From 6d024249f46c303b7d223a97b7ab5432c12c37bd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20Robert?= Date: Wed, 29 Oct 2025 08:20:37 +0100 Subject: [PATCH 1/3] SEC: enable security scan for github actions using zizmor --- .github/workflows/ci_workflows.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/.github/workflows/ci_workflows.yml b/.github/workflows/ci_workflows.yml index cc7773e..0dd9a9c 100644 --- a/.github/workflows/ci_workflows.yml +++ b/.github/workflows/ci_workflows.yml @@ -8,7 +8,22 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: {} + jobs: + security-scan: + runs-on: ubuntu-latest + permissions: + security-events: write + steps: + - name: Checkout repository + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false + + - name: Run zizmor 🌈 + uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0 + tests: name: ${{ matrix.name }} [ ${{ matrix.os }} ] runs-on: ${{ matrix.os }} From 7732362a0ad394948cb26ffe6fdcdc11e7563a57 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20Robert?= Date: Thu, 30 Oct 2025 13:31:12 +0100 Subject: [PATCH 2/3] SEC: pin GHA workflows to exact hashes and apply auto-fixes from zizmor --- .github/dependabot.yml | 2 ++ .github/workflows/ci_workflows.yml | 15 +++++++++------ liberfa/erfa | 2 +- 3 files changed, 12 insertions(+), 7 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index ec8a646..0e9be25 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -8,3 +8,5 @@ updates: actions: patterns: - "*" + cooldown: + default-days: 7 diff --git a/.github/workflows/ci_workflows.yml b/.github/workflows/ci_workflows.yml index 0dd9a9c..04d4c5c 100644 --- a/.github/workflows/ci_workflows.yml +++ b/.github/workflows/ci_workflows.yml 
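Review bot: The `security-scan` job grants itself `security-events: write` but, under the new top-level `permissions: {}`, no `contents: read`, and the same scope-less token now reaches every other job in this file (the `tests` job's own `permissions`, if any, are outside this hunk). On a public repository `actions/checkout` still succeeds without `contents: read`, but on a private one it fails, so if this repo is ever private add `contents: read` next to `security-events: write`. The SARIF upload behind `security-events: write` is also unavailable to the read-only token of a pull request from a fork; if the workflow runs on `pull_request` (the `on:` block is not visible here), either use the action's documented option for skipping the code-scanning upload on such runs or accept that forked PRs will fail this job. A one-line comment above the job would help the next reader: `# zizmor: static audit of this repo's own GitHub Actions workflows`.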
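Review bot: The new `cooldown: default-days: 7` carries no comment explaining its intent, so a later maintainer may remove it as "slowing down updates". The point is presumably to delay adopting a freshly published action release until a compromised or retracted release has had time to be caught upstream, before Dependabot pins this repo to it; I would add above it `# Wait a week before bumping to a new action release so compromised or yanked releases are caught upstream first`. As far as I recall, Dependabot's cooldown applies to version updates only and does not delay security updates — worth confirming against the docs so the comment stays accurate.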
@@ -72,12 +72,13 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 submodules: true + persist-credentials: false - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: ${{ matrix.python }} allow-prereleases: true @@ -115,12 +116,13 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 submodules: true + persist-credentials: false - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: ${{ matrix.python }} - name: Install APT packages @@ -140,12 +142,13 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 submodules: true + persist-credentials: false - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: # this is mainly meant to be useful on old or exotic archs # so we use our oldest-supported Python diff --git a/liberfa/erfa b/liberfa/erfa index 9915ba3..1d9738b 160000 --- a/liberfa/erfa +++ b/liberfa/erfa @@ -1 +1 @@ -Subproject commit 9915ba38c9365f8b0738269b8c2ac1fdd5f8dee3 +Subproject commit 1d9738bed9954188722f976774d0903e5dae1857 From fff867a5021effc3a81fc5c3b37c677b3633bbf0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20Robert?= Date: Thu, 30 Oct 2025 13:48:16 +0100 Subject: [PATCH 3/3] MNT: add missing comment to publish.yml --- .github/workflows/publish.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 6e4ee09..d2c6a98 100644 
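Review bot: The `liberfa/erfa` submodule pointer moves from `9915ba3` to `1d9738b` in a commit whose subject is about hash-pinning GitHub Actions and applying zizmor auto-fixes, and nothing in the message mentions the submodule, so this looks like an accidental `git add -A` of a locally updated checkout rather than an intended change. If unintended it should be dropped from this commit; if intended it deserves its own commit or at least a line in the message, since a submodule bump pulls in third-party source that the pinning work is meant to keep under control. The pinning hunks themselves look right: each SHA carries the `# vX.Y.Z` comment Dependabot needs to keep the pins updated, and `persist-credentials: false` is set on every checkout.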
--- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -52,7 +52,8 @@ jobs: - cp3*win32 - cp3*win_amd64 - pp3*-win_amd64 - # Windows arm64 wheels + # NumPy doesn't have wheels for this target + Python older than 3.11 + # so we resort to manual version selection until 3.10 is dropped - cp3{11,12,13,14}-win_arm64 secrets: