From d42a5fc1ed16d34e50237d188b605c198389a4ec Mon Sep 17 00:00:00 2001
From: Thomas A Caswell <tcaswell@gmail.com>
Date: Thu, 17 Jul 2025 20:57:11 -0400
Subject: [PATCH 1/4] CI: pin actions by SHA

This eliminates the possibility of a tag being changed under
us.
---
 .github/workflows/docs.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index df2a5af..bdf99d5 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -31,7 +31,7 @@ jobs:
 
       - name: Publish
         if: ${{ steps.setup.outputs.IS_RELEASE == 'true' }}
-        uses: peaceiris/actions-gh-pages@v3
+        uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           publish_dir: ./_build/html

From 58a4b398fa9d2ef1981612f3b6bdd4009d885e88 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell <tcaswell@gmail.com>
Date: Thu, 17 Jul 2025 23:08:27 -0400
Subject: [PATCH 2/4] CI: auto-fix via zizmor

May include:

- Avoids risky string interpolation.
- Prevents checkout premissions from leaking
---
 .github/workflows/docs.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index bdf99d5..4f72b7a 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -15,6 +15,8 @@ jobs:
           }}" >> $GITHUB_OUTPUT
 
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Upgrade jinja
         run: pip install -U jinja2
@@ -24,10 +26,12 @@ jobs:
 
       - name: Build
         run: |
-          if [ "${{ steps.setup.outputs.IS_RELEASE }}" == "true" ]; then
+          if [ "${STEPS_SETUP_OUTPUTS_IS_RELEASE}" == "true" ]; then
             O="-t release"
           fi
           make html O="$O"
+        env:
+          STEPS_SETUP_OUTPUTS_IS_RELEASE: ${{ steps.setup.outputs.IS_RELEASE }}
 
       - name: Publish
         if: ${{ steps.setup.outputs.IS_RELEASE == 'true' }}

From 74977cc3b9fcec329168bf976f9670afe11aa0fa Mon Sep 17 00:00:00 2001
From: Thomas A Caswell <tcaswell@gmail.com>
Date: Thu, 17 Jul 2025 23:25:52 -0400
Subject: [PATCH 3/4] CI: Restrict default permissions

Reduces risk of arbitrary code is run by attacker.
---
 .github/workflows/docs.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 4f72b7a..3eeed32 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -1,5 +1,7 @@
 ---
 name: Docs
+permissions:
+  contents: write
 
 on: [push, pull_request]
 

From 1164c95b88551af630c1bd8c021a3c2ad280d197 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell <tcaswell@gmail.com>
Date: Fri, 18 Jul 2025 11:31:47 -0400
Subject: [PATCH 4/4] CI: add dependabot config file for GHA

---
 .github/dependabot.yml | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..fc9f855
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"      # Location of your workflow files
+    schedule:
+      interval: "weekly"  # Options: daily, weekly, monthly