.g. posting a PR comment.
         if: success() || steps.overnight.outcome == 'failure'
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
         with:
           name: benchmark_reports
           path: .github/workflows/benchmark_reports
 
       - name: Archive asv results
         # Store the raw ASV database(s) to help manual investigations.
         if: ${{ always() }}
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
         with:
           name: asv-raw-results
           path: benchmarks/.asv/results
diff --git a/.github/workflows/benchmarks_validate.yml b/.github/workflows/benchmarks_validate.yml
@@ -1,3 +1,7 @@
+# Reference
+#    - https://github.com/actions/checkout
+#    - https://github.com/actions/cache
+
 name: benchmarks-validate
 run-name: Validate the benchmarking setup
 
@@ -17,6 +21,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   validate:
     runs-on: ubuntu-latest
@@ -27,16 +33,17 @@ jobs:
 
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Install run dependencies
         run: pip install asv nox!=2025.05.01
 
-      - name: Cache environment directories
-        id: cache-env-dir
-        uses: actions/cache@v5
+      - name: Restore environment cache
+        id: cache-restore
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae
         with:
           path: |
             .nox
@@ -46,3 +53,15 @@ jobs:
 
       - name: Validate setup
         run: nox -s benchmarks -- validate
+
+      - name: Save environment cache
+        # Security: PRs are potentially malformed/malicious, so only allow runs on trunk
+        #  branches to update the cache, to avoid cache poisoning.
+        if: github.event_name == 'push'
+        uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae
+        with:
+          path: |
+            .nox
+            benchmarks/.asv/env
+            $CONDA/pkgs
+          key: ${{ steps.cache-restore.outputs.cache-primary-key }}
diff --git a/.github/workflows/ci-citation.yml b/.github/workflows/ci-citation.yml
@@ -1,3 +1,7 @@
+# Reference:
+#   - https://github.com/actions/checkout
+#   - https://github.com/citation-file-format/cffconvert-github-action
+
 name: ci-citation
 
 on:
@@ -15,14 +19,17 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   validate:
     name: "validate"
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: "check CITATION.cff"
         uses: citation-file-format/cffconvert-github-action@4cf11baa70a673bfdf9dad0acc7ee33b3f4b6084

diff --git a/.github/workflows/ci-linkchecks.yml b/.github/workflows/ci-linkchecks.yml
@@ -1,4 +1,9 @@
-name: Linkcheck
+# References:
+#   - https://github.com/actions/checkout
+#   - https://github.com/lycheeverse/lychee-action
+#   - https://github.com/peter-evans/create-issue-from-file
+
+name: ci-linkchecks
 
 on:
   workflow_dispatch:
@@ -16,7 +21,7 @@ jobs:
       issues: write # required for peter-evans/create-issue-from-file
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           fetch-depth: 0
           persist-credentials: false

diff --git a/.github/workflows/ci-manifest.yml b/.github/workflows/ci-manifest.yml
@@ -1,5 +1,6 @@
 # Reference
 #    - https://github.com/actions/checkout
+#    - https://github.com/SciTools/workflows
 
 name: ci-manifest
 
@@ -20,7 +21,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   manifest:
     name: "check-manifest"
-    uses: scitools/workflows/.github/workflows/ci-manifest.yml@2026.05.0
+    uses: scitools/workflows/.github/workflows/ci-manifest.yml@1f2141422a63321a32575ddd186e53acff12550c
diff --git a/.github/workflows/ci-template-check.yml b/.github/workflows/ci-template-check.yml
@@ -4,13 +4,17 @@
 name: ci-template-check
 
 on:
-  pull_request_target:
+  pull_request_target:  # zizmor: ignore[dangerous-triggers]
     branches:
       - main
 
+permissions: {}
+
 jobs:
   prompt-share:
-    uses: scitools/workflows/.github/workflows/ci-template-check.yml@2026.05.0
-    secrets: inherit
+    uses: scitools/workflows/.github/workflows/ci-template-check.yml@1f2141422a63321a32575ddd186e53acff12550c
+    secrets:
+      AUTH_APP_ID: ${{ secrets.AUTH_APP_ID }}
+      AUTH_APP_PRIVATE_KEY: ${{ secrets.AUTH_APP_PRIVATE_KEY }}
     with:
       pr_number: ${{ github.event.pull_request.number }}
diff --git a/.github/workflows/ci-tests.yml b/.github/workflows/ci-tests.yml
@@ -1,6 +1,7 @@
 # reference:
 #   - https://github.com/actions/cache
 #   - https://github.com/actions/checkout
+#   - https://github.com/codecov/codecov-action
 #   - https://github.com/marketplace/actions/setup-miniconda
 
 name: ci-tests
@@ -21,6 +22,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   tests:
     name: "${{ matrix.session }} (py${{ matrix.python-version }} ${{ matrix.os }})"
@@ -56,9 +59,10 @@ jobs:
 
     steps:
       - name: "checkout"
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: "environment configure"
         env:
@@ -83,7 +87,7 @@ jobs:
           env_name: ${{ env.ENV_NAME }}
 
       - name: "conda install"
-        uses: conda-incubator/setup-miniconda@v4
+        uses: conda-incubator/setup-miniconda@8ee1f361103df19b6f8c8655fd3967a8ecb162d5
         with:
           miniforge-version: latest
           channels: conda-forge
@@ -145,6 +149,6 @@ jobs:
 
       - name: "upload coverage report"
         if: ${{ matrix.coverage }}
-        uses: codecov/codecov-action@v6
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354
         with:
-          token: ${{ secrets.CODECOV_TOKEN }}
+          token: ${{ secrets.CODECOV_TOKEN }}