From a1b21a3d6fcd630bb727660931a99f5e1146126d Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Thu, 17 Jul 2025 20:58:00 -0400 Subject: [PATCH 1/4] CI: pin actions by SHA This eliminates the possibility of a tag being changed under us. --- .github/workflows/lint.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 13791ce..35d15e8 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -17,7 +17,7 @@ jobs: run: pip3 install flake8 - name: Set up reviewdog - uses: reviewdog/action-setup@v1 + uses: reviewdog/action-setup@e04ffabe3898a0af8d0fb1af00c188831c4b5893 # v1 - name: Run flake8 env: @@ -39,4 +39,4 @@ jobs: uses: actions/setup-python@v3 - name: ansible-lint - uses: reviewdog/action-ansiblelint@v1 + uses: reviewdog/action-ansiblelint@5b8ca4b12dcbcdf63d4739dacd90609abafe8924 # v1 From da99055c1a1923aea50dff9dc74ffb7d3a38815f Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Thu, 17 Jul 2025 23:06:25 -0400 Subject: [PATCH 2/4] CI: auto-fix via zizmor May include: - Avoids risky string interpolation. - Prevents checkout premissions from leaking --- .github/workflows/codeql-analysis.yml | 2 ++ .github/workflows/lint.yml | 4 ++++ .github/workflows/tests.yml | 2 ++ 3 files changed, 8 insertions(+) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 51ace69..eb13d70 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -28,6 +28,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v3 + with: + persist-credentials: false - name: Initialize CodeQL uses: github/codeql-action/init@v1 diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 35d15e8..67520de 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml 
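Review bot: Only the two reviewdog actions are pinned to a commit SHA; the `uses: actions/setup-python@v3` context line in the second hunk of this file (and the `actions/checkout@v3` steps in the same workflows) still resolve a mutable tag, so the commit does not fully deliver the "pin actions by SHA" intent stated in its message. Pin those the same way, e.g. `uses: actions/setup-python@<FULL-COMMIT-SHA-PLACEHOLDER> # v3`, so that every third-party step in the workflow is immutable. Keeping the trailing `# v1` comment beside each SHA is the right call: it is what lets a reader (and update tooling) map the hash back to a release.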
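Review bot: The checkout step in this codeql-analysis.yml hunk stays at `uses: actions/checkout@v3`, a mutable tag, while the preceding commit in this series pinned lint.yml's reviewdog steps by SHA; the `persist-credentials: false` addition is correct but leaves the supply-chain side of this workflow uncovered. The `github/codeql-action/init@v1` context line just below is, as far as I know, a retired major version of that action and should be moved to the current major and pinned the same way (`uses: github/codeql-action/init@<FULL-COMMIT-SHA-PLACEHOLDER> # vN`). The same tag-only `actions/checkout@v3` appears in the lint.yml and tests.yml hunks of this commit.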
@@ -9,6 +9,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 + with: + persist-credentials: false - name: Set up Python 3 uses: actions/setup-python@v3 @@ -34,6 +36,8 @@ jobs: steps: - uses: actions/checkout@v3 + with: + persist-credentials: false - name: Set up Python 3 uses: actions/setup-python@v3 diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index ce4018f..257a10f 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -11,6 +11,8 @@ jobs: python-version: ["3.11", "3.12"] steps: - uses: actions/checkout@v3 + with: + persist-credentials: false - name: Install Python ${{ matrix.python-version }} uses: actions/setup-python@v3 From dadd7ddf25a9c00bcc374c4be87fb9dcb3549502 Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Thu, 17 Jul 2025 23:14:44 -0400 Subject: [PATCH 3/4] CI: Restrict default permissions Reduces risk of arbitrary code is run by attacker. --- .github/workflows/lint.yml | 2 ++ .github/workflows/tests.yml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 67520de..7d3a9b0 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -1,6 +1,8 @@ --- name: Linting +permissions: + contents: read on: [pull_request] jobs: diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 257a10f..3a946f5 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -1,6 +1,8 @@ --- name: Tests +permissions: + contents: read on: [push, pull_request] jobs: From dcb6bbc15934a91ddb7dd5b990f5f36fac42f578 Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Fri, 18 Jul 2025 11:30:59 -0400 Subject: [PATCH 4/4] CI: add dependabot config file for GHA --- .github/dependabot.yml | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..fc9f855 --- /dev/null 
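Review bot: A workflow-wide `contents: read` may be too tight for the lint job: the reviewdog steps in lint.yml (action-setup / action-ansiblelint) normally post review comments with the job token, which requires `pull-requests: write` (or `checks: write`, depending on the reporter); confirm which reporter is configured and, if one of those is needed, add a job-level `permissions:` block on that job instead of widening the workflow default. The tests.yml hunk of this commit is fine as written. codeql-analysis.yml, touched in the previous commit, is left at the repository's default token permissions; it needs `security-events: write` to upload results, so give it `permissions: contents: read` at the top with `security-events: write` scoped to the analysis job.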
+++ b/.github/dependabot.yml @@ -0,0 +1,7 @@ + +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" # Location of your workflow files + schedule: + interval: "weekly" # Options: daily, weekly, monthly
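Review bot: The new file starts with an empty added line before `version: 2` (the first `+` line of the hunk is blank), which reads as template residue; drop it so `version: 2` is the first line, or open the document with `---` as the workflows in this repository do. The trailing comments `# Location of your workflow files` and `# Options: daily, weekly, monthly` are generator boilerplate and can be removed too. Since the actions are now SHA-pinned, a one-line comment at the top of this file noting that the `# vN` comments beside the hashes in the workflows must be kept (Dependabot, as far as I know, bumps the pinned SHA and that version comment together) would save the next maintainer from deleting them.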