chore(ci): harden ci config

.github/dependabot.yml

@@ -9,6 +9,8 @@ updates:
       actions:
         patterns:
           - "*"
+    cooldown:
+      default-days: 7
 
   # Bump hypothesis-awkward, which is pinned to an exact version in
   # requirements-test-full.txt. Newer versions produce more varied test
@@ -21,3 +23,5 @@ updates:
       interval: "weekly"
     allow:
       - dependency-name: "hypothesis-awkward"
+    cooldown:
+      default-days: 7

.github/workflows/ci.yml

@@ -1,12 +1,14 @@
 name: CI
 
 on:
-  workflow_dispatch:
   pull_request:
   push:
     branches:
       - main
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -34,13 +36,20 @@ jobs:
 
   coverage:
     uses: ./.github/workflows/reusable-coverage.yml
-    secrets: inherit
+    secrets:
+      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 
   docs:
     uses: ./.github/workflows/reusable-docs.yml
-    secrets: inherit
+    permissions:
+      id-token: write # Required by the reusable docs deploy job for AWS OIDC.
+      contents: read
+    secrets:
+      AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
+      AWS_DEPLOY_ROLE: ${{ secrets.AWS_DEPLOY_ROLE }}
 
   pass:
+    name: Check CI result
     if: always()
     needs:
       - change-detection
@@ -53,7 +62,7 @@ jobs:
 
     steps:
       - name: Decide whether the needed jobs succeeded or failed
-        uses: re-actors/alls-green@release/v1
+        uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
         with:
           allowed-skips: >-
             ${{

.github/workflows/deploy-cpp.yml

@@ -7,25 +7,32 @@ on:
             type: boolean
             description: Publish to PyPI
 
-jobs:
+permissions:
+  contents: read
+
+concurrency:
+  group: deploy-cpp-${{ github.ref }}
+  cancel-in-progress: true
 
+jobs:
   build-wheels:
     uses: ./.github/workflows/reusable-build-wheels.yml
 
   upload-awkward-cpp:
+    name: Upload awkward-cpp
     needs: [build-wheels]
     runs-on: ubuntu-latest
     if: inputs.publish-pypi
     permissions:
-      id-token: write
-      attestations: write
+      id-token: write # Required for trusted publishing to PyPI.
+      attestations: write # Required to sign release artifacts before publishing.
       contents: read
     environment:
       name: "pypi"
       url: "https://pypi.org/project/awkward-cpp/"
     steps:
 
-    - uses: actions/download-artifact@v8
+    - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
       with:
         pattern: "awkward-cpp*"
         path: dist
@@ -39,4 +46,4 @@ jobs:
       with:
         subject-path: "dist/awkward*cpp-*"
 
-    - uses: pypa/gh-action-pypi-publish@v1.14.0
+    - uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0

.github/workflows/deploy.yml

@@ -10,6 +10,13 @@ on:
     types:
     - published
 
+permissions:
+  contents: read
+
+concurrency:
+  group: deploy-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   determine-source-date-epoch:
     name: "Determine SOURCE_DATE_EPOCH"
@@ -18,10 +25,11 @@ jobs:
       source-date-epoch: ${{ steps.log.outputs.source-date-epoch }}
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           submodules: true
           fetch-depth: 0
+          persist-credentials: false
 
       - id: log
         name: Compute SOURCE_DATE_EPOCH
@@ -35,9 +43,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           submodules: true
+          persist-credentials: false
 
       - name: Check awkward-cpp version matches requirement
         run: pipx run nox -s check_cpp_constraint
@@ -50,9 +59,10 @@ jobs:
       SOURCE_DATE_EPOCH: ${{ needs.determine-source-date-epoch.outputs.source-date-epoch }}
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           submodules: true
+          persist-credentials: false
 
       - name: Prepare build files
         run: pipx run nox -s prepare
@@ -68,15 +78,16 @@ jobs:
     runs-on: ubuntu-latest
     needs: [determine-source-date-epoch]
     permissions:
-      id-token: write
-      attestations: write
+      id-token: write # Required to sign release artifacts before publishing.
+      attestations: write # Required to upload artifact attestations.
       contents: read
     env:
       SOURCE_DATE_EPOCH: ${{ needs.determine-source-date-epoch.outputs.source-date-epoch }}
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         submodules: true
+        persist-credentials: false
 
     - name: Prepare build files
       run: pipx run nox -s prepare
@@ -92,7 +103,7 @@ jobs:
       with:
         subject-path: "dist/awkward-*"
 
-    - uses: actions/upload-artifact@v7
+    - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
       with:
         name: distributions
         path: dist/*
@@ -101,23 +112,27 @@ jobs:
     name: "Bundle header-only libraries"
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v6
-    - uses: actions/upload-artifact@v7
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
+    - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
       with:
         name: header-only
         path: header-only
 
   upload:
+    name: Upload distributions
     needs: [build, check-requirements, check-cpp-on-pypi]
     runs-on: ubuntu-latest
     if: (github.event_name == 'release' && github.event.action == 'published') || inputs.publish-pypi
     permissions:
-      id-token: write
+      id-token: write # Required for trusted publishing to PyPI.
+      contents: read
     environment:
       name: "pypi"
       url: "https://pypi.org/project/awkward/"
     steps:
-    - uses: actions/download-artifact@v8
+    - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
       with:
         name: distributions
         path: dist
@@ -128,29 +143,34 @@ jobs:
     - name: Verify sdist artifact attestation
       env:
         GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      run: gh attestation verify dist/awkward-*.tar.gz --repo ${{ github.repository }}
+        REPOSITORY: ${{ github.repository }}
+      run: gh attestation verify dist/awkward-*.tar.gz --repo "${REPOSITORY}"
 
     - name: Verify wheel artifact attestation
       env:
         GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      run: gh attestation verify dist/awkward-*.whl --repo ${{ github.repository }}
+        REPOSITORY: ${{ github.repository }}
+      run: gh attestation verify dist/awkward-*.whl --repo "${REPOSITORY}"
 
-    - uses: pypa/gh-action-pypi-publish@v1.14.0
+    - uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
 
   publish-headers:
     name: "Publish header-only libraries alongside release"
     runs-on: ubuntu-latest
     needs: [bundle-headers]
     if: github.event_name == 'release' && github.event.action == 'published'
+    permissions:
+      contents: write # Required to upload header-only archives to releases.
     steps:
-    - uses: actions/download-artifact@v8
+    - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
       with:
         name: header-only
         path: header-only
     - name: Create archive
       run: |
         # Don't include `header-only` parent directory
         env -C header-only/ zip -r header-only.zip .
-    - uses: softprops/action-gh-release@v3
-      with:
-        files: header-only/header-only.zip
+    - name: Upload archive to release
+      env:
+        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: gh release upload "${GITHUB_REF_NAME}" header-only/header-only.zip --clobber

.github/workflows/docs-preview.yml

@@ -1,19 +1,26 @@
 name: Docs Preview
-on:
+on: # zizmor: ignore[dangerous-triggers] This privileged workflow only deploys artifacts from a completed CI run.
   workflow_run:
     workflows: [CI]
     types:
       - completed
 
+concurrency:
+  group: docs-preview-${{ github.event.workflow_run.id }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
 jobs:
   branch-preview:
     runs-on: ubuntu-24.04
     name: Deploy Branch Preview
     if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'pull_request' }}
     permissions:
-      id-token: write
+      id-token: write # Required to assume the AWS deployment role through OIDC.
       contents: read
-      pull-requests: write
+      pull-requests: write # Required to comment with the preview URL.
     env:
       S3_BUCKET: "preview.awkward-array.org"
       DEPLOY_URL: "http://preview.awkward-array.org.s3-website.us-east-1.amazonaws.com"
@@ -22,12 +29,12 @@ jobs:
       url: "${{ env.DEPLOY_URL }}/PR${{ steps.pr_number.outputs.pr_number }}"
     steps:
     - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@v6
+      uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1
       with:
         aws-region: eu-west-2
         role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }}
     - name: Download rendered docs
-      uses: actions/github-script@v9
+      uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
       with:
         script: |
           let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
@@ -55,37 +62,39 @@ jobs:
           });
           const fs = require('fs');
           const path = require('path');
-          const temp = '${{ runner.temp }}/artifacts';
+          const temp = path.join(process.env.RUNNER_TEMP, 'artifacts');
           if (!fs.existsSync(temp)){
             fs.mkdirSync(temp);
           }
           fs.writeFileSync(path.join(temp, 'docs.zip'), Buffer.from(downloadDocs.data));
           fs.writeFileSync(path.join(temp, 'pr_number.zip'), Buffer.from(downloadPRNumber.data));
     - name: Unzip artifacts
       run: |
-        unzip "${{ runner.temp }}/artifacts/docs.zip" -d "${{ runner.temp }}/artifacts"
-        unzip "${{ runner.temp }}/artifacts/pr_number.zip" -d "${{ runner.temp }}/artifacts"
+        unzip "${RUNNER_TEMP}/artifacts/docs.zip" -d "${RUNNER_TEMP}/artifacts"
+        unzip "${RUNNER_TEMP}/artifacts/pr_number.zip" -d "${RUNNER_TEMP}/artifacts"
     - name: Read PR number
       id: pr_number
       run: |
-        echo "pr_number=$(cat ${{ runner.temp }}/artifacts/pr_number.txt)" >> $GITHUB_OUTPUT
-        rm "${{ runner.temp }}/artifacts/pr_number.txt"
-        rm "${{ runner.temp }}/artifacts/docs.zip"
-        rm "${{ runner.temp }}/artifacts/pr_number.zip"
+        echo "pr_number=$(cat "${RUNNER_TEMP}/artifacts/pr_number.txt")" >> "${GITHUB_OUTPUT}"
+        rm "${RUNNER_TEMP}/artifacts/pr_number.txt"
+        rm "${RUNNER_TEMP}/artifacts/docs.zip"
+        rm "${RUNNER_TEMP}/artifacts/pr_number.zip"
     - name: Sync artifacts
       run: |
-        aws s3 sync ${{ runner.temp }}/artifacts/ "s3://${S3_BUCKET}/PR${{ steps.pr_number.outputs.pr_number }}"
+        aws s3 sync "${RUNNER_TEMP}/artifacts/" "s3://${S3_BUCKET}/PR${STEPS_PR_NUMBER_OUTPUTS_PR_NUMBER}"
+      env:
+        STEPS_PR_NUMBER_OUTPUTS_PR_NUMBER: ${{ steps.pr_number.outputs.pr_number }}
     - name: Try to find previous bot comment
-      uses: peter-evans/find-comment@v4
+      uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4.0.0
       id: fc
       with:
         issue-number: ${{ steps.pr_number.outputs.pr_number }}
         comment-author: 'github-actions[bot]'
         body-includes: The documentation preview is ready to be viewed
     - name: Create comment with preview link
       if: steps.fc.outputs.comment-id == ''
-      uses: peter-evans/create-or-update-comment@v5
-      with:
-        issue-number: ${{ steps.pr_number.outputs.pr_number }}
-        body: |
-          The documentation preview is ready to be viewed at <${{ env.DEPLOY_URL }}/PR${{ steps.pr_number.outputs.pr_number }}>
+      env:
+        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        PR_NUMBER: ${{ steps.pr_number.outputs.pr_number }}
+        PREVIEW_URL: ${{ env.DEPLOY_URL }}/PR${{ steps.pr_number.outputs.pr_number }}
+      run: gh pr comment "${PR_NUMBER}" --body "The documentation preview is ready to be viewed at <${PREVIEW_URL}>"

.github/workflows/docs-version.yml

@@ -8,6 +8,9 @@ on:
       - docs/switcher.json
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 concurrency:
   group: 'docs-version-${{ github.head_ref || github.run_id }}'
   cancel-in-progress: true
@@ -17,17 +20,19 @@ jobs:
     runs-on: ubuntu-22.04
     name: Push version switcher
     permissions:
-      id-token: write
+      id-token: write # Required to assume the AWS deployment role through OIDC.
       contents: read
     env:
       S3_BUCKET: "awkward-array.org"
       CLOUDFRONT_ID: "EFM4QVENUIXHS"
     environment:
       name: docs
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v6
+        uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1
         with:
           aws-region: eu-west-2
           role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }}