·
26 commits
to main
since this release
07788e9
This commit was signed with the committer’s verified signature.
marcus-hooper
Marcus Hooper
Added
- CI workflow with CHANGELOG validation and actionlint (includes YAML and ShellCheck)
- CodeQL workflow for static application security testing (SAST)
- OSSF Scorecard workflow for supply chain security analysis
- Dependabot auto-merge workflow for patch and minor updates
- Release workflow with major version tag updates, SBOM generation, and attestation
- Scheduled health check workflow with automatic issue creation on failure
- Security workflow with Gitleaks secret scanning and unsafe pattern detection
- Label sync workflow for automatic repository label management
- Dependency review configuration with license allow-list
- Issue templates converted to YAML form-based format
- Pull request template with checklist and structured sections
- Repository labels configuration file with type, priority, status, and area labels
Changed
- Expanded Dependabot configuration with grouped updates, timezone, and rebase strategy
Security
- Fix token permissions and prevent code injection vulnerability in
get-commit-messagesworkflow - Pin all GitHub Actions to commit SHAs for supply chain security
- Add step-security/harden-runner with egress blocking to all workflows
- Network egress restricted to only required endpoints per workflow
- All workflow checkout actions use
persist-credentials: false