From 0ce513840dd666ad335e2fd9aff06ef7ebf0e586 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 21:01:46 -0400
Subject: [PATCH 1/7] CI: pin actions by SHA

This eliminates the possibility of a tag being changed under us.
---
 .github/.github/workflows/lighthouse.yml | 2 +-
 .github/.github/workflows/pre-commit.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/.github/workflows/lighthouse.yml b/.github/.github/workflows/lighthouse.yml
index a766f75..e5425d9 100644
--- a/.github/.github/workflows/lighthouse.yml
+++ b/.github/.github/workflows/lighthouse.yml
@@ -22,7 +22,7 @@ jobs:
 make html
 - name: Run Lighthouse against example docs build
- uses: treosh/lighthouse-ci-action@v2
+ uses: treosh/lighthouse-ci-action@005e1277a8a17ea0b0ef6c3332d59a7cd0f730ce # v2
 with:
 configPath: "./lighthouserc.json"
 temporaryPublicStorage: true
diff --git a/.github/.github/workflows/pre-commit.yaml b/.github/.github/workflows/pre-commit.yaml
index 82e8821..32642a4 100644
--- a/.github/.github/workflows/pre-commit.yaml
+++ b/.github/.github/workflows/pre-commit.yaml
@@ -13,4 +13,4 @@ jobs:
 steps:
 - uses: actions/checkout@v2
 - uses: actions/setup-python@v2
- - uses: pre-commit/action@v2.0.0
+ - uses: pre-commit/action@0764670bf370aab253130d534e1eda7ff497dc60 # v2.0.0
From 20e80a8c712892beb7617da94cdc98bd0959a423 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 21:08:15 -0400
Subject: [PATCH 2/7] BLD: add dist folder to gitignore

---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitignore b/.gitignore
index bacf9c1..2d088b1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 /mpl_sphinx_theme.egg-info/
 /mpl_sphinx_theme/__pycache__/
 build
+dist
\ No newline at end of file
From 94873a30ed30a58bfe5a488881f1725ea7ccef0c Mon Sep 17 00:00:00 2001
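Review bot: The file pinned here, like every file this series touches except lint.yml and release.yml, sits under `.github/.github/workflows/` (or `.github/.githubold/workflows/` in PATCH 4), and as far as I know GitHub Actions only loads workflows from `.github/workflows/` at the repository root, so the SHA pins and permission restrictions added in PATCHes 1, 3, 4, 5 and 6 would land in files that never run while the two workflows that do run leave PATCH 7 unchanged. Worth confirming whether the nested directory is an archived copy; if so, deleting it or moving its workflows to `.github/workflows/` is what makes this hardening effective. If the copies are kept on purpose, a one-line comment at the top of each, e.g. `# NOTE: not executed by GitHub Actions (nested .github directory); kept for reference only`, saves the next reader the same detour.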
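Review bot: `- uses: actions/checkout@v2` and `- uses: actions/setup-python@v2` in the pre-commit.yaml hunk are still referenced by mutable tag, so the subject's goal of eliminating tags that can be moved under us is only met for pre-commit/action here; the same holds for `actions/checkout@v1` and `actions/setup-python@v1` in lighthouse.yml and publish-pypi.yml, visible as context in the PATCH 5 hunks. Pinning them the same way, `- uses: actions/checkout@<commit-sha> # <version>`, keeps the rule uniform and is also the occasion to leave the v1/v2 majors, which as far as I recall run on end-of-life Node runtimes. A Dependabot `github-actions` entry would keep the SHA pins and their version comments current once they are all in place.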
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 22:03:05 -0400
Subject: [PATCH 3/7] CI: pin actions by SHA

This eliminates the possibility of a tag being changed under us.
---
 .github/.github/workflows/publish-pypi.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/.github/workflows/publish-pypi.yml b/.github/.github/workflows/publish-pypi.yml
index 78cbfe6..795af68 100644
--- a/.github/.github/workflows/publish-pypi.yml
+++ b/.github/.github/workflows/publish-pypi.yml
@@ -29,7 +29,7 @@ jobs:
 python setup.py sdist bdist_wheel
 - name: Publish mpl-sphinx-theme
- uses: pypa/gh-action-pypi-publish@master
+ uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
 with:
 user: __token__
 password: ${{ secrets.pypi_token }}
From c982fb9cf578520ceac80da93a32e5b9da3db96e Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 22:53:38 -0400
Subject: [PATCH 4/7] CI: pin actions by SHA

This eliminates the possibility of a tag being changed under us.
---
 .github/.githubold/workflows/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/.githubold/workflows/main.yml b/.github/.githubold/workflows/main.yml
index c6864b5..94d61c5 100644
--- a/.github/.githubold/workflows/main.yml
+++ b/.github/.githubold/workflows/main.yml
@@ -5,7 +5,7 @@ jobs:
 name: Run CircleCI artifacts redirector
 steps:
 - name: GitHub Action step
- uses: larsoner/circleci-artifacts-redirector-action@master
+ uses: scientific-python/circleci-artifacts-redirector-action@7eafdb60666f57706a5525a2f5eb76224dc8779b # v1.1.0
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 artifact-path: 0/docs/_build/html/index.html
From 425faac2a912f24fcb338d42733b6b03ced9fd8d Mon Sep 17 00:00:00 2001
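Review bot: The publish step still authenticates with `user: __token__` and `password: ${{ secrets.pypi_token }}`, a long-lived API token held as a repository secret, whereas the release this hunk pins (v1.12.4) supports PyPI trusted publishing over OIDC. PATCH 6 later grants the job `id-token: write`, but as far as I know the action only takes the OIDC path when no `password` is supplied, so the two commits together leave the OIDC grant unused and the token still live. Either drop the `user:`/`password:` lines and register this workflow as a trusted publisher on PyPI, or keep the token and do not grant `id-token: write`; carrying both halves is the worst of the two.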
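Review bot: Besides the pin, the main.yml hunk changes the action's source from `larsoner/circleci-artifacts-redirector-action` to `scientific-python/circleci-artifacts-redirector-action`, which the subject line "pin actions by SHA" does not convey. A pin whose target repository moves in the same change is exactly the case where a reviewer wants the verification spelled out; a sentence in the commit message saying the action was transferred and that `7eafdb6…` was checked against the `v1.1.0` tag in the new repository lets the pin be audited rather than trusted.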
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 23:06:09 -0400
Subject: [PATCH 5/7] CI: auto-fix via zizmor

May include:
- Avoids risky string interpolation.
- Prevents checkout premissions from leaking
---
 .github/.github/workflows/lighthouse.yml | 2 ++
 .github/.github/workflows/pre-commit.yaml | 2 ++
 .github/.github/workflows/publish-pypi.yml | 2 ++
 3 files changed, 6 insertions(+)

diff --git a/.github/.github/workflows/lighthouse.yml b/.github/.github/workflows/lighthouse.yml
index e5425d9..1b23fb6 100644
--- a/.github/.github/workflows/lighthouse.yml
+++ b/.github/.github/workflows/lighthouse.yml
@@ -5,6 +5,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v1
+ with:
+ persist-credentials: false
 - name: Set up Python 3.7
 uses: actions/setup-python@v1
diff --git a/.github/.github/workflows/pre-commit.yaml b/.github/.github/workflows/pre-commit.yaml
index 32642a4..97d6ffb 100644
--- a/.github/.github/workflows/pre-commit.yaml
+++ b/.github/.github/workflows/pre-commit.yaml
@@ -12,5 +12,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v2
 - uses: pre-commit/action@0764670bf370aab253130d534e1eda7ff497dc60 # v2.0.0
diff --git a/.github/.github/workflows/publish-pypi.yml b/.github/.github/workflows/publish-pypi.yml
index 795af68..01ccd50 100644
--- a/.github/.github/workflows/publish-pypi.yml
+++ b/.github/.github/workflows/publish-pypi.yml
@@ -12,6 +12,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v1
+ with:
+ persist-credentials: false
 - name: Set up Python 3.7
 uses: actions/setup-python@v1
From a399e834fdccf85fb7fc3ba2ad024aa1ffd7cf51 Mon Sep 17 00:00:00 2001
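Review bot: `persist-credentials: false` is added under `actions/checkout@v1` in the lighthouse.yml hunk and again in the publish-pypi.yml hunk, but as far as I recall that input only exists from checkout v2 onwards, so on v1 it is most likely reported as an unexpected input and ignored, and the credential persistence zizmor flagged would remain. The pre-commit.yaml hunk, whose checkout is v2, should honour it. Moving those two steps to a SHA-pinned current checkout release, `- uses: actions/checkout@<commit-sha> # <version>`, makes the new `with:` block effective; the run log of the next execution ("Unexpected input(s)" warning present or absent) confirms it either way.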
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 23:25:44 -0400
Subject: [PATCH 6/7] CI: Restrict default permissions

Reduces risk of arbitrary code is run by attacker.
---
 .github/.github/workflows/lighthouse.yml | 2 ++
 .github/.github/workflows/pre-commit.yaml | 2 ++
 .github/.github/workflows/publish-pypi.yml | 7 ++++++-
 .github/workflows/lint.yml | 2 ++
 .github/workflows/release.yml | 2 ++
 5 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/.github/.github/workflows/lighthouse.yml b/.github/.github/workflows/lighthouse.yml
index 1b23fb6..119ca82 100644
--- a/.github/.github/workflows/lighthouse.yml
+++ b/.github/.github/workflows/lighthouse.yml
@@ -1,4 +1,6 @@
 name: Lighthouse
+permissions:
+ contents: read
 on: [push, pull_request]
 jobs:
 CI:
diff --git a/.github/.github/workflows/pre-commit.yaml b/.github/.github/workflows/pre-commit.yaml
index 97d6ffb..3370c9b 100644
--- a/.github/.github/workflows/pre-commit.yaml
+++ b/.github/.github/workflows/pre-commit.yaml
@@ -1,4 +1,6 @@
 name: Linting
+permissions:
+ contents: read
 on:
 push:
diff --git a/.github/.github/workflows/publish-pypi.yml b/.github/.github/workflows/publish-pypi.yml
index 01ccd50..1009f57 100644
--- a/.github/.github/workflows/publish-pypi.yml
+++ b/.github/.github/workflows/publish-pypi.yml
@@ -1,4 +1,6 @@
 name: Push to PyPI
+permissions:
+ contents: read
 on:
 push:
@@ -8,7 +10,10 @@ on:
 jobs:
 publish:
 runs-on: ubuntu-latest
-
+ permissions:
+ id-token: write
+ attestations: write
+ contents: read
 steps:
 - name: Checkout
 uses: actions/checkout@v1
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index c940c0c..5150bb6 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,6 +1,8 @@
 ---
 name: Linting
+permissions:
+ contents: read
 on: [pull_request]
 permissions:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 249ecf3..a344e08 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
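Review bot: The `permissions:` inserted into lint.yml sits two context lines above an existing top-level `permissions:` key, so this hunk yields a duplicate mapping key (the release.yml hunk does the same), which is what PATCH 7 backs out again. What neither hunk shows is the body of that pre-existing block; since the stated intent of this commit is to cap the default token at `contents: read`, it is worth checking that the existing block in both live workflows is no broader than that, and if it is, editing it in place rather than adding a second key.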
@@ -1,6 +1,8 @@
 ---
 name: Release
+permissions:
+ contents: read
 on:
 release:
 types:
From 9ed6f033d124589bbe5f9a632ff16624b7ab9a92 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Fri, 18 Jul 2025 15:31:35 -0400
Subject: [PATCH 7/7] CI: remove permissions that break syntax

---
 .github/workflows/lint.yml | 2 --
 .github/workflows/release.yml | 2 --
 2 files changed, 4 deletions(-)

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 5150bb6..c940c0c 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,8 +1,6 @@
 ---
 name: Linting
-permissions:
- contents: read
 on: [pull_request]
 permissions:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a344e08..249ecf3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,8 +1,6 @@
 ---
 name: Release
-permissions:
- contents: read
 on:
 release:
 types: