
Provide GitHub Actions pinning #49

Open: lucperkins wants to merge 2 commits into main from actions-pinning

Conversation

lucperkins (Member) commented Jun 10, 2026

Summary by CodeRabbit

  • Chores
    • Added automatic dependency monitoring configuration to track updates
    • Pinned GitHub Actions versions across workflows for improved stability and security
    • Implemented security policy validation for workflow actions
    • Simplified development environment setup and package management

coderabbitai (Bot) commented Jun 10, 2026

📝 Walkthrough

This PR pins GitHub Actions to specific commit SHAs across CI workflows, adds Dependabot configuration to manage updates automatically, introduces Zizmor security policy enforcement, and simplifies the development environment shell configuration in flake.nix.

Changes

GitHub Actions Pinning and Dependency Management

Layer: Pin GitHub Actions to commit SHAs
File(s): .github/workflows/validate.yml, .github/workflows/workflow.yml
Summary: actions/checkout is pinned from v4/v6 to commit SHA v6.0.3 across all jobs (inventory, build, success, and validate). DeterminateSystems/determinate-nix-action is pinned to commit SHA (v3.21.1). webfactory/ssh-agent is pinned from v0.9.0 to SHA (v0.10.0) in inventory and build. All checkout steps add persist-credentials: false.

Layer: Configure Dependabot for automated updates
File(s): .github/dependabot.yml
Summary: New configuration enables weekly GitHub Actions dependency monitoring from the repository root with a 7-day cooldown, groups all actions, ignores DeterminateSystems/* packages, and prefixes commits with ci.

Layer: Enforce pinning policy with security scanning
File(s): .github/zizmor.yml
Summary: New Zizmor configuration enables unpinned-uses policy and enforces ref-pin requirement for DeterminateSystems/* action uses.

Layer: Simplify development environment configuration
File(s): flake.nix
Summary: Removes the nixpkgs-old input and consolidates devShells from a split pkgs/pkgs-old approach to a single per-system pkgs import. The default shell is rebuilt using pkgs.mkShellNoCC with consolidated packages (action-validator, prettier, zizmor). Formatter is updated to use pkgs.nixfmt.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 With actions pinned and Dependabot's care,
We've locked down the versions floating in air!
Zizmor guards the rules, the flake sings in tune,
Security and clarity beneath the same moon. 🌙✨

🚥 Pre-merge checks: ✅ 5 passed

Title check: ✅ Passed. The title clearly and specifically describes the main changeset: pinning GitHub Actions to specific commit SHAs across multiple workflow files and configuration files.
Description check: ✅ Passed. No pull request description was provided, but the template only specifies a formatting instruction comment and does not mandate content sections.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.


Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai (Bot) left a review comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/zizmor.yml:
- Around line 1-5: The policy sets DeterminateSystems/*: ref-pin but CI
workflows still reference DeterminateSystems/flakehub-cache-action@main; update
either the policy or the workflows so they agree—either change the policy in
.github/zizmor.yml (remove or narrow the ref-pin rule for DeterminateSystems/*)
or pin all uses of DeterminateSystems/flakehub-cache-action@main in
.github/workflows/validate.yml and .github/workflows/workflow.yml to fixed refs
(tags/SHAs) instead of `@main` so the ref-pin policy is satisfied.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: cce2c785-7303-4791-aa66-ca5732c80674

📥 Commits

Reviewing files that changed from the base of the PR and between 57a29b4 and e7676f3.

⛔ Files ignored due to path filters (1)
  • flake.lock is excluded by !**/*.lock
📒 Files selected for processing (5)
  • .github/dependabot.yml
  • .github/workflows/validate.yml
  • .github/workflows/workflow.yml
  • .github/zizmor.yml
  • flake.nix
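The walkthrough above describes a pinning policy (hash pins by default, ref-pin for DeterminateSystems/*) and the inline review flags flakehub-cache-action@main as not satisfying it. The following is an added example, not the project's code and not zizmor's implementation: a small checker that classifies each uses: reference in a workflow and reports the ones that violate the assumed policy. The policy semantics, the treatment of a bare branch name as a floating ref (following the reviewer's reading of @main; real zizmor may judge it differently), the sample workflow and the placeholder checkout SHA are all this example's assumptions.

```python
import re
from fnmatch import fnmatch

# Policy modelled on the .github/zizmor.yml described above: hash-pin by default,
# ref-pin for DeterminateSystems/*. Semantics here are this example's assumptions,
# not zizmor's; a bare branch name counts as a floating ref that fails ref-pin.
DEFAULT_POLICY = "hash-pin"
POLICY = {"DeterminateSystems/*": "ref-pin"}
FLOATING_REFS = {"main", "master"}
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")

def policy_for(action):
    """First matching glob in POLICY wins; otherwise the default."""
    return next((p for pat, p in POLICY.items() if fnmatch(action, pat)), DEFAULT_POLICY)

def classify(uses):
    """Split 'owner/repo@ref' into (action, ref, kind)."""
    action, _, ref = uses.partition("@")
    if not ref:
        return action, None, "unpinned"
    if SHA_RE.match(ref):
        return action, ref, "hash"
    return action, ref, "floating" if ref in FLOATING_REFS else "ref"

def check_workflow(text):
    """Return (line, uses, policy, kind) for each 'uses:' that violates its policy."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # no uses: here, or a local/docker:// reference this toy skips
        action, _, kind = classify(m.group(1))
        policy = policy_for(action)
        ok = kind == "hash" if policy == "hash-pin" else kind in ("hash", "ref")
        if not ok:
            findings.append((lineno, m.group(1), policy, kind))
    return findings

# Constructed sample workflow; the checkout SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6.0.3
    with:
      persist-credentials: false
  - uses: DeterminateSystems/determinate-nix-action@v3.21.1
  - uses: DeterminateSystems/flakehub-cache-action@main
  - uses: webfactory/ssh-agent@v0.10.0
  - uses: actions/setup-node
"""
```

Running check_workflow(SAMPLE_WORKFLOW) reports the @main reference under ref-pin, the tag-only webfactory reference under hash-pin, and the unpinned setup-node reference, while the SHA-pinned checkout and the tag-pinned DeterminateSystems action pass.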
