hoverkraft-tech · neilime · Jun 5, 2026 · Jun 4, 2026
diff --git a/.devcontainer/devcontainer-lock.json b/.devcontainer/devcontainer-lock.json
@@ -1,19 +1,19 @@
 {
-  "features": {
-    "ghcr.io/devcontainers/features/docker-in-docker:3": {
-      "version": "3.0.1",
-      "resolved": "ghcr.io/devcontainers/features/docker-in-docker@sha256:ca2508495b01ba29eba93e8153772a2daa65eaa86471cc6863fe2a3d21933df9",
-      "integrity": "sha256:ca2508495b01ba29eba93e8153772a2daa65eaa86471cc6863fe2a3d21933df9"
-    },
-    "ghcr.io/devcontainers/features/github-cli:1": {
-      "version": "1.1.0",
-      "resolved": "ghcr.io/devcontainers/features/github-cli@sha256:d22f50b70ed75339b4eed1ba9ecde3a1791f90e88d37936517e3bace0bbad671",
-      "integrity": "sha256:d22f50b70ed75339b4eed1ba9ecde3a1791f90e88d37936517e3bace0bbad671"
-    },
-    "ghcr.io/devcontainers/features/node:2": {
-      "version": "2.0.0",
-      "resolved": "ghcr.io/devcontainers/features/node@sha256:fedd4c11f7adfb64283b578dddc7da906728daa25fa293351c9d913231acf12f",
-      "integrity": "sha256:fedd4c11f7adfb64283b578dddc7da906728daa25fa293351c9d913231acf12f"
-    }
-  }
+	"features": {
+		"ghcr.io/devcontainers/features/docker-in-docker:3": {
+			"version": "3.0.1",
+			"resolved": "ghcr.io/devcontainers/features/docker-in-docker@sha256:ca2508495b01ba29eba93e8153772a2daa65eaa86471cc6863fe2a3d21933df9",
+			"integrity": "sha256:ca2508495b01ba29eba93e8153772a2daa65eaa86471cc6863fe2a3d21933df9"
+		},
+		"ghcr.io/devcontainers/features/github-cli:1": {
+			"version": "1.1.0",
+			"resolved": "ghcr.io/devcontainers/features/github-cli@sha256:d22f50b70ed75339b4eed1ba9ecde3a1791f90e88d37936517e3bace0bbad671",
+			"integrity": "sha256:d22f50b70ed75339b4eed1ba9ecde3a1791f90e88d37936517e3bace0bbad671"
+		},
+		"ghcr.io/devcontainers/features/node:2": {
+			"version": "2.0.0",
+			"resolved": "ghcr.io/devcontainers/features/node@sha256:fedd4c11f7adfb64283b578dddc7da906728daa25fa293351c9d913231acf12f",
+			"integrity": "sha256:fedd4c11f7adfb64283b578dddc7da906728daa25fa293351c9d913231acf12f"
+		}
+	}
 }
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -1,31 +1,31 @@
 {
-  "name": "ci-github-nodejs",
-  "image": "mcr.microsoft.com/devcontainers/base:debian",
-  "features": {
-    "ghcr.io/devcontainers/features/node:2": {},
-    "ghcr.io/devcontainers/features/docker-in-docker:3": {
-      "moby": false
-    },
-    "ghcr.io/devcontainers/features/github-cli:1": {
-      "extensions": "nektos/gh-act"
-    }
-  },
-  "remoteEnv": {
-    "GITHUB_TOKEN": "${localEnv:GITHUB_TOKEN}"
-  },
-  "customizations": {
-    "vscode": {
-      "extensions": [
-        "eamodio.gitlens",
-        "github.vscode-github-actions",
-        "github.copilot",
-        "github.copilot-chat",
-        "ms-vscode.makefile-tools",
-        "esbenp.prettier-vscode"
-      ],
-      "settings": {
-        "terminal.integrated.defaultProfile.linux": "zsh"
-      }
-    }
-  }
+	"name": "ci-github-nodejs",
+	"image": "mcr.microsoft.com/devcontainers/base:debian",
+	"features": {
+		"ghcr.io/devcontainers/features/node:2": {},
+		"ghcr.io/devcontainers/features/docker-in-docker:3": {
+			"moby": false
+		},
+		"ghcr.io/devcontainers/features/github-cli:1": {
+			"extensions": "nektos/gh-act"
+		}
+	},
+	"remoteEnv": {
+		"GITHUB_TOKEN": "${localEnv:GITHUB_TOKEN}"
+	},
+	"customizations": {
+		"vscode": {
+			"extensions": [
+				"eamodio.gitlens",
+				"github.vscode-github-actions",
+				"github.copilot",
+				"github.copilot-chat",
+				"ms-vscode.makefile-tools",
+				"biomejs.biome"
+			],
+			"settings": {
+				"terminal.integrated.defaultProfile.linux": "zsh"
+			}
+		}
+	}
 }
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -7,6 +7,8 @@ updates:
       interval: weekly
       day: friday
       time: "04:00"
+    cooldown:
+      default-days: 7
     groups:
       docker-dependencies:
         patterns:
@@ -21,6 +23,8 @@ updates:
       interval: weekly
       day: friday
       time: "04:00"
+    cooldown:
+      default-days: 7
     groups:
       github-actions-dependencies:
         patterns:
@@ -39,6 +43,8 @@ updates:
       interval: weekly
       day: friday
       time: "04:00"
+    cooldown:
+      default-days: 7
     groups:
       npm-dependencies:
         patterns:
@@ -51,3 +57,5 @@ updates:
       interval: weekly
       day: friday
       time: "04:00"
+    cooldown:
+      default-days: 7
diff --git a/.github/linters/.codespellrc b/.github/linters/.codespellrc
@@ -0,0 +1,3 @@
+[codespell]
+check-hidden =
+skip = */package-lock.json,*/tests/pnpm/pnpm-lock.yaml,*/tests/pnpm-package-manager/pnpm-lock.yaml,*/tests/yarn/yarn.lock,*/go.mod,*/go.sum,*.log,.git
diff --git a/.github/linters/.jscpd.json b/.github/linters/.jscpd.json
@@ -1,8 +1,8 @@
 {
-  "threshold": 5,
-  "ignore": [
-    "**/tests/npm/coverage/**",
-    "**/node_modules/**",
-    "**/.pnpm-store/**"
-  ]
+	"threshold": 5,
+	"ignore": [
+		"**/tests/npm/coverage/**",
+		"**/node_modules/**",
+		"**/.pnpm-store/**"
+	]
 }
diff --git a/.github/workflows/__greetings.yml b/.github/workflows/__greetings.yml
@@ -3,14 +3,14 @@ name: Greetings
 on:
   issues:
     types: [opened]
-  pull_request_target:
+  pull_request:
     branches: [main]
 
 permissions: {}
 
 jobs:
   greetings:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/greetings.yml@b553a696531fbd36743ccbb0c76c717971b8acdb # 0.35.4
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/greetings.yml@4bb7594b1bf3696c54b2bbae970376056853f8ea # 0.36.0
     permissions:
       contents: read
       issues: write

diff --git a/.github/workflows/__main-ci.yml b/.github/workflows/__main-ci.yml
@@ -30,7 +30,6 @@ jobs:
       security-events: write
       statuses: write
     # jscpd:ignore-end
-    secrets: inherit
 
   release:
     needs: ci

diff --git a/.github/workflows/__need-fix-to-issue.yml b/.github/workflows/__need-fix-to-issue.yml
@@ -18,7 +18,7 @@ permissions: {}
 
 jobs:
   main:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/need-fix-to-issue.yml@b553a696531fbd36743ccbb0c76c717971b8acdb # 0.35.4
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/need-fix-to-issue.yml@4bb7594b1bf3696c54b2bbae970376056853f8ea # 0.36.0
     permissions:
       contents: read
       issues: write

diff --git a/.github/workflows/__pull-request-ci.yml b/.github/workflows/__pull-request-ci.yml
@@ -23,4 +23,3 @@ jobs:
       issues: read
       security-events: write
       statuses: write
-    secrets: inherit
diff --git a/.github/workflows/__semantic-pull-request.yml b/.github/workflows/__semantic-pull-request.yml
@@ -2,7 +2,7 @@
 name: "Pull Request - Semantic Lint"
 
 on:
-  pull_request_target:
+  pull_request:
     types:
       - opened
       - edited
@@ -12,7 +12,7 @@ permissions: {}
 
 jobs:
   main:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/semantic-pull-request.yml@b553a696531fbd36743ccbb0c76c717971b8acdb # 0.35.4
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/semantic-pull-request.yml@4bb7594b1bf3696c54b2bbae970376056853f8ea # 0.36.0
     permissions:
       contents: write
       pull-requests: write
diff --git a/.github/workflows/__shared-ci.yml b/.github/workflows/__shared-ci.yml
@@ -7,12 +7,16 @@ permissions: {}
 
 jobs:
   linter:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/linter.yml@b553a696531fbd36743ccbb0c76c717971b8acdb # 0.35.4
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/linter.yml@4bb7594b1bf3696c54b2bbae970376056853f8ea # 0.36.0
     permissions:
       contents: read
       statuses: write
       actions: read
       security-events: write
+    with:
+      # FIXME: Remove this once JS deps will be updated to versions that do not trigger Trivy vulnerabilities
+      linter-env: |
+        VALIDATE_TRIVY=false
 
   test-action-dependencies-cache:
     name: Test action "dependencies-cache"
@@ -60,7 +64,6 @@ jobs:
       id-token: write
       issues: read
       security-events: write
-    secrets: inherit
 
   test-workflow-release:
     name: Test workflow "release"

diff --git a/.github/workflows/__stale.yml b/.github/workflows/__stale.yml
@@ -8,7 +8,7 @@ permissions: {}
 
 jobs:
   main:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/stale.yml@b553a696531fbd36743ccbb0c76c717971b8acdb # 0.35.4
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/stale.yml@4bb7594b1bf3696c54b2bbae970376056853f8ea # 0.36.0
     permissions:
       issues: write
       pull-requests: write
diff --git a/.github/workflows/__test-action-dependencies-cache.yml b/.github/workflows/__test-action-dependencies-cache.yml
@@ -30,6 +30,8 @@ jobs:
 
       - name: Arrange - Checkout sources
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
 
       - name: Arrange - Setup Node.js runtime
         id: arrange-setup-node
@@ -39,9 +41,12 @@ jobs:
 
       - name: Arrange - Verify expected package manager
         id: arrange-check-package-manager
+        env:
+          ACTUAL_RUN_SCRIPT_COMMAND: ${{ steps.arrange-setup-node.outputs.run-script-command }}
+          EXPECTED_PACKAGE_MANAGER: ${{ matrix.package-manager }}
         run: |
-          if [[ "${{ steps.arrange-setup-node.outputs.run-script-command }}" != "${{ matrix.package-manager }}"* ]]; then
-            echo "Package manager is not ${{ matrix.package-manager }}"
+          if [[ "$ACTUAL_RUN_SCRIPT_COMMAND" != "$EXPECTED_PACKAGE_MANAGER"* ]]; then
+            echo "Package manager is not $EXPECTED_PACKAGE_MANAGER"
             exit 1
           fi
 

diff --git a/.github/workflows/__test-action-get-package-manager.yml b/.github/workflows/__test-action-get-package-manager.yml
@@ -44,6 +44,8 @@ jobs:
     steps:
       - name: Arrange - Checkout sources
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
 
       - name: Act - Run "get-package-manager" action
         id: act-get-package-manager
@@ -52,23 +54,32 @@ jobs:
           working-directory: ${{ matrix.working-directory }}
 
       - name: Assert - Check "get-package-manager" outputs
+        env:
+          ACTUAL_PACKAGE_MANAGER: ${{ steps.act-get-package-manager.outputs.package-manager }}
+          EXPECTED_PACKAGE_MANAGER: ${{ matrix.package-manager }}
+          ACTUAL_CACHE_DEPENDENCY_PATH: ${{ steps.act-get-package-manager.outputs.cache-dependency-path }}
+          EXPECTED_CACHE_DEPENDENCY_PATH: ${{ matrix.cache-dependency-path }}
+          ACTUAL_INSTALL_COMMAND: ${{ steps.act-get-package-manager.outputs.install-command }}
+          EXPECTED_INSTALL_COMMAND: ${{ matrix.install-command }}
+          ACTUAL_RUN_SCRIPT_COMMAND: ${{ steps.act-get-package-manager.outputs.run-script-command }}
+          EXPECTED_RUN_SCRIPT_COMMAND: ${{ matrix.run-script-command }}
         run: |
-          if [ "${{ steps.act-get-package-manager.outputs.package-manager }}" != '${{ matrix.package-manager }}' ]; then
+          if [ "$ACTUAL_PACKAGE_MANAGER" != "$EXPECTED_PACKAGE_MANAGER" ]; then
             echo "get-package-manager outputs result is not valid"
             exit 1
           fi
 
-          if [ "${{ steps.act-get-package-manager.outputs.cache-dependency-path }}" != '${{ matrix.cache-dependency-path }}' ]; then
+          if [ "$ACTUAL_CACHE_DEPENDENCY_PATH" != "$EXPECTED_CACHE_DEPENDENCY_PATH" ]; then
             echo "get-package-manager outputs cache-dependency-path is not valid"
             exit 1
           fi
 
-          if [ "${{ steps.act-get-package-manager.outputs.install-command }}" != '${{ matrix.install-command }}' ]; then
+          if [ "$ACTUAL_INSTALL_COMMAND" != "$EXPECTED_INSTALL_COMMAND" ]; then
             echo "get-package-manager outputs install-command is not valid"
             exit 1
           fi
 
-          if [ "${{ steps.act-get-package-manager.outputs.run-script-command }}" != '${{ matrix.run-script-command }}' ]; then
+          if [ "$ACTUAL_RUN_SCRIPT_COMMAND" != "$EXPECTED_RUN_SCRIPT_COMMAND" ]; then
             echo "get-package-manager outputs run-script-command is not valid"
             exit 1
           fi
diff --git a/.github/workflows/__test-action-has-installed-dependencies.yml b/.github/workflows/__test-action-has-installed-dependencies.yml
@@ -32,6 +32,8 @@ jobs:
     steps:
       - name: Arrange - Checkout sources
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
 
       - name: Arrange - Setup Node.js runtime
         id: arrange-setup-node
@@ -41,9 +43,12 @@ jobs:
 
       - name: Arrange - Verify expected package manager
         id: arrange-check-package-manager
+        env:
+          ACTUAL_RUN_SCRIPT_COMMAND: ${{ steps.arrange-setup-node.outputs.run-script-command }}
+          EXPECTED_PACKAGE_MANAGER: ${{ matrix.package-manager }}
         run: |
-          if [[ "${{ steps.arrange-setup-node.outputs.run-script-command }}" != "${{ matrix.package-manager }}"* ]]; then
-            echo "Package manager is not ${{ matrix.package-manager }}"
+          if [[ "$ACTUAL_RUN_SCRIPT_COMMAND" != "$EXPECTED_PACKAGE_MANAGER"* ]]; then
+            echo "Package manager is not $EXPECTED_PACKAGE_MANAGER"
             exit 1
           fi
 

diff --git a/.github/workflows/__test-action-package.yml b/.github/workflows/__test-action-package.yml
@@ -30,6 +30,8 @@ jobs:
     steps:
       - name: Arrange - Checkout sources
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
 
       - name: Act - Run "package" action
         id: act-package
@@ -93,6 +95,8 @@ jobs:
     steps:
       - name: Arrange - Checkout sources
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
 
       - name: Arrange - Configure Node.js version
         run: echo "lts/*" > .nvmrc

diff --git a/.github/workflows/__test-action-setup-node.yml b/.github/workflows/__test-action-setup-node.yml
@@ -28,6 +28,8 @@ jobs:
     steps:
       - name: Arrange - Checkout sources
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
 
       - name: Arrange - Configure Node.js version
         run: echo "lts/*" > .nvmrc

diff --git a/.github/workflows/__test-workflow-continuous-integration.yml b/.github/workflows/__test-workflow-continuous-integration.yml
@@ -28,6 +28,8 @@ jobs:
     needs: act-without-container
     steps:
       - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
       - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           artifact-ids: ${{ needs.act-without-container.outputs.build-artifact-id }}
@@ -62,7 +64,7 @@ jobs:
       issues: read
       packages: write
       pull-requests: read
-    uses: hoverkraft-tech/ci-github-container/.github/workflows/docker-build-images.yml@77f98ab8773b824eca7ed3f94e3e9c8b8af5875c # 0.36.1
+    uses: hoverkraft-tech/ci-github-container/.github/workflows/docker-build-images.yml@5396e1258d209f9af18e55da8692361508e3338c # 0.36.2
     with:
       sign: false
       images: |
@@ -103,6 +105,8 @@ jobs:
     needs: act-with-container
     steps:
       - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
       - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           artifact-ids: ${{ needs.act-with-container.outputs.build-artifact-id }}
@@ -150,6 +154,8 @@ jobs:
     needs: act-with-container-advanced
     steps:
       - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
       - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           artifact-ids: ${{ needs.act-with-container-advanced.outputs.build-artifact-id }}