
ci(supply-chain): pin actions to SHAs + Dependabot + zizmor audit #36

Merged: citron (lcandy2) merged 2 commits into main from cursor/supply-chain-pin-actions on May 31, 2026

Conversation

citron (lcandy2), Member, commented May 31, 2026

Summary

Supply-chain hardening for the agent-flow CI. No application source (src/**) touched.

  1. Pin third-party actions to full commit SHAs (with a trailing # vX.Y.Z comment) in ci.yml and cli-pr-review.yml, so a moved or compromised mutable tag cannot change what executes. Pinned to the latest release within each current major (no major upgrades):

    Action                          Pinned SHA                                  Tag
    actions/checkout                de0fac2e4500dabe0009e67214ff5f5447ce83dd    v6.0.2
    oven-sh/setup-bun               0c5077e51419868618aeaa5fe8019c62421857d6    v2.2.0
    anthropics/claude-code-action   787c5a0ce96a9a6cfb050ea0c8f4c05f2447c251    v1.0.133

    SHAs resolved via gh api repos/<owner>/<repo>/commits/<tag> --jq .sha. No peter-evans/* actions are used anywhere.

  2. .github/dependabot.yml: github-actions ecosystem, weekly, grouped into one PR, ci commit prefix, agent-flow label. Keeps the pinned SHAs (and their # vX.Y.Z comments) current automatically.

  3. .github/workflows/zizmor.yml — static security audit (zizmor v1.25.2) of the workflows on pull_request + push: [main]. Runs via pipx run zizmor (preinstalled on the runner — no extra third-party action). Non-blocking: the audit step is continue-on-error: true and findings are written to the run summary, because zizmor flags several pre-existing/by-design items. Triage below.

zizmor findings (for triage — all currently non-blocking)

In-scope files hardened by this work:

  • cli-pr-review.yml: no template-injection findings — PR ci: harden agent review workflow against prompt injection + bound the loop #35 already moved untrusted webhook bodies to env:, which cleared them. Remaining: bot-conditions (the github.actor == 'cursor[bot]' check at line 33 is "spoofable" — by design, it's one branch of a multi-condition gate) and 2× artipacked (help-level; the steward intentionally keeps checkout credentials so Scenario B can push fixes — must NOT set persist-credentials: false here).
  • ci.yml: 3× artipacked (help-level; actions/checkout without persist-credentials: false). Safe to set false here later (these jobs never push); left as a follow-up to keep this PR focused.

Out-of-scope (pre-existing, in the release workflows — not modified here):

  • release-binaries.yaml: dangerous-triggers (workflow_run), excessive-permissions, unpinned-uses (checkout/setup-bun on @v6/@v2), several template-injection in the Homebrew-formula sed steps.
  • release.yaml: unpinned-uses + secrets-inherit on the photon-hq/buildspace/...@main reusable workflow.

These can be addressed in a dedicated follow-up; Dependabot will also start proposing pins/bumps for the action refs it understands.

Test plan

  • ci.yml checks (typecheck, test, build, deps-policy, snapshot-policy, smoke) pass with the pinned SHAs.
  • New zizmor (advisory) check runs and stays green (non-blocking) with findings in its summary.
  • review workflow shows skipping (human-authored PR).

Made with Cursor
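As an added example (not code from this PR or from zizmor itself), a small Python audit that implements the three zizmor rules the description triages, unpinned-uses, bot-conditions and artipacked, over a constructed weak job and its hardened counterpart. WEAK_WORKFLOW, HARDENED_WORKFLOW and audit() are this example's own names, and the YAML samples are constructed, not the project's real workflows.

```python
import re
# Constructed sample, not the project's real cli-pr-review.yml: a mutable tag,
# a spoofable github.actor gate, and checkout credentials left in .git/config.
WEAK_WORKFLOW = """\
jobs:
  review:
    if: github.actor == 'cursor[bot]' || github.event.pull_request.user.login == 'cursor[bot]'
    steps:
      - uses: actions/checkout@v6
      - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
      - uses: ./.github/actions/local-helper
"""
# The same job hardened along the lines the PR and its reviewers describe.
HARDENED_WORKFLOW = """\
jobs:
  review:
    if: github.event.pull_request.user.login == 'cursor[bot]'
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
"""
USES_RE = re.compile(r"^(\s*-?\s*)uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
def _persists_credentials(lines, i, key_indent):
    """True unless this step's with: block sets persist-credentials: false."""
    for line in lines[i + 1:]:
        if line.strip() and len(line) - len(line.lstrip()) < key_indent:
            break  # dedented below the step's own keys: next step or end of list
        if re.match(r"^\s*persist-credentials:\s*false\b", line):
            return False
    return True

def audit(text):
    """Return (line, rule, detail) findings; rule names borrow zizmor's."""
    findings, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        if re.match(r"^\s*if:.*\bgithub\.actor\b", line):
            findings.append((i + 1, "bot-conditions", "github.actor is spoofable"))
        m = USES_RE.match(line)
        if not m or m.group(2).startswith(("./", "docker://")):
            continue  # no uses:, or a local/docker ref that has no tag to pin
        repo, _, ref = m.group(2).partition("@")
        if not SHA_RE.match(ref):  # tag or branch: a moved tag changes what runs
            findings.append((i + 1, "unpinned-uses", f"{repo}@{ref or '(none)'}"))
        if repo == "actions/checkout" and _persists_credentials(lines, i, len(m.group(1))):
            findings.append((i + 1, "artipacked", "persist-credentials not set to false"))
    return findings
```

Running audit() over WEAK_WORKFLOW reports all three findings and over HARDENED_WORKFLOW reports none; the local ./ action is skipped because there is no tag to pin.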



Summary by CodeRabbit

  • Chores
    • Enabled weekly automated updates for GitHub Actions, limiting open PRs and grouping updates into single batches with a CI-prefixed commit message.
    • Pinned workflow action references to fixed versions for more consistent CI runs.
    • Tightened pull-request triggering conditions for review jobs.
    • Added a non-blocking static security audit of workflow configurations that publishes findings into the CI summary.

- Pin third-party actions to full commit SHAs (with a `# vX.Y.Z` comment) in
  ci.yml and cli-pr-review.yml so a moved/compromised tag can't change what runs:
    actions/checkout        -> de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    oven-sh/setup-bun       -> 0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
    anthropics/claude-code-action -> 787c5a0ce96a9a6cfb050ea0c8f4c05f2447c251 # v1.0.133
  (Latest release within each current major — no major upgrades.)
- Add .github/dependabot.yml (github-actions ecosystem, weekly, grouped) so the
  pinned SHAs get bumped automatically.
- Add .github/workflows/zizmor.yml: static security audit of the workflows on
  pull_request + push to main. Non-blocking (step continue-on-error) because it
  surfaces pre-existing/by-design items; findings go to the run summary.
Copilot AI review requested due to automatic review settings May 31, 2026 15:50
coderabbitai (Bot) commented May 31, 2026

📝 Walkthrough

This PR adds a Dependabot config for GitHub Actions, pins external action references to specific commit SHAs across CI and PR-review workflows, and adds a Zizmor workflow that runs non-blocking static audits on workflow files and publishes findings.

Changes

GitHub Actions Configuration & Security

  • Dependabot Configuration (.github/dependabot.yml): Enables automated GitHub Actions updates weekly with a 5-PR limit, ci commit prefix, agent-flow label, and grouped action update patterns.
  • Action Pinning in CI Workflows (.github/workflows/ci.yml): Pins actions/checkout and oven-sh/setup-bun to specific commit SHAs across the check, policy, and smoke jobs, replacing floating major-version tags.
  • Action Pinning in PR Review Workflow (.github/workflows/cli-pr-review.yml): Tightens the PR actor condition to require the PR author login cursor[bot] and pins actions/checkout, oven-sh/setup-bun, and anthropics/claude-code-action to commit SHAs for PR and issue-comment flows.
  • Zizmor Security Audit Workflow (.github/workflows/zizmor.yml): Adds a new workflow that checks out with limited credentials, runs zizmor==1.25.2 via pipx against .github/workflows/, captures output to /tmp/zizmor.txt, continues on error, and appends results to the job summary.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • photon-hq/cli#33: Modifies cli-pr-review.yml if: conditions for bot-driven review automation (overlaps gating logic).
  • photon-hq/cli#32: Related edits to cli-pr-review.yml and actions used for bot workflows, including Claude action configuration.
  • photon-hq/cli#35: Also tightens bot/agent gating and pins checkout/Claude-related actions in cli-pr-review.yml.

Suggested reviewers

  • Copilot

Poem

🐰 A rabbit hops with cheer,
Dependencies pinned and clear,
Dependabot scans once a week,
Zizmor whispers what to seek,
Workflows steady, audits near.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)
  • Description check: ⚠️ Warning. The description is incomplete per the repository template, missing required sections like upstream version, routes, snapshots, runtime dependencies, and the completion checklist. Resolution: complete the pull request description using the repository template structure, including all sections and the required checklist even if answers are (none).

✅ Passed checks (4 passed)
  • Title check: ✅ Passed. The title accurately summarizes the three main changes: pinning actions to SHAs, adding Dependabot configuration, and adding zizmor security audit workflow.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


Copilot AI left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

coderabbitai (Bot) left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/cli-pr-review.yml (1)

30-34: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Remove github.actor from the pull_request allowlist in cli-pr-review.yml.

jobs.review has write-scoped permissions (contents/pull-requests/issues/id-token), but the Scenario A/C gate allows pull_request runs when github.actor == 'cursor[bot]' (line 33). github.actor is not a reliable, non-malleable identity for authorization; the gate should rely only on immutable PR metadata (e.g., github.event.pull_request.user.login == 'cursor[bot]') and drop the github.actor clause.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/cli-pr-review.yml around lines 30 - 34, Update the
pull_request allowlist condition in the workflow to remove the mutable actor
check: delete the `github.actor == 'cursor[bot]'` clause and keep only the
immutable PR author check (`github.event.pull_request.user.login ==
'cursor[bot]'`) so the gate relies solely on PR metadata; adjust the conditional
expression around the existing OR group to ensure syntax remains valid after
removing the `github.actor` clause.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/zizmor.yml:
- Line 40: The pipx invocation uses an unpinned package name ("pipx run zizmor
--persona=regular ..."), which allows floating versions; change the command to
pin zizmor to an explicit version by using the equality specifier (e.g., pipx
run "zizmor==X.Y.Z" --persona=regular .github/workflows/) so the workflow
installs a reproducible, fixed release of the zizmor tool.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: c00ac43f-f149-4826-b03f-84df45db4ba5

📥 Commits

Reviewing files that changed from the base of the PR and between 4ff0c93 and 9acaf13.

📒 Files selected for processing (4)
  • .github/dependabot.yml
  • .github/workflows/ci.yml
  • .github/workflows/cli-pr-review.yml
  • .github/workflows/zizmor.yml

…r gate

- zizmor.yml: pin the auditor to `zizmor==1.25.2` in the `pipx run` invocation
  for reproducible, supply-chain-stable audits (CodeRabbit, zizmor.yml:40).
- cli-pr-review.yml: drop the `github.actor == 'cursor[bot]'` clause from the
  pull_request gate; `github.actor` is mutable/spoofable. The immutable
  `github.event.pull_request.user.login == 'cursor[bot]'` author check already
  covers every real Scenario A/C trigger. Clears zizmor's bot-conditions error
  and CodeRabbit's Major finding.
citron (lcandy2), Member and Author, commented

Addressed both CodeRabbit findings in 61c9420:

  • zizmor.yml:40 — pinned the auditor to zizmor==1.25.2 in the pipx run invocation for reproducible, supply-chain-stable audits.
  • cli-pr-review.yml (gate, outside-diff) — dropped the github.actor == 'cursor[bot]' clause; the immutable github.event.pull_request.user.login == 'cursor[bot]' author check already covers every real Scenario A/C trigger, and github.actor is mutable. This also clears zizmor's bot-conditions error on this file (only the two intentional artipacked help-notes remain — the steward must keep checkout credentials to push Scenario B fixes).

coderabbitai (Bot) left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/cli-pr-review.yml (1)

129-140: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Disable persisted checkout credentials in both paths.

Both actions/checkout steps keep the default persist-credentials: true, which leaves the job token in .git/config for the rest of the run. In this workflow the checked-out workspace is later handed to a third-party action, so this unnecessarily widens the blast radius if the workspace is ever exfiltrated or artifacted. Set persist-credentials: false here, then add git auth only in the narrow Scenario B push path that actually needs it.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/cli-pr-review.yml around lines 129 - 140, The two
actions/checkout steps (the step named "Checkout PR branch (pull_request /
pull_request_review events)" and the step named "Checkout default branch then PR
branch (issue_comment)") keep persist-credentials enabled; change both to set
persist-credentials: false to avoid leaving the job token in .git/config, and
then ensure you only add transient git authentication in the narrow Scenario B
push path that requires pushing (add auth there instead of globally).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 1c67d1a8-783a-4c7e-8c51-663477a395a5

📥 Commits

Reviewing files that changed from the base of the PR and between 9acaf13 and 61c9420.

📒 Files selected for processing (2)
  • .github/workflows/cli-pr-review.yml
  • .github/workflows/zizmor.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/zizmor.yml

@lcandy2 citron (lcandy2) merged commit 597333a into main May 31, 2026
13 checks passed
@lcandy2 citron (lcandy2) deleted the cursor/supply-chain-pin-actions branch May 31, 2026 16:05