From 5d90dce921987871c97b1fbd412382252ebf4dae Mon Sep 17 00:00:00 2001
From: "Kornev, Nikita"
Date: Wed, 5 Nov 2025 18:06:17 +0100
Subject: [PATCH 1/3] [CI] Update sycl-zizmor.yml

The workflow should only trigger on changes to the sycl branch. Also trigger on PRs.
---
 .github/workflows/sycl-zizmor.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.github/workflows/sycl-zizmor.yml b/.github/workflows/sycl-zizmor.yml
index cc32367f11438..7b17556b027b3 100644
--- a/.github/workflows/sycl-zizmor.yml
+++ b/.github/workflows/sycl-zizmor.yml
@@ -3,6 +3,8 @@ name: Zizmor
 on:
 workflow_dispatch:
 push:
+ branches:
+ - sycl
 # Although workflow files (.yml) should only be placed in the
 # .github/workflows directory, composite actions may be placed anywhere.
 # Here in intel/llvm composite actions are placed in the devops/actions
@@ -13,6 +15,12 @@ on:
 paths:
 - '.github/workflows/**/*.yml'
 - 'devops/actions/**/*.yml'
+ pull_request:
+ branches:
+ - sycl
+ paths:
+ - '.github/workflows/**/*.yml'
+ - 'devops/actions/**/*.yml'
 permissions: {}

From 4e3bc18a3d94c40bc17636ed0e1e1959c5fa0a46 Mon Sep 17 00:00:00 2001
From: "Kornev, Nikita"
Date: Thu, 6 Nov 2025 13:33:11 +0100
Subject: [PATCH 2/3] [CI] Use pinned action references

It's unsafe to use unpinned action references. See: https://docs.zizmor.sh/audits/#unpinned-uses
---
 .github/workflows/sycl-nightly.yml | 4 ++--
 devops/actions/build_container/action.yml | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/sycl-nightly.yml b/.github/workflows/sycl-nightly.yml
index cab4d841ddeab..38cecb699b69e 100644
--- a/.github/workflows/sycl-nightly.yml
+++ b/.github/workflows/sycl-nightly.yml
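Review bot: The new `pull_request` block in the second hunk copies the `.yml`-only `paths` filter, so a workflow or composite action saved with the `.yaml` extension — which GitHub also loads, including `action.yaml` — would never trigger the zizmor audit on push or on PR. Adding `'.github/workflows/**/*.yaml'` and `'devops/actions/**/*.yaml'` next to the existing two patterns in both the `push` and `pull_request` lists closes that gap. Using `pull_request` rather than `pull_request_target` together with the top-level `permissions: {}` visible in the context line is the right shape for a workflow that will run on PRs; the `branches: [sycl]` filter on `pull_request` matches the PR base branch, which is presumably the intent stated in the commit message.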
@@ -368,7 +368,7 @@ jobs:
 with:
 name: sycl_windows_default
 - name: Sign with sigstore/cosign
- uses: sigstore/gh-action-sigstore-python@v3.1.0
+ uses: sigstore/gh-action-sigstore-python@f832326173235dcb00dd5d92cd3f353de3188e6c # v3.1.0
 with:
 inputs: sycl_linux.tar.gz sycl_windows.tar.gz
 - name: Compute tag
@@ -381,7 +381,7 @@ jobs:
 echo "TAG=$(date +'%Y-%m-%d')-${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT"
 fi
 - name: Upload binaries
- uses: softprops/action-gh-release@v2.4.1
+ uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2.4.1
 with:
 files: |
 sycl_linux.tar.gz
diff --git a/devops/actions/build_container/action.yml b/devops/actions/build_container/action.yml
index c0d24d50ba919..6a418553c5e23 100644
--- a/devops/actions/build_container/action.yml
+++ b/devops/actions/build_container/action.yml
@@ -26,15 +26,15 @@ runs:
 using: "composite"
 steps:
 - name: Login to GitHub Container Registry
- uses: docker/login-action@v2
+ uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
 with:
 registry: ghcr.io
 username: ${{ inputs.username }}
 password: ${{ inputs.password }}
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3.11.1
+ uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 - name: Build and Push Container
- uses: docker/build-push-action@v6.18.0
+ uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
 with:
 push: ${{ inputs.push }}
 tags: ${{ inputs.tags }}

From 3cc0bf93afd7cb972cf39fceaf405174dd0fc8d4 Mon Sep 17 00:00:00 2001
From: "Kornev, Nikita"
Date: Thu, 6 Nov 2025 13:34:18 +0100
Subject: [PATCH 3/3] Revert "[CI] Use pinned action references"

This reverts commit 4e3bc18a3d94c40bc17636ed0e1e1959c5fa0a46.
---
 .github/workflows/sycl-nightly.yml | 4 ++--
 devops/actions/build_container/action.yml | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)
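Review bot: In the `build_container/action.yml` hunk the login step goes from `docker/login-action@v2` to a SHA annotated `# v3.6.0`, so a major-version upgrade is bundled into what the subject describes as a pin-only change; either pin to the commit behind the `v2` tag the action currently uses, or say in the commit message that the bump to v3 is intended, since a major bump may change runtime or input behaviour. The same caveat applies to every pinned line in this hunk and in the two `sycl-nightly.yml` hunks above it: the trailing `# vX.Y.Z` comments are never checked by the runner, so each SHA should be confirmed to resolve to the named tag in the upstream repository before merge, and the comment kept in exactly this `<sha> # <tag>` form so that an update bot configured for the `github-actions` ecosystem can presumably keep the pins current. Note that PATCH 3/3, whose preamble follows this hunk, reverts this commit in full.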
diff --git a/.github/workflows/sycl-nightly.yml b/.github/workflows/sycl-nightly.yml
index 38cecb699b69e..cab4d841ddeab 100644
--- a/.github/workflows/sycl-nightly.yml
+++ b/.github/workflows/sycl-nightly.yml
@@ -368,7 +368,7 @@ jobs:
 with:
 name: sycl_windows_default
 - name: Sign with sigstore/cosign
- uses: sigstore/gh-action-sigstore-python@f832326173235dcb00dd5d92cd3f353de3188e6c # v3.1.0
+ uses: sigstore/gh-action-sigstore-python@v3.1.0
 with:
 inputs: sycl_linux.tar.gz sycl_windows.tar.gz
 - name: Compute tag
@@ -381,7 +381,7 @@ jobs:
 echo "TAG=$(date +'%Y-%m-%d')-${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT"
 fi
 - name: Upload binaries
- uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2.4.1
+ uses: softprops/action-gh-release@v2.4.1
 with:
 files: |
 sycl_linux.tar.gz
diff --git a/devops/actions/build_container/action.yml b/devops/actions/build_container/action.yml
index 6a418553c5e23..c0d24d50ba919 100644
--- a/devops/actions/build_container/action.yml
+++ b/devops/actions/build_container/action.yml
@@ -26,15 +26,15 @@ runs:
 using: "composite"
 steps:
 - name: Login to GitHub Container Registry
- uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+ uses: docker/login-action@v2
 with:
 registry: ghcr.io
 username: ${{ inputs.username }}
 password: ${{ inputs.password }}
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+ uses: docker/setup-buildx-action@v3.11.1
 - name: Build and Push Container
- uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+ uses: docker/build-push-action@v6.18.0
 with:
 push: ${{ inputs.push }}
 tags: ${{ inputs.tags }}
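Review bot: This revert puts mutable tag references (`@v3.1.0`, `@v2.4.1`, `@v2`, `@v3.11.1`, `@v6.18.0`) back into both files, which is exactly what the `unpinned-uses` audit linked from PATCH 2/3 reports, so once PATCH 1/3 runs zizmor on `sycl` PRs these lines will presumably be flagged the next time either file is touched. PATCH 2/3 and PATCH 3/3 cancel out, so the series should carry only one of them: drop both if the pins are being withdrawn on purpose, or drop this revert and keep the pins if they are wanted. If the concern was the bundled `v2` → `v3.6.0` bump of `docker/login-action`, re-pinning that one line to the commit behind the `v2` tag is a smaller change than reverting all five pins.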