From bd1ef86fc4b3ffb86b250ba9c5b5fa5107ddaa18 Mon Sep 17 00:00:00 2001 From: Pierre Sassoulas Date: Tue, 13 Jan 2026 15:52:08 +0100 Subject: [PATCH 1/8] [pre-commit zizmor] Make zizmor output legible in pre-commit.ci --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 145a47264f2..578de71800f 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -16,7 +16,7 @@ repos: rev: v1.19.0 hooks: - id: zizmor - args: ["--fix"] + args: ["--fix", "--no-progress"] - repo: https://github.com/adamchainz/blacken-docs rev: 1.20.0 hooks: From 8e821d6e17daac3dd4a94f0497f5363d70439123 Mon Sep 17 00:00:00 2001 From: Pierre Sassoulas Date: Tue, 13 Jan 2026 15:48:38 +0100 Subject: [PATCH 2/8] [zizmor] Set 'actions/setup-python''s version by hash --- .github/workflows/deploy.yml | 2 +- .github/workflows/doc-check-links.yml | 2 +- .github/workflows/prepare-release-pr.yml | 2 +- .github/workflows/test.yml | 2 +- .github/workflows/update-plugin-list.yml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index ef94adcffce..7374e3f7d96 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -48,7 +48,7 @@ jobs: persist-credentials: false - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 with: python-version: "3.13" diff --git a/.github/workflows/doc-check-links.yml b/.github/workflows/doc-check-links.yml index 6d31b9903c1..912630e0441 100644 --- a/.github/workflows/doc-check-links.yml +++ b/.github/workflows/doc-check-links.yml @@ -23,7 +23,7 @@ jobs: persist-credentials: false - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 with: python-version: "3.13" cache: pip 
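Review bot: The new `--no-progress` flag in the zizmor hook's `args` carries no comment saying why it is there, so a later tidy-up of that line could drop it without anyone noticing the effect. The reason currently lives only in the commit subject (legible output in pre-commit.ci). I would record it next to the flag, for example `# --no-progress: keep zizmor output legible in pre-commit.ci logs` on the line above `args:`.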
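Review bot: Nothing in the `deploy.yml` hunk ties the 40-character ref on the new `uses: actions/setup-python@…` line to the `# v6.1.0` comment beside it, so the pin is only as trustworthy as a check that this commit is what the upstream `v6.1.0` tag points to. GitHub also resolves a SHA that exists only in a fork of the action's repository, so the check should confirm the commit is reachable in `actions/setup-python` itself. zizmor's `impostor-commit` audit covers this when it has GitHub API access, which a plain pre-commit run may not have. The same applies to every other pin in this series (checkout, download-artifact, upload-artifact, stale, cache). Hash pins also stop picking up fixes on their own, and no updater config is visible in this patch, so I would confirm that something like a Dependabot `package-ecosystem: "github-actions"` entry rewrites hash and comment together.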
diff --git a/.github/workflows/prepare-release-pr.yml b/.github/workflows/prepare-release-pr.yml index 715392e1b01..891ae6a6e3e 100644 --- a/.github/workflows/prepare-release-pr.yml +++ b/.github/workflows/prepare-release-pr.yml @@ -34,7 +34,7 @@ jobs: persist-credentials: true - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 with: python-version: "3.13" diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 133e9991f70..8dc2dccaa9d 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -263,7 +263,7 @@ jobs: path: dist - name: Set up Python ${{ matrix.python }} - uses: actions/setup-python@v6 + uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 with: python-version: ${{ matrix.python }} check-latest: true diff --git a/.github/workflows/update-plugin-list.yml b/.github/workflows/update-plugin-list.yml index 7c02a7c95eb..9eb8b9c1861 100644 --- a/.github/workflows/update-plugin-list.yml +++ b/.github/workflows/update-plugin-list.yml @@ -26,7 +26,7 @@ jobs: persist-credentials: false - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 with: python-version: "3.13" From 40a5007721d1fc9db93fc40ec5118383ec0ccd27 Mon Sep 17 00:00:00 2001 From: Pierre Sassoulas Date: Tue, 13 Jan 2026 15:55:45 +0100 Subject: [PATCH 3/8] [zizmor] Set 'actions/checkout''s version by hash --- .github/workflows/deploy.yml | 6 +++--- .github/workflows/doc-check-links.yml | 2 +- .github/workflows/prepare-release-pr.yml | 2 +- .github/workflows/test.yml | 4 ++-- .github/workflows/update-plugin-list.yml | 2 +- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 7374e3f7d96..812c27cb916 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml 
@@ -25,7 +25,7 @@ jobs: attestations: write steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: fetch-depth: 0 persist-credentials: false @@ -42,7 +42,7 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: fetch-depth: 0 persist-credentials: false @@ -99,7 +99,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: fetch-depth: 0 persist-credentials: true diff --git a/.github/workflows/doc-check-links.yml b/.github/workflows/doc-check-links.yml index 912630e0441..029b4dc699f 100644 --- a/.github/workflows/doc-check-links.yml +++ b/.github/workflows/doc-check-links.yml @@ -17,7 +17,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: fetch-depth: 0 persist-credentials: false diff --git a/.github/workflows/prepare-release-pr.yml b/.github/workflows/prepare-release-pr.yml index 891ae6a6e3e..1c0e869a512 100644 --- a/.github/workflows/prepare-release-pr.yml +++ b/.github/workflows/prepare-release-pr.yml @@ -27,7 +27,7 @@ jobs: pull-requests: write steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: fetch-depth: 0 # persist-credentials is needed in order for us to push the release branch. diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 8dc2dccaa9d..284de5a807b 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -37,7 +37,7 @@ jobs: package: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: fetch-depth: 0 persist-credentials: false 
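Review bot: In the third `deploy.yml` hunk (`@@ -99,7`), the re-pinned checkout keeps `persist-credentials: true` in a job that holds `contents: write`, with no comment explaining it. The token therefore remains available to git for every later step of that job. `prepare-release-pr.yml` documents the same setting in its own hunk ("persist-credentials is needed in order for us to push the release branch"). I would add the equivalent here, e.g. `# persist-credentials is needed so this job can push — confirm what it pushes`, or set it to `false` if no later step pushes. The rest of the job is outside the hunk, so whether a push actually happens is not visible from here.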
@@ -251,7 +251,7 @@ jobs: continue-on-error: ${{ matrix.xfail && true || false }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: fetch-depth: 0 persist-credentials: false diff --git a/.github/workflows/update-plugin-list.yml b/.github/workflows/update-plugin-list.yml index 9eb8b9c1861..d86b4d39aef 100644 --- a/.github/workflows/update-plugin-list.yml +++ b/.github/workflows/update-plugin-list.yml @@ -20,7 +20,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: fetch-depth: 0 persist-credentials: false From 69f9cc458ae374a7a0ca6608124f78faabb18a15 Mon Sep 17 00:00:00 2001 From: Pierre Sassoulas Date: Tue, 13 Jan 2026 15:57:13 +0100 Subject: [PATCH 4/8] [zizmor] Set 'actions/download-artifact''s version by hash --- .github/workflows/deploy.yml | 6 +++--- .github/workflows/test.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 812c27cb916..51ff1995955 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -82,7 +82,7 @@ jobs: id-token: write steps: - name: Download Package - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: name: Packages path: dist @@ -121,13 +121,13 @@ jobs: contents: write steps: - name: Download Package - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: name: Packages path: dist - name: Download release notes - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: name: release-notes path: . diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 284de5a807b..d9dca4964ae 100644 --- a/.github/workflows/test.yml 
+++ b/.github/workflows/test.yml @@ -257,7 +257,7 @@ jobs: persist-credentials: false - name: Download Package - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: name: Packages path: dist From a7b745c914dc159b6c9f93cfe51608aa6be619d0 Mon Sep 17 00:00:00 2001 From: Pierre Sassoulas Date: Tue, 13 Jan 2026 15:58:17 +0100 Subject: [PATCH 5/8] [zizmor] Set 'actions/upload-artifact''s version by hash --- .github/workflows/deploy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 51ff1995955..be0519a16e2 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -64,7 +64,7 @@ jobs: tox -e generate-gh-release-notes -- "$VERSION" gh-release-notes.md - name: Upload release notes - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: release-notes path: gh-release-notes.md From 9debe0013a904b67c5119470b3a27425f1189e5c Mon Sep 17 00:00:00 2001 From: Pierre Sassoulas Date: Tue, 13 Jan 2026 15:59:47 +0100 Subject: [PATCH 6/8] [zizmor] Set 'actions/stale''s version by hash --- .github/workflows/stale.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index aeac36cea60..82178a67594 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -10,7 +10,7 @@ jobs: permissions: issues: write steps: - - uses: actions/stale@v10 + - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10.1.0 with: debug-only: false days-before-issue-stale: 14 From 1e601c3b37d0e7418007df4a7f26c55eac314153 Mon Sep 17 00:00:00 2001 
From: Pierre Sassoulas Date: Tue, 13 Jan 2026 16:00:38 +0100 Subject: [PATCH 7/8] [zizmor] Set 'actions/cache''s version by hash --- .github/workflows/update-plugin-list.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/update-plugin-list.yml b/.github/workflows/update-plugin-list.yml index d86b4d39aef..bc1e1dd5923 100644 --- a/.github/workflows/update-plugin-list.yml +++ b/.github/workflows/update-plugin-list.yml @@ -31,7 +31,7 @@ jobs: python-version: "3.13" - name: requests-cache - uses: actions/cache@v5 + uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: path: ~/.cache/pytest-plugin-list/ key: plugins-http-cache-${{ github.run_id }} # Can use time based key as well From 0839504708c5b8dbae0ca38c8d920ceabd1c09a0 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 12 Jan 2026 21:03:30 +0000 Subject: [PATCH 8/8] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/astral-sh/ruff-pre-commit: v0.14.10 → v0.14.11](https://github.com/astral-sh/ruff-pre-commit/compare/v0.14.10...v0.14.11) - [github.com/woodruffw/zizmor-pre-commit: v1.19.0 → v1.20.0](https://github.com/woodruffw/zizmor-pre-commit/compare/v1.19.0...v1.20.0) - [github.com/RobertCraigie/pyright-python: v1.1.407 → v1.1.408](https://github.com/RobertCraigie/pyright-python/compare/v1.1.407...v1.1.408) --- .pre-commit-config.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 578de71800f..b6ac238aca8 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,7 +1,7 @@ minimum_pre_commit_version: "4.4.0" repos: - repo: https://github.com/astral-sh/ruff-pre-commit - rev: "v0.14.10" + rev: "v0.14.11" hooks: - id: ruff-check args: ["--fix"] 
@@ -13,7 +13,7 @@ repos: - id: end-of-file-fixer - id: check-yaml - repo: https://github.com/woodruffw/zizmor-pre-commit - rev: v1.19.0 + rev: v1.20.0 hooks: - id: zizmor args: ["--fix", "--no-progress"] @@ -50,7 +50,7 @@ repos: # on <3.11 - exceptiongroup>=1.0.0rc8 - repo: https://github.com/RobertCraigie/pyright-python - rev: v1.1.407 + rev: v1.1.408 hooks: - id: pyright files: ^(src/|scripts/)