From 33c534a29d1d7e0c8bc3250ecdc4ed7151210d7e Mon Sep 17 00:00:00 2001
From: Connor Shea <2977353+connorshea@users.noreply.github.com>
Date: Sat, 23 May 2026 11:21:48 -0600
Subject: [PATCH 1/4] Pin GitHub Actions to specific SHA hashes to prevent supply chain attacks. This also updates the actions to their latest versions. I think this is especially important to do given that pushing to master on this repo would result in anyone running `bundler-audit update` on their machine getting potentially malicious code. Though I admittedly don't think that's particularly likely to lead to much (bundler-audit just parses YAML files), I'd rather be careful. Generally speaking I'd recommend pinning these to SHA hashes yourselves to make sure I can't supply a malicious SHA hash here, and you can use zizmor or pinact if you want to do it yourself instead and close this PR.
---
 .github/workflows/ruby.yml | 8 +++++---
 .github/workflows/website.yml | 2 +-
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/ruby.yml b/.github/workflows/ruby.yml
index fefbc9432e..a123ec4871 100644
--- a/.github/workflows/ruby.yml
+++ b/.github/workflows/ruby.yml
@@ -11,9 +11,11 @@ jobs:
 runs-on: ubuntu-latest
 name: Linter
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Set up Python
- uses: actions/setup-python@v4
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: 3.8
 - name: Install yamllint
@@ -23,7 +25,7 @@ jobs:
 - name: Lint YAML files
 run: yamllint gems rubies
 - name: Set up Ruby
- uses: ruby/setup-ruby@v1
+ uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0
 with:
 ruby-version: 3.4
 - name: Install ruby dependencies
diff --git a/.github/workflows/website.yml b/.github/workflows/website.yml
index a0d869f3fb..9a3748f9a4 100644
--- a/.github/workflows/website.yml
+++ b/.github/workflows/website.yml
@@ -10,7 +10,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Send Repository Dispatch event
- uses: peter-evans/repository-dispatch@v1
+ uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
 with:
 token: ${{ secrets.REPO_ACCESS_TOKEN }}
 repository: rubysec/rubysec.github.io
From bf18155dcf1b98f4708b0fb53ea0d78bae158597 Mon Sep 17 00:00:00 2001
From: Connor Shea <2977353+connorshea@users.noreply.github.com>
Date: Sat, 23 May 2026 11:24:13 -0600
Subject: [PATCH 2/4] Restrict both actions files to have zero permissions. Neither of them need anything, so we can safely remove all permissions.
---
 .github/workflows/ruby.yml | 2 ++
 .github/workflows/website.yml | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/.github/workflows/ruby.yml b/.github/workflows/ruby.yml
index a123ec4871..e2a0e6c584 100644
--- a/.github/workflows/ruby.yml
+++ b/.github/workflows/ruby.yml
@@ -6,6 +6,8 @@ on:
 pull_request:
 branches: ['**']

+permissions: {}
+
 jobs:
 tests:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/website.yml b/.github/workflows/website.yml
index 9a3748f9a4..447d597784 100644
--- a/.github/workflows/website.yml
+++ b/.github/workflows/website.yml
@@ -4,6 +4,8 @@ on:
 push:
 branches: [ master ]

+permissions: {}
+
 jobs:
 notify:
 if: github.repository_owner == 'rubysec'
From 6ab2c6ba7003ae2ca02bd9e02c265285c113eb9d Mon Sep 17 00:00:00 2001
From: Mike Dalessio
Date: Sat, 23 May 2026 16:22:50 -0400
Subject: [PATCH 3/4] Add zizmor + actionlint CI job to audit GitHub Actions workflows.
---
 .github/workflows/ruby.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/.github/workflows/ruby.yml b/.github/workflows/ruby.yml
index e2a0e6c584..c645e7013f 100644
--- a/.github/workflows/ruby.yml
+++ b/.github/workflows/ruby.yml
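Review bot: The new top-level `permissions: {}` in website.yml strips every scope from the job's GITHUB_TOKEN, and that is only safe because the dispatch step authenticates with `secrets.REPO_ACCESS_TOKEN` (presumably a cross-repo PAT, per the earlier hunk) rather than the job token; nothing in the file records that dependency. A one-line comment above it would keep the next maintainer from "fixing" a future dispatch failure by widening the block, e.g. `# GITHUB_TOKEN is intentionally unscoped; the dispatch step uses REPO_ACCESS_TOKEN instead`. The same empty block is added to ruby.yml in the preceding hunk, where no step needs a token, so that one needs no comment. Note that a job-level `permissions:` can still override this workflow default, so any job added later should be checked for that.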
@@ -9,6 +9,23 @@ on:
 permissions: {}

 jobs:
+ lint-actions:
+ name: GitHub Actions audit
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - name: Run actionlint
+ uses: rhysd/actionlint@393031adb9afb225ee52ae2ccd7a5af5525e03e8 # v1.7.11
+ - name: Run zizmor
+ uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+ with:
+ advanced-security: false
+
 tests:
 runs-on: ubuntu-latest
 name: Linter
From 3ce9602205515943903ed1222b7999e60d4a3b34 Mon Sep 17 00:00:00 2001
From: Mike Dalessio
Date: Sat, 23 May 2026 16:22:53 -0400
Subject: [PATCH 4/4] Configure Dependabot to batch GitHub Actions updates weekly.
---
 .github/dependabot.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000000..066427b9d7
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,12 @@
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: "/"
+ groups:
+ github-actions:
+ patterns:
+ - "*"
+ schedule:
+ interval: weekly
+ cooldown:
+ default-days: 7
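Review bot: `advanced-security: false` on the new zizmor step is the one input in the lint-actions job whose effect is not obvious, and it is undocumented; as I read zizmor-action, that input controls whether findings are uploaded as SARIF to code scanning, so with it off the results are only visible in the job log and through the job's pass/fail status. A comment such as `# no code-scanning upload (no Advanced Security on this repo); findings go to the job log and fail the job` would record the choice. If it is ever flipped to `true`, this job will also need its own `permissions:` block granting `security-events: write`, since it currently inherits the workflow-level `permissions: {}`. The rest of the job (SHA-pinned steps, `persist-credentials: false`) is the right shape for an audit job.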
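Review bot: `cooldown.default-days: 7` and the catch-all `"*"` group are the two decisions in the new dependabot.yml with supply-chain consequences, and neither carries a comment explaining them. I would add `# wait 7 days after a release before proposing it, so a yanked or compromised tag is noticed before it reaches master` above `cooldown:`, since that delay is the deliberate mitigation here rather than an arbitrary number. Grouping every action into one weekly PR means a single review covers all SHA bumps at once, so the reviewer should still check each `# vX.Y.Z` trailer against the new SHA instead of trusting the batch. As far as I recall, the `github-actions` ecosystem with `directory: "/"` covers `.github/workflows/` only; composite actions living elsewhere in the repo would need their own entry.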