From 9c959e9bfa2d3a7788c6ef160b6061f9dadbcdeb Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 21:02:20 -0400
Subject: [PATCH 1/5] CI: pin actions by SHA
This eliminates the possibility of a tag being changed under us.
---
 .github/workflows/docs.yml | 6 +++---
 .github/workflows/test_and_deploy.yml | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 55eb1aa..bb2359b 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -23,7 +23,7 @@ jobs:
 with:
 python-version: "3.10"
- - uses: tlambert03/setup-qt-libs@v1
+ - uses: tlambert03/setup-qt-libs@19e4ef2d781d81f5f067182e228b54ec90d23b76 # v1
 - name: Install Dependencies
 run: |
@@ -32,7 +32,7 @@ jobs:
 sudo apt install graphviz --yes
 - name: Build Docs
- uses: aganders3/headless-gui@v2
+ uses: aganders3/headless-gui@f85dd6316993505dfc5f21839d520ae440c84816 # v2
 with:
 run: make html
 working-directory: ./docs
@@ -55,7 +55,7 @@ jobs:
 name: docs
 - name: Push to GitHub pages
- uses: JamesIves/github-pages-deploy-action@v4
+ uses: JamesIves/github-pages-deploy-action@6c2d9db40f9296374acc17b90404b6e8864128c8 # v4
 with:
 folder: html
 ssh-key: ${{ secrets.DEPLOY_KEY }}
diff --git a/.github/workflows/test_and_deploy.yml b/.github/workflows/test_and_deploy.yml
index 77853f7..3ba4cdd 100644
--- a/.github/workflows/test_and_deploy.yml
+++ b/.github/workflows/test_and_deploy.yml
@@ -35,7 +35,7 @@ jobs:
 python-version: ${{ matrix.python-version }}
 # these libraries enable testing on Qt on linux
- - uses: tlambert03/setup-qt-libs@v1
+ - uses: tlambert03/setup-qt-libs@19e4ef2d781d81f5f067182e228b54ec90d23b76 # v1
 # strategy borrowed from vispy for installing opengl libs on windows
 - name: Install Windows OpenGL
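Review bot: The version comments on the new pins record only the moving major tag (`# v1`, `# v2`, `# v4`), so a reader cannot check that the SHA is what that tag resolved to at pin time without querying the upstream repository; the codecov-action hunk on the next line has the same issue, while patch 2 and patch 5 use the exact form (`# v1.12.4`, `# v4.2.2`). Recording the exact release is also what keeps the comment meaningful when an update bot later rewrites the SHA, e.g. `- uses: tlambert03/setup-qt-libs@19e4ef2d781d81f5f067182e228b54ec90d23b76 # v1.X.Y` with `X.Y` replaced by the real tag. Of these four pins the `JamesIves/github-pages-deploy-action` one matters most, since that step is handed `secrets.DEPLOY_KEY`. The step lists these hunks sit in start outside the hunks.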
@@ -62,7 +62,7 @@ jobs:
 if: ${{ always() }}
 - name: Coverage
- uses: codecov/codecov-action@v5
+ uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5
 # Don't run coverage on merge queue CI to avoid duplicating reports
 # to codecov. See https://github.com/matplotlib/napari-matplotlib/issues/155
 if: github.event_name != 'merge_group'
From f1b0255e4af15d7011079d42ffddf1909505096b Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 22:03:10 -0400
Subject: [PATCH 2/5] CI: pin actions by SHA
This eliminates the possibility of a tag being changed under us.
---
 .github/workflows/test_and_deploy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/test_and_deploy.yml b/.github/workflows/test_and_deploy.yml
index 3ba4cdd..07e97ac 100644
--- a/.github/workflows/test_and_deploy.yml
+++ b/.github/workflows/test_and_deploy.yml
@@ -99,4 +99,4 @@ jobs:
 python -m build .
 - name: Publish package
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
From 3e690b4e63bff54f918f96464c3814f546a920a6 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 23:08:13 -0400
Subject: [PATCH 3/5] CI: auto-fix via zizmor
May include:
- Avoids risky string interpolation.
- Prevents checkout premissions from leaking
---
 .github/workflows/docs.yml | 4 ++++
 .github/workflows/test_and_deploy.yml | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index bb2359b..fe939f8 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -18,6 +18,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v5
 with:
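Review bot: Moving `pypa/gh-action-pypi-publish` from the `release/v1` branch to a fixed commit means upstream patch releases of the publishing action no longer reach this job on their own, so the pin needs an owner; unless the repository already has a Dependabot or Renovate configuration for the `github-actions` ecosystem (not visible in this series), the SHA will quietly age. The `# v1.12.4` comment is the right form for such tooling to keep current, and is the form the pins in patch 1 should also use. The publish job this step belongs to, which a later hunk shows declaring `id-token: write`, starts outside this hunk.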
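Review bot: `persist-credentials: false` is added under `actions/checkout@v4` while that action itself stays tag-pinned, as does `actions/setup-python@v5` on the following line, although every other action in this series is pinned to a SHA and patch 5 pins the very same action as `actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2`; the three hunks on the next line (checkout, `actions/download-artifact@v4.3.0` and setup-python) have the same gap. Since the series' stated goal is removing tag-retargeting risk, these are the remaining tag references to convert, e.g. `- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2`. The job these steps belong to starts outside the hunk.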
@@ -50,6 +52,8 @@ jobs:
 if: contains(github.ref, 'tags')
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: actions/download-artifact@v4.3.0
 with:
 name: docs
diff --git a/.github/workflows/test_and_deploy.yml b/.github/workflows/test_and_deploy.yml
index 07e97ac..7cc9d03 100644
--- a/.github/workflows/test_and_deploy.yml
+++ b/.github/workflows/test_and_deploy.yml
@@ -28,6 +28,8 @@ jobs:
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up Python ${{ matrix.python-version }}
 uses: actions/setup-python@v5
@@ -84,6 +86,8 @@ jobs:
 id-token: write
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up Python
 uses: actions/setup-python@v5
 with:
From df58a93682473372dd37aed99deaf6488aedf48f Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 23:21:26 -0400
Subject: [PATCH 4/5] CI: Restrict default permissions
Reduces risk of arbitrary code is run by attacker.
---
 .github/workflows/docs.yml | 2 ++
 .github/workflows/test_and_deploy.yml | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index fe939f8..6a5d182 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -1,4 +1,6 @@
 name: Build docs
+permissions:
+ contents: read
 on:
diff --git a/.github/workflows/test_and_deploy.yml b/.github/workflows/test_and_deploy.yml
index 7cc9d03..ff84bf2 100644
--- a/.github/workflows/test_and_deploy.yml
+++ b/.github/workflows/test_and_deploy.yml
@@ -1,4 +1,6 @@
 name: tests
+permissions:
+ contents: read
 on:
 push:
From 90e38c3ca2aa10eadeb16bc9d99909f644c337f4 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Fri, 18 Jul 2025 14:02:09 -0400
Subject: [PATCH 5/5] CI: run pre-commit on GHA
---
 .github/workflows/test_and_deploy.yml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
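Review bot: The workflow-level `permissions: contents: read` added to both files does not reach a job that declares its own `permissions:` block — GitHub treats a job-level block as a complete replacement, with every unlisted scope set to none, not as a merge — and the publish job in test_and_deploy.yml does declare one (`id-token: write` is visible as context in the `@@ -84,6 +86,8 @@` hunk above). Whether that block also lists `contents: read` is outside the visible hunks; if it does not, the job's `GITHUB_TOKEN` carries no contents scope at all, which is worth confirming against its checkout step. A comment above the new block would keep the next editor from assuming inheritance, e.g. `# Default for every job; a job with its own permissions: block replaces this entirely.` Both hunks cover only the top of their file, so the jobs themselves are outside them.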
diff --git a/.github/workflows/test_and_deploy.yml b/.github/workflows/test_and_deploy.yml
index ff84bf2..0521c9e 100644
--- a/.github/workflows/test_and_deploy.yml
+++ b/.github/workflows/test_and_deploy.yml
@@ -19,6 +19,19 @@ concurrency:
 cancel-in-progress: true
 jobs:
+ pre-commit:
+ name: precommit
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ fetch-depth: 0
+ - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
+ with:
+ python-version: "3.x"
+ - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
+ with:
+ extra_args: --hook-stage manual --all-files
 test:
 name: ${{ matrix.platform }} py${{ matrix.python-version }}
 runs-on: ${{ matrix.platform }}
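Review bot: The new checkout step is the only one in this series without `persist-credentials: false` — patch 3 added it to every existing checkout — so the `GITHUB_TOKEN` is left in the local git config for the rest of the job, where the pre-commit hooks run; add `persist-credentials: false` under the existing `with:` next to `fetch-depth`. `fetch-depth: 0` pulls the full history, which `pre-commit run --all-files` does not need (it works from the checked-out tree; history is only needed when running with `--from-ref`/`--to-ref`), so dropping it makes the job faster unless a hook in `.pre-commit-config.yaml` actually reads history. The `test:` job that follows continues outside this hunk.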