TanStack · AlemTuzlak · May 13, 2026
@@ -24,14 +24,15 @@
   check:
     name: Check for stale skills
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 0
 
       - name: Setup Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 20
 
@@ -109,7 +110,7 @@
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          VERSION="${{ github.event.release.tag_name || 'manual' }}"
          BRANCH="skills/review-${VERSION}"

          git config user.name "github-actions[bot]"
@@ -125,7 +126,7 @@

          The following skills may need updates after the latest release:

          ${{ steps.summary.outputs.summary }}

          ---

@@ -134,7 +135,7 @@
          Paste this into your coding agent (Claude Code, Cursor, etc.):

          ~~~
          ${{ steps.summary.outputs.prompt }}
          ~~~

          PREOF

@@ -19,6 +19,7 @@
   matrix-e2e:
     name: Matrix (${{ matrix.scenario }})
     runs-on: ubuntu-latest
+    timeout-minutes: 45
     continue-on-error: true
     strategy:
       fail-fast: false
@@ -34,11 +35,12 @@
           - react-toolchain-deploy
     steps:
       - name: Checkout
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Setup Tools
         uses: tanstack/config/.github/setup@main
       - name: Install Playwright Chrome
        run: pnpm --filter @tanstack/cli exec playwright install --with-deps chrome
      - name: Run Matrix Scenario
@@ -47,7 +49,7 @@
         run: pnpm nx run @tanstack/cli:test:e2e:matrix
       - name: Upload Playwright Report
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: playwright-report-${{ matrix.scenario }}
           path: packages/cli/playwright-report

@@ -22,15 +22,20 @@ on:
       - 'docs/**'
       - 'src/**'
 
+permissions:
+  contents: read
+
 jobs:
   notify:
     name: Notify TanStack Intent
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 2
+          persist-credentials: false
 
       - name: Collect changed files
         id: changes
@@ -39,7 +44,7 @@ jobs:
           echo "files=$FILES" >> "$GITHUB_OUTPUT"
 
       - name: Dispatch to intent repo
-        uses: peter-evans/repository-dispatch@v3
+        uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0
         with:
           token: ${{ secrets.INTENT_NOTIFY_TOKEN }}
           repository: TanStack/intent

@@ -17,13 +17,15 @@
   test-unit:
     name: Test (Unit)
     runs-on: ubuntu-latest
+    timeout-minutes: 30
     steps:
       - name: Checkout
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Setup Tools
         uses: tanstack/config/.github/setup@main
       - name: Build
        run: pnpm build
      - name: Test Unit
@@ -31,27 +33,31 @@
   provenance:
     name: Provenance
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:
       - name: Checkout
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Check Provenance
-        uses: danielroe/provenance-action@v0.1.1
+        uses: danielroe/provenance-action@41bcc969e579d9e29af08ba44fcbfdf95cee6e6c # v0.1.1
         with:
           fail-on-downgrade: true
   test-e2e:
     name: Test (E2E Blocking)
     runs-on: ubuntu-latest
+    timeout-minutes: 45
     steps:
       - name: Checkout
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Setup Tools
         uses: tanstack/config/.github/setup@main
       - name: Get base and head commits for `nx affected`
-        uses: nrwl/nx-set-shas@v4.4.0
+        uses: nrwl/nx-set-shas@3e9ad7370203c1e93d109be57f3b72eb0eb511b1 # v4.4.0
         with:
           main-branch-name: main
       - name: Install Playwright Chrome

@@ -23,13 +23,14 @@
     name: Release
     if: ${{ github.repository_owner == 'TanStack' && !contains(github.event.head_commit.message, '[skip ci]') }}
     runs-on: ubuntu-latest
+    timeout-minutes: 45
     steps:
       - name: Checkout
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 0
       - name: Setup Tools
        uses: tanstack/config/.github/setup@main
      - name: Build
        run: pnpm build
      - name: Test Unit
@@ -60,4 +61,4 @@

      - name: Publish Packages
        if: steps.release.outputs.has_changesets == 'true' && steps.changes.outputs.has_changes == 'true'
        run: pnpm changeset publish --tag "${{ steps.release.outputs.npm_tag }}"
@@ -12,16 +12,26 @@ on:
       - 'skills/**'
       - '**/skills/**'
 
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.number || github.ref }}
+  cancel-in-progress: true
+
 jobs:
   validate:
     name: Validate skill files
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        with:
+          persist-credentials: false
 
       - name: Setup Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 20
 

@@ -0,0 +1,25 @@
+name: GitHub Actions Security Analysis
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: ['**']
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: Run zizmor
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+        with:
+          advanced-security: false
+          annotations: true
diff --git a/package.json b/package.json
@@ -5,7 +5,7 @@
     "type": "git",
     "url": "git+https://github.com/TanStack/cli.git"
   },
-  "packageManager": "pnpm@10.24.0",
+  "packageManager": "pnpm@11.1.1+sha512.d1fdf5f73c617b64fa1a56a81c3c8dfe0e966e33a6010aa256b517ae77be21d93e05affc0de1a83b0e4f29d569f68b446ae8f068cd7247c0bb3df0fb4d7bdf9a",
   "type": "module",
   "scripts": {
     "cleanNodeModules": "rm -rf node_modules && pnpm -r exec rm -rf node_modules",
@@ -37,16 +37,5 @@
     "nx": "22.1.3",
     "semver": "^7.6.3",
     "typescript": "^6.0.2"
-  },
-  "pnpm": {
-    "overrides": {
-      "@tanstack/create-start": "workspace:*",
-      "create-start-app": "workspace:*",
-      "create-tanstack": "workspace:*",
-      "create-tanstack-app": "workspace:*",
-      "create-tsrouter-app": "workspace:*",
-      "@tanstack/cli": "workspace:*",
-      "@tanstack/create": "workspace:*"
-    }
   }
 }