
Provide pinning for GitHub Actions #182

Open
lucperkins wants to merge 3 commits into main from actions-pinning

Conversation

lucperkins (Member) commented May 12, 2026

This pins our GitHub Actions and provides automated updates. This PR also specifies cooldown for npm dependencies.

Summary by CodeRabbit

  • Chores
    • Simplified and strengthened dependency update configuration: grouping, weekly cadence, cooldown, commit/label behavior, and semver-specific thresholds for npm updates.
    • Pinned CI and downstream workflow actions to specific commit versions to improve reproducibility and security.
    • Added repository policy rules to enforce ref-pinning for referenced actions.
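The cooldown the description turns on for npm is easiest to see as code. The following is an added example, not code from this PR or from the detsys-ts project: it models a cooldown gate whose waiting period depends on the size of the semver bump, keyed like Dependabot's cooldown settings (default-days, semver-major-days, semver-minor-days, semver-patch-days). The day thresholds, the constructed release history, and the assumption that the newest version that has cleared its window is the one proposed are all assumptions made for the example.

```python
"""Cooldown gate for npm dependency updates.

Added example, not code from the PR or the detsys-ts project. A newly
published version is held back for a number of days that depends on the
size of the semver bump, so a compromised or broken release has time to be
noticed and yanked before an automated update PR pulls it in. Thresholds,
key names and the release list are assumptions constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Assumed thresholds, keyed like Dependabot's cooldown settings
# (default-days, semver-major-days, semver-minor-days, semver-patch-days).
COOLDOWN_DAYS = {"default": 7, "major": 30, "minor": 14, "patch": 7}

# "Today" for the worked example, fixed so the results are reproducible.
TODAY = date(2026, 5, 12)


@dataclass(frozen=True)
class Release:
    version: str
    published: date


def parse_semver(version: str) -> tuple[int, int, int]:
    """Parse a plain MAJOR.MINOR.PATCH string; pre-release/build tags are rejected."""
    parts = version.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a plain semver version: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def bump_kind(current: str, candidate: str) -> str:
    """Classify the jump from current to candidate as 'major', 'minor' or 'patch'."""
    cur, cand = parse_semver(current), parse_semver(candidate)
    if cand <= cur:
        raise ValueError(f"{candidate} is not newer than {current}")
    if cand[0] != cur[0]:
        return "major"
    if cand[1] != cur[1]:
        return "minor"
    return "patch"


def days_remaining(current: str, release: Release, today: date) -> int:
    """Days the release still has to age before it clears its cooldown (0 if clear)."""
    kind = bump_kind(current, release.version)
    wait = COOLDOWN_DAYS.get(kind, COOLDOWN_DAYS["default"])
    clear_on = release.published + timedelta(days=wait)
    return max(0, (clear_on - today).days)


def pick_update(current: str, releases: list[Release], today: date) -> str | None:
    """Highest version newer than `current` that has cleared its cooldown.

    Assumed model of what an automated bumper proposes: releases still inside
    their window are skipped, not waited for. Returns None if nothing is
    eligible yet.
    """
    cleared = [
        r for r in releases
        if parse_semver(r.version) > parse_semver(current)
        and days_remaining(current, r, today) == 0
    ]
    if not cleared:
        return None
    return max(cleared, key=lambda r: parse_semver(r.version)).version


# Constructed release history for the example (not a real package).
RELEASES = [
    Release("1.4.3", date(2026, 5, 10)),   # 2 days old: patch needs 7
    Release("1.4.4", date(2026, 5, 1)),    # 11 days old: patch cleared
    Release("1.5.0", date(2026, 4, 20)),   # 22 days old: minor needs 14, cleared
    Release("2.0.0", date(2026, 4, 25)),   # 17 days old: major needs 30
]

if __name__ == "__main__":
    for r in RELEASES:
        kind = bump_kind("1.4.2", r.version)
        print(r.version, kind, "days remaining:", days_remaining("1.4.2", r, TODAY))
    print("would propose:", pick_update("1.4.2", RELEASES, TODAY))
```

Note what the gate does and does not buy: the freshly published 1.4.3 and the young 2.0.0 are skipped while 1.5.0 is proposed, so a malicious release is only caught if someone notices and yanks it inside the window; the cooldown is a delay that gives detection time, not a check of the release itself.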


netlify (bot) commented May 12, 2026

Deploy Preview for detsys-ts-docs ready!

Name              Link
Latest commit     c452cdd
Latest deploy log https://app.netlify.com/projects/detsys-ts-docs/deploys/6a034ac11e01c10008b2e019
Deploy Preview    https://deploy-preview-182--detsys-ts-docs.netlify.app

coderabbitai (bot) commented May 12, 2026

Walkthrough

This PR secures GitHub Actions and dependency management across the repository by pinning Actions to specific commit SHAs in CI and automation workflows, reconfiguring Dependabot with weekly update policies and semver thresholds, and enforcing ref-pinning through Zizmor policy.

Changes

Actions Pinning and Dependency Management Policy

Dependabot configuration for automated updates (.github/dependabot.yml)
Dependabot entries for the github-actions and npm ecosystems now include cooldown with 7-day defaults, simplified grouping patterns, the commit-message prefix ci, dependency-related labels, semver-specific day thresholds for npm, and ignore rules for DeterminateSystems/*.

Workflow action pinning (.github/workflows/ci.yml, .github/workflows/update-downstream.yml)
actions/checkout pinned to a specific commit SHA, DeterminateSystems/determinate-nix-action switched from the @v3 tag to the @main branch, and peter-evans/create-pull-request pinned to a specific commit SHA in the update-downstream workflow. Credential persistence was disabled for checkouts.

Zizmor policy enforcement (.github/zizmor.yml)
Zizmor configuration adds the unpinned-uses rule with a ref-pin policy for the DeterminateSystems/* namespace, enforcing pinned refs for external Actions going forward.

Estimated code review effort: 1 (Trivial), ~4 minutes

Poem

A rabbit hops through pinned commits so true,
No floating tags to cause a review—
Dependabot tends the weekly care,
While Zizmor stands guard over there! 🐰

Pre-merge checks: 5 passed

Description check: passed (check skipped; CodeRabbit's high-level summary is enabled).
Title check: passed. The title 'Provide pinning for GitHub Actions' directly and accurately summarizes the main change: pinning GitHub Actions across multiple workflow files.
Docstring coverage: passed. No functions found in the changed files to evaluate docstring coverage; skipping the docstring coverage check.
Linked issues check: passed (check skipped because no linked issues were found for this pull request).
Out-of-scope changes check: passed (check skipped because no linked issues were found for this pull request).


Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.



coderabbitai (bot) left a review

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/dependabot.yml:
- Around line 33-35: The labels array under the npm ecosystem's configuration
incorrectly contains "github-actions"; update the labels entry (the labels: list
associated with the npm ecosystem block) to replace "github-actions" with "npm"
so the dependabot config correctly tags npm updates with the npm label.

In @.github/zizmor.yml:
- Around line 1-5: Replace the unpinned usage of
DeterminateSystems/flakehub-cache-action@main in both CI workflows with a commit
SHA pin (same pattern used for DeterminateSystems/determinate-nix-action); find
the desired commit SHA in the DeterminateSystems/flakehub-cache-action
repository (use the full 40-character commit SHA from the commit you want to
track) and update the action references in the two workflow files that currently
reference DeterminateSystems/flakehub-cache-action@main so they read
DeterminateSystems/flakehub-cache-action@<commit-sha>, ensuring both occurrences
are changed.

Review info: configuration used: defaults; review profile: CHILL; plan: Pro; run ID: 7e4e6c85-f84b-4711-94fa-80f3ae1fb76c

📥 Commits

Reviewing files that changed from the base of the PR and between 65d8cdf and 57bbc6a.

📒 Files selected for processing (4)
  • .github/dependabot.yml
  • .github/workflows/ci.yml
  • .github/workflows/update-downstream.yml
  • .github/zizmor.yml

coderabbitai (bot) left a second review

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 21-22: Replace the mutable `@main` refs for the DeterminateSystems
actions with immutable 40-character commit SHAs: update the two usages
"DeterminateSystems/determinate-nix-action@main" and
"DeterminateSystems/flakehub-cache-action@main" to use their specific commit
SHAs (full 40-char values) so the workflow runs a pinned, immutable revision;
obtain the appropriate commit SHA for each action from their repository and
substitute it in place of "@main".

In @.github/workflows/update-downstream.yml:
- Around line 67-70: The workflow uses mutable refs for external actions;
replace the two uses lines referencing
DeterminateSystems/determinate-nix-action@main and
DeterminateSystems/flakehub-cache-action@main with immutable commit SHAs: locate
the uses entries for "DeterminateSystems/determinate-nix-action" and
"DeterminateSystems/flakehub-cache-action", find the appropriate commit SHA for
each action (e.g., from their GitHub repo commit history) and substitute `@main`
with @<full-commit-sha> for both entries so the workflow is pinned to specific
commits.

Review info: configuration used: defaults; review profile: CHILL; plan: Pro; run ID: 6fdb1f16-e231-46f5-b9d5-a58143e29471

📥 Commits

Reviewing files that changed from the base of the PR and between 57bbc6a and c452cdd.

📒 Files selected for processing (3)
  • .github/dependabot.yml
  • .github/workflows/ci.yml
  • .github/workflows/update-downstream.yml
✅ Files skipped from review due to trivial changes (1)
  • .github/dependabot.yml

Comment thread .github/workflows/ci.yml
Comment on lines +21 to 22
- uses: DeterminateSystems/determinate-nix-action@main
- uses: DeterminateSystems/flakehub-cache-action@main
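Review bot: both refs in this hunk stay on the mutable `main` branch, so the commit pinning this PR adds for `actions/checkout` does not cover the Nix installer or the cache action; whatever lands on those two repositories' `main` runs in this job on its next trigger. That matches the `ref-pin` exception for `DeterminateSystems/*` declared in `.github/zizmor.yml` and the matching Dependabot ignore rule, but nothing on these lines says so. A comment beside them, for example `# DeterminateSystems/* is exempt from hash pinning, see .github/zizmor.yml`, would let a reader of ci.yml alone tell an intentional float from an oversight and make it obvious that a later tightening of the policy has to touch both lines.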

coderabbitai (bot) commented May 12, 2026


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Identify action refs in workflows that are not pinned to 40-char commit SHAs.
rg -nP 'uses:\s*[^@]+@(?!(?:[0-9a-f]{40}\b))\S+' .github/workflows

Repository: DeterminateSystems/detsys-ts

Length of output: 456


Pin DeterminateSystems action refs to commit SHAs instead of @main.

Using @main is mutable and weakens supply-chain security guarantees. Pin to specific 40-character commit SHAs to ensure immutable workflow execution.

Suggested change
-      - uses: DeterminateSystems/determinate-nix-action@main
-      - uses: DeterminateSystems/flakehub-cache-action@main
+      - uses: DeterminateSystems/determinate-nix-action@<commit-sha>
+      - uses: DeterminateSystems/flakehub-cache-action@<commit-sha>
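Review bot: the `<commit-sha>` placeholders in the two `+` lines are not valid refs, so this suggestion cannot be applied as written. More importantly, with `DeterminateSystems/*` excluded from Dependabot updates in `.github/dependabot.yml`, a SHA pin on these two lines would never be bumped automatically and the job would stay frozen on whatever commit is chosen. If SHA pinning is wanted for these actions, drop the ignore rule for that namespace in the same change and append the tag comment Dependabot uses to track versions, e.g. `@<commit-sha> # v3`, so the pin remains maintainable.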
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 21 - 22, Replace the mutable `@main`
refs for the DeterminateSystems actions with immutable 40-character commit SHAs:
update the two usages "DeterminateSystems/determinate-nix-action@main" and
"DeterminateSystems/flakehub-cache-action@main" to use their specific commit
SHAs (full 40-char values) so the workflow runs a pinned, immutable revision;
obtain the appropriate commit SHA for each action from their repository and
substitute it in place of "@main".

lucperkins (Member, Author) commented

My zizmor config explicitly says that this is okay

coderabbitai (bot) commented

@lucperkins, you're right — I can see from the .github/zizmor.yml changes in this PR that DeterminateSystems/* is explicitly listed under policies with the ref-pin exception. That's a deliberate, documented policy decision. I'll disregard this in future reviews.

ʕ •ᴥ•ʔ


✏️ Learnings added
Learnt from: lucperkins
Repo: DeterminateSystems/detsys-ts PR: 182
File: .github/workflows/ci.yml:21-22
Timestamp: 2026-05-12T18:06:37.874Z
Learning: In the DeterminateSystems/detsys-ts repository, `DeterminateSystems/*` GitHub Actions (e.g., `DeterminateSystems/determinate-nix-action@main`, `DeterminateSystems/flakehub-cache-action@main`) are intentionally allowed to use mutable `main` refs rather than pinned commit SHAs. This exception is explicitly declared in `.github/zizmor.yml` under `policies` with `ref-pin` for the `DeterminateSystems/*` namespace, and `DeterminateSystems/*` is also excluded from Dependabot updates in `.github/dependabot.yml`. Do not flag these as unpinned action refs.

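The check the bot's rg one-liner performs (anything that is not a 40-hex SHA is flagged) and the namespace exception the zizmor policy adds can be combined in one small script. The following is an added example, not code from this PR, from zizmor or from the detsys-ts project: it classifies every remote `uses:` ref as hash-pin, ref-pin or any and compares it with the strictest policy whose pattern matches the action, the most specific pattern winning. The policy table (hash-pin for everything, ref-pin for DeterminateSystems/*), the strength ordering, the precedence rule and the sample workflow are constructed for the example; the SHA in the sample is a placeholder, not a real commit.

```python
"""Namespace-aware pin check for `uses:` refs in GitHub Actions workflows.

Added example, not code from the PR, from zizmor or from the detsys-ts
project. Each remote action ref is classified as hash-pin (40-hex commit
SHA), ref-pin (tag or branch) or any (no ref) and compared against the
strictest policy level whose pattern matches the action. Policy table,
strength ordering, precedence rule and sample workflow are assumptions
constructed for the example.
"""
from __future__ import annotations

import re
from fnmatch import fnmatchcase

SHA40 = re.compile(r"^[0-9a-f]{40}$")
# `- uses: owner/repo@ref` in a step list, or a bare `uses:` for a reusable workflow.
USES_LINE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)""")

# Assumed policy table: pin everything to a commit, but allow branch/tag refs
# for one trusted namespace, as the thread describes for DeterminateSystems/*.
POLICY = {
    "*": "hash-pin",
    "DeterminateSystems/*": "ref-pin",
}
STRENGTH = {"any": 0, "ref-pin": 1, "hash-pin": 2}


def classify(spec: str) -> tuple[str, str, str]:
    """Split 'owner/repo[/path]@ref' into (action, ref, pin kind)."""
    action, sep, ref = spec.partition("@")
    if not sep or not ref:
        return action, "", "any"
    if SHA40.match(ref):
        return action, ref, "hash-pin"
    return action, ref, "ref-pin"


def required_policy(action: str, policy: dict = POLICY) -> str:
    """Most specific matching pattern wins: exact name > 'owner/*' glob > '*'."""
    best, best_rank = "any", -1
    for pattern, level in policy.items():
        rank = 0 if pattern == "*" else (1 if "*" in pattern else 2)
        if rank > best_rank and fnmatchcase(action, pattern):
            best, best_rank = level, rank
    return best


def check_workflow(text: str, policy: dict = POLICY) -> list[dict]:
    """Return one finding per `uses:` whose pin kind is weaker than the policy demands."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_LINE.match(line)
        if not m:
            continue
        spec = m.group(1)
        # Local composite actions and container images are not remote git refs.
        if spec.startswith("./") or spec.startswith("docker://"):
            continue
        action, ref, have = classify(spec)
        need = required_policy(action, policy)
        if STRENGTH[have] < STRENGTH[need]:
            findings.append({"line": lineno, "uses": spec, "have": have, "need": need})
    return findings


# Constructed workflow fragment; the checkout SHA is a placeholder, not a real commit.
PLACEHOLDER_SHA = "a" * 40
SAMPLE_WORKFLOW = f"""\
jobs:
  build:
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA}  # placeholder
        with:
          persist-credentials: false
      - uses: DeterminateSystems/determinate-nix-action@main
      - uses: DeterminateSystems/flakehub-cache-action@main
      - uses: peter-evans/create-pull-request@v7
      - uses: some-org/some-action
      - uses: ./.github/actions/local-thing
"""

if __name__ == "__main__":
    for f in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['uses']} is {f['have']}, policy requires {f['need']}")
    strict = check_workflow(SAMPLE_WORKFLOW, {"*": "hash-pin"})
    print("without the namespace exception:", [f["line"] for f in strict])
```

Run against the constructed workflow, the check flags only `peter-evans/create-pull-request@v7` and the ref-less `some-org/some-action`; passing a policy of just `{"*": "hash-pin"}` additionally flags the two `@main` lines, which is exactly the difference the exception in `.github/zizmor.yml` makes and why the bot's one-liner and the project's policy disagree.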
