From 1f68ab484f08c9ecdf1fa9d391d74eb631bd390b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 3 Jun 2026 19:22:27 +0000 Subject: [PATCH 1/4] Limit actions permissions to minimum
---
 .github/workflows/ci.yml | 8 ++++++++
 .github/workflows/release.yml | 2 ++
 2 files changed, 10 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ece6516..432c883 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,10 +4,14 @@ name: CI
 on:
 push:
+permissions: {}
+
 jobs:
 lint:
 runs-on: ubuntu-slim
 timeout-minutes: 5
+ permissions:
+ contents: read
 steps:
 - name: Checkout repository
 uses: actions/checkout@v6
@@ -25,6 +29,8 @@ jobs:
 typecheck:
 runs-on: ubuntu-slim
 timeout-minutes: 5
+ permissions:
+ contents: read
 steps:
 - name: Checkout repository
 uses: actions/checkout@v6
@@ -44,6 +50,8 @@ jobs:
 python: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
 runs-on: ${{ matrix.os }}
 timeout-minutes: 15
+ permissions:
+ contents: read
 needs:
 - lint
 - typecheck
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8db5a10..e003fdb 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,6 +6,8 @@ on:
 branches:
 - main
+permissions: {}
+
 jobs:
 publish:
 runs-on: ubuntu-slim
From bbaeb5b5281f6eb5c7cf50db6c291b0d2051be3e Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 3 Jun 2026 19:29:00 +0000 Subject: [PATCH 2/4] Don't keep credentials after checkout
---
 .github/workflows/ci.yml | 6 ++++++
 .github/workflows/release.yml | 1 +
 2 files changed, 7 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 432c883..d4b14e7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -15,6 +15,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - name: Install latest version of uv
 uses: astral-sh/setup-uv@v7
 - name: Install dependencies
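Review bot: With `permissions: {}` now at the top of release.yml, the publish job gets no token scopes at all unless its own `permissions:` block (which sits below this hunk, outside the view) names every one it needs; `uv publish` via trusted publishing needs `id-token: write`, and creating a GitHub release with the default token needs `contents: write`. Later in the series only `id-token: write` is visible as context, so it is worth confirming `contents: write` is declared on the job rather than assuming the old repository-default scopes still apply. A one-line comment beside the job's block would also keep the next editor from trimming it, e.g. `# contents: write -> release creation; id-token: write -> PyPI trusted publishing`.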
@@ -34,6 +36,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - name: Install latest version of uv
 uses: astral-sh/setup-uv@v7
 - name: Install dependencies
@@ -58,6 +62,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - name: Install latest version of uv
 uses: astral-sh/setup-uv@v7
 with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e003fdb..69f2502 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -21,6 +21,7 @@ jobs:
 uses: actions/checkout@v6
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Setup UV
 uses: astral-sh/setup-uv@v7
 - name: Detect version change
From 1846888678f6df47ba3ae9c9f16176a1b5cf6bbf Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 3 Jun 2026 19:46:40 +0000 Subject: [PATCH 3/4] Use gh command directly instead of external action
---
 .github/workflows/release.yml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 69f2502..24ff776 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -52,8 +52,7 @@ jobs:
 uv publish
 - name: Create GitHub release
 if: steps.version-check.outputs.NEW_VERSION == 'true'
- uses: softprops/action-gh-release@v3
- with:
- tag_name: v${{ steps.version-check.outputs.VERSION }}
- generate_release_notes: true
- files: dist/*
+ run: gh release create "$TAG" dist/* --generate-notes
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ TAG: v${{ steps.version-check.outputs.VERSION }}
From 5c47f412ec918b218ccbb9c840960cc8ebd9b3d2 Mon Sep 17 00:00:00 2001
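Review bot: The new `gh release create` call in the patch-3 hunk passes no `--target`, and as far as I recall the tag it creates is then placed on the head of the repository's default branch at the moment the command runs, not on the commit this job checked out, built and already published with `uv publish`; a push to main landing between the trigger and this step would leave tag `v$VERSION` pointing at an unbuilt, unpublished commit. Pinning the target to the workflow's own commit closes that window: `run: gh release create "$TAG" dist/* --generate-notes --target "$GITHUB_SHA"`. Passing the version through `env` instead of interpolating `${{ }}` into the shell line is the right choice and worth keeping. The step also depends on the job holding `contents: write` for the default token; the job's permissions block is outside this hunk.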
From: Timo Makinen Date: Wed, 3 Jun 2026 19:51:12 +0000 Subject: [PATCH 4/4] Pin external actions versions and enable dependabot
---
 .github/dependabot.yml | 9 +++++++++
 .github/workflows/ci.yml | 12 ++++++------
 .github/workflows/release.yml | 4 ++--
 3 files changed, 17 insertions(+), 8 deletions(-)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..d04ea26
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,9 @@
+---
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ cooldown:
+ default-days: 7
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d4b14e7..0a91d4a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,11 +14,11 @@ jobs:
 contents: read
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 persist-credentials: false
 - name: Install latest version of uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b
 - name: Install dependencies
 run: uv sync --group dev
 - name: Run ruff format
@@ -35,11 +35,11 @@ jobs:
 contents: read
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 persist-credentials: false
 - name: Install latest version of uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b
 - name: Install dependencies
 run: uv sync --group dev
 - name: Run mypy
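Review bot: The new SHA pins `actions/checkout@de0fac2e…` and `astral-sh/setup-uv@08807647…` in the lint-job hunk carry no human-readable version, so nobody reading the workflow can tell which release each hash is, and Dependabot only maintains a version annotation on SHA-pinned actions when one is already there. The conventional form is a trailing comment with the tag the hash resolves to, e.g. `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6` — use the exact tag (presumably a v6.x / v7.x release, given the refs being replaced, but verify against the upstream repository rather than trusting the old ref). The same applies to the typecheck and test jobs and to release.yml.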
@@ -61,11 +61,11 @@ jobs:
 - typecheck
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 persist-credentials: false
 - name: Install latest version of uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b
 with:
 python-version: ${{ matrix.python }}
 - name: Install dependencies
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 24ff776..7ed6de8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -18,12 +18,12 @@ jobs:
 id-token: write
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 fetch-depth: 0
 persist-credentials: false
 - name: Setup UV
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b
 - name: Detect version change
 id: version-check
 run: |
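Review bot: In the test-job hunk the setup-uv action is now pinned by commit, but the step still installs whatever uv release is current at run time (the step is literally named "Install latest version of uv" and no `version:` input is visible), so the tool that resolves and installs every project dependency remains an unpinned input that the SHA pinning in this commit does not cover. If the goal is a reproducible toolchain, pin uv as well; this hunk already has a `with:` block for that step, so it is one line next to `python-version:`, e.g. `version: "<chosen uv release>"` (setup-uv's `version` input, if I recall it correctly — check the action's README). The lint, typecheck and release jobs call the same action without a `with:` block and would need the same addition; those hunks are elsewhere in the series.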