From f2d397fd01abf102147b7c6d3cedfb754248466e Mon Sep 17 00:00:00 2001 From: Thomas de Meyer Date: Tue, 28 Apr 2026 14:48:59 +0200 Subject: [PATCH 1/3] Add pinact and zizmor workflow checks --- .github/workflows/checks.yml | 16 +++++++------- .github/workflows/codeql-analysis.yml | 6 ++--- .github/workflows/pinact.yaml | 32 +++++++++++++++++++++++++++ .github/workflows/release-dry-run.yml | 6 ++--- .github/workflows/release.yml | 6 ++--- .github/workflows/zizmor.yaml | 32 +++++++++++++++++++++++++++ 6 files changed, 81 insertions(+), 17 deletions(-) create mode 100644 .github/workflows/pinact.yaml create mode 100644 .github/workflows/zizmor.yaml diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index f00dc593d..f28ef63de 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -14,9 +14,9 @@ jobs: os: [ ubuntu-latest, macos-latest, windows-latest ] runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 with: python-version: ${{ matrix.python }} @@ -25,7 +25,7 @@ jobs: run: echo "::set-output name=python_version::$(python --version)" - name: Cache dependencies - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3.5.0 with: path: .venv key: ${{ runner.os }}-${{ steps.get_python_version.outputs.python_version }}-dependencies-${{ hashFiles('**/poetry.lock') }} @@ -67,7 +67,7 @@ jobs: shell: bash run: poetry run coverage xml - - uses: codecov/codecov-action@v3 + - uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3.1.6 with: files: ./coverage.xml 
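Review bot: The hash pins introduced here and in the remaining checks.yml hunks (@@ -25, @@ -67, @@ -80, @@ -107), codeql-analysis.yml, release-dry-run.yml and release.yml have no renewal path in this series: the new pinact job only verifies pins (`skip_push: true`), so the `# vX.Y.Z` comments and hashes will age silently unless a Dependabot or Renovate configuration for the `github-actions` ecosystem already exists outside this diff. The usual companion change is a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"`, which bumps the hash and the version comment together. Separately, the pins lock actions/checkout on its v3 line and actions/setup-python on v4, majors that I believe still declare the deprecated node16 runtime; since these pins are now committed deliberately, confirm that against each action's action.yml or pin the current major instead.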
@@ -80,16 +80,16 @@ jobs: ports: - "3000:3000" steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 with: python-version: "3.10" - name: Get Python Version id: get_python_version run: echo "::set-output name=python_version::$(python --version)" - name: Cache dependencies - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3.5.0 with: path: .venv key: ${{ runner.os }}-${{ steps.get_python_version.outputs.python_version }}-dependencies-${{ hashFiles('**/poetry.lock') }} @@ -107,7 +107,7 @@ jobs: - name: Check for any file changes run: python .github/check_for_changes.py - name: Cache Generated Client Dependencies - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3.5.0 with: path: integration-tests/.venv key: ${{ runner.os }}-${{ steps.get_python_version.outputs.python_version }}-integration-dependencies-${{ hashFiles('**/poetry.lock') }} diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 1134a27db..2dcf84d93 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -16,7 +16,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: # We must fetch at least the immediate parents so that if this is # a pull request then we can checkout the head. 
@@ -29,10 +29,10 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1 # Override language selection by uncommenting this and choosing your languages with: languages: python - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1 diff --git a/.github/workflows/pinact.yaml b/.github/workflows/pinact.yaml new file mode 100644 index 000000000..2ae23a34f --- /dev/null +++ b/.github/workflows/pinact.yaml @@ -0,0 +1,32 @@ +name: Pinact + +on: + push: + branches: ["main"] + pull_request: + branches: ["**"] + paths: + - ".github/workflows/**" + - ".github/actions/**" + +permissions: {} + +jobs: + pinact: + # Only run on pull requests from the same repository + if: github.event.pull_request.head.repo.full_name == github.repository + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Pin actions + uses: suzuki-shunsuke/pinact-action@cf51507d80d4d6522a07348e3d58790290eaf0b6 # v2.0.0 + with: + skip_push: true + verify: true + min_age: 7 diff --git a/.github/workflows/release-dry-run.yml b/.github/workflows/release-dry-run.yml index 15c8f3c22..2a861e32d 100644 --- a/.github/workflows/release-dry-run.yml +++ b/.github/workflows/release-dry-run.yml 
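Review bot: The job-level `if:` in the new pinact.yaml makes its `push` trigger dead: on a push event `github.event.pull_request` is absent, so `github.event.pull_request.head.repo.full_name == github.repository` compares an empty value with the repository name and the job is skipped on every push to main. That guard is meant to keep fork pull requests out of a job that pushes fixes, but this job is read-only (`skip_push: true`, `contents: read`, no write permissions), so the condition can simply be removed, matching zizmor.yaml which runs unconditionally. If excluding forks is still wanted, guard on the event as well: `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`.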
@@ -9,12 +9,12 @@ jobs: release: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: fetch-depth: 0 token: ${{ secrets.PAT }} - name: Install Knope - uses: knope-dev/action@v1 + uses: knope-dev/action@f694bf4663f7c20743102e732728d676b2ab95db # v1 with: version: 0.6.2 - - run: knope release --dry-run \ No newline at end of file + - run: knope release --dry-run diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ab53a0542..00bb9a8e6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,19 +6,19 @@ jobs: release: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: fetch-depth: 0 token: ${{ secrets.PAT }} - name: Import GPG key - uses: crazy-max/ghaction-import-gpg@v5 + uses: crazy-max/ghaction-import-gpg@d6f3f49f3345e29369fe57596a3ca8f94c4d2ca7 # v5.4.0 with: gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} git_user_signingkey: true git_commit_gpgsign: true git_push_gpgsign: false - name: Install Knope - uses: knope-dev/action@v1 + uses: knope-dev/action@f694bf4663f7c20743102e732728d676b2ab95db # v1 with: version: 0.6.2 - name: Bump Version & Create GitHub Release diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml new file mode 100644 index 000000000..8e6493b97 --- /dev/null +++ b/.github/workflows/zizmor.yaml 
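Review bot: The pin comment `# v1` on `knope-dev/action@f694bf4663f7c20743102e732728d676b2ab95db` names a floating major tag rather than the release the hash corresponds to, in both release-dry-run.yml (this hunk) and release.yml (@@ -6). As I understand pinact's `verify: true`, it checks the comment against the tag that resolves to the hash, so this passes only while upstream's `v1` still points at that commit and starts failing once `v1` is re-pointed, and in the meantime a reader cannot tell which knope-dev/action release is in use. Record the exact release tag instead, e.g. `uses: knope-dev/action@f694bf4663f7c20743102e732728d676b2ab95db # v<exact-release-tag>`, taking the tag from the upstream release that carries this commit.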
@@ -0,0 +1,32 @@ +name: Zizmor + +on: + push: + branches: ["main"] + pull_request: + branches: ["**"] + paths: + - ".github/workflows/**" + - ".github/actions/**" + +permissions: {} + +jobs: + zizmor: + name: Run zizmor + runs-on: ubuntu-latest + permissions: + contents: read + actions: read + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor + uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2 + with: + advanced-security: false + annotations: true + min-severity: high From 1b6575be0c135f84a0a418055f85fb9f4f4e222c Mon Sep 17 00:00:00 2001 From: Thomas de Meyer Date: Fri, 8 May 2026 14:53:29 +0200 Subject: [PATCH 2/3] Fix unpinnable action refs and apply zizmor fixes --- .github/workflows/checks.yml | 4 ++++ .github/workflows/codeql-analysis.yml | 1 + .github/workflows/release-dry-run.yml | 1 + .github/workflows/release.yml | 1 + 4 files changed, 7 insertions(+) diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index f28ef63de..cbc9d61fa 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -15,6 +15,8 @@ jobs: runs-on: ${{ matrix.os }} steps: - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + with: + persist-credentials: false - name: Set up Python uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 with: @@ -81,6 +83,8 @@ jobs: - "3000:3000" steps: - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + with: + persist-credentials: false - name: Set up Python uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 with: diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 2dcf84d93..9d482ae19 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
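Review bot: `min-severity: high` in the zizmor step discards medium- and low-severity findings, and several of zizmor's supply-chain audits (for example `excessive-permissions` and `artipacked`, if I recall the audit table correctly) report at medium by default, so the job as configured would likely not have surfaced the `persist-credentials` issues that the second patch in this series fixes by hand. Because `annotations: true` only decorates the pull request, lowering the threshold adds little noise; `min-severity: medium` is the more useful setting, with zizmor's confidence threshold available to trim false positives if needed. Note also that the `paths` filter applies only to `pull_request`, so every push to main runs the job even when no workflow changed — harmless, but worth a comment if intentional.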
@@ -21,6 +21,7 @@ jobs: # We must fetch at least the immediate parents so that if this is # a pull request then we can checkout the head. fetch-depth: 2 + persist-credentials: false # If this run was triggered by a pull request event, then checkout # the head of the pull request instead of the merge commit. diff --git a/.github/workflows/release-dry-run.yml b/.github/workflows/release-dry-run.yml index 2a861e32d..e72318907 100644 --- a/.github/workflows/release-dry-run.yml +++ b/.github/workflows/release-dry-run.yml @@ -13,6 +13,7 @@ jobs: with: fetch-depth: 0 token: ${{ secrets.PAT }} + persist-credentials: false - name: Install Knope uses: knope-dev/action@f694bf4663f7c20743102e732728d676b2ab95db # v1 with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 00bb9a8e6..169222c41 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -10,6 +10,7 @@ jobs: with: fetch-depth: 0 token: ${{ secrets.PAT }} + persist-credentials: false - name: Import GPG key uses: crazy-max/ghaction-import-gpg@d6f3f49f3345e29369fe57596a3ca8f94c4d2ca7 # v5.4.0 with: From ca85029d1bf3a4f860bc1135664d4b526e3277df Mon Sep 17 00:00:00 2001 From: Thomas de Meyer Date: Fri, 8 May 2026 14:55:32 +0200 Subject: [PATCH 3/3] Fix unpinnable action refs and apply zizmor fixes --- .github/workflows/codeql-analysis.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 9d482ae19..d9dcf94a7 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
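Review bot: Adding `persist-credentials: false` under a checkout that passes `token: ${{ secrets.PAT }}` removes that PAT from the repository's git config after the clone, so in release.yml (@@ -10) a later step that pushes the version bump or tag from this checkout — which the PAT with `fetch-depth: 0` was presumably supplied for — would no longer have credentials; the steps after "Install Knope" are outside the hunk, so confirm whether knope pushes via git or only through the API before merging. In release-dry-run.yml (this hunk, @@ -13) nothing should push, so the cleaner least-privilege fix is to drop `token: ${{ secrets.PAT }}` there entirely and let the default `GITHUB_TOKEN` perform the read-only clone. If release.yml does need the PAT for a push, hand it only to the pushing step (for example as an `env:` value, if knope reads one) rather than leaving it in the checkout for the whole job.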
@@ -30,10 +30,10 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1 + uses: github/codeql-action/init@7fd177fa680c9881b53cdab4d346d32574c9f7f4 # v3.35.4 # Override language selection by uncommenting this and choosing your languages with: languages: python - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1 + uses: github/codeql-action/analyze@7fd177fa680c9881b53cdab4d346d32574c9f7f4 # v3.35.4