vyperlang · banteg · May 21, 2026 · May 21, 2026 · May 21, 2026 · May 21, 2026
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,8 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -5,20 +5,25 @@ on:
     inputs:
       tag:
         default: ''
+        type: string
   push:
     branches:
       - master
   pull_request:
   release:
     types: [published]  # releases and pre-releases (release candidates)
 
+permissions:
+  contents: read
+
 defaults:
   run:
     shell: bash
 
 jobs:
   unix-build:
     runs-on: ${{ matrix.os }}
+    timeout-minutes: 45
     strategy:
       matrix:
         os:
@@ -29,22 +34,22 @@ jobs:
           - macos-latest
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
             # grab the commit passed in via `tag`, if any
             ref: ${{ github.event.inputs.tag }}
             # need to fetch unshallow so that setuptools_scm can infer the version
             fetch-depth: 0
+            persist-credentials: false
 
       # debug
       - name: Git shorthash
         run: git rev-parse --short HEAD
 
       - name: Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: "3.11"
-          cache: "pip"
 
       - name: Generate Binary
         run: |
@@ -58,31 +63,32 @@ jobs:
 
 
       - name: Upload Artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: vyper-${{ runner.os }}
           path: dist/vyper.*
 
   windows-build:
     runs-on: windows-latest
+    timeout-minutes: 45
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
             # grab the commit passed in via `tag`, if any
             ref: ${{ github.event.inputs.tag }}
             # need to fetch unshallow so that setuptools_scm can infer the version
             fetch-depth: 0
+            persist-credentials: false
 
       # debug
       - name: Git shorthash
         run: git rev-parse --short HEAD
 
       - name: Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: "3.11"
-          cache: "pip"
 
       - name: Generate Binary
         run: >-
@@ -91,7 +97,7 @@ jobs:
           ./make.cmd freeze
 
       - name: Upload Artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: vyper-${{ runner.os }}
           path: dist/vyper.*
@@ -100,34 +106,46 @@ jobs:
     needs: [windows-build, unix-build]
     if: ${{ github.event_name == 'release' }}
     runs-on: ubuntu-latest
+    timeout-minutes: 45
+    permissions:
+      # Upload generated binaries to the GitHub release.
+      contents: write
 
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/download-artifact@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           path: artifacts/
           merge-multiple: true
 
       - name: Upload assets
         working-directory: artifacts
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPOSITORY: ${{ github.repository }}
+          RELEASE_ID: ${{ github.event.release.id }}
         run: |
-          set -Eeuxo pipefail
+          set -Eeuo pipefail
           for BIN_NAME in $(ls)
           do
             curl -L \
               --no-progress-meter \
               -X POST \
-              -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"\
+              -H "Authorization: Bearer ${GH_TOKEN}"\
               -H "Content-Type: application/octet-stream" \
-              "https://uploads.github.com/repos/${{ github.repository }}/releases/${{ github.event.release.id }}/assets?name=${BIN_NAME/+/%2B}" \
+              "https://uploads.github.com/repos/${REPOSITORY}/releases/${RELEASE_ID}/assets?name=${BIN_NAME/+/%2B}" \
               --data-binary "@${BIN_NAME}"
           done
 
   # check build success for pull requests
   build-success:
     if: always()
     runs-on: ubuntu-latest
+    timeout-minutes: 45
     needs: [windows-build, unix-build]
+    permissions: {}
     steps:
       - name: check that all builds succeeded
         if: ${{ contains(needs.*.result, 'failure') }}

diff --git a/.github/workflows/bytecode-size-comment.yml b/.github/workflows/bytecode-size-comment.yml
@@ -0,0 +1,62 @@
+name: Bytecode Size PR Comment
+
+on:
+  workflow_run: # zizmor: ignore[dangerous-triggers] Comment-only follow-up; never checks out or executes PR code.
+    workflows: ["Bytecode Size Report"]
+    types: [completed]
+
+permissions: {}
+
+jobs:
+  comment:
+    if: >
+      github.event.workflow_run.conclusion == 'success' &&
+      github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.pull_requests[0].number != null
+    runs-on: ubuntu-latest
+    timeout-minutes: 45
+    permissions:
+      # Download the report artifact from the completed measurement run.
+      actions: read
+      # Required by artifact download and workflow run metadata reads.
+      contents: read
+      # Update only the benchmark report comment on the pull request.
+      pull-requests: write
+    steps:
+      - name: Download report
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: bytecode-size-report
+          path: report
+          run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Post or update PR comment
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+        with:
+          script: |
+            const fs = require('fs');
+            const marker = '<!-- bytecode-size-report -->';
+            const report = fs.readFileSync('report/report.md', 'utf8');
+            const body = marker + '\n\n' + report;
+            const issue_number = context.payload.workflow_run.pull_requests[0].number;
+            const comments = await github.paginate(github.rest.issues.listComments, {
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number
+            });
+            const existing = comments.find(c => c.body.includes(marker));
+            if (existing) {
+              return github.rest.issues.updateComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: existing.id,
+                body
+              });
+            }
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number,
+              body
+            });
diff --git a/.github/workflows/bytecode-size.yml b/.github/workflows/bytecode-size.yml
@@ -3,63 +3,38 @@ name: Bytecode Size Report
 on:
   pull_request:
     branches: [master]
-  pull_request_target:
-    branches: [master]
 
 permissions:
   contents: read
-  pull-requests: write
 
 jobs:
   bytecode-size:
-    # pull_request: untrusted contributors only (step summary, no comment)
-    # pull_request_target: trusted contributors only (step summary + comment)
-    if: |
-      (github.event_name == 'pull_request' && !contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.pull_request.author_association)) ||
-      (github.event_name == 'pull_request_target' && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.pull_request.author_association))
     runs-on: ubuntu-latest
+    timeout-minutes: 45
     steps:
-      - name: Invalidate existing comment
-        if: github.event_name == 'pull_request_target'
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const marker = '<!-- bytecode-size-report -->';
-            const comments = await github.paginate(github.rest.issues.listComments, {
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: context.payload.pull_request.number
-            });
-            const existing = comments.find(c => c.body.includes(marker));
-            if (!existing) return;
-            await github.rest.issues.updateComment({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              comment_id: existing.id,
-              body: marker + '\n\n⏳ **Recalculating bytecode sizes...**'
-            });
-
       - name: Checkout merge commit
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
           path: head
           fetch-depth: 0
           fetch-tags: true
+          persist-credentials: false
 
       - name: Checkout base
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           ref: ${{ github.base_ref }}
           path: base
           fetch-depth: 0
           fetch-tags: true
+          persist-credentials: false
 
       - name: Copy scripts to base
         run: cp -r head/.github/scripts base/.github/
 
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: "3.12"
 
@@ -80,50 +55,15 @@ jobs:
         run: python .github/scripts/measure_bytecode.py > ../head-sizes.json
 
       - name: Generate report
-        id: report
         run: |
           python3 head/.github/scripts/compare_bytecode.py base-sizes.json head-sizes.json > report.md
           cat report.md >> "$GITHUB_STEP_SUMMARY"
-          {
-            echo 'REPORT<<EOF'
-            cat report.md
-            echo 'EOF'
-          } >> "$GITHUB_OUTPUT"
-
-      - name: Post or update PR comment
-        if: github.event_name == 'pull_request_target'
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const marker = '<!-- bytecode-size-report -->';
-            const body = marker + '\n\n' + process.env.REPORT;
-            const comments = await github.paginate(github.rest.issues.listComments, {
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: context.payload.pull_request.number
-            });
-            const existing = comments.find(c => c.body.includes(marker));
-            if (existing) {
-              return github.rest.issues.updateComment({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                comment_id: existing.id,
-                body: body
-              });
-            }
-            await github.rest.issues.createComment({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: context.payload.pull_request.number,
-              body: body
-            });
-        env:
-          REPORT: ${{ steps.report.outputs.REPORT }}
 
       - name: Upload size data
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
-          name: bytecode-sizes
+          name: bytecode-size-report
           path: |
             base-sizes.json
             head-sizes.json
+            report.md
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -6,29 +6,37 @@ on:
   pull_request:
     branches: [ "master" ]
 
+permissions: {}
+
 jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
+    timeout-minutes: 45
     permissions:
+      # Required for CodeQL to read workflow metadata.
       actions: read
+      # Required to checkout and analyze repository contents.
       contents: read
+      # Required to upload CodeQL analysis results.
       security-events: write
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
         with:
           languages: python
           queries: +security-and-quality
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
+        uses: github/codeql-action/autobuild@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
         with:
           category: "/language:python"