From 6af7c5891fd8b459f24577e4e85add05f966840e Mon Sep 17 00:00:00 2001 From: Patrick Linnane Date: Tue, 1 Apr 2025 14:56:27 -0700 Subject: ci: add `zizmor` (#188) Signed-off-by: Patrick Linnane --- .github/workflows/zizmor.yml | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 .github/workflows/zizmor.yml (limited to '.github') diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..c2a03ab --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,35 @@ +name: zizmor + +on: + push: + paths: + - '.github/workflows/*.ya?ml' + pull_request: + paths: + - '.github/workflows/*.ya?ml' + +jobs: + zizmor: + name: zizmor latest via PyPI + runs-on: ubuntu-latest + permissions: + security-events: write + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + persist-credentials: false + + - name: Install the latest version of uv + uses: astral-sh/setup-uv@v5 + + - name: Run zizmor 🌈 + run: uvx zizmor --format sarif . > results.sarif + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif + category: zizmor -- cgit v1.2.3 From fc237a16900362eac5395a424d88fe6381b4affa Mon Sep 17 00:00:00 2001 From: Patrick Linnane Date: Tue, 1 Apr 2025 15:33:44 -0700 Subject: workflows: fix zizmor findings (part 1) (#190) Signed-off-by: Patrick Linnane --- .github/workflows/docker-pr.yml | 5 ++++- .github/workflows/docker.yml | 1 + .github/workflows/docs-deploy.yml | 2 ++ .github/workflows/go.yml | 2 ++ 4 files changed, 9 insertions(+), 1 deletion(-) (limited to '.github') diff --git a/.github/workflows/docker-pr.yml b/.github/workflows/docker-pr.yml index b124f75..03539f7 100644 --- a/.github/workflows/docker-pr.yml +++ b/.github/workflows/docker-pr.yml 
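Review bot: The scanner step runs `uvx zizmor` with no version constraint, so each run installs whichever zizmor release is newest on PyPI at that moment (the job name "latest via PyPI" says as much), and the three actions the job depends on (`actions/checkout@v4`, `astral-sh/setup-uv@v5`, `github/codeql-action/upload-sarif@v3`) are pinned to mutable tags rather than commit SHAs; for a workflow whose purpose is supply-chain hygiene, pin both, e.g. `run: uvx 'zizmor==X.Y.Z' --format sarif . > results.sarif` and `uses: owner/action@<full-commit-sha> # vN`, and let the Dependabot `github-actions` ecosystem keep the pins fresh. The job-level `permissions:` block grants only `security-events: write`, which sets every unspecified scope, including `contents`, to `none`; add `contents: read` explicitly so the checkout and the SARIF upload do not depend on default-token behaviour that differs between public and private repositories. On `pull_request` events from forks the token is read-only, so the upload-sarif step would presumably fail there; either guard the upload with a condition on the PR's origin or document that failure as expected.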
@@ -19,6 +19,7 @@ jobs: with: fetch-tags: true fetch-depth: 0 + persist-credentials: false - name: Set up Homebrew uses: Homebrew/actions/setup-homebrew@master @@ -62,4 +63,6 @@ jobs: - run: | echo "Test this with:" - echo "docker pull ${{ steps.build.outputs.docker_image }}" \ No newline at end of file + echo "docker pull ${DOCKER_IMAGE}" + env: + DOCKER_IMAGE: ${{ steps.build.outputs.docker_image }} diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index c3a532f..d094453 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -25,6 +25,7 @@ jobs: with: fetch-tags: true fetch-depth: 0 + persist-credentials: false - name: Set up Homebrew uses: Homebrew/actions/setup-homebrew@master diff --git a/.github/workflows/docs-deploy.yml b/.github/workflows/docs-deploy.yml index 1636c48..652351f 100644 --- a/.github/workflows/docs-deploy.yml +++ b/.github/workflows/docs-deploy.yml @@ -17,6 +17,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index 09b543a..3c333dd 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -16,6 +16,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: build essential run: | -- cgit v1.2.3 From 01c2e458435427014556e91e2bece71056d96e12 Mon Sep 17 00:00:00 2001 From: Patrick Linnane Date: Tue, 1 Apr 2025 21:09:46 -0700 Subject: dependabot: enable (#189) * dependabot: enable Signed-off-by: Patrick Linnane * dependabot: group updates Signed-off-by: Patrick Linnane --------- Signed-off-by: Patrick Linnane Signed-off-by: Xe Iaso Co-authored-by: Xe Iaso --- .github/dependabot.yml | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 .github/dependabot.yml (limited to '.github') 
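Review bot: The checkout is now hardened with `persist-credentials: false`, but the very next step in this hunk, `uses: Homebrew/actions/setup-homebrew@master`, is pinned to a moving branch, so any commit landing on that branch runs inside this job with whatever the job can reach; zizmor's `unpinned-uses` audit will presumably keep reporting it, so this is a "part 2" candidate. Pin it to a full commit SHA with the branch recorded in a trailing comment, `uses: Homebrew/actions/setup-homebrew@<full-commit-sha> # master`, so the action's code can only change through a reviewed bump. The enclosing job in docker-pr.yml starts before and continues after this hunk.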
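Review bot: docker.yml carries the same branch-pinned `Homebrew/actions/setup-homebrew@master` as the context line immediately after the new `persist-credentials: false`, and the commit leaves it in place; judging by the file name this workflow presumably builds the published image, so a compromised or force-pushed `master` on that action would execute in the job that produces release artifacts. Replace the ref with a full SHA, `uses: Homebrew/actions/setup-homebrew@<full-commit-sha> # master`, and note that Dependabot's `github-actions` updater (enabled later in this series) does not rewrite bare branch references, so the pin has to be introduced by hand once. The surrounding job starts and ends outside the hunk.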
diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..dbe7232 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,28 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: weekly + groups: + github-actions: + patterns: + - "*" + + - package-ecosystem: gomod + directory: / + schedule: + interval: weekly + groups: + gomod: + patterns: + - "*" + + - package-ecosystem: npm + directory: / + schedule: + interval: weekly + groups: + npm: + patterns: + - "*" -- cgit v1.2.3 From 515453c607f09fe0bd1be10b38a1a0e9fef7d75f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 2 Apr 2025 00:15:49 -0400 Subject: build(deps): bump actions/cache from 3 to 4 in the github-actions group (#198) Bumps the github-actions group with 1 update: [actions/cache](https://github.com/actions/cache). Updates `actions/cache` from 3 to 4 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/v3...v4) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/go.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github') diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index 3c333dd..0be7b37 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -59,7 +59,7 @@ jobs: ${{ runner.os }}-golang- - name: Cache playwright binaries - uses: actions/cache@v3 + uses: actions/cache@v4 id: playwright-cache with: path: | -- cgit v1.2.3
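Review bot: Every ecosystem here uses a single group with `patterns: ["*"]` and no `update-types` filter, so a semver-major bump lands in the same weekly PR as routine patch updates and can be approved along with them; the `actions/cache` 3→4 bump in the following commit (`update-type: version-update:semver-major`, arriving through the `github-actions` group) is exactly that case. Add `update-types: ["minor", "patch"]` under each group so major bumps get their own PR and their own review. The `directory: /` entries for `gomod` and `npm` assume a `go.mod` and `package.json` at the repository root, which this diff does not show; confirm both exist before relying on those updaters, since a missing manifest makes the entry a silent no-op.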