From 4592095491ee5cb8b7935c535b7dc70483035a49 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 20:56:50 -0400
Subject: [PATCH 1/6] CI: pin actions by SHA
This eliminates the possibility of a tag being changed under us.
---
 .github/workflows/circleci.yml | 2 +-
 .github/workflows/tests.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/circleci.yml b/.github/workflows/circleci.yml
index 384bc8e..a54e030 100644
--- a/.github/workflows/circleci.yml
+++ b/.github/workflows/circleci.yml
@@ -35,7 +35,7 @@ jobs:
 - name: Set up reviewdog
 if: "${{ steps.fetch-artifacts.outputs.count != 0 }}"
- uses: reviewdog/action-setup@v1
+ uses: reviewdog/action-setup@e04ffabe3898a0af8d0fb1af00c188831c4b5893 # v1
 with:
 reviewdog_version: latest
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 98ceb87..3cddd74 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -42,4 +42,4 @@ jobs:
 pytest -raR -n auto --cov --cov-report=
 - name: Upload code coverage
- uses: codecov/codecov-action@v3
+ uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3
From e8e30143ffe98e919753f7cf32561f1dcab9e02c Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 22:53:30 -0400
Subject: [PATCH 2/6] CI: pin actions by SHA
This eliminates the possibility of a tag being changed under us.
---
 .github/workflows/circleci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/circleci.yml b/.github/workflows/circleci.yml
index a54e030..42dc671 100644
--- a/.github/workflows/circleci.yml
+++ b/.github/workflows/circleci.yml
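Review bot: `reviewdog_version: latest`, the context line right under the newly pinned `uses:`, still makes the action download whatever reviewdog release is current at run time, so the binary that actually runs stays on the mutable path this patch closes for the action code itself. Pinning it as well, `reviewdog_version: "<pinned-version>"` (placeholder — use the release currently in use), would finish the change; as far as I know the Dependabot config added in PATCH 5/6 tracks `uses:` refs, not action inputs, so this value needs a manual bump when updated. The same context line appears again in the PATCH 6/6 hunk for this file, which only corrects the version comment.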
@@ -10,7 +10,7 @@ jobs:
 name: Run CircleCI artifacts redirector
 steps:
 - name: GitHub Action step
- uses: larsoner/circleci-artifacts-redirector-action@master
+ uses: scientific-python/circleci-artifacts-redirector-action@7eafdb60666f57706a5525a2f5eb76224dc8779b # v1.1.0
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 artifact-path: 0/doc/build/html/index.html
From cf9cf71e8d11edb128a37059d2ce9f621ce65b21 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 23:07:43 -0400
Subject: [PATCH 3/6] CI: auto-fix via zizmor
May include:
- Avoids risky string interpolation.
- Prevents checkout premissions from leaking
---
 .github/workflows/circleci.yml | 6 +++++-
 .github/workflows/release.yml | 1 +
 .github/workflows/reviewdog.yml | 3 +++
 .github/workflows/tests.yml | 1 +
 4 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/circleci.yml b/.github/workflows/circleci.yml
index 42dc671..63f54d8 100644
--- a/.github/workflows/circleci.yml
+++ b/.github/workflows/circleci.yml
@@ -27,11 +27,15 @@ jobs:
 name: Post warnings/errors as review
 steps:
 - uses: actions/checkout@v3
+ with:
+ persist-credentials: false
 - name: Fetch result artifacts
 id: fetch-artifacts
 run: |
- python .circleci/fetch_doc_logs.py "${{ github.event.target_url }}"
+ python .circleci/fetch_doc_logs.py "${GITHUB_EVENT_TARGET_URL}"
+ env:
+ GITHUB_EVENT_TARGET_URL: ${{ github.event.target_url }}
 - name: Set up reviewdog
 if: "${{ steps.fetch-artifacts.outputs.count != 0 }}"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 024c8d9..39da312 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -14,6 +14,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 fetch-depth: 10
+ persist-credentials: false
 - name: Set up Python
 id: setup
diff --git a/.github/workflows/reviewdog.yml b/.github/workflows/reviewdog.yml
index ce95577..82ba40e 100644
--- a/.github/workflows/reviewdog.yml
+++ b/.github/workflows/reviewdog.yml
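Review bot: `actions/checkout@v3` on the context line this hunk attaches `persist-credentials: false` to is still a floating tag, as are `actions/checkout@v4` and `actions/setup-python@v4` in the release.yml, reviewdog.yml and tests.yml hunks of this patch, even though PATCH 1/6 and 2/6 pinned the other third-party actions by SHA and nothing later in the series pins these. `persist-credentials: false` limits what a compromised checkout step could read, but the code of the checkout action itself remains whatever the tag points at; pinning them the same way, `uses: actions/checkout@<commit-sha> # v4` (placeholder SHA), would complete the hardening, and the Dependabot config in PATCH 5/6 will then bump SHA and version comment together. circleci.yml is also the only workflow still on checkout v3 while the others use v4 — if that is not deliberate, aligning it while pinning is cheap.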
@@ -13,6 +13,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up Python 3
 uses: actions/setup-python@v4
@@ -47,6 +49,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Set up Python
 uses: actions/setup-python@v4
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 3cddd74..3da9051 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -22,6 +22,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Set up Python ${{ matrix.python-version }}
 uses: actions/setup-python@v4
From 6345345734af703330693ec756f5ffc80c9728ee Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 23:21:46 -0400
Subject: [PATCH 4/6] CI: Restrict default permissions
Reduces risk of arbitrary code is run by attacker.
---
 .github/workflows/release.yml | 2 ++
 .github/workflows/reviewdog.yml | 2 ++
 .github/workflows/tests.yml | 2 ++
 3 files changed, 6 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 39da312..ebf6315 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,6 +1,8 @@
 ---
 name: Release
+permissions:
+ contents: read
 on:
 release:
 types:
diff --git a/.github/workflows/reviewdog.yml b/.github/workflows/reviewdog.yml
index 82ba40e..a1359b2 100644
--- a/.github/workflows/reviewdog.yml
+++ b/.github/workflows/reviewdog.yml
@@ -1,5 +1,7 @@
 ---
 name: Linting
+permissions:
+ contents: read
 on:
 push:
 branches-ignore:
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 3da9051..41a470f 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -1,6 +1,8 @@
 ---
 name: Tests
+permissions:
+ contents: read
 on:
 push:
From 2e5b7286979e3aead58c236db0fd38d95d766b9e Mon Sep 17 00:00:00 2001
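Review bot: The workflow-level `permissions:` / `contents: read` block is added to release.yml, reviewdog.yml and tests.yml (the three `@@ -1` hunks of PATCH 4/6) but not to circleci.yml, which is the workflow that hands `secrets.GITHUB_TOKEN` to a third-party action (PATCH 2/6) and posts warnings as a review (PATCH 1/6); unless it already carries job-level permissions outside the visible hunks, it keeps the repository's default token scopes, which is exactly the exposure this patch targets. Adding the same two lines at its top and granting only what the redirector and review steps need at job level would close that gap. For the three workflows that are covered, a workflow-level `contents: read` now applies to every job, so any job that must write — a reviewdog job posting PR reviews, or a release job that publishes — has to declare its extra scope at job level; those job definitions are outside these hunks, so confirm they do before merging, otherwise the first run fails on a permission error.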
From: Thomas A Caswell
Date: Fri, 18 Jul 2025 11:34:33 -0400
Subject: [PATCH 5/6] CI: add dependabot config file for GHA
---
 .github/dependabot.yml | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..fc9f855
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/" # Location of your workflow files
+ schedule:
+ interval: "weekly" # Options: daily, weekly, monthly
From 4c0fd470ee4c5f5de2e4701259dbdd4e20c00299 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Tue, 22 Jul 2025 09:22:59 -0400
Subject: [PATCH 6/6] CI: update version string
Co-authored-by: Elliott Sales de Andrade
---
 .github/workflows/circleci.yml | 2 +-
 .github/workflows/tests.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/circleci.yml b/.github/workflows/circleci.yml
index 63f54d8..38c1cfb 100644
--- a/.github/workflows/circleci.yml
+++ b/.github/workflows/circleci.yml
@@ -39,7 +39,7 @@ jobs:
 - name: Set up reviewdog
 if: "${{ steps.fetch-artifacts.outputs.count != 0 }}"
- uses: reviewdog/action-setup@e04ffabe3898a0af8d0fb1af00c188831c4b5893 # v1
+ uses: reviewdog/action-setup@e04ffabe3898a0af8d0fb1af00c188831c4b5893 # v1.3.2
 with:
 reviewdog_version: latest
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 41a470f..46b5f75 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -45,4 +45,4 @@ jobs:
 pytest -raR -n auto --cov --cov-report=
 - name: Upload code coverage
- uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3
+ uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3.1.6
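Review bot: The first added line of .github/dependabot.yml is empty, so the new file starts with a blank line; drop it, or replace it with a `---` document start as the workflow files in this repo use (visible as line 1 in the three `@@ -1` hunks of PATCH 4/6). The `# Location of your workflow files` and `# Options: daily, weekly, monthly` trailing comments are template boilerplate and can go, since the quoted values already say what they are. Only the `github-actions` ecosystem is covered; if the project's Python dependencies are meant to get the same update cadence, a second `updates` entry would do it, though that is outside this patch's stated scope.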