zizmorcore · woodruffw · May 18, 2025 · May 18, 2025 · May 18, 2025
diff --git a/.github/pinact.yml b/.github/pinact.yml
@@ -0,0 +1,6 @@
+version: 3
+
+files:
+  - pattern: workflows/*.yml
+  - pattern: ../docs/usage.md
+  - pattern: ../docs/audits.md
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -20,4 +20,4 @@ jobs:
           persist-credentials: false
 
       - name: Run zizmor 🌈
-        uses: zizmorcore/zizmor-action@006ecee4788dece29e278dcf69fa6bb01e09c47b # v0.0.1
+        uses: zizmorcore/zizmor-action@b2767f4d401a041e2d7b4b92f4c5c205e0e6e38a # v0.0.2
diff --git a/Makefile b/Makefile
@@ -30,3 +30,7 @@ docs/snippets/sponsors.html: docs/snippets/sponsors.json docs/snippets/render-sp
 refresh-schemas:
 	curl https://json.schemastore.org/github-workflow.json > crates/zizmor/src/data/github-workflow.json
 	curl https://json.schemastore.org/github-action.json > crates/zizmor/src/data/github-action.json
+
+.PHONY: pinact
+pinact:
+	pinact run --update --verify
diff --git a/docs/audits.md b/docs/audits.md
@@ -56,7 +56,7 @@ with `#!yaml persist-credentials: true`.
       artipacked:
         runs-on: ubuntu-latest
         steps:
-          - uses: actions/checkout@v4
+          - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     ```
 
 === "After :white_check_mark:"
@@ -68,7 +68,7 @@ with `#!yaml persist-credentials: true`.
       artipacked:
         runs-on: ubuntu-latest
         steps:
-          - uses: actions/checkout@v4
+          - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
             with:
               persist-credentials: false
     ```
@@ -337,13 +337,13 @@ by default, and then set specific job-level permissions as needed.
 
             steps:
               - name: Download distributions
-                uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
+                uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
                 with:
                   name: distributions
                   path: dist/
 
               - name: publish
-                uses: pypa/gh-action-pypi-publish@v1.12.4
+                uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
         ```
 
     === "After :white_check_mark:"
@@ -374,13 +374,13 @@ by default, and then set specific job-level permissions as needed.
 
             steps:
               - name: Download distributions
-                uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
+                uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
                 with:
                   name: distributions
                   path: dist/
 
               - name: publish
-                uses: pypa/gh-action-pypi-publish@v1.12.4
+                uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
         ```
 
 ## `forbidden-uses`
@@ -725,7 +725,7 @@ Address the source of obfuscation by simplifying the expression,
             runs-on: ubuntu-latest
             steps:
               - name: Checkout
-                uses: actions/checkout@v4
+                uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
                 with:
                   repository: ${{ format('{0}/{1}', 'octocat', 'hello-world') }}
         ```
@@ -738,7 +738,7 @@ Address the source of obfuscation by simplifying the expression,
             runs-on: ubuntu-latest
             steps:
               - name: Checkout
-                uses: actions/checkout@v4
+                uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
                 with:
                   repository: octocat/hello-world
         ```
@@ -1306,7 +1306,7 @@ For Docker actions (like `docker://ubuntu`): add an appropriate
           unpinned-uses:
               runs-on: ubuntu-latest
               steps:
-              - uses: actions/checkout@v4 # (1)!
+              - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
                 with:
                 persist-credentials: false
 
@@ -1316,9 +1316,6 @@ For Docker actions (like `docker://ubuntu`): add an appropriate
                 args: hello!
         ```
 
-        1. Or `actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683` for a SHA-pinned action.
-
-
 ## `unredacted-secrets`
 
 | Type     | Examples                | Introduced in | Works offline  | Enabled by default | Configurable |

diff --git a/docs/usage.md b/docs/usage.md
@@ -327,7 +327,7 @@ sensitive `zizmor`'s analyses are:
     as its pin instead of a hashed pin:
 
     ```yaml
-    uses: actions/checkout@v3
+    uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     ```
 
     produces:
@@ -434,16 +434,18 @@ Multiple different audits can be ignored with a single comment by
 separating each rule with a comma, e.g.
 `# zizmor: ignore[artipacked,ref-confusion]`.
 
-To ignore a single `artipacked` finding:
+To ignore a single `template-injection` finding:
 
 ```yaml title="example.yml"
-uses: actions/checkout@v3 # zizmor: ignore[artipacked]
+run: | # zizmor: ignore[template-injection]
+  echo "${{ github.event.issue.title }}"
 ```
 
 Ignore comments can also have a trailing explanation:
 
 ```yaml title="example.yml"
-uses: actions/checkout@v3 # zizmor: ignore[artipacked] this is actually fine
+run: | # zizmor: ignore[template-injection] i promise this is safe
+  echo "${{ github.event.issue.title }}"
 ```
 
 !!! important
@@ -586,20 +588,20 @@ two primary ways to use `zizmor` in GitHub Actions:
           actions: read # only needed for private repos
         steps:
           - name: Checkout repository
-            uses: actions/checkout@v4
+            uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
             with:
               persist-credentials: false
 
           - name: Install the latest version of uv
-            uses: astral-sh/setup-uv@c7f87aa956e4c323abf06d5dec078e358f6b4d04 # v6.0.0
+            uses: astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca # v6.0.1
 
           - name: Run zizmor 🌈
             run: uvx zizmor --format=sarif . > results.sarif # (2)!
             env:
               GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} # (1)!
 
           - name: Upload SARIF file
-            uses: github/codeql-action/upload-sarif@v3
+            uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
             with:
               sarif_file: results.sarif
               category: zizmor
@@ -657,10 +659,10 @@ two primary ways to use `zizmor` in GitHub Actions:
           actions: read # only needed for private repos
         steps:
           - name: Checkout repository
-            uses: actions/checkout@v4
+            uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
           - name: Install the latest version of uv
-            uses: astral-sh/setup-uv@v5
+            uses: astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca # v6.0.1
 
           - name: Run zizmor 🌈
             run: uvx zizmor --format=github . # (2)!