Merge branch 'master' into tiger-teams-article

Author: natalia-amorim

.github/workflows/automerge.yml

@@ -8,14 +8,16 @@ jobs:
         name: Spelling
         runs-on: ubuntu-latest
         if: github.event.pull_request.head.repo.full_name == github.repository
+        permissions:
+            contents: write
 
         steps:
-            - uses: actions/checkout@v2
+            - uses: actions/checkout@v6
               with:
                   ref: ${{ github.head_ref }}
 
             - name: Set up Python 3.8
-              uses: actions/setup-python@v2
+              uses: actions/setup-python@v6
               with:
                   python-version: 3.8
 

.github/workflows/checks.yml

@@ -0,0 +1,28 @@
+on:
+    push:
+        branches:
+            - master
+    pull_request:
+
+name: Security
+
+permissions:
+    contents: read
+
+jobs:
+    ensure-pinned-actions:
+        runs-on: ubuntu-latest
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@v6
+            - name: Ensure SHA pinned actions
+              uses: zgosalvez/github-actions-ensure-sha-pinned-actions@9e9574ef04ea69da568d6249bd69539ccc704e74 # v4.0.0
+              with:
+                  allowlist: |
+                      actions/
+                      aws-actions/
+                      docker/
+                      github/
+                      hashicorp/
+                      PostHog/
+                      tailscale/

.github/workflows/ci-security.yml

@@ -0,0 +1,59 @@
+name: 'CodeQL Advanced'
+
+on:
+    push:
+        branches: ['master']
+    pull_request:
+        branches: ['master']
+    schedule:
+        - cron: '41 14 * * 1'
+
+jobs:
+    analyze:
+        name: Analyze (${{ matrix.language }})
+        # Runner size impacts CodeQL analysis time. To learn more, please see:
+        #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+        #   - https://gh.io/supported-runners-and-hardware-resources
+        #   - https://gh.io/using-larger-runners (GitHub.com only)
+        # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+        runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+        permissions:
+            # required for all workflows
+            security-events: write
+
+        strategy:
+            fail-fast: false
+            matrix:
+                include:
+                    - language: actions
+                      build-mode: none
+                    - language: javascript-typescript
+                      build-mode: none
+                    - language: python
+                      build-mode: none
+        steps:
+            - name: Checkout repository
+              uses: actions/checkout@v6
+
+            # Initializes the CodeQL tools for scanning.
+            - name: Initialize CodeQL
+              uses: github/codeql-action/init@v4
+              with:
+                  languages: ${{ matrix.language }}
+                  build-mode: ${{ matrix.build-mode }}
+
+            - name: Run manual build steps
+              if: matrix.build-mode == 'manual'
+              shell: bash
+              run: |
+                  echo 'If you are using a "manual" build mode for one or more of the' \
+                    'languages you are analyzing, replace this with the commands to build' \
+                    'your code, for example:'
+                  echo '  make bootstrap'
+                  echo '  make release'
+                  exit 1
+
+            - name: Perform CodeQL Analysis
+              uses: github/codeql-action/analyze@v4
+              with:
+                  category: '/language:${{matrix.language}}'

.github/workflows/codeql.yml

@@ -11,9 +11,9 @@ jobs:
         runs-on: ubuntu-latest
         steps:
             - name: Checkout code
-              uses: actions/checkout@v4
+              uses: actions/checkout@v6
             - name: Install uv
-              uses: astral-sh/setup-uv@v6
+              uses: astral-sh/setup-uv@3259c6206f993105e3a61b142c2d97bf4b9ef83d # v7.1.0
             - name: Set up Python
               run: uv python install
               working-directory: scripts/hogfm

.github/workflows/hogfm-weekly.yml

@@ -13,9 +13,9 @@ jobs:
         runs-on: ubuntu-latest
         steps:
             - name: Checkout code
-              uses: actions/checkout@v4
+              uses: actions/checkout@v6
             - name: Install uv
-              uses: astral-sh/setup-uv@v6
+              uses: astral-sh/setup-uv@3259c6206f993105e3a61b142c2d97bf4b9ef83d # v7.1.0
             - name: Set up Python
               run: uv python install
               working-directory: scripts/hogfm

.github/workflows/hogfm.yml

@@ -26,10 +26,10 @@ jobs:
 
         steps:
             - name: Checkout code
-              uses: actions/checkout@v4
+              uses: actions/checkout@v6
 
             - name: Setup Node.js
-              uses: actions/setup-node@v4
+              uses: actions/setup-node@v6
               with:
                   node-version: '22'
                   cache: 'pnpm'

.github/workflows/internal-links-check.yml

@@ -13,7 +13,7 @@ jobs:
 
         steps:
             - name: Checkout code
-              uses: actions/checkout@v4
+              uses: actions/checkout@v6
               with:
                   fetch-depth: 0
 
@@ -29,7 +29,7 @@ jobs:
 
             - name: Run markdownlint-cli2
               if: steps.changed-files.outputs.any_changed == 'true'
-              uses: DavidAnson/markdownlint-cli2-action@30a0e04f1870d58f8d717450cc6134995f993c63
+              uses: DavidAnson/markdownlint-cli2-action@30a0e04f1870d58f8d717450cc6134995f993c63 # v21
               with:
                   globs: ${{ steps.changed-files.outputs.all_changed_files }}
                   config: '.markdownlint-cli2.jsonc'

.github/workflows/markdown-lint.yml

@@ -32,10 +32,10 @@ jobs:
 
         steps:
             - name: Checkout repository
-              uses: actions/checkout@v4
+              uses: actions/checkout@v6
 
             - name: Install uv
-              uses: astral-sh/setup-uv@v4
+              uses: astral-sh/setup-uv@3259c6206f993105e3a61b142c2d97bf4b9ef83d # v7.1.0
 
             - name: Set up Python
               run: uv python install 3.12

.github/workflows/podcast-sync.yml

@@ -15,7 +15,7 @@ jobs:
 
         steps:
             - name: Checkout repository
-              uses: actions/checkout@v4
+              uses: actions/checkout@v6
               with:
                   fetch-depth: 2 # Get current and previous commit for comparison
 
@@ -79,7 +79,7 @@ jobs:
                   echo "EOF" >> $GITHUB_OUTPUT
 
             - name: Send Slack notification
-              uses: 8398a7/action-slack@v3
+              uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
               with:
                   status: custom
                   custom_payload: |
@@ -122,4 +122,4 @@ jobs:
                         ]
                       }
               env:
-                  SLACK_WEBHOOK_URL: ${{ secrets.SLACK_SALES_WEBHOOK }}
+                  SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_SALES_ALERTS_CHANNEL }}