pendulum-project · bjorn3 · Mar 3, 2026 · Mar 3, 2026 · Mar 3, 2026 · Mar 3, 2026
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -8,6 +8,8 @@ updates:
   groups:
     github-actions:
       patterns: ["*"]
+  cooldown:
+    default-days: 7
 
 - package-ecosystem: cargo
   directories: ["/", "/fuzz/"]
@@ -20,3 +22,5 @@ updates:
   groups:
     cargo:
       patterns: ["*"]
+  cooldown:
+    default-days: 7
diff --git a/.github/workflows/add-prs-to-project.yaml b/.github/workflows/add-prs-to-project.yaml
@@ -1,6 +1,8 @@
 name: Add issues to nts-pool project
 
-on:
+permissions: {}
+
+on: # zizmor: ignore[dangerous-triggers] can't do anything other than write to projects
   pull_request_target:
     types:
       - opened
@@ -15,4 +17,4 @@ jobs:
           # You can target a project in a different organization
           # to the issue
           project-url: https://github.com/orgs/pendulum-project/projects/6
-          github-token: ${{ secrets.PROJECT_WRITE_PAT }}
+          github-token: ${{ secrets.PROJECT_WRITE_PAT }} # only has write access to projects
diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml
@@ -1,7 +1,6 @@
 name: checks
 
-permissions:
-  contents: read
+permissions: {}
 
 on:
   push:
@@ -324,6 +323,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
       - uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979
         with:
           arguments: --workspace --all-features

diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
@@ -1,18 +1,18 @@
 name: docker
 
 permissions:
-  contents: read
   packages: write
 
 on:
-  workflow_call: {}
   workflow_dispatch: {}
 
 jobs:
   Build:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
         id: setup-buildx

diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
@@ -1,10 +1,6 @@
 name: docs
 
-permissions:
-  actions: read
-  contents: read
-  pages: write
-  id-token: write
+permissions: {}
 
 on:
   push:
@@ -21,6 +17,8 @@ jobs:
     steps:
       - name: Checkout sources
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
 
       - name: Build site
         run: utils/mkdocs.sh --no-bind-port build
@@ -31,6 +29,9 @@ jobs:
           path: target/docs/site
 
   deploy:
+    permissions:
+      pages: write
+      id-token: write
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}

diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml
@@ -1,7 +1,6 @@
 name: nightly
 
-permissions:
-  contents: read
+permissions: {}
 
 on:
   push:
@@ -20,6 +19,8 @@ jobs:
     timeout-minutes: 45
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
       - name: test on freebsd
         uses: vmactions/freebsd-vm@c9f815bc7aa0d34c9fdd0619b034a32d6ca7b57e
         with:

diff --git a/.github/workflows/packaging.yaml b/.github/workflows/packaging.yaml
@@ -1,7 +1,6 @@
 name: packaging
 
-permissions:
-  contents: read
+permissions: {}
 
 on:
   push:
@@ -21,10 +20,8 @@ jobs:
           - i686-unknown-linux-gnu
     steps:
       - name: Setup packaging tools for cross compiled artifacts
-        uses: awalsh128/cache-apt-pkgs-action@acb598e5ddbc6f68a970c5da0688d2f3a9f04d05 # v1.6.0
-        with:
-          packages: musl-tools qemu-user-static crossbuild-essential-armhf crossbuild-essential-arm64 crossbuild-essential-i386
-          version: 1
+        run: |
+          sudo apt install --update musl-tools qemu-user-static crossbuild-essential-armhf crossbuild-essential-arm64 crossbuild-essential-i386
 
       - name: Install toolchain
         uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9
@@ -39,6 +36,8 @@ jobs:
 
       - name: Checkout sources
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
 
       - name: Build the release binaries
         run: RELEASE_TARGETS="${{ matrix.target }}" utils/build-release.sh
@@ -85,6 +84,8 @@ jobs:
     steps:
       - name: Checkout sources
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Download artifacts
         uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
@@ -99,17 +100,16 @@ jobs:
           components: "llvm-tools"
 
       - name: Check that the release commit is verified
+        env:
+          GH_TOKEN: ${{ github.token }}
         run: |
-          commit_url="${{ github.api_url }}/repos/${{ github.repository }}/commits/${{ github.sha }}"
-          json_accept_header="Accept: application/vnd.github+json"
-          auth_bearer_header="Authorization: Bearer ${{ github.token }}"
-          test "$(curl -sf -H "$json_accept_header" -H "$auth_bearer_header" "$commit_url" | jq .commit.verification.verified)" == "true"
+          test "$(gh api "repos/${{ github.repository }}/commits/${{ github.sha }}" --jq .commit.verification.verified)" == "true"
 
       - name: Read the version from the manifest file
         run: echo "release_version=$(cargo read-manifest --manifest-path ntpd/Cargo.toml | jq -r .version)" >> "$GITHUB_ENV"
 
       - name: Version in Cargo.toml must match the branch name
-        run: test "release/$release_version" == "${{ github.ref_name }}"
+        run: test "release/$release_version" == "${{ github.ref_name }}" # zizmor: ignore[template-injection] attacker can't push to arbitrary branch on our repo
 
       - name: Ensure there is not already a released tag with a non-draft release
         run: test "$(gh release view "v$release_version" --json isDraft --jq .isDraft 2>/dev/null || echo "true")" == "true"
@@ -124,21 +124,14 @@ jobs:
           release_notes_body="${release_notes_body%"${release_notes_body##*[![:space:]]}"}"
           release_notes_version="$(echo "$release_notes_header" | cut -d' ' -f2 | sed 's/[][]//g')"
           echo "Found version '$release_notes_version' in release notes"
-          test "$release_notes_version" == "${{ env.release_version }}"
-          {
-            echo "release_notes_body<<RELEASE_NOTES_EOF"
-            echo "$release_notes_body"
-            echo RELEASE_NOTES_EOF
-          } >> "$GITHUB_ENV"
-
-      - name: Create a draft release
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
-        with:
-          draft: true
-          fail_on_unmatched_files: true
-          tag_name: "v${{ env.release_version }}"
-          target_commitish: "${{ github.sha }}"
-          name: "Version ${{ env.release_version }}"
-          files: target/pkg/*
-          body: "${{ env.release_notes_body }}"
+          test "$release_notes_version" == "${release_version}"
+          echo "$release_notes_body" > release_notes.md
 
+      - name: Create release
-      - name: Create release
+      - name: Create a draft release
-      - name: Create release
+      - name: Create a draft release
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh release create "v${release_version}" --draft \
+            --target "${{ github.sha }}" \
+            --title "Version ${release_version}" \
+            --notes-file release_notes.md target/pkg/*
diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml
@@ -11,7 +11,7 @@ on:
     branches: [ "main" ]
 
 # Declare default permissions as read only.
-permissions: read-all
+permissions: {}
 
 jobs:
   analysis:

diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml
@@ -0,0 +1,24 @@
+name: zizmor
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["**"]
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: Run zizmor
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
@@ -0,0 +1,5 @@
+rules:
+  cache-poisoning:
+    ignore:
+      - checks.yaml # this workflow doesn't produce any release artifacts
+      - docker.yaml # only executed by a maintainer and built images not used in production