
Provide GitHub Actions pinning #43

Open
lucperkins wants to merge 2 commits into main from actions-pinning

Conversation

@lucperkins lucperkins commented Jun 22, 2026

  • Decommission nixpkgs-fmt
  • Provide GitHub Actions pinning

Summary by CodeRabbit

  • Chores
    • Pinned GitHub Actions to specific commit SHAs for enhanced security.
    • Updated dependency management configuration with automated cooldown periods and filtering rules.
    • Migrated code formatting and linting tools to updated versions.
    • Refactored development environment configuration for improved consistency.

coderabbitai Bot commented Jun 22, 2026


📝 Walkthrough

Switches the Nix formatter from nixpkgs-fmt to nix-fmt (treefmt --ci with nixfmt-tree) across nix/check.nix, flake.nix, and CI. Hardens CI by pinning GitHub Actions to commit SHAs, introducing zizmor linting with a new config file, and updating Dependabot with cooldowns and a DeterminateSystems/* ignore rule.

Changes

CI Tooling and Security Hardening

Nix formatter switch: nixpkgs-fmt → nix-fmt
  Files: nix/check.nix, flake.nix, .github/workflows/ci.yml
  check-nixpkgs-fmt (running nixpkgs-fmt --check .) is replaced by check-nix-fmt (running treefmt --ci with nixfmt-tree). All other check commands in nix/check.nix are refactored to multiline writeShellApplication blocks. flake.nix devShell packages and the checks attribute set are rewired to reference check-nix-fmt, and the CI formatting step is updated accordingly.

CI security: action pinning, zizmor, and Dependabot config
  Files: .github/zizmor.yml, .github/workflows/ci.yml, .github/workflows/publish.yml, .github/dependabot.yml
  New .github/zizmor.yml requires DeterminateSystems/* actions to use ref-pin strategy. The Lints CI job pins actions/checkout to a commit SHA, disables credential persistence, and adds a zizmor linting step. publish.yml pins actions/checkout and rust-lang/crates-io-auth-action to commit SHAs. Dependabot gains cooldown (7 days) for both GitHub Actions and Cargo entries, a DeterminateSystems/* ignore rule, and a ci commit-message prefix.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 Hoppity-hop through the CI lane,
Pinned to a SHA, no version refrain!
treefmt --ci now checks all the nix,
zizmor keeps actions from sneaky old tricks.
Dependabot cools for a seven-day rest,
This bunny approves — these changes are best! 🌿

🚥 Pre-merge checks | ✅ 5 passed

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'Provide GitHub Actions pinning' directly describes the main objective of the PR, which is implementing GitHub Actions pinning across three workflow files. While the PR also decommissions nixpkgs-fmt, that is secondary to the primary GitHub Actions pinning work.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@lucperkins lucperkins enabled auto-merge June 22, 2026 19:12

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 26-29: Replace the floating `@main` references with immutable commit
SHAs for all three DeterminateSystems actions: nix-installer-action,
flakehub-cache-action, and flake-checker-action. For each action, change the
`@main` tag to a specific commit SHA (format `@abc123`...) to ensure reproducibility
and strengthen supply-chain integrity. Look up the current stable commit hash
for each action and apply it consistently across all three uses directives.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 37a9252a-40c0-4065-aa57-e027ad545da2

📥 Commits

Reviewing files that changed from the base of the PR and between a812ff2 and 560ed68.

⛔ Files ignored due to path filters (1)
  • flake.lock is excluded by !**/*.lock
📒 Files selected for processing (6)
  • .github/dependabot.yml
  • .github/workflows/ci.yml
  • .github/workflows/publish.yml
  • .github/zizmor.yml
  • flake.nix
  • nix/check.nix

Comment thread .github/workflows/ci.yml
Comment on lines 26 to 29
      - uses: DeterminateSystems/nix-installer-action@main
      - uses: DeterminateSystems/flakehub-cache-action@main
      - name: Check Nixpkgs input
        uses: DeterminateSystems/flake-checker-action@main


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# rg exits 1 when nothing matches, which would abort the script under set -e;
# '|| true' lets both checks run. The optional '-?' also catches `uses:` lines
# that follow a `- name:` entry and therefore carry no list dash of their own.
echo "== Non-SHA action refs =="
rg -nP '^\s*-?\s*uses:\s*[^@]+@(?![0-9a-f]{40}\b)' .github/workflows || true

# Single quotes: inside double quotes the backticks would run `@main` as a command.
echo '== Floating @main refs =='
rg -nP '^\s*-?\s*uses:\s*[^@]+@main\b' .github/workflows || true

Repository: DeterminateSystems/detsys-ids-client

Length of output: 482


🏁 Script executed:

cd .github/workflows && sed -n '24,32p' ci.yml

Repository: DeterminateSystems/detsys-ids-client

Length of output: 386


Pin DeterminateSystems actions to immutable commit SHAs.

Lines 26-29 still use floating @main refs for all three DeterminateSystems actions (nix-installer-action, flakehub-cache-action, and flake-checker-action), which weakens supply-chain integrity and reproducibility compared to SHA pinning.

Suggested change
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/flakehub-cache-action@main
+      - uses: DeterminateSystems/nix-installer-action@<40-char-commit-sha>
+      - uses: DeterminateSystems/flakehub-cache-action@<40-char-commit-sha>
       - name: Check Nixpkgs input
-        uses: DeterminateSystems/flake-checker-action@main
+        uses: DeterminateSystems/flake-checker-action@<40-char-commit-sha>
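Review bot: the three suggested SHA pins conflict with two other files changed in this same PR as the walkthrough describes them: `.github/zizmor.yml` puts `DeterminateSystems/*` under a ref-pin policy, and `.github/dependabot.yml` ignores `DeterminateSystems/*`, so the `@main` references on lines 26-29 read as a deliberate exemption that the new zizmor step will accept, not an oversight. Decide this once: either apply the pins and remove both exemptions so Dependabot can keep the SHAs current, or keep `@main` and record the reason next to the policy in `zizmor.yml` so the next review does not reopen it. Whichever is chosen, the `<40-char-commit-sha>` placeholders must be replaced with real commit SHAs before this suggestion is committed; as written the workflow would fail to resolve all three actions.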
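The walkthrough's zizmor/Dependabot summary and the inline comment above both turn on one distinction: a 40-hex commit SHA is an immutable pin, while a tag or branch such as `@main` is a mutable ref. The following Python script is an added example, not code from this PR, from detsys-ids-client or from CodeRabbit. It audits `uses:` lines against per-pattern pin policies, so the PR's actual decision (everything hash-pinned except `DeterminateSystems/*`, which may float on a ref) and the reviewer's stricter ask (SHAs everywhere) can both be expressed and compared. The policy names `hash-pin`, `ref-pin` and `any` are this example's own, modelled on the "ref-pin strategy" the walkthrough mentions; the sample workflow and its placeholder SHA are constructed.

```python
"""Audit `uses:` references in a GitHub Actions workflow against a pin policy.

Added example. A 40-hex commit SHA counts as an immutable pin; any other
`@ref` (tag or branch) is mutable. Policies are glob patterns over the action
name, so one owner can be exempted the way this PR's zizmor.yml scopes a
ref-pin policy to DeterminateSystems/*. Policy names are this example's own.
"""
import fnmatch
import re

# Match `uses:` whether or not the line starts a list item: in the workflow
# under review the flake-checker-action line follows `- name:` and has no dash.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<action>[^@\s]+)(?:@(?P<version>\S+))?")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# 'hash-pin': commit SHA only; 'ref-pin': any explicit @ref, SHA or not;
# 'any': no requirement. Actions matching no pattern get DEFAULT_POLICY.
DEFAULT_POLICY = "hash-pin"


def classify(version):
    """Return 'sha', 'ref' or 'unpinned' for the text after '@' (None if absent)."""
    if version is None:
        return "unpinned"
    return "sha" if SHA_RE.match(version) else "ref"


def policy_for(action, policies):
    """First glob pattern in `policies` that matches the action wins."""
    for pattern, policy in policies.items():
        if fnmatch.fnmatch(action, pattern):
            return policy
    return DEFAULT_POLICY


def satisfies(kind, policy):
    if policy == "any":
        return True
    if policy == "ref-pin":
        return kind != "unpinned"
    return kind == "sha"  # hash-pin


def audit(workflow_text, policies):
    """One finding per external `uses:` line, each with a pass/fail verdict."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, version = m.group("action"), m.group("version")
        # Local actions and Docker images are outside the scope of repo pinning.
        if action.startswith("./") or action.startswith("docker://"):
            continue
        kind = classify(version)
        policy = policy_for(action, policies)
        findings.append({"line": lineno, "action": action, "version": version,
                         "kind": kind, "policy": policy, "ok": satisfies(kind, policy)})
    return findings


def violations(workflow_text, policies):
    """Human-readable lines for every finding that fails its policy."""
    return [f"line {f['line']}: {f['action']}@{f['version'] or ''} is {f['kind']}, "
            f"policy requires {f['policy']}"
            for f in audit(workflow_text, policies) if not f["ok"]]


# Constructed sample: the four steps the review quotes from ci.yml lines 26-29,
# preceded by a checkout pinned to a placeholder SHA (not a real commit) and
# followed by a local action that the audit skips.
SAMPLE_WORKFLOW = """\
jobs:
  lints:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
        with:
          persist-credentials: false
      - uses: DeterminateSystems/nix-installer-action@main
      - uses: DeterminateSystems/flakehub-cache-action@main
      - name: Check Nixpkgs input
        uses: DeterminateSystems/flake-checker-action@main
      - uses: ./.github/actions/local-step
"""

# The exemption the PR encodes in zizmor.yml: DeterminateSystems/* may float
# on a ref, everything else must be a commit SHA.
PR_POLICY = {"DeterminateSystems/*": "ref-pin"}
# What the inline review comment asks for: SHAs everywhere.
STRICT_POLICY = {}

if __name__ == "__main__":
    for name, pol in (("PR policy", PR_POLICY), ("strict policy", STRICT_POLICY)):
        print(f"== {name} ==")
        for v in violations(SAMPLE_WORKFLOW, pol) or ["no violations"]:
            print(" ", v)
```

Run against the constructed sample, the PR policy reports no violations while the strict policy flags exactly the three `@main` lines; dropping the `DeterminateSystems/*` entry from the policy map is the one-line change that turns the reviewer's ask into an enforced check.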
