From 6b1eb8f286079f1760ee76472ffd87699a508c17 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 21:02:32 -0400
Subject: [PATCH 1/5] CI: pin actions by SHA

This eliminates the possibility of a tag being changed under us.
---
 .github/workflows/docs.yml | 2 +-
 .github/workflows/testing.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 92afbf8..3419dd8 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -17,7 +17,7 @@ jobs:
 run: make -Cdoc html
 - name: Publish
 if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
- uses: peaceiris/actions-gh-pages@v3
+ uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 publish_dir: ./doc/build/html
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
index 8d8c8b7..07fb797 100644
--- a/.github/workflows/testing.yml
+++ b/.github/workflows/testing.yml
@@ -41,4 +41,4 @@ jobs:
 coverage report
 - name: Upload code coverage
- uses: codecov/codecov-action@v1
+ uses: codecov/codecov-action@29386c70ef20e286228c72b668a06fd0e8399192 # v1

From f69e8fa92dc3040d588362d48faa2735a1e7c19b Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 23:07:59 -0400
Subject: [PATCH 2/5] CI: auto-fix via zizmor

May include:
- Avoids risky string interpolation.
- Prevents checkout premissions from leaking
---
 .github/workflows/docs.yml | 2 ++
 .github/workflows/testing.yml | 1 +
 2 files changed, 3 insertions(+)

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 3419dd8..2145b48 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -8,6 +8,8 @@ jobs:
 runs-on: ubuntu-20.04
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - name: Install Python dependencies
 run: pip install -r requirements-doc.txt
 
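Review bot: The SHA pin in this hunk covers only the publish step; `actions/checkout@v2` in the same workflow (visible as context in the persist-credentials hunk of the second commit) and `actions/setup-python@v2` in testing.yml stay on mutable tags, so the tag-substitution risk the commit message names is still open for the steps that run first and handle the repository checkout. Pinning those two to full-length commit SHAs with the same `# vX.Y.Z` comment convention would close the gap; as far as I know the dependabot config added later in the series only keeps SHA pins current once they exist and does not convert tag pins into SHAs. The enclosing job starts outside the hunk.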
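Review bot: Pinning `codecov/codecov-action` by SHA freezes the v1 action wrapper, but if I remember the v1 implementation correctly it downloaded and ran Codecov's bash uploader script from the network at job time, so this pin does not make the upload step immutable in the way the commit message intends. Moving to a newer major of the action, which ships the uploader as a versioned artifact, and then pinning that SHA would give the intended guarantee; whether the repository's Codecov setup then needs a token is not visible here. The enclosing job starts outside the hunk.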
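Review bot: The new `persist-credentials: false` line is undocumented, and a maintainer fixing a later checkout problem is likely to remove it without knowing what it protects; the same applies to the testing.yml hunk of this commit. A one-line comment above it such as `# keep GITHUB_TOKEN out of .git/config so later steps cannot reuse it` records the intent. The docs workflow keeps working because the Publish step passes `github_token` explicitly, which is worth stating in that comment too.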
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
index 07fb797..c5a7780 100644
--- a/.github/workflows/testing.yml
+++ b/.github/workflows/testing.yml
@@ -19,6 +19,7 @@ jobs:
 - uses: actions/checkout@v2
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Set up Python ${{ matrix.python-version }}
 uses: actions/setup-python@v2

From 073c865d9b13ade949ae48e96412d55e1aff56a6 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 23:14:39 -0400
Subject: [PATCH 3/5] CI: Restrict default permissions

Reduces risk of arbitrary code is run by attacker.
---
 .github/workflows/docs.yml | 2 ++
 .github/workflows/testing.yml | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 2145b48..a55aa37 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -1,4 +1,6 @@
 name: Docs
+permissions:
+ contents: read
 on: [push, pull_request]
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
index c5a7780..cf95c14 100644
--- a/.github/workflows/testing.yml
+++ b/.github/workflows/testing.yml
@@ -1,4 +1,6 @@
 name: Unit Tests
+permissions:
+ contents: read
 on:
 push:

From 65db549d5c82c82b3c63696367213ccd07487789 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Fri, 18 Jul 2025 11:31:44 -0400
Subject: [PATCH 4/5] CI: add dependabot config file for GHA

---
 .github/dependabot.yml | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..fc9f855
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/" # Location of your workflow files
+ schedule:
+ interval: "weekly" # Options: daily, weekly, monthly

From 87862de68dfc6f7074a4c7f8609efe406e2cc770 Mon Sep 17 00:00:00 2001
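Review bot: The workflow-level `permissions: contents: read` in docs.yml applies to every job that does not declare its own, and the Publish step in the same file (visible in the first and last commits of this series) pushes the built site with `github_token: ${{ secrets.GITHUB_TOKEN }}`, which needs write access to the repository contents. Because that step is gated on `push` to `main`, pull-request runs will pass and the failure only surfaces on the first push after merge. Keep the read-only default at the top and grant the minimum on the publishing job only, whose header is outside the hunk: add `permissions:` followed by `  contents: write` under that job. The testing.yml counterpart in this commit needs no such grant as far as the visible steps show.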
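Review bot: The new dependabot.yml starts with an empty first line and carries the template's placeholder comments (`# Location of your workflow files`, `# Options: daily, weekly, monthly`) rather than project intent, which is a point of style. Drop the blank line, open with `---`, and replace the inline comments with one line above the entry stating why it exists, for example `# keep the SHA-pinned actions in .github/workflows current`. Whether the schedule should be grouped or throttled is a project decision not visible here.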
From: Thomas A Caswell
Date: Tue, 22 Jul 2025 09:21:01 -0400
Subject: [PATCH 5/5] CI: set comment to correct version

---
 .github/workflows/docs.yml | 2 +-
 .github/workflows/testing.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index a55aa37..7bd70a8 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -21,7 +21,7 @@ jobs:
 run: make -Cdoc html
 - name: Publish
 if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
- uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3
+ uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3.9.3
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 publish_dir: ./doc/build/html
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
index cf95c14..03d0032 100644
--- a/.github/workflows/testing.yml
+++ b/.github/workflows/testing.yml
@@ -44,4 +44,4 @@ jobs:
 coverage report
 - name: Upload code coverage
- uses: codecov/codecov-action@29386c70ef20e286228c72b668a06fd0e8399192 # v1
+ uses: codecov/codecov-action@29386c70ef20e286228c72b668a06fd0e8399192 # v1.5.2