ci: harden CI/CD — SHA-pin actions, bump pnpm to 11.1.2, add zizmor

.github/dependabot.yml

@@ -0,0 +1,36 @@
+version: 2
+
+# Keeps the SHA pins in .github/workflows/*.yml current. Dependabot reads the
+# trailing `# v<version>` comment after each pinned SHA and opens PRs that
+# bump both the SHA and the comment in lockstep. Without this file, pins go
+# stale and we lose the security guarantee they provide.
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: "daily"
+    groups:
+      minor-and-patch:
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
+      # Workaround for dependabot/dependabot-core#14202: without an explicit
+      # major group, major updates matching the minor-and-patch pattern are
+      # silently suppressed. Remove this group when #14202 is fixed to get
+      # individual (ungrouped) PRs per major bump instead.
+      major:
+        patterns:
+          - "*"
+        update-types:
+          - "major"
+    labels:
+      - dependencies
+      - github-actions
+    commit-message:
+      prefix: "chore(ci)"
+      include: scope
+    open-pull-requests-limit: 10
+    cooldown:
+      default-days: 1

.github/workflows/auto-approve-community.yml

@@ -5,24 +5,27 @@ on:
     types: [opened, synchronize, reopened]
 
 permissions:
-  pull-requests: write
   contents: read
 
 jobs:
   auto-approve:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5.0.1
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Fetch PR head
         run: |
           git fetch origin pull/${{ github.event.pull_request.number }}/head:pr-head
 
       - name: Set up Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020  # v4.4.0
         with:
           node-version: "22"
 

.github/workflows/build-python-preview.yml

@@ -8,6 +8,9 @@ concurrency:
   group: ${{ github.repository }}-${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -16,10 +19,12 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5.0.1
+        with:
+          persist-credentials: false
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v4
+        uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e  # v6.8.0
         with:
           version: ">=0.8.0"
 
@@ -32,7 +37,9 @@ jobs:
           echo "Preview version: ${VERSION}"
 
       - name: Rewrite pyproject.toml versions
-        run: uv run python scripts/rewrite-python-preview-versions.py ${{ steps.version.outputs.version }}
+        run: uv run python scripts/rewrite-python-preview-versions.py ${STEPS_VERSION_OUTPUTS_VERSION}
+        env:
+          STEPS_VERSION_OUTPUTS_VERSION: ${{ steps.version.outputs.version }}
 
       - name: Build ag-ui-protocol
         working-directory: sdks/python
@@ -75,17 +82,19 @@ jobs:
         run: |
           mkdir -p pr-metadata
           echo "${{ github.event.pull_request.number }}" > pr-metadata/pr-number
-          echo "${{ steps.version.outputs.version }}" > pr-metadata/version
+          echo "${STEPS_VERSION_OUTPUTS_VERSION}" > pr-metadata/version
           echo "${{ github.sha }}" > pr-metadata/sha
+        env:
+          STEPS_VERSION_OUTPUTS_VERSION: ${{ steps.version.outputs.version }}
 
       - name: Upload dist artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
         with:
           name: python-preview-dist
           path: dist-preview/
 
       - name: Upload PR metadata
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
         with:
           name: python-preview-metadata
           path: pr-metadata/

.github/workflows/dependabot-auto-merge.yml

@@ -0,0 +1,32 @@
+name: Dependabot Auto-Merge (Minor/Patch)
+
+on:
+  pull_request_target:
+    types: [opened, synchronize]
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  auto-merge:
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.user.login == 'dependabot[bot]'
+    steps:
+      - name: Fetch Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2.5.0
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Auto-approve and merge minor/patch github-actions updates
+        if: >-
+          steps.metadata.outputs.package-ecosystem == 'github_actions' &&
+          (steps.metadata.outputs.update-type == 'version-update:semver-minor' ||
+           steps.metadata.outputs.update-type == 'version-update:semver-patch')
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
+        run: |
+          gh pr review "$PR_URL" --approve
+          gh pr merge "$PR_URL" --auto --merge

.github/workflows/dependabot-major-analysis.yml

@@ -0,0 +1,144 @@
+name: Dependabot Major Version Analysis
+
+on:
+  pull_request_target:
+    types: [opened]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  analyze-major:
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.user.login == 'dependabot[bot]'
+    steps:
+      - name: Fetch Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2.5.0
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Analyze major version bump
+        if: >-
+          steps.metadata.outputs.package-ecosystem == 'github_actions' &&
+          steps.metadata.outputs.update-type == 'version-update:semver-major'
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
+        env:
+          DEP_NAME: ${{ steps.metadata.outputs.dependency-names }}
+          PREV_VERSION: ${{ steps.metadata.outputs.previous-version }}
+          NEW_VERSION: ${{ steps.metadata.outputs.new-version }}
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const depName = process.env.DEP_NAME;
+            const prevVersion = process.env.PREV_VERSION;
+            const newVersion = process.env.NEW_VERSION;
+            const parts = depName.split('/');
+            const owner = parts[0];
+            const repo = parts[1];
+            const repoSlug = `${owner}/${repo}`;
+
+            let releases = [];
+            try {
+              const { data } = await github.rest.repos.listReleases({ owner, repo, per_page: 50 });
+              releases = data;
+            } catch (err) {
+              core.warning(`Could not fetch releases for ${repoSlug}: ${err.message}`);
+            }
+
+            const prevMajor = parseInt(prevVersion.replace(/^v/, ''), 10);
+            const newMajor = parseInt(newVersion.replace(/^v/, ''), 10);
+
+            const relevantReleases = releases.filter(r => {
+              const major = parseInt(r.tag_name.replace(/^v/, ''), 10);
+              return major > prevMajor && major <= newMajor;
+            });
+
+            let releaseNotesSummary = '';
+            let breakingChanges = '';
+
+            if (relevantReleases.length === 0) {
+              releaseNotesSummary = '_No releases found between these versions._';
+              breakingChanges = `_Unable to determine breaking changes automatically. Please review the [full changelog](https://github.com/${repoSlug}/releases)._`;
+            } else {
+              for (const release of relevantReleases.slice(0, 10)) {
+                const body = release.body || '_No release notes._';
+                releaseNotesSummary += `### ${release.tag_name}${release.name && release.name !== release.tag_name ? ' — ' + release.name : ''}\n\n`;
+                releaseNotesSummary += body.substring(0, 2000);
+                if (body.length > 2000) releaseNotesSummary += '\n\n_...truncated_';
+                releaseNotesSummary += '\n\n---\n\n';
+                const lines = body.split('\n');
+                for (const line of lines) {
+                  if (/breaking|BREAKING|removed|deprecated|incompatible|migration/i.test(line)) {
+                    breakingChanges += `- ${line.trim()}\n`;
+                  }
+                }
+              }
+            }
+
+            if (!breakingChanges) {
+              breakingChanges = '_No explicit breaking changes detected in release notes. Manual review recommended._';
+            }
+
+            let commentBody = `## :warning: Major Version Update — Manual Review Required
+
+            | Field | Value |
+            |-------|-------|
+            | **Action** | [\`${depName}\`](https://github.com/${repoSlug}) |
+            | **Previous** | \`v${prevVersion}\` |
+            | **New** | \`v${newVersion}\` |
+            | **Type** | Major (\`v${prevMajor}\` → \`v${newMajor}\`) |
+
+            ### Breaking Changes
+
+            ${breakingChanges}
+
+            ### Release Notes (v${prevMajor + 1} → v${newMajor})
+
+            ${releaseNotesSummary}
+
+            ### Next Steps
+
+            1. Review breaking changes above
+            2. Check if workflow inputs/outputs changed
+            3. Verify compatibility with your CI/CD configuration
+
+            > Full changelog: https://github.com/${repoSlug}/releases
+
+            ---
+            _Generated automatically for Dependabot major version PRs._`.replace(/^            /gm, '');
+
+            if (commentBody.length > 64000) {
+              commentBody = commentBody.substring(0, 63900) + '\n\n_...comment truncated due to size limit._';
+            }
+
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.payload.pull_request.number,
+              body: commentBody,
+            });
+
+            try {
+              const labelsToAdd = ['major-update', 'needs-review'];
+              for (const label of labelsToAdd) {
+                try {
+                  await github.rest.issues.getLabel({ owner: context.repo.owner, repo: context.repo.repo, name: label });
+                } catch {
+                  const colors = { 'major-update': 'B60205', 'needs-review': 'FBCA04' };
+                  await github.rest.issues.createLabel({
+                    owner: context.repo.owner, repo: context.repo.repo,
+                    name: label, color: colors[label] || 'EDEDED',
+                  });
+                }
+              }
+              await github.rest.issues.addLabels({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.payload.pull_request.number,
+                labels: labelsToAdd,
+              });
+            } catch (err) {
+              core.warning(`Could not add labels: ${err.message}`);
+            }