From 86b8058b40145fb5ba4fd859676225f533eca986 Mon Sep 17 00:00:00 2001
From: Jacob Walls
Date: Fri, 14 Nov 2025 13:58:40 -0500
Subject: [PATCH] Addressed unpinned-uses zizmor finding.
---
 .github/workflows/benchmark.yml | 3 ++-
 .github/workflows/check_commit_messages.yml | 3 +++
 zizmor.yml | 6 ++++++
 3 files changed, 11 insertions(+), 1 deletion(-)
 create mode 100644 zizmor.yml
diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index 1e56313807..c803546c78 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -19,7 +19,8 @@ jobs:
 path: "."
 persist-credentials: false
 - name: Setup Miniforge
- uses: conda-incubator/setup-miniconda@v3
+ # Pinned to v3.2.0.
+ uses: conda-incubator/setup-miniconda@835234971496cad1653abb28a638a281cf32541f
 with:
 miniforge-version: "24.1.2-0"
 activate-environment: asv-bench
diff --git a/.github/workflows/check_commit_messages.yml b/.github/workflows/check_commit_messages.yml
index dc841fef3f..ece0bcac4e 100644
--- a/.github/workflows/check_commit_messages.yml
+++ b/.github/workflows/check_commit_messages.yml
@@ -8,6 +8,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 check-commit-prefix:
 if: startsWith(github.event.pull_request.base.ref, 'stable/')
diff --git a/zizmor.yml b/zizmor.yml
new file mode 100644
index 0000000000..8d1b34ed48
--- /dev/null
+++ b/zizmor.yml
@@ -0,0 +1,6 @@
+rules:
+ unpinned-uses:
+ config:
+ policies:
+ actions/*: ref-pin
+ psf/*: ref-pin
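Review bot: In the benchmark.yml hunk the version note sits on its own line above the pinned `uses:`, where it can drift from the hash on the next bump. The common form is a trailing comment on the same line, `uses: conda-incubator/setup-miniconda@835234971496cad1653abb28a638a281cf32541f # v3.2.0`, which dependency updaters that rewrite SHA pins generally keep in sync. The diff cannot show that this hash is the commit behind the v3.2.0 tag, so that mapping should be verified against the upstream repository before merging. The step's `with:` block continues past the end of the hunk.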
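Review bot: The workflow-level `permissions:` block added to check_commit_messages.yml limits GITHUB_TOKEN to `contents: read` for every job, but the steps of `check-commit-prefix` are outside this hunk, so nothing visible confirms they need no other scope. If a step reads pull-request data through the API, it may also need `pull-requests: read`; please confirm with a run against a `stable/` base branch. The change is also a separate hardening from the unpinned-uses finding named in the subject, so a short comment above the block would record the intent, for example `# Least privilege: this workflow only needs to read the repository.`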
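Review bot: The two `ref-pin` policies in the new zizmor.yml let every action under `actions/*` and `psf/*` stay on a tag or branch ref, which is mutable, so those references remain exposed to a retargeted tag while the audit reports them as clean. If that trust decision is intended, state it in the file, for example `# actions/* and psf/* are trusted publishers; everything else must be hash-pinned.` The file also leaves the policy for all other owners to the tool's default. An explicit catch-all such as `"*": hash-pin` would make the requirement visible and stable across zizmor upgrades.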