diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..5e2d436
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,10 @@
+# See GitHub's documentation for more information on this file:
+# https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    cooldown:
+      default-days: 3
diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/actionlint.yaml
index a676ce0..3c8507f 100644
--- a/.github/workflows/actionlint.yaml
+++ b/.github/workflows/actionlint.yaml
@@ -7,11 +7,15 @@ on:
   pull_request:
     branches: [ 'main', 'release-*' ]
+permissions: {}
+
 jobs:
   action-lint:
     name: Action lint
     runs-on: ubuntu-latest
+    permissions:
+      contents: read # actions/checkout + action-actionlint read the tree
     steps:
       - name: Harden Runner
@@ -21,6 +25,8 @@ jobs:
       - name: Check out code
         uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        with:
+          persist-credentials: false
       - name: Find yamls
         id: get_yamls
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..bfab275
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,12 @@
+rules:
+  dependabot-cooldown:
+    config:
+      days: 3
+  # Cosmetic pedantic-only findings — suppressed per the campaign
+  # zizmor-config recipe. concurrency-limits fired against this repo's
+  # Action Lint workflow (docs.zizmor.sh/audits/#concurrency-limits);
+  # anonymous-definition is disabled as a standing campaign convention.
+  anonymous-definition:
+    disable: true
+  concurrency-limits:
+    disable: true
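Review bot: The cooldown value `default-days: 3` is the same number that the new `.github/zizmor.yml` in this commit enforces through `dependabot-cooldown.config.days: 3`, and nothing in either file records that the two must move together, so changing one without the other will start producing zizmor findings. A comment on the `cooldown:` block would make the coupling visible: `# keep in sync with dependabot-cooldown.config.days in .github/zizmor.yml`. Only the `github-actions` ecosystem is configured here; if the repository also carries a package manifest (Go modules, npm, pip or similar, not visible in this diff), it needs its own `updates` entry or it stays unmonitored.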
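Review bot: The job-level `permissions` block grants only `contents: read`, and the inline comment justifies that for checkout and the actionlint step; whether that step also posts annotations or a reviewdog report with `GITHUB_TOKEN` is not visible in this hunk, and if it does it would need `checks: write` or `pull-requests: write` and would start failing with 403s now that the top-level `permissions: {}` removes the default grant. Confirm on the first run after merge rather than from the diff. The `- name: Harden Runner` step begins on the hunk's last line and continues outside it, so its `uses:` pin and `egress-policy` could not be checked here. The inline justification would be easier to read as a comment line above the key, `# actions/checkout + action-actionlint only need to read the tree`, which also avoids yamllint's spacing rule for trailing comments.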
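Review bot: `concurrency-limits` and `anonymous-definition` are switched off repo-wide with `disable: true`, while the comment directly above says `concurrency-limits` fired against only the Action Lint workflow. If the zizmor version in use supports a per-rule `ignore` list, `concurrency-limits:` / `  ignore:` / `    - actionlint.yaml` scopes the suppression to that one workflow and keeps the audit active for workflows added later; alternatively a `concurrency:` stanza in actionlint.yaml (group on `${{ github.workflow }}-${{ github.ref }}`, `cancel-in-progress: true`) would clear the finding with no suppression at all. The comment should also name which zizmor version or persona the "pedantic-only" classification was checked against, since audit severities and the `disable` key itself have changed across releases.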