From 1328b1cdc15611329eb5a67d2cd941bc4754df22 Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Thu, 17 Jul 2025 23:25:13 -0400 Subject: [PATCH 1/5] CI: Restrict default permissions Reduces risk of arbitrary code is run by attacker. --- .github/workflows/main.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index 8ea3441..0415f5a 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -1,4 +1,6 @@ name: CI +permissions: + contents: write on: [push, pull_request] From 08b5a555b4e59b6e169168830d27d9a9455f0061 Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Thu, 17 Jul 2025 23:36:36 -0400 Subject: [PATCH 2/5] CI: Restrict default permissions Reduces risk of arbitrary code is run by attacker. --- .github/workflows/main.yaml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index 0415f5a..2e8c7f1 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -1,11 +1,11 @@ name: CI -permissions: - contents: write - on: [push, pull_request] jobs: pre-commit: + permissions: + contents: read + runs-on: ubuntu-20.04 steps: - uses: actions/checkout@v4 @@ -13,6 +13,9 @@ jobs: - uses: pre-commit/action@v3.0.1 build: runs-on: ubuntu-20.04 + permissions: + contents: write + steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v5 From 042eff83a68a499dfa0d73c3bbebc974e7fcd4cd Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Fri, 18 Jul 2025 14:37:50 -0400 Subject: [PATCH 3/5] CI: pin actions by SHA This eliminates the possibility of a tag being changed under us. --- .github/workflows/main.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index 2e8c7f1..dcb0048 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml 
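Review bot: After the first hunk of this patch removes the workflow-level `permissions:` block, the workflow no longer declares a default at all, so any job without its own `permissions:` (including one added later) falls back to the repository's default GITHUB_TOKEN permissions, which can be read-write depending on repository settings. Keeping a least-privilege default at the top and overriding only where needed is safer: keep `permissions:` / `  contents: read` at the workflow level (or `permissions: {}`) and leave the per-job `contents: write` on `build` as the explicit exception. The pre-commit job's `contents: read` then becomes redundant but harmless. The `jobs:` mapping continues outside the hunk, so I cannot confirm from here that pre-commit and build are the only jobs.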
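Review bot: The second hunk grants `contents: write` to the whole `build` job, but the only step in the series that appears to write to the repository is the "Publish cheatsheets and handouts" step, which is gated on `github.event_name == 'push' && github.ref == 'refs/heads/master'` (visible in later patches). As written, every run of `build` — same-repository pull requests and pushes to other branches included — executes checkout, setup-python and the build steps with a write-capable token, which is exactly the blast radius the commit message says it wants to reduce (tokens for fork pull requests are read-only regardless). If no other build step pushes, consider moving the publish step into a separate job with `needs: build`, the existing `if:` condition and its own `permissions:` / `  contents: write`, and giving `build` only `contents: read`; the build artifacts would then have to be handed over via upload/download-artifact, which is outside what this hunk shows. The build job's step list continues outside the hunk.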
@@ -10,7 +10,7 @@ jobs: steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v5 - - uses: pre-commit/action@v3.0.1 + - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 build: runs-on: ubuntu-20.04 permissions: @@ -79,7 +79,7 @@ jobs: >> $GITHUB_STEP_SUMMARY - name: Publish cheatsheets and handouts if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} - uses: peaceiris/actions-gh-pages@v4 + uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4 with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: ./docs/_build/html/ From 25791eb3b5f7b62f64d9d2c0c459be268883f7e8 Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Fri, 18 Jul 2025 14:39:36 -0400 Subject: [PATCH 4/5] CI: apply zizmor auto-fixes --- .github/workflows/main.yaml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index dcb0048..727becd 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -9,6 +9,8 @@ jobs: runs-on: ubuntu-20.04 steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-python@v5 - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 build: @@ -18,6 +20,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-python@v5 with: python-version: "3.10" @@ -75,8 +79,10 @@ jobs: - name: Output artifacts URL run: | echo 'Artifact URL:' \ - '${{ steps.diffs-artifact-upload.outputs.artifact-url }}' \ + '${STEPS_DIFFS_ARTIFACT_UPLOAD_OUTPUTS_ARTIFACT_URL}' \ >> $GITHUB_STEP_SUMMARY + env: + STEPS_DIFFS_ARTIFACT_UPLOAD_OUTPUTS_ARTIFACT_URL: ${{ steps.diffs-artifact-upload.outputs.artifact-url }} - name: Publish cheatsheets and handouts if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4 
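Review bot: The commit title says "pin actions by SHA" but the first hunk's context lines still show `- uses: actions/checkout@v4` and `- uses: actions/setup-python@v5` tag-pinned, and the same two references appear unchanged in the build job in the following patch; a moving tag on any one of them leaves the same supply-chain exposure the commit sets out to close. Pin those the same way, e.g. `- uses: actions/checkout@<full-commit-sha> # v4` and `- uses: actions/setup-python@<full-commit-sha> # v5`, with the placeholder replaced by the commit the tag currently resolves to. Once everything is SHA-pinned, a Dependabot `package-ecosystem: github-actions` entry keeps the pins (and their trailing version comments) moving instead of silently ageing. The artifact-upload step referenced as `steps.diffs-artifact-upload` is outside both hunks, so I cannot tell whether it is pinned.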
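Review bot: In the third hunk of the zizmor patch the expression is correctly moved out of the `run:` script into `env:`, but the script still redirects with an unquoted `>> $GITHUB_STEP_SUMMARY`; writing it as `>> "$GITHUB_STEP_SUMMARY"` avoids word-splitting surprises and matches the hardening intent of the rest of the change. The new `STEPS_DIFFS_ARTIFACT_UPLOAD_OUTPUTS_ARTIFACT_URL` line is also well past the usual line-length limit; a shorter name such as `ARTIFACT_URL` (updated in both places) would keep the step readable. The `persist-credentials: false` additions in the first two hunks look compatible with the publish step, since that step passes `github_token: ${{ secrets.GITHUB_TOKEN }}` explicitly rather than relying on the checkout's stored credential, but I cannot see every step of `build`, so confirm that no other step does a `git push` or fetch that needed the persisted token.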
From bc88c6d250b7a382ad5858c6b86d8af27ab287f0 Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Tue, 22 Jul 2025 09:16:53 -0400 Subject: [PATCH 5/5] CI: update version string Co-authored-by: Elliott Sales de Andrade --- .github/workflows/main.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index 727becd..2f98d8c 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -85,7 +85,7 @@ jobs: STEPS_DIFFS_ARTIFACT_UPLOAD_OUTPUTS_ARTIFACT_URL: ${{ steps.diffs-artifact-upload.outputs.artifact-url }} - name: Publish cheatsheets and handouts if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} - uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4 + uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: ./docs/_build/html/