From d42a5fc1ed16d34e50237d188b605c198389a4ec Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 20:57:11 -0400
Subject: [PATCH 1/4] CI: pin actions by SHA

This eliminates the possibility of a tag being changed under us.
---
.github/workflows/docs.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index df2a5af..bdf99d5 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -31,7 +31,7 @@ jobs: - name: Publish if: ${{ steps.setup.outputs.IS_RELEASE == 'true' }} - uses: peaceiris/actions-gh-pages@v3 + uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3 with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: ./_build/html

From 58a4b398fa9d2ef1981612f3b6bdd4009d885e88 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 23:08:27 -0400
Subject: [PATCH 2/4] CI: auto-fix via zizmor

May include:
- Avoids risky string interpolation.
- Prevents checkout premissions from leaking
---
.github/workflows/docs.yml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index bdf99d5..4f72b7a 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -15,6 +15,8 @@ jobs: }}" >> $GITHUB_OUTPUT - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Upgrade jinja run: pip install -U jinja2
@@ -24,10 +26,12 @@ jobs: - name: Build run: | - if [ "${{ steps.setup.outputs.IS_RELEASE }}" == "true" ]; then + if [ "${STEPS_SETUP_OUTPUTS_IS_RELEASE}" == "true" ]; then O="-t release" fi make html O="$O" + env: + STEPS_SETUP_OUTPUTS_IS_RELEASE: ${{ steps.setup.outputs.IS_RELEASE }} - name: Publish if: ${{ steps.setup.outputs.IS_RELEASE == 'true' }}

From 74977cc3b9fcec329168bf976f9670afe11aa0fa Mon Sep 17 00:00:00 2001
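Review bot: Only the publish action is SHA-pinned here, while `actions/checkout@v4` in the same workflow (visible as context in the following patch) stays on a mutable tag, so the subject's claim that a tag can no longer be changed under us holds for just one of the workflow's actions. Pin it the same way, `- uses: actions/checkout@<full-commit-sha> # v4`, resolving the SHA from the tag you verified rather than copying it from a third party. A trailing comment naming the exact release (`# v3.x.y` rather than `# v3`) records which tag the SHA was resolved from and is the form that automated updaters keep in sync. The Publish step belongs to a job whose start lies outside the hunk.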
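Review bot: The Build step's `${{ }}` interpolation is moved into an `env:` variable, but the first hunk of this patch still shows the setup step ending in `}}" >> $GITHUB_OUTPUT`, i.e. another expression expanded directly into a `run:` script, whose head lies outside the hunk. If that expression reads anything derived from the triggering event (ref names, titles, commit messages), it has the same shell-injection shape the auto-fix removed from Build and should be routed through `env:` in the same way; if it only reads fixed-vocabulary context such as `github.ref_type`, a one-line comment saying so would stop the next zizmor run from flagging it again. Separately, `$GITHUB_OUTPUT` on that line is unquoted; `>> "$GITHUB_OUTPUT"` is the safer habit in any `run:` block.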
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 23:25:52 -0400
Subject: [PATCH 3/4] CI: Restrict default permissions

Reduces risk of arbitrary code is run by attacker.
---
.github/workflows/docs.yml | 2 ++
1 file changed, 2 insertions(+)

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 4f72b7a..3eeed32 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -1,5 +1,7 @@ --- name: Docs +permissions: + contents: write on: [push, pull_request]

From 1164c95b88551af630c1bd8c021a3c2ad280d197 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Fri, 18 Jul 2025 11:31:47 -0400
Subject: [PATCH 4/4] CI: add dependabot config file for GHA

---
.github/dependabot.yml | 7 +++++++
1 file changed, 7 insertions(+)
create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..fc9f855
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/" # Location of your workflow files
+ schedule:
+ interval: "weekly" # Options: daily, weekly, monthly
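Review bot: `contents: write` at the workflow level grants write to every run of this workflow, including same-repository `pull_request` runs (the context line `on: [push, pull_request]` shows the trigger), although only the Publish step, gated on IS_RELEASE, needs to push. Set the workflow default to `contents: read` and grant `contents: write` on the job that runs peaceiris/actions-gh-pages, with a comment such as `# needed by peaceiris/actions-gh-pages to push the gh-pages branch` so the next reader knows why write remains. If the workflow has a single job the job-level grant is the floor, and splitting build and publish into separate jobs is what would let the build run read-only; the job definitions are outside the hunk.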
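Review bot: The new file begins with an empty line (the first added line is blank) and has no document start; begin with `---` and `version: 2` on the first two lines. The `# Location of your workflow files` and `# Options: daily, weekly, monthly` comments are template scaffolding that restate the schema and can go; a more useful comment would record that the SHA-pinned `peaceiris/actions-gh-pages` line from the first patch is expected to be bumped here with its `# v3` comment kept in sync, which is worth confirming on the first update PR, since as far as I know the comment form the updater rewrites is `# vX.Y.Z`. The `pip install -U jinja2` in the workflow is not covered by this config, as Dependabot tracks manifests rather than inline installs, so that dependency stays unpinned.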