Provide GitHub Actions pinning#188

Open
lucperkins wants to merge 1 commit into
mainfrom
actions-pinning

Conversation

@lucperkins lucperkins commented May 15, 2026


Summary by CodeRabbit

  • Chores
    • Configured automated dependency management for GitHub Actions updates.
    • Pinned GitHub Actions to specific versions for improved security and consistency across CI/CD workflows.
    • Added security scanning to identify potential configuration issues in GitHub Actions workflows.
    • Enhanced workflow permissions for stricter access control.

coderabbitai Bot commented May 15, 2026

Walkthrough

This pull request systematically hardens the repository's GitHub Actions workflows by introducing security scanning, automating dependency updates, and pinning all action references to specific commit SHAs with minimal permissions. The changes span Dependabot configuration, a new Zizmor security workflow, and consistent updates across all CI workflows.

Changes

Security Hardening via Action Pinning and Permissions

Layer | File(s) | Summary

Zizmor security enforcement setup
Files: .github/workflows/zizmor.yml, .github/zizmor.yml
Summary: Introduces a new CI workflow that runs on pushes to main and pull requests to scan for unpinned GitHub Actions. Zizmor config enforces ref-pin policy for DeterminateSystems/* actions with restricted job permissions.

Dependabot automation for pinned action updates
Files: .github/dependabot.yml
Summary: Configures Dependabot to check GitHub Actions weekly, group all action updates, prefix commits with ci, label PRs with dependencies and github-actions, explicitly ignore DeterminateSystems/* updates, and enforce a 7-day cooldown.

Build and core CI workflow hardening
Files: .github/workflows/build.yaml, .github/workflows/check-and-test.yaml, .github/workflows/flakehub.yaml
Summary: Pins actions/checkout, actions/upload-artifact, actions/download-artifact, and DeterminateSystems/determinate-nix-action to specific commit SHAs. Replaces secret inheritance with explicit permissions: contents: read. Updates cache token condition from expression form to literal if: false.

Release workflow hardening
Files: .github/workflows/release-branches.yml, .github/workflows/release-prs.yml, .github/workflows/release-tags.yml
Summary: Pins actions/checkout, actions/download-artifact, aws-actions/configure-aws-credentials, and softprops/action-gh-release to specific commit SHAs. Replaces secrets: inherit with explicit permissions: contents: read. Preserves artifact download and cache binary persistence steps.

Lockfile management workflow hardening
Files: .github/workflows/update-flake-lock.yaml
Summary: Pins actions/checkout and DeterminateSystems/determinate-nix-action to specific commit SHAs and adds explicit job permissions for contents: read.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 With pinned SHAs and permissions tight,
Our actions stay secure day and night,
Zizmor guards against the unpinned creep,
While Dependabot keeps updates deep,
Hop hop! Security's here to stay! 🔒

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation

Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
Title check: Passed. The title 'Provide GitHub Actions pinning' accurately summarizes the main change across all modified files: pinning GitHub Actions to specific commit SHAs instead of using tag-based references.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


@github-advanced-security


You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/release-tags.yml (1)

52-52: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Pin DeterminateSystems/push-artifact-ids to a specific commit SHA for consistency.

This workflow uses DeterminateSystems/push-artifact-ids@main, while other DeterminateSystems actions in this repository are pinned to specific commit SHAs (e.g., determinate-nix-action@bafaa638b9d5ec0e7e3ac1a7fc80453ef1fd265f). The same unpinned action also appears in release-prs.yml and release-branches.yml. Pinning all DeterminateSystems actions to commit SHAs improves security by preventing unexpected changes from automatic action updates.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release-tags.yml at line 52, replace the unpinned GitHub
Action reference DeterminateSystems/push-artifact-ids@main with a specific
commit SHA in this workflow (and do the same in release-prs.yml and
release-branches.yml) to ensure reproducible runs; locate the uses entry
"DeterminateSystems/push-artifact-ids@main" and change the tag portion to the
chosen commit SHA (e.g., DeterminateSystems/push-artifact-ids@<commit-sha>) so
the action is pinned.

📥 Commits

Reviewing files that changed from the base of the PR and between 0adf8a1 and 4d42bf2.

📒 Files selected for processing (10)
  • .github/dependabot.yml
  • .github/workflows/build.yaml
  • .github/workflows/check-and-test.yaml
  • .github/workflows/flakehub.yaml
  • .github/workflows/release-branches.yml
  • .github/workflows/release-prs.yml
  • .github/workflows/release-tags.yml
  • .github/workflows/update-flake-lock.yaml
  • .github/workflows/zizmor.yml
  • .github/zizmor.yml

Comment thread .github/zizmor.yml

unpinned-uses:
  config:
    policies:
      DeterminateSystems/*: ref-pin


⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find DeterminateSystems action usages that are not pinned to a full 40-char SHA.
rg -nP --type=yaml "uses:\s*['\"]?DeterminateSystems\/[^@]+@(?![0-9a-f]{40}\b)[^'\"\s]+" .github/workflows .github/zizmor.yml

Repository: DeterminateSystems/magic-nix-cache

Length of output: 1051

Pin or exempt remaining DeterminateSystems/*@main refs before enforcing ref-pin.

Line 5 enforces ref-pin for DeterminateSystems/*, but the following workflows include unpinned refs that create immediate policy violations:

  • .github/workflows/build.yaml:37
  • .github/workflows/check-and-test.yaml:21, 28, 77
  • .github/workflows/flakehub.yaml:19
  • .github/workflows/release-branches.yml:60
  • .github/workflows/release-prs.yml:63
  • .github/workflows/release-tags.yml:52
  • .github/workflows/update-flake-lock.yaml:18, 19
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/zizmor.yml at line 5, the policy entry "DeterminateSystems/*:
ref-pin" is active but there are remaining workflow references using unpinned
refs (e.g., DeterminateSystems/*@main); update those workflow usages to use
pinned refs (commit SHAs, tags or specific release versions) or add explicit
exemptions in .github/zizmor.yml for the specific repo refs before enforcing
ref-pin; search for occurrences of "DeterminateSystems/*@main" in workflow files
and replace with the pinned ref or add an exemption rule alongside
"DeterminateSystems/*: ref-pin".
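The walkthrough above and the zizmor finding both come down to two checks a reviewer can run offline: is every `uses:` target pinned to the level a per-repo policy demands, and does any job still rely on `secrets: inherit` instead of an explicit permissions block. The checker below is an added example, not code from this PR, from zizmor or from CodeRabbit; the sample workflow is constructed, the 40-zero SHA is a placeholder, and the policy names borrow zizmor's vocabulary with deliberately simplified semantics (hash-pin: full 40-hex SHA required; ref-pin: any explicit @ref accepted).

```python
import re
from fnmatch import fnmatch

# Constructed sample (not a repository file): SHA-pinned, tag-pinned and branch-pinned
# actions, a local reusable workflow, and a job that relies on `secrets: inherit`.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # constructed SHA
      - uses: DeterminateSystems/determinate-nix-action@v3
      - uses: DeterminateSystems/push-artifact-ids@main
  release:
    uses: ./.github/workflows/release.yml
    secrets: inherit
"""

# Assumed policy levels (zizmor's names, simplified semantics): hash-pin requires a full
# 40-hex commit SHA; ref-pin accepts any explicit @ref but rejects a bare owner/repo.
POLICIES = {"DeterminateSystems/*": "hash-pin", "*": "ref-pin"}
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")

def pin_violation(target, policies=POLICIES):
    """Return the violated policy name for one `uses:` target, or None if compliant."""
    if target.startswith("./"):                       # local actions/workflows are exempt
        return None
    repo, _, ref = target.partition("@")
    policy = next((p for pat, p in policies.items() if fnmatch(repo, pat)), None)
    if policy == "hash-pin" and not SHA_RE.match(ref):
        return policy
    if policy == "ref-pin" and not ref:
        return policy
    return None

def audit_workflow(text, policies=POLICIES):
    """Scan workflow YAML line by line; return (line_no, kind, detail) findings."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()          # drop trailing comments
        if line.strip() == "secrets: inherit":
            findings.append((no, "secrets-inherit", "prefer explicit permissions"))
        m = USES_RE.match(line)
        if m and (policy := pin_violation(m.group(1), policies)):
            findings.append((no, "unpinned", f"{m.group(1)} violates {policy}"))
    return findings
```

Running `audit_workflow(SAMPLE_WORKFLOW)` reports the two DeterminateSystems refs that are not SHA-pinned and the `secrets: inherit` line, in the same file:line shape the bot's finding list uses.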
