tonistiigi · crazy-max · Apr 21, 2026 · Apr 21, 2026
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -5,6 +5,8 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+    cooldown:
+      default-days: 2
     labels:
       - "dependencies"
       - "bot"
diff --git a/.github/workflows/.build.yml b/.github/workflows/.build.yml
@@ -28,13 +28,20 @@ on:
         type: boolean
         required: false
         default: true
+    secrets:
+      DOCKERIO_USERNAME:
+        required: false
+      DOCKERIO_PASSWORD:
+        required: false
 
 env:
   REPO_SLUG: tonistiigi/binfmt
 
 jobs:
   prepare-build:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read # to checkout the repo
     outputs:
       image_name: ${{ env.REPO_SLUG }}
       qemu_repo: ${{ steps.set.outputs.qemu_repo }}
@@ -45,11 +52,11 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set outputs
         id: set
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           INPUT_GITHUB-RUN-NUMBER: ${{ github.run_number }}
           INPUT_TARGET: ${{ inputs.target }}
@@ -104,11 +111,11 @@ jobs:
             core.setOutput('git_tag', gitTag);
 
   image:
-    uses: docker/github-builder/.github/workflows/bake.yml@v1
+    uses: docker/github-builder/.github/workflows/bake.yml@7d2a02426d4b989616ba5aaee4e879afd4134b0d # v1.6.0
     needs:
       - prepare-build
     permissions:
-      contents: read # same as global permission
+      contents: read # to checkout the repo
       id-token: write # for signing attestation(s) with GitHub OIDC Token
     with:
       distribute: ${{ github.event_name == 'pull_request' }}
@@ -145,10 +152,10 @@ jobs:
           scope: ${{ needs.prepare-build.outputs.image_name }}@push
 
   qemu-archive:
-    uses: docker/github-builder/.github/workflows/bake.yml@v1
+    uses: docker/github-builder/.github/workflows/bake.yml@7d2a02426d4b989616ba5aaee4e879afd4134b0d # v1.6.0
     if: inputs.target == 'mainline'
     permissions:
-      contents: read # same as global permission
+      contents: read # to checkout the repo
       id-token: write # for signing attestation(s) with GitHub OIDC Token
     with:
       setup-qemu: true
@@ -160,12 +167,14 @@ jobs:
 
   qemu-archive-finalize:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read # maximum permission
     needs:
       - qemu-archive
     steps:
       -
         name: Download artifacts
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
         with:
           path: /tmp/buildx-output
           pattern: ${{ needs.qemu-archive.outputs.artifact-name }}*
@@ -193,17 +202,17 @@ jobs:
           tree -nh .
       -
         name: Upload qemu archives release
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: release-qemu
           path: /tmp/qemu-artifacts/*
           if-no-files-found: error
 
   binfmt-archive:
-    uses: docker/github-builder/.github/workflows/bake.yml@v1
+    uses: docker/github-builder/.github/workflows/bake.yml@7d2a02426d4b989616ba5aaee4e879afd4134b0d # v1.6.0
     if: inputs.target == 'mainline'
     permissions:
-      contents: read # same as global permission
+      contents: read # to checkout the repo
       id-token: write # for signing attestation(s) with GitHub OIDC Token
     with:
       setup-qemu: true
@@ -217,10 +226,12 @@ jobs:
     runs-on: ubuntu-24.04
     needs:
       - binfmt-archive
+    permissions:
+      contents: read # maximum permission
     steps:
       -
         name: Download artifacts
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
         with:
           path: /tmp/buildx-output
           pattern: ${{ needs.binfmt-archive.outputs.artifact-name }}*
@@ -248,7 +259,7 @@ jobs:
           tree -nh .
       -
         name: Upload binfmt archives release
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: release-binfmt
           path: /tmp/binfmt-artifacts/*
@@ -266,7 +277,7 @@ jobs:
       -
         name: Download archives releases
         if: inputs.target == 'mainline'
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
         with:
           pattern: release-*
           merge-multiple: true
@@ -280,7 +291,7 @@ jobs:
       -
         name: Prepare
         id: prepare
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           INPUT_META-JSON: ${{ needs.image.outputs.meta-json }}
         with:
@@ -308,4 +319,4 @@ jobs:
             * logs: ${{ github.event.repository.html_url }}/actions/runs/${{ github.run_id }}
             * qemu repo: ${{ needs.prepare-build.outputs.qemu_repo }}/tree/${{ needs.prepare-build.outputs.qemu_ref }}
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -4,6 +4,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 on:
   schedule:
     - cron: '0 8 */6 * *' # every 6 days
@@ -30,13 +33,13 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Expose GitHub Runtime
-        uses: crazy-max/ghaction-github-runtime@v3
+        uses: crazy-max/ghaction-github-runtime@3cb05d89e1f492524af3d41a1c98c83bc3025124 # v3.1.0
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
       -
         name: Warm cache
         run: |
@@ -52,11 +55,11 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Generate matrix
         id: generate
-        uses: docker/bake-action/subaction/matrix@v6
+        uses: docker/bake-action/subaction/matrix@5be5f02ff8819ecd3092ea6b2e6261c31774f2b4 # v6.10.0
         with:
           target: validate
 
@@ -71,10 +74,10 @@ jobs:
     steps:
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
       -
         name: Validate
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@5be5f02ff8819ecd3092ea6b2e6261c31774f2b4 # v6.10.0
         with:
           targets: ${{ matrix.target }}
 
@@ -85,13 +88,13 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Expose GitHub Runtime
-        uses: crazy-max/ghaction-github-runtime@v3
+        uses: crazy-max/ghaction-github-runtime@3cb05d89e1f492524af3d41a1c98c83bc3025124 # v3.1.0
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
       -
         name: Run
         run: |
@@ -113,14 +116,14 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
       -
         name: Test buildkit
         if: matrix.target == 'buildkit'
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@5be5f02ff8819ecd3092ea6b2e6261c31774f2b4 # v6.10.0
         with:
           source: .
           targets: buildkit-test
@@ -129,7 +132,7 @@ jobs:
       -
         name: Load mainline for testing
         if: matrix.target == 'mainline'
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@5be5f02ff8819ecd3092ea6b2e6261c31774f2b4 # v6.10.0
         with:
           source: .
           targets: mainline
@@ -196,10 +199,10 @@ jobs:
           fi
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Load for testing
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@5be5f02ff8819ecd3092ea6b2e6261c31774f2b4 # v6.10.0
         with:
           source: .
           targets: ${{ matrix.target }}
@@ -214,7 +217,7 @@ jobs:
           docker run --rm --privileged tonistiigi/binfmt:test --install all
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
       -
         name: Test
         working-directory: test/dockerfiles/${{ matrix.dockerfile }}
@@ -235,15 +238,17 @@ jobs:
       -
         name: Check container logs
         if: ${{ matrix.logs_ctn_name != '' && matrix.logs_check != '' }}
-        uses: crazy-max/.github/.github/actions/container-logs-check@main
+        uses: crazy-max/.github/.github/actions/container-logs-check@64a0bfaf6e6bb1c448d6e4c42b11034ee7094f16 # v1.7.1
         with:
           container_name: ${{ matrix.logs_ctn_name }}
           log_check: ${{ matrix.logs_check }}
           timeout: 120
 
   build:
     uses: ./.github/workflows/.build.yml
-    secrets: inherit
+    permissions:
+      contents: read # same as global permission
+      id-token: write # to create OIDC token for signing
     needs:
       - validate
       - install-and-test
@@ -259,3 +264,6 @@ jobs:
     with:
       target: ${{ matrix.target }}
       dry-run: ${{ github.event_name == 'pull_request' }}
+    secrets:
+      DOCKERIO_USERNAME: ${{ secrets.DOCKERIO_USERNAME }}
+      DOCKERIO_PASSWORD: ${{ secrets.DOCKERIO_PASSWORD }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,5 +1,12 @@
 name: release
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
     inputs:
@@ -38,7 +45,9 @@ on:
 jobs:
   release:
     uses: ./.github/workflows/.build.yml
-    secrets: inherit
+    permissions:
+      contents: write # to create GitHub release
+      id-token: write # to create OIDC token for signing
     with:
       target: ${{ inputs.target }}
       release: true
@@ -47,3 +56,6 @@ jobs:
       qemu_version: ${{ inputs.qemu_version }}
       latest: ${{ inputs.latest }}
       dry-run: ${{ inputs.dry-run }}
+    secrets:
+      DOCKERIO_USERNAME: ${{ secrets.DOCKERIO_USERNAME }}
+      DOCKERIO_PASSWORD: ${{ secrets.DOCKERIO_PASSWORD }}
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -0,0 +1,26 @@
+name: zizmor
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - master
+  pull_request:
+
+jobs:
+  run:
+    uses: crazy-max/.github/.github/workflows/zizmor.yml@64a0bfaf6e6bb1c448d6e4c42b11034ee7094f16 # v1.7.1
+    permissions:
+      contents: read
+      security-events: write
+    with:
+      min-severity: medium
+      min-confidence: medium
+      persona: pedantic
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
@@ -0,0 +1,6 @@
+rules:
+  # This rule does not model reusable workflows correctly. Their effective
+  # permissions are determined by the caller and can only be downgraded.
+  excessive-permissions:
+    ignore:
+      - .build.yml