From e3b1431c06628b436a137343a8ecdaabb6bb4ff9 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 21:02:28 -0400
Subject: [PATCH 1/8] CI: pin actions by SHA

This eliminates the possibility of a tag being changed under us.
---
 .github/workflows/update-changelog.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/update-changelog.yaml b/.github/workflows/update-changelog.yaml
index 1432b5e0..11686072 100644
--- a/.github/workflows/update-changelog.yaml
+++ b/.github/workflows/update-changelog.yaml
@@ -19,14 +19,14 @@ jobs:
           ref: main
 
       - name: Update Changelog
-        uses: stefanzweifel/changelog-updater-action@v1
+        uses: stefanzweifel/changelog-updater-action@a938690fad7edf25368f37e43a1ed1b34303eb36 # v1
         with:
           release-notes: ${{ github.event.release.body }}
           latest-version: ${{ github.event.release.name }}
           path-to-changelog: CHANGES.md
 
       - name: Commit updated CHANGELOG
-        uses: stefanzweifel/git-auto-commit-action@v4
+        uses: stefanzweifel/git-auto-commit-action@3ea6ae190baf489ba007f7c92608f33ce20ef04a # v4
         with:
           branch: main
           commit_message: Update CHANGELOG

From cb712eba9983ea5c4a84eaf8b7b771ee3fc77849 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 23:07:31 -0400
Subject: [PATCH 2/8] CI: auto-fix via zizmor

May include:
- Avoids risky string interpolation.
- Prevents checkout premissions from leaking
---
 .github/workflows/update-changelog.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/update-changelog.yaml b/.github/workflows/update-changelog.yaml
index 11686072..35c0272f 100644
--- a/.github/workflows/update-changelog.yaml
+++ b/.github/workflows/update-changelog.yaml
@@ -17,6 +17,7 @@ jobs:
         uses: actions/checkout@v2
         with:
           ref: main
+          persist-credentials: false
 
       - name: Update Changelog
         uses: stefanzweifel/changelog-updater-action@a938690fad7edf25368f37e43a1ed1b34303eb36 # v1

From 03e2714f3c9c6337f7ede905b9a2b97955400a63 Mon Sep 17 00:00:00 2001
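Review bot: The pin is incomplete: the same workflow still checks out with `uses: actions/checkout@v2` by mutable tag (visible as a context line in the next patch's hunk at line 17), so the tag-replacement risk the commit message cites still applies to the step that runs first and writes the token into the checkout. Pin it the same way as the two stefanzweifel actions, `uses: actions/checkout@<commit-sha-of-current-release> # vN`, taking the SHA from the upstream release rather than a tag; v2 is also an old major release, so pinning to a current release's SHA is preferable to pinning the v2 tag's commit. The Dependabot config added later in this series updates SHA-pinned actions and keeps the trailing `# vN` comment, so the pin does not become a maintenance burden.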
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 23:14:32 -0400
Subject: [PATCH 3/8] CI: Restrict default permissions

Reduces risk of arbitrary code is run by attacker.
---
 .github/workflows/test_and_publish.yml | 2 ++
 .github/workflows/update-changelog.yaml | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/.github/workflows/test_and_publish.yml b/.github/workflows/test_and_publish.yml
index e2519a71..4db5cd0c 100644
--- a/.github/workflows/test_and_publish.yml
+++ b/.github/workflows/test_and_publish.yml
@@ -1,4 +1,6 @@
 name: CI
+permissions:
+  contents: read
 
 on:
   push:
diff --git a/.github/workflows/update-changelog.yaml b/.github/workflows/update-changelog.yaml
index 35c0272f..1d488ebd 100644
--- a/.github/workflows/update-changelog.yaml
+++ b/.github/workflows/update-changelog.yaml
@@ -3,6 +3,8 @@
 # the git repo of the changes.
 
 name: "Update Changelog"
+permissions:
+  contents: read
 
 on:
   release:

From 340947cdcc3e86ffd315a30864848268da77a5d7 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Fri, 18 Jul 2025 11:31:28 -0400
Subject: [PATCH 4/8] CI: add dependabot config file for GHA

---
 .github/dependabot.yml | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..fc9f8550
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/" # Location of your workflow files
+    schedule:
+      interval: "weekly" # Options: daily, weekly, monthly

From 2e4cd57602f55de435a83e09f4b936e8fa15af84 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Fri, 18 Jul 2025 14:23:32 -0400
Subject: [PATCH 5/8] CI: switch to write permission as it needs to push

Co-authored-by: Ryan May
---
 .github/workflows/update-changelog.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
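Review bot: The workflow-level `permissions: contents: read` added at the top of test_and_publish.yml replaces the repository default for every job in that file, and the hunk shows nothing about the jobs it governs; the `jobs:` section is outside this hunk. If the publish job relies on OIDC trusted publishing or pushes a tag or release asset, it now needs its own job-level block (for example `permissions:` with `id-token: write` on that job only), otherwise it will fail at the next release rather than at review time. I can't confirm from here whether that applies; a comment on the new block such as `# default for all jobs; the publish job raises what it needs at job level` would make the intent explicit either way.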
diff --git a/.github/workflows/update-changelog.yaml b/.github/workflows/update-changelog.yaml
index 1d488ebd..90ad4868 100644
--- a/.github/workflows/update-changelog.yaml
+++ b/.github/workflows/update-changelog.yaml
@@ -4,7 +4,7 @@
 
 name: "Update Changelog"
 permissions:
-  contents: read
+  contents: write
 
 on:
   release:

From b9939251ec271a3c160e15302a4bcaf4e86a9aaf Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Fri, 18 Jul 2025 15:27:26 -0400
Subject: [PATCH 6/8] CI: preserve credentials from checkout

We need them later.
---
 .github/workflows/update-changelog.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/update-changelog.yaml b/.github/workflows/update-changelog.yaml
index 90ad4868..fb6c998c 100644
--- a/.github/workflows/update-changelog.yaml
+++ b/.github/workflows/update-changelog.yaml
@@ -19,7 +19,7 @@ jobs:
         uses: actions/checkout@v2
         with:
           ref: main
-          persist-credentials: false
+          persist-credentials: true
 
       - name: Update Changelog
         uses: stefanzweifel/changelog-updater-action@a938690fad7edf25368f37e43a1ed1b34303eb36 # v1

From f96cdb618bd121f347be265bf8e4607d99140a21 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Tue, 22 Jul 2025 09:03:10 -0400
Subject: [PATCH 7/8] STY: drop whitespace

Co-authored-by: Stuart Mumford
---
 .github/dependabot.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index fc9f8550..d1480d39 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,4 +1,3 @@
-
 version: 2
 updates:
   - package-ecosystem: "github-actions"

From a0f064e45a2bfbdd6677db8ce759462028e821bb Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Tue, 22 Jul 2025 09:13:18 -0400
Subject: [PATCH 8/8] CI: slow down cadence of checking for updates

---
 .github/dependabot.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index d1480d39..34a629dd 100644
--- a/.github/dependabot.yml
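Review bot: `contents: write` is granted at the workflow level (the key sits directly under `name:` in this hunk), so it applies to every job in the file rather than only the job whose git-auto-commit-action step pushes to main. Keeping the top-level block at `contents: read` and adding `permissions:` with `contents: write` under that one job keeps any job added later read-only by default and records which step needs the write scope. If the workflow has a single job the effect is identical today; the `jobs:` section is outside this hunk, so I can't confirm the job count from here.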
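Review bot: The flip back to `persist-credentials: true` carries no explanation in the file, and combined with the workflow-level `contents: write` it means the push-capable token written by checkout is available to every later step in the job, including the third-party changelog-updater-action, not only the commit step that needs it. Add a comment on the changed line so the next zizmor auto-fix does not revert it, e.g. `# git-auto-commit-action pushes with the token checkout persists; requires contents: write above`. Since `true` is the action's default the key could be dropped entirely, but the explicit value with the comment is clearer given the earlier `false`; the SHA pins from the first patch are what bound the exposure of that token, so keep them in place.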
+++ b/.github/dependabot.yml
@@ -3,4 +3,4 @@ updates:
   - package-ecosystem: "github-actions"
     directory: "/" # Location of your workflow files
     schedule:
-      interval: "weekly" # Options: daily, weekly, monthly
+      interval: "monthly" # Options: daily, weekly, monthly