fix(ci): resolve all zizmor findings and add zizmor pre-commit checks

.github/actions/build-and-publish-image/action.yml

@@ -115,10 +115,11 @@ runs:
       env:
         arch: ${{ inputs.arch }}
         push: ${{ inputs.push }}
+        STEPS_BUILD_OUTPUTS_DIGEST: ${{ steps.build.outputs.digest }}
       shell: bash --noprofile --norc -eo pipefail {0}
       run: |
         if test "${push}" = true; then
-          echo "${arch}=${{ steps.build.outputs.digest }}" >> "$GITHUB_OUTPUT";
+          echo "${arch}=${STEPS_BUILD_OUTPUTS_DIGEST}" >> "$GITHUB_OUTPUT";
         else
           echo "${arch}=" >> "$GITHUB_OUTPUT";
         fi

.github/actions/free-disk-space/action.yml

@@ -25,7 +25,9 @@ runs:
           /usr/share/dotnet \
           /usr/local/lib/android \
           /home/linuxbrew/.linuxbrew \
-          ${{ inputs.tool_cache }}/CodeQL
+          ${INPUTS_TOOL_CACHE}/CodeQL
         docker rmi $(docker image ls -aq) || true
         df -h
         docker images
+      env:
+        INPUTS_TOOL_CACHE: ${{ inputs.tool_cache }}

.github/actions/get-pr-info/action.yml

@@ -17,7 +17,7 @@ runs:
       id: get-pull-request
       with:
         retries: 3
-        script: |
+        script: | # zizmor: ignore[template-injection]
           return (
             await github.rest.pulls.get({
               repo: context.repo.repo,

.github/workflows/build-and-push-image.yml

@@ -54,14 +54,17 @@ on:
         type: boolean
         required: false
         description: "Generate sccache and sccache-dist credentials"
+    secrets:
+      SCCACHE_GH_PAT:
+        required: false
 
 permissions:
   actions: none
   checks: none
   contents: none
   deployments: none
   discussions: none
-  id-token: write
+  id-token: none
   issues: none
   packages: write
   pages: none
@@ -91,7 +94,7 @@ jobs:
         shell: bash --noprofile --norc -eo pipefail {0}
         env:
           CUDA: "${{ inputs.cuda }}"
-        run: |
+        run: | # zizmor: ignore[template-injection]
           echo "${{ toJSON(runner) }}";
           echo "CUDA_VERSION_MAJOR=$(cut -d'.' -f1 <<< "${CUDA}")" >> "$GITHUB_ENV"
           echo "CUDA_VERSION_MINOR=$(cut -d'.' -f2 <<< "${CUDA}")" >> "$GITHUB_ENV"
@@ -110,7 +113,9 @@ jobs:
         shell: bash --noprofile --norc -eo pipefail {0}
         run: |
           sudo apt update && sudo apt install -y --no-install-recommends jq git-lfs
-          # sudo sed -ri "s@$HOME@${{ runner.workspace }}@g" /etc/passwd
+        env:
+          RUNNER_WORKSPACE: ${{ runner.workspace }}
+          # sudo sed -ri "s@$HOME@${RUNNER_WORKSPACE}@g" /etc/passwd
           # sudo chown -R $(id -u):$(id -g) "${{ runner.workspace }}"
           # echo "HOME=${{ runner.workspace }}" >> "$GITHUB_ENV"
 
@@ -119,6 +124,7 @@ jobs:
         with:
           lfs: true
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Checkout LFS
         shell: bash --noprofile --norc -eo pipefail {0}
@@ -264,11 +270,13 @@ jobs:
         shell: bash --noprofile --norc -eo pipefail {0}
         env:
           ARCH: ${{ matrix.ARCH }}
+          STEPS_BUILD_OUTPUTS_DIGEST_AMD64: ${{ steps.build.outputs.digest_amd64 }}
+          STEPS_BUILD_OUTPUTS_DIGEST_ARM64: ${{ steps.build.outputs.digest_arm64 }}
         run: |
           if [[ "${ARCH}" == amd64 ]]; then
-            DIGEST="${{ steps.build.outputs.digest_amd64 }}"
+            DIGEST="${STEPS_BUILD_OUTPUTS_DIGEST_AMD64}"
           else
-            DIGEST="${{ steps.build.outputs.digest_arm64 }}"
+            DIGEST="${STEPS_BUILD_OUTPUTS_DIGEST_ARM64}"
           fi
           cat <<EOF >> "$GITHUB_OUTPUT"
           ${ARCH}={"digest":"${DIGEST}","name":"${IMAGE_NAME}","repo":"${REPOSITORY}","tag":"${IMAGE_TAG}"}
@@ -297,7 +305,7 @@ jobs:
           ARM64: ${{ needs.build.outputs.arm64 }}
           REPO: ${{ fromJSON(needs.build.outputs.amd64).repo }}
           REPO_PREFIX: "${{ env.REGISTRY }}/${{ github.actor }}"
-        run: |
+        run: | # zizmor: ignore[template-injection]
           # Create the multiarch manifest
           docker buildx imagetools create --tag \
             "${{ fromJSON(env.AMD64).name }}" \

.github/workflows/docs.yaml

@@ -19,6 +19,8 @@ jobs:
     name: Update Docs
     runs-on: ubuntu-24.04
     container: node:24.14.1-trixie
+    permissions:
+      contents: write
     steps:
       - name: Checkout main
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

.github/workflows/main.pr.yml

@@ -5,11 +5,18 @@ on:
     branches:
       - 'pull-request/**'
 
-permissions:
-  contents: write
-  id-token: write
+permissions: {}
 
 jobs:
+  pre-commit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@3542bca2639a428e1796aaa6a2ffef0c0f575566 # v3.1.4
+      - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
+
   build-pull-request:
     name: Build pull request
     runs-on: ${{ fromJSON(github.repository != 'rapidsai/node' && '"ubuntu-latest"' || format('"linux-{0}-cpu16"', matrix.ARCH)) }}
@@ -26,12 +33,14 @@ jobs:
       DOCKER_BUILDKIT: "1"
       DOCKER_CLI_HINTS: "false"
       DOCKER_SCAN_SUGGEST: "false"
+    permissions:
+      contents: write
     steps:
       - name: Dump runner context
         shell: bash --noprofile --norc -eo pipefail {0}
         env:
           CUDA: "${{ matrix.CUDA }}"
-        run: |
+        run: | # zizmor: ignore[template-injection]
           echo "${{ toJSON(runner) }}"
           echo "CUDA_VERSION_MAJOR=$(cut -d'.' -f1 <<< "${CUDA}")" >> "$GITHUB_ENV"
           echo "CUDA_VERSION_MINOR=$(cut -d'.' -f2 <<< "${CUDA}")" >> "$GITHUB_ENV"
@@ -47,17 +56,20 @@ jobs:
       - name: Set up self-hosted runner
         if: runner.environment == 'self-hosted'
         shell: bash --noprofile --norc -eo pipefail {0}
+        env:
+          RUNNER_WORKSPACE: ${{ runner.workspace }}
         run: |
           sudo apt update && sudo apt install -y --no-install-recommends jq git-lfs
-          # sudo sed -ri "s@$HOME@${{ runner.workspace }}@g" /etc/passwd
-          # sudo chown -R $(id -u):$(id -g) "${{ runner.workspace }}"
-          # echo "HOME=${{ runner.workspace }}" >> $GITHUB_ENV
+          # sudo sed -ri "s@$HOME@${RUNNER_WORKSPACE}@g" /etc/passwd
+          # sudo chown -R $(id -u):$(id -g) "${RUNNER_WORKSPACE}"
+          # echo "HOME=${RUNNER_WORKSPACE}" >> $GITHUB_ENV
 
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           lfs: true
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Checkout LFS
         shell: bash --noprofile --norc -eo pipefail {0}

.github/workflows/merge.pr.yml

@@ -16,9 +16,9 @@ permissions:
   contents: none
   deployments: none
   discussions: none
-  id-token: write
+  id-token: none
   issues: none
-  packages: write
+  packages: write  # zizmor: ignore[excessive-permissions]
   pages: none
   pull-requests: none
   repository-projects: none
@@ -30,7 +30,8 @@ jobs:
   build-and-publish-devel-main-image:
     name: Build devel main image
     uses: ./.github/workflows/build-and-push-image.yml
-    secrets: inherit
+    secrets:
+      SC_CACHE_GHPAT: ${{ secrets.SC_CACHE_GHPAT }}
     strategy:
       fail-fast: true
       matrix:
@@ -50,7 +51,8 @@ jobs:
     needs:
       - build-and-publish-devel-main-image
     uses: ./.github/workflows/build-and-push-image.yml
-    secrets: inherit
+    secrets:
+      SC_CACHE_GHPAT: ${{ secrets.SC_CACHE_GHPAT }}
     strategy:
       fail-fast: true
       matrix:
@@ -73,7 +75,8 @@ jobs:
     needs:
       - build-and-publish-devel-main-image
     uses: ./.github/workflows/build-and-push-image.yml
-    secrets: inherit
+    secrets:
+      SC_CACHE_GHPAT: ${{ secrets.SC_CACHE_GHPAT }}
     strategy:
       fail-fast: true
       matrix:
@@ -93,7 +96,8 @@ jobs:
       - build-and-publish-devel-packages-image
       - build-and-publish-runtime-cuda-base-image
     uses: ./.github/workflows/build-and-push-image.yml
-    secrets: inherit
+    secrets:
+      SC_CACHE_GHPAT: ${{ secrets.SC_CACHE_GHPAT }}
     strategy:
       fail-fast: true
       matrix:
@@ -116,7 +120,8 @@ jobs:
       - build-and-publish-devel-packages-image
       - build-and-publish-runtime-cuda-base-image
     uses: ./.github/workflows/build-and-push-image.yml
-    secrets: inherit
+    secrets:
+      SC_CACHE_GHPAT: ${{ secrets.SC_CACHE_GHPAT }}
     strategy:
       fail-fast: true
       matrix:
@@ -139,7 +144,8 @@ jobs:
       - build-and-publish-devel-packages-image
       - build-and-publish-runtime-cuda-base-image
     uses: ./.github/workflows/build-and-push-image.yml
-    secrets: inherit
+    secrets:
+      SC_CACHE_GHPAT: ${{ secrets.SC_CACHE_GHPAT }}
     strategy:
       fail-fast: true
       matrix:
@@ -162,7 +168,8 @@ jobs:
       - build-and-publish-devel-packages-image
       - build-and-publish-runtime-cuda-base-image
     uses: ./.github/workflows/build-and-push-image.yml
-    secrets: inherit
+    secrets:
+      SC_CACHE_GHPAT: ${{ secrets.SC_CACHE_GHPAT }}
     strategy:
       fail-fast: true
       matrix:
@@ -185,7 +192,8 @@ jobs:
       - build-and-publish-devel-packages-image
       - build-and-publish-runtime-cuda-base-image
     uses: ./.github/workflows/build-and-push-image.yml
-    secrets: inherit
+    secrets:
+      SC_CACHE_GHPAT: ${{ secrets.SC_CACHE_GHPAT }}
     strategy:
       fail-fast: true
       matrix:
@@ -208,7 +216,8 @@ jobs:
       - build-and-publish-devel-packages-image
       - build-and-publish-runtime-cuda-base-image
     uses: ./.github/workflows/build-and-push-image.yml
-    secrets: inherit
+    secrets:
+      SC_CACHE_GHPAT: ${{ secrets.SC_CACHE_GHPAT }}
     strategy:
       fail-fast: true
       matrix:
@@ -233,7 +242,8 @@ jobs:
       - build-and-publish-devel-packages-image
       - build-and-publish-runtime-cuda-base-image
     uses: ./.github/workflows/build-and-push-image.yml
-    secrets: inherit
+    secrets:
+      SC_CACHE_GHPAT: ${{ secrets.SC_CACHE_GHPAT }}
     strategy:
       fail-fast: true
       matrix:

.github/workflows/release.yml

@@ -27,9 +27,7 @@ concurrency:
   group: release-${{ inputs.rapids-version }}
   cancel-in-progress: true
 
-permissions:
-  contents: write
-  id-token: write
+permissions: {}
 
 jobs:
 
@@ -43,6 +41,8 @@ jobs:
         ARCH: ["amd64", "arm64"]
         NODE: ["24.14.1"]
         LINUX: ["ubuntu24.04"]
+    permissions:
+      contents: write
     steps:
       - name: Extract node native addons
         shell: bash --noprofile --norc -eo pipefail {0}
@@ -78,14 +78,18 @@ jobs:
           name: rapidsai-native-addons
 
       - name: Create GitHub release
-        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
         if: ${{ inputs.make-release == true }}
-        with:
-          body: ""
-          files: build/*.node
-          tag_name: "v${{ env.RAPIDS }}"
-          repository: ${{ github.repository }}
-          draft: ${{ inputs.draft-release == true }}
+        env:
+          GH_TOKEN: ${{ github.token }}
+          DRAFT_RELEASE: ${{ inputs.draft-release }}
+          RAPIDS_VERSION: ${{ env.RAPIDS }}
+        run: |
+          EXTRA_RELEASE_ARGS=()
+          if [[ "${DRAFT_RELEASE}" == "true" ]]; then
+            EXTRA_RELEASE_ARGS+=("--draft")
+          fi
+
+          gh release create v$RAPIDS_VERSION build/*.node "${EXTRA_RELEASE_ARGS[@]}"
 
   publish-npm-packages:
     if: ${{ inputs.make-release == true && inputs.npm-publish == true }}

.github/zizmor.yml

@@ -0,0 +1,9 @@
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        # We require SHA-pinning for all workflows and actions _except_ for those from
+        # rapidsai/shared-workflows and rapidsai/shared-actions
+        "rapidsai/shared-workflows/*": any
+        "rapidsai/shared-actions/*": any
+        "*": hash-pin

.pre-commit-config.yaml

@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: Copyright (c) 2026, NVIDIA CORPORATION.
+# SPDX-License-Identifier: Apache-2.0
+
+repos:
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: v1.24.1
+    hooks:
+      - id: zizmor