build(deps): bump super-linter/super-linter from 8.0.0 to 8.1.0 in the actions-minor group across 1 directory (#268)

* build(deps): bump super-linter/super-linter

Bumps the actions-minor group with 1 update in the / directory: [super-linter/super-linter](https://github.com/super-linter/super-linter).


Updates `super-linter/super-linter` from 8.0.0 to 8.1.0
- [Release notes](https://github.com/super-linter/super-linter/releases)
- [Changelog](https://github.com/super-linter/super-linter/blob/main/CHANGELOG.md)
- [Commits](super-linter/super-linter@5119dcd...ffde3b2)

---
updated-dependencies:
- dependency-name: super-linter/super-linter
  dependency-version: 8.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* fix: Disable credential persistence for checkout actions in CI workflows

* chore: formatting

* fix: validate release version format to match X.Y.Z pattern

* fix: disable validation for GitHub Actions ZIZMOR in lint workflow

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Mark Johnson <[email protected]>

Author: dependabot[bot]

.github/workflows/check-dist.yml

@@ -25,6 +25,7 @@ jobs:
         uses: actions/checkout@v5
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Setup Node.js
         id: setup-node

.github/workflows/ci.yml

@@ -22,6 +22,8 @@ jobs:
       - name: Checkout
         id: checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: Setup Node.js
         id: setup-node

.github/workflows/codeql-analysis.yml

@@ -31,6 +31,8 @@ jobs:
       - name: Checkout
         id: checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: Initialize CodeQL
         id: initialize

.github/workflows/lint.yml

@@ -24,6 +24,7 @@ jobs:
         uses: actions/checkout@v5
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Setup Node.js
         id: setup-node
@@ -42,7 +43,7 @@ jobs:
 
       - name: Lint Codebase
         id: super-linter
-        uses: super-linter/super-linter@5119dcd8011e92182ce8219d9e9efc82f16fddb6 # v8.0.0
+        uses: super-linter/super-linter@ffde3b2b33b745cb612d787f669ef9442b1339a6 # v8.1.0
         env:
           DEFAULT_BRANCH: main
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -59,4 +60,5 @@ jobs:
           VALIDATE_TYPESCRIPT_STANDARD: false # Using biome
           VALIDATE_TYPESCRIPT_ES: false # Using biome
           VALIDATE_TYPESCRIPT_PRETTIER: false # Using biome
+          VALIDATE_GITHUB_ACTIONS_ZIZMOR: false # This is new. Will investigate this further
 

.github/workflows/release-start.yml

@@ -27,6 +27,7 @@ jobs:
       - uses: actions/checkout@v5
         with:
           fetch-depth: 0 # Get all history which is required for parsing commits
+          persist-credentials: false
 
       - name: Setup Node.js
         id: setup-node
@@ -39,8 +40,18 @@ jobs:
         id: npm-ci
         run: npm ci --no-fund
 
+      - name: Validate version input
+        run: |
+          # Ensure the provided version strictly matches X.Y.Z where X,Y,Z are numeric to avoid injection.
+          if ! [[ '${{ env.VERSION }}' =~ ^[0-9]+(\.[0-9]+){2}$ ]]; then
+            echo "Error: release_version must match X.Y.Z (numeric). Got: ${{ env.VERSION }}" >&2
+            exit 1
+          fi
+
       - name: Update package.json version
-        run: npm version ${{ env.VERSION }} --no-git-tag-version
+        # Quote the value so the shell treats it as a single literal argument (prevents command/word splitting).
+        # Flag order changed (options first) for clarity but either order works.
+        run: npm version --no-git-tag-version '${{ env.VERSION }}'
 
       - name: Build the package
         run: npm run package

.github/workflows/release.yml

@@ -22,6 +22,7 @@ jobs:
         with:
           fetch-depth: 0 # Get all history
           fetch-tags: true
+          persist-credentials: true
 
       - name: Extract version from PR body
         id: extract-version

.github/workflows/test.yml

@@ -20,6 +20,7 @@ jobs:
         with:
           # Disabling shallow clone is recommended for improving relevancy of reporting
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Setup Node.js
         uses: actions/setup-node@v4

biome.json

@@ -1,5 +1,5 @@
 {
-  "$schema": "https://biomejs.dev/schemas/2.2.0/schema.json",
+  "$schema": "https://biomejs.dev/schemas/2.2.4/schema.json",
   "vcs": {
     "enabled": true,
     "clientKind": "git",

package.json

@@ -39,8 +39,8 @@
     ]
   },
   "scripts": {
-    "check": "biome check . && npx prettier -c \"*.md\" \".github/**/*.md\"",
-    "check:fix": "biome check --write --unsafe . && npx prettier -w \"*.md\" \".github/**/*.md\"",
+    "check": "biome check . && npx prettier -c \"*.md\" \"**/*.yml\" \".github/**/*.md\"",
+    "check:fix": "biome check --write --unsafe . && npx prettier -w \"*.md\" \"**/*.yml\" \".github/**/*.md\"",
     "dev:parse-modules": "tsx scripts/dev-parse-modules.ts",
     "textlint": "textlint -c .github/linters/.textlintrc **/*.md",
     "textlint:fix": "textlint -c .github/linters/.textlintrc --fix **/*.md",