Harden GHA

[GabrielBianconi]

Note

Medium Risk
Workflow changes adjust permissions, concurrency, and action versions, which can impact CI/benchmark execution and merge-queue behavior if misconfigured.

Overview
Hardens GitHub Actions execution. Existing CI and Benchmark workflows now use workflow-level concurrency, least-privilege permissions, and SHA-pinned actions (with persist-credentials: false on checkout).

Adds security enforcement. Introduces a new security workflow that runs pinact (fails on unpinned uses:) and zizmor (uploads SARIF to code scanning), plus a final gate job that treats skips as failures in merge queue.

Adds .github/zizmor.yml to tune zizmor rules/ignores to avoid duplicate findings with pinact and document intentional exceptions (e.g., dtolnay/rust-toolchain and unpinned Postgres image).

^{Reviewed by Cursor Bugbot for commit 36b59fc. Bugbot is set up for automated code reviews on this repo. Configure here.}

[tensorzero-cla-bot]

✅ All contributors to this pull request have signed the TensorZero CLA. Thank you!

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ad3033f620

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[GabrielBianconi]

I have read the Contributor License Agreement (CLA) and hereby sign the CLA.

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 80d1a9cd92

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 80d1a9c. Configure here.}