rapidsai · rapids-bot · Apr 27, 2026 · Apr 24, 2026 · Apr 24, 2026 · Apr 24, 2026
@@ -25,10 +25,11 @@ runs:
     - name: Test feature
       shell: bash
       run: |
-        devcontainer features test ${{ inputs.args }} ./features;
+        devcontainer features test $ARGS ./features;
       env:
         NODE_NO_WARNINGS: 1
         VAULT_S3_TTL: "900" # 15 minutes
+        ARGS: ${{ inputs.args }}
         gh_token: "${{ inputs.gh_token }}"
         aws_role_arn: "${{ inputs.aws_role_arn }}"
         rw_sccache_bucket: "${{ inputs.rw_sccache_bucket }}"

@@ -38,11 +38,18 @@ runs:
   steps:
     - name: Build ${{ inputs.repo }}:${{ inputs.tag }}
       shell: powershell
+      env:
+        REPO: ${{ inputs.repo }}
+        CL: ${{ inputs.cl }}
+        CUDA: ${{ inputs.cuda }}
+        VERSION: ${{ inputs.version }}
+        ISOLATION: ${{ inputs.isolation }}
+        EDITION: ${{ inputs.edition }}
       run: |
         .\windows\build-windows-image.ps1 `
-          -repo ${{ inputs.repo }} `
-          -clVersion ${{ inputs.cl }} `
-          -cudaVersion ${{ inputs.cuda }} `
-          -repoVersion ${{ inputs.version }} `
-          -isolation ${{ inputs.isolation }} `
-          -edition windows${{ inputs.edition }}
+          -repo $env:REPO `
+          -clVersion $env:CL `
+          -cudaVersion $env:CUDA `
+          -repoVersion $env:VERSION `
+          -isolation $env:ISOLATION `
+          -edition windows$env:EDITION
@@ -26,12 +26,16 @@ runs:
     - id: json
       name: Make image/.devcontainer/devcontainer.json
       shell: bash
+      env:
+        INPUT_OS: ${{ inputs.os }}
+        INPUT_FEATURES: ${{ inputs.features }}
+        INPUT_CONTAINER_ENV: ${{ inputs.container_env }}
       run: |
         bash --noprofile --norc -x -eo pipefail       \
           .github/actions/devcontainer-json/action.sh \
-          '${{ inputs.os }}'                          \
-          '${{ inputs.features }}'                    \
-          '${{ inputs.container_env }}'               \
+          "$INPUT_OS"                                 \
+          "$INPUT_FEATURES"                           \
+          "$INPUT_CONTAINER_ENV"                      \
         3>> "$GITHUB_OUTPUT"                          \
         4> image/.devcontainer/devcontainer.json.out  ;
 

@@ -36,14 +36,17 @@ runs:
     - name: Report changes
       if: inputs.full_matrix != 'true'
       shell: bash
-      run: echo '${{ toJSON(steps.changes.outputs) }}'
+      run: echo '${{ toJSON(steps.changes.outputs) }}' # zizmor: ignore[template-injection]
 
     - name: Determine the feature matrix
       id: matrix
       shell: bash
+      env:
+        FULL_MATRIX: ${{ inputs.full_matrix }}
+        CHANGED_FILES: ${{ steps.changes.outputs.all_changed_and_modified_files }}
       run: |
         bash --noprofile --norc -x -eo pipefail \
           .github/actions/feature-matrix/action.sh \
-          '${{ inputs.full_matrix }}' \
-          '${{ steps.changes.outputs.all_changed_and_modified_files }}' \
+          "$FULL_MATRIX" \
+          "$CHANGED_FILES" \
         | tee -a "$GITHUB_OUTPUT";
@@ -13,6 +13,8 @@ runs:
   steps:
     - name: Free up disk space
       shell: bash --noprofile --norc -x -eo pipefail {0}
+      env:
+        TOOL_CACHE: ${{ inputs.tool_cache }}
       run: |
           df -h;
           docker images;
@@ -37,11 +39,11 @@ runs:
           sudo rm -rf /usr/local/share/chromium;
           sudo rm -rf /usr/local/share/powershell;
           sudo rm -rf /home/linuxbrew/.linuxbrew;
-          sudo rm -rf ${{ inputs.tool_cache }}/go;
-          sudo rm -rf ${{ inputs.tool_cache }}/Ruby;
-          sudo rm -rf ${{ inputs.tool_cache }}/PyPy;
-          sudo rm -rf ${{ inputs.tool_cache }}/CodeQL;
-          sudo rm -rf ${{ inputs.tool_cache }}/Python;
+          sudo rm -rf $TOOL_CACHE/go;
+          sudo rm -rf $TOOL_CACHE/Ruby;
+          sudo rm -rf $TOOL_CACHE/PyPy;
+          sudo rm -rf $TOOL_CACHE/CodeQL;
+          sudo rm -rf $TOOL_CACHE/Python;
           docker rmi $(docker image ls -aq) || true;
           docker images;
           df -h;
@@ -13,7 +13,7 @@ outputs:
 runs:
   using: "composite"
   steps:
-    - uses: actions/github-script@v7
+    - uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
       id: get-pull-request
       with:
         retries: 3
@@ -23,12 +23,12 @@ runs:
               repo: context.repo.repo,
               owner: context.repo.owner,
               pull_number: (() => {
-                switch('${{ github.event_name }}') {
+                switch(context.eventName) {
                   case 'pull_request':
                   case 'pull_request_target':
-                    return '${{ github.ref }}'.split('/')[2];
+                    return context.ref.split('/')[2];
                   case 'push':
-                    const branch = '${{ github.ref_name }}';
+                    const branch = context.ref.replace(/^refs\/(heads|tags)\//, '');
                     if (!branch.match(new RegExp('^pull-request/[0-9]+$'))) {
                       throw new Error(`${branch} does not match PR branch pattern.`);
                     }

@@ -44,16 +44,21 @@ runs:
     - name: Report changes
       if: inputs.full_matrix != 'true'
       shell: bash
-      run: echo '${{ toJSON(steps.changes.outputs) }}'
+      run: echo '${{ toJSON(steps.changes.outputs) }}' # zizmor: ignore[template-injection]
 
     - name: Determine the image matrix
       id: matrix
       shell: bash
+      env:
+        FULL_MATRIX: ${{ inputs.full_matrix }}
+        FEATURES: ${{ inputs.features || '[]' }}
+        SCENARIOS: ${{ inputs.scenarios || '[]' }}
+        CHANGED_FILES: ${{ steps.changes.outputs.all_changed_and_modified_files }}
       run: |
         bash --noprofile --norc -x -eo pipefail \
           .github/actions/image-matrix/action.sh \
-          '${{ inputs.full_matrix }}' \
-          '${{ inputs.features || '[]' }}' \
-          '${{ inputs.scenarios || '[]' }}' \
-          '${{ steps.changes.outputs.all_changed_and_modified_files }}' \
+          "$FULL_MATRIX" \
+          "$FEATURES" \
+          "$SCENARIOS" \
+          "$CHANGED_FILES" \
         | tee -a $GITHUB_OUTPUT;
@@ -6,7 +6,7 @@ runs:
   using: composite
   steps:
     - name: Setup Node.js
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
       with:
         node-version: '20'
     - name: Install devcontainers CLI

@@ -7,7 +7,7 @@ runs:
   steps:
     - name: Dump environment
       shell: bash -eo pipefail {0}
-      run: |
+      run: | # zizmor: ignore[template-injection]
         echo "env: ${{ toJSON(env) }}"
         echo "runner: '${{ toJSON(runner) }}'"
 
@@ -20,34 +20,34 @@ runs:
     - if: runner.environment == 'self-hosted'
       name: Setup self-hosted runner environment
       shell: bash -eo pipefail {0}
-      run: |
-        echo "HOME=${{ runner.workspace }}" >> $GITHUB_ENV;
-        echo "TMPDIR=${{ runner.temp }}" >> $GITHUB_ENV;
+      run: | # zizmor: ignore[github-env]
+        echo "HOME=$RUNNER_WORKSPACE" >> "$GITHUB_ENV";
+        echo "TMPDIR=$RUNNER_TEMP" >> "$GITHUB_ENV";
 
     - if: runner.environment == 'self-hosted'
       name: Setup Node.js
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
       with:
         node-version: '20'
 
     - if: runner.environment != 'self-hosted'
       name: Set up QEMU
-      uses: docker/setup-qemu-action@v3
+      uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
 
     - name: Create docker context
       shell: bash
       run: docker context create builder
 
     - if: runner.environment != 'self-hosted'
       name: Setup docker buildx on github-hosted runners
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
       with:
         buildkitd-flags: --debug
         endpoint: builder
 
     - if: runner.environment == 'self-hosted'
       name: Setup docker buildx on self-hosted runners
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
       with:
         buildkitd-flags: --debug --config /etc/buildkit/buildkitd.toml
         endpoint: builder

@@ -38,11 +38,18 @@ runs:
   steps:
     - name: Test ${{ inputs.repo }}:${{ inputs.tag }}
       shell: powershell
+      env:
+        REPO: ${{ inputs.repo }}
+        CL: ${{ inputs.cl }}
+        CUDA: ${{ inputs.cuda }}
+        VERSION: ${{ inputs.version }}
+        ISOLATION: ${{ inputs.isolation }}
+        EDITION: ${{ inputs.edition }}
       run: |
         .github\actions\test-windows-image\action.ps1 `
-          -repo ${{ inputs.repo }} `
-          -clVersion ${{ inputs.cl }} `
-          -cudaVersion ${{ inputs.cuda }} `
-          -repoVersion ${{ inputs.version }} `
-          -isolation ${{ inputs.isolation }} `
-          -edition windows${{ inputs.edition }}
+          -repo $env:REPO `
+          -clVersion $env:CL `
+          -cudaVersion $env:CUDA `
+          -repoVersion $env:VERSION `
+          -isolation $env:ISOLATION `
+          -edition windows$env:EDITION
@@ -5,9 +5,12 @@ on:
     - cron: '0 0 * * *'
   workflow_call:
 
+permissions: {}
+
 jobs:
   check-event:
     name: Check GH Event
+    permissions: {}
     runs-on: ubuntu-latest
     outputs:
       ok: ${{ steps.check_gh_event.outputs.ok }}
@@ -27,8 +30,8 @@ jobs:
     name: ${{ matrix.libs }}
     if: needs.check-event.outputs.ok == 'true'
     needs: check-event
-    secrets: inherit
-    uses: rapidsai/shared-workflows/.github/workflows/build-in-devcontainer.yaml@main
+    secrets: inherit  # zizmor: ignore[secrets-inherit]
+    uses: rapidsai/shared-workflows/.github/workflows/build-in-devcontainer.yaml@main  # zizmor: ignore[unpinned-uses]
     permissions:
       actions: read
       packages: read

@@ -22,12 +22,12 @@ jobs:
         arch: [amd64, arm64]
     steps:
       - name: Checkout ${{ github.repository }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           persist-credentials: false
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           username: ${{ secrets.GPUCIBOT_DOCKERHUB_USER || vars.DOCKERHUB_USER }}
           password: ${{ secrets.GPUCIBOT_DOCKERHUB_TOKEN || secrets.DOCKERHUB_TOKEN }}

@@ -41,7 +41,7 @@ jobs:
       version: ${{ steps.json.outputs.version }}
     steps:
       - name: Checkout ${{ github.repository }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0
           persist-credentials: false
@@ -58,7 +58,7 @@ jobs:
           container_env: "${{ inputs.container_env }}"
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           username: ${{ secrets.GPUCIBOT_DOCKERHUB_USER || vars.DOCKERHUB_USER }}
           password: ${{ secrets.GPUCIBOT_DOCKERHUB_TOKEN || secrets.DOCKERHUB_TOKEN }}
@@ -80,7 +80,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           username: ${{ secrets.GPUCIBOT_DOCKERHUB_USER || vars.DOCKERHUB_USER }}
           password: ${{ secrets.GPUCIBOT_DOCKERHUB_TOKEN || secrets.DOCKERHUB_TOKEN }}

@@ -37,18 +37,23 @@ jobs:
           - { edition: "2022", runner: "${{ github.repository != 'rapidsai/devcontainers' && 'windows-2022' || 'windows-amd64-cpu4' }}" }
     steps:
       - name: Checkout ${{ github.repository }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0
           persist-credentials: false
 
       - id: info
         name: Get container info
         shell: bash
+        env:
+          INPUT_REPO: ${{ inputs.repo }}
+          INPUT_OS: ${{ inputs.os }}
+          MATRIX_EDITION: ${{ matrix.edition }}
+          INPUT_FEATURES: ${{ inputs.features }}
         run: |
-          repo="${{ inputs.repo }}";
-          cl="${{ fromJSON(inputs.features)[1].version }}";
-          cuda="${{ fromJSON(inputs.features)[0].version }}";
+          repo="$INPUT_REPO";
+          cl="$(echo "$INPUT_FEATURES" | jq -r '.[1].version')";
+          cuda="$(echo "$INPUT_FEATURES" | jq -r '.[0].version')";
           version="$(git describe --abbrev=0 --tags | sed 's/[a-zA-Z]//g' | cut -d '.' -f -2)";
           base_tag="cuda${cuda}-cl${cl}";
           tag_without_os="${version}-${base_tag}";
@@ -59,11 +64,11 @@ jobs:
           version=${version}
           base_tag=${base_tag}
           tag_without_os=${tag_without_os}
-          tag=${tag_without_os}-${{ inputs.os }}${{ matrix.edition }}
+          tag=${tag_without_os}-${INPUT_OS}${MATRIX_EDITION}
           EOF
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           username: ${{ secrets.GPUCIBOT_DOCKERHUB_USER || vars.DOCKERHUB_USER }}
           password: ${{ secrets.GPUCIBOT_DOCKERHUB_TOKEN || secrets.DOCKERHUB_TOKEN }}
@@ -91,16 +96,26 @@ jobs:
       - if: inputs.push == 'true'
         name: Push ${{ steps.info.outputs.tag }}
         shell: powershell
+        env:
+          REPO: ${{ steps.info.outputs.repo }}
+          TAG: ${{ steps.info.outputs.tag }}
+          TAG_WITHOUT_OS: ${{ steps.info.outputs.tag_without_os }}
         run: |
-          docker image tag ${{ steps.info.outputs.repo }}:${{ steps.info.outputs.tag }} ${{ steps.info.outputs.repo }}:${{ steps.info.outputs.tag_without_os }}
-          docker push ${{ steps.info.outputs.repo }}:${{ steps.info.outputs.tag_without_os }}
-          docker push ${{ steps.info.outputs.repo }}:${{ steps.info.outputs.tag }}
+          docker image tag ${env:REPO}:${env:TAG} ${env:REPO}:${env:TAG_WITHOUT_OS}
+          docker push ${env:REPO}:${env:TAG_WITHOUT_OS}
+          docker push ${env:REPO}:${env:TAG}
 
       - if: inputs.push == 'true' && github.ref_name == 'main'
         name: Push latest-${{ steps.info.outputs.base_tag }}
         shell: powershell
+        env:
+          REPO: ${{ steps.info.outputs.repo }}
+          TAG: ${{ steps.info.outputs.tag }}
+          BASE_TAG: ${{ steps.info.outputs.base_tag }}
+          INPUT_OS: ${{ inputs.os }}
+          MATRIX_EDITION: ${{ matrix.edition }}
         run: |
-          docker image tag ${{ steps.info.outputs.repo }}:${{ steps.info.outputs.tag }} ${{ steps.info.outputs.repo }}:latest-${{ steps.info.outputs.base_tag }}-${{ inputs.os }}${{ matrix.edition }}
-          docker image tag ${{ steps.info.outputs.repo }}:${{ steps.info.outputs.tag }} ${{ steps.info.outputs.repo }}:latest-${{ steps.info.outputs.base_tag }}
-          docker push ${{ steps.info.outputs.repo }}:latest-${{ steps.info.outputs.base_tag }}-${{ inputs.os }}${{ matrix.edition }}
-          docker push ${{ steps.info.outputs.repo }}:latest-${{ steps.info.outputs.base_tag }}
+          docker image tag ${env:REPO}:${env:TAG} ${env:REPO}:latest-${env:BASE_TAG}-${env:INPUT_OS}${env:MATRIX_EDITION}
+          docker image tag ${env:REPO}:${env:TAG} ${env:REPO}:latest-${env:BASE_TAG}
+          docker push ${env:REPO}:latest-${env:BASE_TAG}-${env:INPUT_OS}${env:MATRIX_EDITION}
+          docker push ${env:REPO}:latest-${env:BASE_TAG}