From 5c10fccb80c59b83c4d7271f49d91bbc4dde6d95 Mon Sep 17 00:00:00 2001
From: Matthew Fishman <mfishman@flatironinstitute.org>
Date: Thu, 30 Apr 2026 16:02:57 -0400
Subject: [PATCH 1/2] Test hardened ITensorActions workflows

---
 .github/workflows/FormatCheck.yml            | 10 +++----
 .github/workflows/FormatCheckComment.yml     | 16 ++++++++++
 .github/workflows/IntegrationTest.yml        | 31 ++++++--------------
 .github/workflows/IntegrationTestRequest.yml |  6 ++--
 4 files changed, 33 insertions(+), 30 deletions(-)
 create mode 100644 .github/workflows/FormatCheckComment.yml

diff --git a/.github/workflows/FormatCheck.yml b/.github/workflows/FormatCheck.yml
index 3c290ea..9168279 100644
--- a/.github/workflows/FormatCheck.yml
+++ b/.github/workflows/FormatCheck.yml
@@ -1,16 +1,14 @@
 name: "Format Check"
 on:
-  pull_request_target:
+  pull_request:
     types:
       - "opened"
       - "synchronize"
       - "reopened"
       - "ready_for_review"
-permissions:
-  contents: "read"
-  actions: "write"
-  pull-requests: "write"
 jobs:
   format-check:
     name: "Format Check"
-    uses: "ITensor/ITensorActions/.github/workflows/FormatCheck.yml@main"
+    uses: "ITensor/ITensorActions/.github/workflows/FormatCheck.yml@dc36f8c88cd2858bdfa5e2458d108027d6b72807"
+    with:
+      concurrent-jobs: true
diff --git a/.github/workflows/FormatCheckComment.yml b/.github/workflows/FormatCheckComment.yml
new file mode 100644
index 0000000..3afeca9
--- /dev/null
+++ b/.github/workflows/FormatCheckComment.yml
@@ -0,0 +1,16 @@
+name: "Format Check Comment"
+on:
+  workflow_run:
+    workflows:
+      - "Format Check"
+    types:
+      - "completed"
+jobs:
+  comment:
+    name: "Format Check Comment"
+    if: "github.event.workflow_run.event == 'pull_request'"
+    permissions:
+      pull-requests: "write"
+      actions: "read"
+    uses: "ITensor/ITensorActions/.github/workflows/FormatCheckComment.yml@dc36f8c88cd2858bdfa5e2458d108027d6b72807"
+    secrets: "inherit"
diff --git a/.github/workflows/IntegrationTest.yml b/.github/workflows/IntegrationTest.yml
index c639054..68fcb55 100644
--- a/.github/workflows/IntegrationTest.yml
+++ b/.github/workflows/IntegrationTest.yml
@@ -4,7 +4,7 @@ on:
     branches:
       - "main"
     tags: "*"
-  pull_request_target:
+  pull_request:
     types:
       - "opened"
       - "synchronize"
@@ -14,27 +14,14 @@ on:
 jobs:
   integration-test:
     name: "IntegrationTest"
-    strategy:
-      fail-fast: false
-      matrix:
-        pkg:
-          - "BlockSparseArrays"
-          - "DiagonalArrays"
-          - "FusionTensors"
-          - "GradedArrays"
-    uses: "ITensor/ITensorActions/.github/workflows/IntegrationTest.yml@main"
+    uses: "ITensor/ITensorActions/.github/workflows/IntegrationTest.yml@dc36f8c88cd2858bdfa5e2458d108027d6b72807"
     secrets: "inherit"
     with:
       localregistry: "https://github.com/ITensor/ITensorRegistry.git"
-      pkg: "${{ matrix.pkg }}"
-  integration-gate:
-    name: "IntegrationTest"
-    needs: "integration-test"
-    if: "${{ always() && needs.integration-test.result != 'skipped' }}"
-    runs-on: "ubuntu-latest"
-    steps:
-      - name: "Fail if any downstream integration test failed"
-        run: |
-          echo "integration-test.result = ${{ needs.integration-test.result }}"
-          test "${{ needs.integration-test.result }}" = "success"
-          
+      pkgs: |
+        [
+          "BlockSparseArrays",
+          "DiagonalArrays",
+          "FusionTensors",
+          "GradedArrays"
+        ]
diff --git a/.github/workflows/IntegrationTestRequest.yml b/.github/workflows/IntegrationTestRequest.yml
index 6f58e45..f4182b7 100644
--- a/.github/workflows/IntegrationTestRequest.yml
+++ b/.github/workflows/IntegrationTestRequest.yml
@@ -8,7 +8,9 @@ jobs:
     if: |
       github.event.issue.pull_request &&
       contains(fromJSON('["OWNER", "COLLABORATOR", "MEMBER"]'), github.event.comment.author_association)
-      
-    uses: "ITensor/ITensorActions/.github/workflows/IntegrationTestRequest.yml@main"
+    permissions:
+      checks: "write"
+      pull-requests: "write"
+    uses: "ITensor/ITensorActions/.github/workflows/IntegrationTestRequest.yml@dc36f8c88cd2858bdfa5e2458d108027d6b72807"
     with:
       localregistry: "https://github.com/ITensor/ITensorRegistry.git"

From c2df0fd88eca8321a6b93f550b7c1d409d7295f2 Mon Sep 17 00:00:00 2001
From: Matthew Fishman <mfishman@flatironinstitute.org>
Date: Thu, 30 Apr 2026 21:04:43 -0400
Subject: [PATCH 2/2] Switch ITensorActions workflow refs to v1

---
 .github/workflows/FormatCheck.yml            | 4 +---
 .github/workflows/FormatCheckComment.yml     | 2 +-
 .github/workflows/IntegrationTest.yml        | 2 +-
 .github/workflows/IntegrationTestRequest.yml | 2 +-
 4 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/FormatCheck.yml b/.github/workflows/FormatCheck.yml
index 9168279..7bbbfee 100644
--- a/.github/workflows/FormatCheck.yml
+++ b/.github/workflows/FormatCheck.yml
@@ -9,6 +9,4 @@ on:
 jobs:
   format-check:
     name: "Format Check"
-    uses: "ITensor/ITensorActions/.github/workflows/FormatCheck.yml@dc36f8c88cd2858bdfa5e2458d108027d6b72807"
-    with:
-      concurrent-jobs: true
+    uses: "ITensor/ITensorActions/.github/workflows/FormatCheck.yml@v1"
diff --git a/.github/workflows/FormatCheckComment.yml b/.github/workflows/FormatCheckComment.yml
index 3afeca9..b4b78b2 100644
--- a/.github/workflows/FormatCheckComment.yml
+++ b/.github/workflows/FormatCheckComment.yml
@@ -12,5 +12,5 @@ jobs:
     permissions:
       pull-requests: "write"
       actions: "read"
-    uses: "ITensor/ITensorActions/.github/workflows/FormatCheckComment.yml@dc36f8c88cd2858bdfa5e2458d108027d6b72807"
+    uses: "ITensor/ITensorActions/.github/workflows/FormatCheckComment.yml@v1"
     secrets: "inherit"
diff --git a/.github/workflows/IntegrationTest.yml b/.github/workflows/IntegrationTest.yml
index 68fcb55..23997cc 100644
--- a/.github/workflows/IntegrationTest.yml
+++ b/.github/workflows/IntegrationTest.yml
@@ -14,7 +14,7 @@ on:
 jobs:
   integration-test:
     name: "IntegrationTest"
-    uses: "ITensor/ITensorActions/.github/workflows/IntegrationTest.yml@dc36f8c88cd2858bdfa5e2458d108027d6b72807"
+    uses: "ITensor/ITensorActions/.github/workflows/IntegrationTest.yml@v1"
     secrets: "inherit"
     with:
       localregistry: "https://github.com/ITensor/ITensorRegistry.git"
diff --git a/.github/workflows/IntegrationTestRequest.yml b/.github/workflows/IntegrationTestRequest.yml
index f4182b7..3c12615 100644
--- a/.github/workflows/IntegrationTestRequest.yml
+++ b/.github/workflows/IntegrationTestRequest.yml
@@ -11,6 +11,6 @@ jobs:
     permissions:
       checks: "write"
       pull-requests: "write"
-    uses: "ITensor/ITensorActions/.github/workflows/IntegrationTestRequest.yml@dc36f8c88cd2858bdfa5e2458d108027d6b72807"
+    uses: "ITensor/ITensorActions/.github/workflows/IntegrationTestRequest.yml@v1"
     with:
       localregistry: "https://github.com/ITensor/ITensorRegistry.git"