From a48b8facb388c25429062517aa85f182daad27d6 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 22:02:47 -0400
Subject: [PATCH 1/8] CI: pin actions by SHA
This eliminates the possibility of a tag being changed under us.
---
 .github/workflows/lint.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 1dea102..85beb7e 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -13,6 +13,6 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
- - uses: codespell-project/actions-codespell@master
+ - uses: codespell-project/actions-codespell@406322ec52dd7b488e48c1c4b82e2a8b3a1bf630 # v2
 with:
 check_filenames: true
From 66f597789772ef2c05d4019c0ecaedabe802a419 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 22:06:00 -0400
Subject: [PATCH 2/8] MNT: add more things to gitignore
---
 {{cookiecutter.github_project_name}}/.gitignore | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/{{cookiecutter.github_project_name}}/.gitignore b/{{cookiecutter.github_project_name}}/.gitignore
index 49df861..fe3a084 100644
--- a/{{cookiecutter.github_project_name}}/.gitignore
+++ b/{{cookiecutter.github_project_name}}/.gitignore
@@ -151,5 +151,16 @@ cython_debug/
 [._]sw[a-p]
 [._]*.un~
-## vscode
-.vscode
\ No newline at end of file
+
+## Editor temporary/working/backup files #
+.#*
+[#]*#
+*~
+*$
+*.bak
+*.kdev4
+.project
+.pydevproject
+*.swp
+.idea
+.vscode/
From b4c19d8c65f2a79fac18205879710b604e5a9458 Mon Sep 17 00:00:00 2001
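Review bot: The context line `- uses: actions/checkout@v2` directly above the new pin is still a mutable tag, so the goal stated in the commit message (no tag can be moved under us) is only half met in this hunk; pin it the same way, `- uses: actions/checkout@<full-commit-sha>  # <tag the SHA was resolved from>` (placeholders, to be filled from the upstream tag), keeping the trailing version comment so the Dependabot config added later in this series has something to bump. The same unpinned `actions/checkout@v2` and `actions/setup-python@v2` context lines appear in every hunk of PATCH 3/8 and in the PATCH 6/8 hunk, and they would be the next candidates for the same treatment. Whether the new SHA actually corresponds to the upstream `v2` tag cannot be checked from the patch and should be verified before merging.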
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 23:06:30 -0400
Subject: [PATCH 3/8] CI: auto-fix via zizmor
May include:
- Avoids risky string interpolation.
- Prevents checkout premissions from leaking
---
 .github/workflows/lint.yml | 2 ++
 {{cookiecutter.github_project_name}}/.github/workflows/lint.yml | 2 ++
 .../.github/workflows/publish.yml | 2 ++
 {{cookiecutter.github_project_name}}/.github/workflows/test.yml | 2 ++
 4 files changed, 8 insertions(+)
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 85beb7e..8f4c03f 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -13,6 +13,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - uses: codespell-project/actions-codespell@406322ec52dd7b488e48c1c4b82e2a8b3a1bf630 # v2
 with:
 check_filenames: true
diff --git a/{{cookiecutter.github_project_name}}/.github/workflows/lint.yml b/{{cookiecutter.github_project_name}}/.github/workflows/lint.yml
index 0e61f94..53c02dc 100644
--- a/{{cookiecutter.github_project_name}}/.github/workflows/lint.yml
+++ b/{{cookiecutter.github_project_name}}/.github/workflows/lint.yml
@@ -11,6 +11,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v2
 - uses: psf/black@stable
 with:
diff --git a/{{cookiecutter.github_project_name}}/.github/workflows/publish.yml b/{{cookiecutter.github_project_name}}/.github/workflows/publish.yml
index 494b409..84b7658 100644
--- a/{{cookiecutter.github_project_name}}/.github/workflows/publish.yml
+++ b/{{cookiecutter.github_project_name}}/.github/workflows/publish.yml
@@ -11,6 +11,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - name: Install Python
 uses: actions/setup-python@v2
 with:
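Review bot: The added `persist-credentials: false` carries no explanation, and because three of these four files live under `{{cookiecutter.github_project_name}}/` and are copied into every generated project, the first user whose later step fails to `git push` is likely to delete the line rather than supply a scoped token; a one-line comment would keep the intent with the setting: `persist-credentials: false  # keep GITHUB_TOKEN out of .git/config; a step that pushes needs an explicit, scoped token`. The same addition appears in the other three hunks of this commit (the template's lint.yml and publish.yml hunks on this line, and the test.yml hunk on the next physical line), which would take the same comment. The steps that follow each checkout are outside these hunks, so whether any of them relies on the persisted token (in publish.yml in particular) cannot be confirmed from the patch and is worth a quick check.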
diff --git a/{{cookiecutter.github_project_name}}/.github/workflows/test.yml b/{{cookiecutter.github_project_name}}/.github/workflows/test.yml
index 1c843dd..1ae6d85 100644
--- a/{{cookiecutter.github_project_name}}/.github/workflows/test.yml
+++ b/{{cookiecutter.github_project_name}}/.github/workflows/test.yml
@@ -19,6 +19,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - name: Setup Python ${{ matrix.python-version }}
 uses: actions/setup-python@v2
From 74a27f8996e734ecaa87749bc93650db0e155819 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 23:14:54 -0400
Subject: [PATCH 4/8] CI: Restrict default permissions
Reduces risk of arbitrary code is run by attacker.
---
 .github/workflows/lint.yml | 2 ++
 {{cookiecutter.github_project_name}}/.github/workflows/lint.yml | 2 ++
 .../.github/workflows/publish.yml | 2 ++
 {{cookiecutter.github_project_name}}/.github/workflows/test.yml | 2 ++
 4 files changed, 8 insertions(+)
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 8f4c03f..ceb26d8 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,4 +1,6 @@
 name: Lint
+permissions:
+ contents: read
 on:
 push:
diff --git a/{{cookiecutter.github_project_name}}/.github/workflows/lint.yml b/{{cookiecutter.github_project_name}}/.github/workflows/lint.yml
index 53c02dc..27f144b 100644
--- a/{{cookiecutter.github_project_name}}/.github/workflows/lint.yml
+++ b/{{cookiecutter.github_project_name}}/.github/workflows/lint.yml
@@ -1,4 +1,6 @@
 name: Lint
+permissions:
+ contents: read
 on:
 push:
diff --git a/{{cookiecutter.github_project_name}}/.github/workflows/publish.yml b/{{cookiecutter.github_project_name}}/.github/workflows/publish.yml
index 84b7658..ca6c31a 100644
--- a/{{cookiecutter.github_project_name}}/.github/workflows/publish.yml
+++ b/{{cookiecutter.github_project_name}}/.github/workflows/publish.yml
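Review bot: The new workflow-level `permissions:` block is undocumented, and its one non-obvious property is that a job-level `permissions:` replaces it wholesale rather than merging with it, so a template user who later adds `pull-requests: write` to one job silently loses `contents: read` there; a comment on the added line would prevent that: `permissions:  # default for every job; a job that needs more must re-list everything it uses`. The same block is added in all four hunks of PATCH 4/8 (the root lint.yml and template lint.yml here, publish.yml and test.yml on the next physical line) and the comment belongs in each. Whether any later job in test.yml or publish.yml actually needs a write scope is outside these hunks; the deploy job in publish.yml is the one case the series itself handles, in PATCH 5/8.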
@@ -1,5 +1,7 @@
 # heavily based on https://github.com/jupyterlab/jupyterlab-git/blob/v0.22.2/.github/workflows/publish.yml
 name: Publish Package
+permissions:
+ contents: read
 on:
 release:
diff --git a/{{cookiecutter.github_project_name}}/.github/workflows/test.yml b/{{cookiecutter.github_project_name}}/.github/workflows/test.yml
index 1ae6d85..ad4e5af 100644
--- a/{{cookiecutter.github_project_name}}/.github/workflows/test.yml
+++ b/{{cookiecutter.github_project_name}}/.github/workflows/test.yml
@@ -1,4 +1,6 @@
 name: Test
+permissions:
+ contents: read
 on:
 push:
From ed2a8a4ede2676b5c337a456e51f57c7b95b33ad Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 23:25:20 -0400
Subject: [PATCH 5/8] CI: Restrict default permissions
Reduces risk of arbitrary code is run by attacker.
---
 .../.github/workflows/publish.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/{{cookiecutter.github_project_name}}/.github/workflows/publish.yml b/{{cookiecutter.github_project_name}}/.github/workflows/publish.yml
index ca6c31a..0ea2f4c 100644
--- a/{{cookiecutter.github_project_name}}/.github/workflows/publish.yml
+++ b/{{cookiecutter.github_project_name}}/.github/workflows/publish.yml
@@ -11,6 +11,10 @@ on:
 jobs:
 deploy:
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ attestations: write
+ contents: read
 steps:
 - uses: actions/checkout@v2
 with:
From b64b693fdb55fe7dd2814418571647372733826d Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 23:34:14 -0400
Subject: [PATCH 6/8] CI: pin actions by SHA
This eliminates the possibility of a tag being changed under us.
---
 {{cookiecutter.github_project_name}}/.github/workflows/lint.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/{{cookiecutter.github_project_name}}/.github/workflows/lint.yml b/{{cookiecutter.github_project_name}}/.github/workflows/lint.yml
index 27f144b..e38e77c 100644
--- a/{{cookiecutter.github_project_name}}/.github/workflows/lint.yml
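Review bot: The `deploy` job in PATCH 5/8 gets `id-token: write` and `attestations: write` for its whole lifetime without being tied to a deployment environment, so the OIDC token it can mint carries no environment claim and the job runs under no environment protection rules; if the later steps (outside the hunk) publish via trusted publishing, adding `environment: <release-environment-name>` (placeholder) to the job lets the publisher trust only tokens from that environment and puts required reviewers in front of the release. A comment on the new block would also help template users, since this job-level block replaces the workflow default from PATCH 4/8 rather than extending it: `permissions:  # replaces the workflow default; OIDC token and attestations are only needed by this job`. The steps that consume these scopes are not visible in the hunk, so whether `attestations: write` is actually used should be confirmed before keeping it.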
+++ b/{{cookiecutter.github_project_name}}/.github/workflows/lint.yml
@@ -16,7 +16,7 @@ jobs:
 with:
 persist-credentials: false
 - uses: actions/setup-python@v2
- - uses: psf/black@stable
+ - uses: psf/black@8a737e727ac5ab2f1d4cf5876720ed276dc8dc4b # 25.1.0
 with:
 options: "--check"
 src: "."
From efe6689b86578c0173bcddc20478745ded9306ce Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Fri, 18 Jul 2025 11:32:04 -0400
Subject: [PATCH 7/8] CI: add dependabot config file for GHA
---
 .github/dependabot.yml | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..fc9f855
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/" # Location of your workflow files
+ schedule:
+ interval: "weekly" # Options: daily, weekly, monthly
From d8de6077266241307119d967f281ae82967dfac9 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Fri, 18 Jul 2025 14:45:56 -0400
Subject: [PATCH 8/8] ENH: add dependabot to template
---
 .../.github/dependabot.yml | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 {{cookiecutter.github_project_name}}/.github/dependabot.yml
diff --git a/{{cookiecutter.github_project_name}}/.github/dependabot.yml b/{{cookiecutter.github_project_name}}/.github/dependabot.yml
new file mode 100644
index 0000000..fc9f855
--- /dev/null
+++ b/{{cookiecutter.github_project_name}}/.github/dependabot.yml
@@ -0,0 +1,7 @@
+
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/" # Location of your workflow files
+ schedule:
+ interval: "weekly" # Options: daily, weekly, monthly
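Review bot: In PATCH 7/8 the root `.github/dependabot.yml` uses `directory: "/"`, which makes Dependabot look only in the repository's own `.github/workflows/`, so the SHA pin this series adds to the template's workflow under `{{cookiecutter.github_project_name}}/.github/workflows/lint.yml` (PATCH 6/8) will not be bumped by it; the copy in PATCH 8/8 only helps projects generated from the template, not the template repository. Whether a second `updates` entry with the template directory as `directory` is honoured for the `github-actions` ecosystem depends on Dependabot's support for non-root directories and should be tested rather than assumed. As style points, both new files begin with an empty first line (the first `+` line is blank) where a `---` document start would be conventional, and the two inline comments `# Location of your workflow files` and `# Options: daily, weekly, monthly` are documentation boilerplate that can be dropped.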