[5.2.x] Addressed unpinned-uses zizmor finding.

Backport of 86b8058b40145fb5ba4fd859676225f533eca986 from main.

3 files changed, 11 insertions, 1 deletions

diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index 6cc11b3357..6c9d2a3e1a 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -19,7 +19,8 @@ jobs:
           path: "."
           persist-credentials: false
       - name: Setup Miniforge
-        uses: conda-incubator/setup-miniconda@v3
+        # Pinned to v3.2.0.
+        uses: conda-incubator/setup-miniconda@835234971496cad1653abb28a638a281cf32541f
         with:
           miniforge-version: "24.1.2-0"
           activate-environment: asv-bench
diff --git a/.github/workflows/check_commit_messages.yml b/.github/workflows/check_commit_messages.yml
index 70f1dd7d1e..a4594d611c 100644
--- a/.github/workflows/check_commit_messages.yml
+++ b/.github/workflows/check_commit_messages.yml
@@ -8,6 +8,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   check-commit-prefix:
     if: startsWith(github.event.pull_request.base.ref, 'stable/')
diff --git a/zizmor.yml b/zizmor.yml
new file mode 100644
index 0000000000..8d1b34ed48
--- /dev/null
+++ b/zizmor.yml
@@ -0,0 +1,6 @@
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        actions/*: ref-pin
+        psf/*: ref-pin