[6.0.x] Addressed unpinned-uses zizmor finding.

Backport of 86b8058b40 from main.
2026-02-09 02:49:25 +08:00 · 2025-11-14 13:58:40 -05:00
parent bc33e240e1
commit 3a493d4545
3 changed files with 11 additions and 1 deletions
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -19,7 +19,8 @@ jobs:
          path: "."
          persist-credentials: false
      - name: Setup Miniforge
-        uses: conda-incubator/setup-miniconda@v3
+        # Pinned to v3.2.0.
+        uses: conda-incubator/setup-miniconda@835234971496cad1653abb28a638a281cf32541f
        with:
          miniforge-version: "24.1.2-0"
          activate-environment: asv-bench
--- a/.github/workflows/check_commit_messages.yml
+++ b/.github/workflows/check_commit_messages.yml
@@ -8,6 +8,9 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:
  check-commit-prefix:
    if: startsWith(github.event.pull_request.base.ref, 'stable/')
--- a/zizmor.yml
+++ b/zizmor.yml
@@ -0,0 +1,6 @@
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        actions/*: ref-pin
+        psf/*: ref-pin