From d96c629804bd6a57f6d8d0d1bc8d7091b22f0849 Mon Sep 17 00:00:00 2001
From: Matt Fisher
Date: Wed, 8 Apr 2026 20:27:50 -0600
Subject: [PATCH 1/4] Tighten permissions scope on publish job
---
 .github/workflows/publish.yaml | 35 ++++++++++++++++++++++++----------
 1 file changed, 25 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 138ac36..20da615 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -4,21 +4,17 @@ on:
 release:
 types: [published] # Triggers when you click "Publish release" in GitHub
+permissions: {}
+
 jobs:
- build-and-publish:
- name: Build and Publish
+ build:
+ name: Build
 runs-on: ubuntu-latest
-
- environment: pypi
-
- # Permissions required for Trusted Publishing (OIDC) authentication
- permissions:
- id-token: write
- contents: read
-
 steps:
 - name: Checkout Code
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up Python
 uses: actions/setup-python@v5
@@ -33,5 +29,24 @@ jobs:
 - name: Build Package
 run: python -m build
+ - uses: actions/upload-artifact@v6
+ with:
+ name: dist
+ path: dist/
+
+ pypi-public:
+ name: Publish to PyPI
+ runs-on: ubuntu-latest
+ environment:
+ name: pypi
+ url: https://pypi.org/p/transformez
+ permissions:
+ id-token: write
+ steps:
+ - name: Get dist artifact
+ uses: actions/download-artifact@v7
+ with:
+ name: dist
+ path: dist/
 - name: Publish to PyPI
 uses: pypa/gh-action-pypi-publish@release/v1
From 0a14267694c7df0a3944e0a98faa29ad6b8dc42e Mon Sep 17 00:00:00 2001
From: Matt Fisher
Date: Wed, 8 Apr 2026 20:31:05 -0600
Subject: [PATCH 2/4] Add zizmor GHA security audit tool
---
 .github/workflows/zizmor.yml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 .github/workflows/zizmor.yml
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..956464a
--- /dev/null
+++ b/.github/workflows/zizmor.yml
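Review bot: The `build` job is left with no `contents: read` once the workflow-level `permissions: {}` is added and the job-level block is removed, so `actions/checkout` succeeds only because reading a public repository needs no token; if this repository is ever private or the workflow is copied to one, the checkout step fails with an authorization error. Adding `permissions:` / `contents: read` under `build:` states the job's real requirement explicitly and costs nothing. The `persist-credentials: false` addition on the checkout step is the right default for a job that never pushes. The `build` job body continues past the hunk.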
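Review bot: The new `pypi-public` job has no `needs: build`, so it is scheduled concurrently with `build` and `actions/download-artifact` will most likely run before the `dist` artifact has been uploaded and fail; beyond the race, `needs` is also what stops a failed or cancelled build from ever reaching the publish step. Add `needs: build` next to `runs-on: ubuntu-latest` in the job. With that in place the split is sound: only the publish job carries `id-token: write`, it checks out no source and runs no project code, and `contents: read` stays correctly absent because nothing here touches the repository.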
@@ -0,0 +1,28 @@
+name: "GitHub Actions Security Analysis with zizmor 🌈"
+
+on:
+ push:
+ branches:
+ - "main"
+ paths:
+ - ".github/workflows/*"
+ pull_request:
+ paths:
+ - ".github/workflows/*"
+
+permissions: {}
+
+jobs:
+ zizmor:
+ name: "Run zizmor 🌈"
+ runs-on: "ubuntu-latest"
+ permissions:
+ security-events: "write" # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
+ steps:
+ - name: "Checkout repository"
+ uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: "Run zizmor 🌈"
+ uses: "zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8" # v0.5.2
From a592eef2df31e20365d2f91dd931a8e6ee1f5e65 Mon Sep 17 00:00:00 2001
From: Matt Fisher
Date: Wed, 8 Apr 2026 20:31:50 -0600
Subject: [PATCH 3/4] Hashpin all actions
---
 .github/workflows/pr-rtd-link.yml | 2 +-
 .github/workflows/publish.yaml | 10 +++++-----
 .github/workflows/test.yml | 4 ++--
 .github/workflows/typecheck.yml | 4 ++--
 4 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/pr-rtd-link.yml b/.github/workflows/pr-rtd-link.yml
index 586ebca..299e5bf 100644
--- a/.github/workflows/pr-rtd-link.yml
+++ b/.github/workflows/pr-rtd-link.yml
@@ -16,7 +16,7 @@ jobs:
 autolink-rtd-previews:
 runs-on: "ubuntu-latest"
 steps:
- - uses: "readthedocs/actions/preview@v1"
+ - uses: "readthedocs/actions/preview@b8bba1484329bda1a3abe986df7ebc80a8950333" # v1
 with:
 project-slug: "transformez"
 message-template: |
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 20da615..8ded987 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
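Review bot: The workflow runs only on `push`/`pull_request` events that touch `.github/workflows/*`, so zizmor's audit — including any finding about the specific commits the other workflows are now pinned to — is not re-evaluated between workflow edits; a `schedule:` trigger with a weekly `cron` (a constructed example: `"0 6 * * 1"`) keeps the SARIF results current. The same `paths` filter would miss `.github/actions/**` if composite actions are added later. The checkout here is pinned at `# v6.0.2` while the other workflows in this series pin `actions/checkout` at a `v4` commit; aligning the major version across the repository makes the resulting Dependabot PRs easier to review. On `pull_request` events from forks the token is read-only, so the `security-events: write` grant presumably does not apply there and SARIF upload may be skipped or fail — worth confirming against the action's documented behaviour.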
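Review bot: The version comment `# v1` beside the pinned `readthedocs/actions/preview` SHA names a floating major tag rather than the release the commit was taken from, and the third publish.yaml hunk has the same issue with `# release/v1` on `pypa/gh-action-pypi-publish`, where the comment is a branch name. Dependabot relies on this comment to work out the current version of a SHA-pinned action, so a non-semver comment can leave those pins outside its update logic and outside the `semver-*` ignore rules added later in the series; recording the exact tag the SHA resolves to (the real `vX.Y.Z`, not a placeholder) keeps each pin auditable and updatable. The remaining pins in this series use the same major-only style (`# v4`, `# v5`, `# v6`, `# v7`) and would benefit from the same treatment.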
@@ -12,12 +12,12 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout Code
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 persist-credentials: false
 - name: Set up Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
 with:
 python-version: '3.x'
@@ -29,7 +29,7 @@ jobs:
 - name: Build Package
 run: python -m build
- - uses: actions/upload-artifact@v6
+ - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
 with:
 name: dist
 path: dist/
@@ -44,9 +44,9 @@ jobs:
 id-token: write
 steps:
 - name: Get dist artifact
- uses: actions/download-artifact@v7
+ uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
 with:
 name: dist
 path: dist/
 - name: Publish to PyPI
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index cac12d9..1de2340 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -16,10 +16,10 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Install uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
 - name: Install dependencies
 run: uv sync --group test
diff --git a/.github/workflows/typecheck.yml b/.github/workflows/typecheck.yml
index f379cf0..632b9fe 100644
--- a/.github/workflows/typecheck.yml
+++ b/.github/workflows/typecheck.yml
@@ -16,10 +16,10 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Install the latest version of uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
 - name: Install dependencies
 run: |
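Review bot: The re-pinned `actions/checkout` step in test.yml (and the identical one in typecheck.yml) still has no `with:` / `persist-credentials: false`, which publish.yaml and zizmor.yml received in this series; without it the action leaves the job token in the checked-out workspace's git configuration, where later steps and anything installed by `uv sync` can reach it. zizmor reports this as `artipacked`, so the newly added zizmor workflow will flag both files on its first run. Adding the two lines under each `uses: actions/checkout@34e1148… # v4` step brings test and typecheck in line with the rest of the repository. Both `steps` lists continue past their hunks.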
From 9819f1130f4d4ba9de2aa60a9e77b1aa6f1bfb59 Mon Sep 17 00:00:00 2001
From: Matt Fisher
Date: Wed, 8 Apr 2026 20:32:47 -0600
Subject: [PATCH 4/4] Add dependabot monthly GHA autoupdate config
---
 .github/dependabot.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..bafce97
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,17 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "monthly"
+ cooldown:
+ default-days: 7
+ ignore:
+ - dependency-name: "*"
+ update-types:
+ - "version-update:semver-minor"
+ - "version-update:semver-patch"
+ groups:
+ gha-dependencies:
+ patterns:
+ - "*"
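Review bot: The `ignore` block suppresses every minor and patch update for all actions, which for SHA-pinned actions means the pins only move on a major release; patch releases are exactly where fixes to an action itself land, so combined with a monthly interval and a 7-day cooldown the workflows can sit on a superseded commit for a long time. Consider removing `- "version-update:semver-patch"` from the list (or dropping the ignore block entirely) and letting the `gha-dependencies` group keep PR volume down instead. Whether Dependabot can classify an update as minor or patch at all depends on the version comment beside each pin; with major-only comments such as `# v4` the classification is presumably coarse, so check the first generated PR does what is intended. Quoting every scalar here is the right choice for a schema keyed on string enums and the `"*"` glob.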