ci(supply-chain): pin actions to SHAs + Dependabot + zizmor audit

.github/dependabot.yml

@@ -0,0 +1,19 @@
+version: 2
+updates:
+  # Keep GitHub Actions pinned-by-SHA references current. Dependabot bumps the
+  # commit SHA (and the trailing `# vX.Y.Z` comment) whenever a new release of
+  # a pinned action ships, so SHA-pinning stays secure without going stale.
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "ci"
+    labels:
+      - "agent-flow"
+    groups:
+      # Batch all action bumps into a single PR to keep review noise low.
+      github-actions:
+        patterns:
+          - "*"

.github/workflows/ci.yml

@@ -21,8 +21,8 @@ jobs:
       matrix:
         task: [typecheck, test, build]
     steps:
-      - uses: actions/checkout@v6
-      - uses: oven-sh/setup-bun@v2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
         with:
           bun-version: "1.3.13"
       - run: bun install --frozen-lockfile
@@ -41,10 +41,10 @@ jobs:
       matrix:
         check: [snapshot-policy, deps-policy]
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
-      - uses: oven-sh/setup-bun@v2
+      - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
         with:
           bun-version: "1.3.13"
       - run: bun install --frozen-lockfile
@@ -60,8 +60,8 @@ jobs:
       matrix:
         os: [ubuntu-latest, macos-latest]
     steps:
-      - uses: actions/checkout@v6
-      - uses: oven-sh/setup-bun@v2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
         with:
           bun-version: "1.3.13"
       - run: bun install --frozen-lockfile

.github/workflows/cli-pr-review.yml

@@ -30,7 +30,7 @@ jobs:
     if: |
       (
         github.event_name == 'pull_request' &&
-        (github.event.pull_request.user.login == 'cursor[bot]' || github.actor == 'cursor[bot]')
+        github.event.pull_request.user.login == 'cursor[bot]'
       ) ||
       (
         github.event_name == 'issue_comment' &&
@@ -128,14 +128,14 @@ jobs:
 
       - name: Checkout PR branch (pull_request / pull_request_review events)
         if: steps.scenario.outputs.name != 'skip' && steps.cap.outputs.exceeded != 'true' && github.event_name != 'issue_comment'
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
           ref: ${{ github.event.pull_request.head.ref }}
 
       - name: Checkout default branch then PR branch (issue_comment)
         if: steps.scenario.outputs.name != 'skip' && steps.cap.outputs.exceeded != 'true' && github.event_name == 'issue_comment'
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
 
@@ -153,7 +153,7 @@ jobs:
 
       - name: Setup Bun
         if: steps.scenario.outputs.name != 'skip' && steps.cap.outputs.exceeded != 'true'
-        uses: oven-sh/setup-bun@v2
+        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
         with:
           bun-version: "1.3.13"
 
@@ -205,7 +205,7 @@ jobs:
 
           echo "Wrote sanitized untrusted context to $out ($(wc -c < "$out") bytes)."
 
-      - uses: anthropics/claude-code-action@v1
+      - uses: anthropics/claude-code-action@787c5a0ce96a9a6cfb050ea0c8f4c05f2447c251 # v1.0.133
         if: steps.scenario.outputs.name != 'skip' && steps.cap.outputs.exceeded != 'true'
         env:
           GH_TOKEN: ${{ github.token }}

.github/workflows/zizmor.yml

@@ -0,0 +1,53 @@
+name: zizmor
+
+# Static security analysis of our GitHub Actions workflows (supply-chain,
+# injection, permission and trigger hygiene).
+#
+# Non-blocking on purpose: zizmor surfaces some pre-existing / by-design items
+# (e.g. the agent steward's broad write permissions and templated `run:` steps),
+# so this audit reports findings to the run summary without failing CI. Flip the
+# `continue-on-error` step to blocking once the backlog has been triaged.
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  zizmor:
+    name: zizmor (advisory)
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor (non-blocking)
+        id: audit
+        continue-on-error: true
+        env:
+          # zizmor uses GH_TOKEN for its online audits (e.g. resolving action
+          # refs). The job only has read access to this repo's contents.
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          set -o pipefail
+          # pipx is preinstalled on GitHub-hosted ubuntu runners, so no extra
+          # third-party action is needed to fetch the auditor. Pin the auditor
+          # version for reproducible, supply-chain-stable audits (Dependabot's
+          # pip ecosystem is not enabled, so bump this manually).
+          pipx run "zizmor==1.25.2" --persona=regular .github/workflows/ | tee /tmp/zizmor.txt
+
+      - name: Publish findings to job summary
+        if: always()
+        run: |
+          {
+            echo "## zizmor audit (advisory / non-blocking)"
+            echo ""
+            echo '```'
+            cat /tmp/zizmor.txt 2>/dev/null || echo "(no output captured)"
+            echo '```'
+          } >> "$GITHUB_STEP_SUMMARY"