From 8271c9f12dfd8a4c9258745298dc678452bf19e2 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Tue, 17 Feb 2026 08:00:00 +0000 Subject: [PATCH 01/10] CI: remove clang10 job Since the default clang version in ubuntu-latest image is not clang10, and none of availabe ubuntu images provide clang10, remove the clang10 job. Fixes: fb9b49c4e73d ("github: switch most of ubuntu-20.04 jobs to ubuntu-latest") --- .github/workflows/ci.yml | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2bd16c5206..da43eece37 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -299,15 +299,3 @@ jobs: run: .ci/install-dependencies.sh - name: build check run: .ci/run-build-and-tests.sh - - clang10-x86_64: - runs-on: ubuntu-latest - env: - CC: clang - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - - name: install dependencies - run: .ci/install-dependencies.sh - - name: build check - run: .ci/run-build-and-tests.sh From ce3ee018a0dbdb2a542699b299a9d14ee04103b0 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Tue, 17 Feb 2026 08:00:00 +0000 Subject: [PATCH 02/10] CI: Switch ubuntu-24.04 jobs to ubuntu-latest for consistency Given that ubuntu-latest points to ubuntu-24.04 for quite a while, the configuration when those jobs that use newer compiler versions are pinned to ubuntu-24.04 while other jobs already use ubuntu-latest, just creates inconsistency. When ubuntu-latest switches from ubuntu-24.04 to ubuntu-26.04, those of ubuntu-latest jobs for which the build image wouldn't provide the compiler would have to be pinned to ubuntu-24.04. --- .github/workflows/ci.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index da43eece37..2b0434a5c2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -109,7 +109,7 @@ jobs: run: .ci/run-build-and-tests.sh --enable-asan --enable-simd=avx2 gcc14-x86-without-openssl: - runs-on: ubuntu-24.04 + runs-on: ubuntu-latest env: CC: gcc-14 TARGET: x86 @@ -121,7 +121,7 @@ jobs: run: .ci/run-build-and-tests.sh --without-openssl gcc14-x86-disable-all: - runs-on: ubuntu-24.04 + runs-on: ubuntu-latest env: CC: gcc-14 TARGET: x86 @@ -133,7 +133,7 @@ jobs: run: .ci/run-build-and-tests.sh --disable-openmp --disable-simd --without-openssl gcc14-x86_64: - runs-on: ubuntu-24.04 + runs-on: ubuntu-latest env: CC: gcc-14 TARGET: x86_64 @@ -205,7 +205,7 @@ jobs: run: .ci/run-build-and-tests.sh clang18-x86_64: - runs-on: ubuntu-24.04 + runs-on: ubuntu-latest env: CC: clang-18 TARGET: x86_64 @@ -217,7 +217,7 @@ jobs: run: .ci/run-build-and-tests.sh clang17-x86_64: - runs-on: ubuntu-24.04 + runs-on: ubuntu-latest env: CC: clang-17 TARGET: x86_64 @@ -229,7 +229,7 @@ jobs: run: .ci/run-build-and-tests.sh clang16-x86_64: - runs-on: ubuntu-24.04 + runs-on: ubuntu-latest env: CC: clang-16 TARGET: x86_64 From e82a78dd522851272b6f557fc649024415f4d493 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Tue, 17 Feb 2026 08:00:00 +0000 Subject: [PATCH 03/10] CI: use matrix strategy to avoid code duplication --- .github/workflows/ci.yml | 353 ++++++++------------------------------- 1 file changed, 66 insertions(+), 287 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2b0434a5c2..e9f0968bdb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -12,290 +12,69 @@ jobs: - name: check run: git diff-index --check --cached b1b622f691d40196815939e4736a5da71befd206 - asan: - runs-on: ubuntu-22.04 - env: - CC: gcc - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - - name: install dependencies - run: .ci/install-dependencies.sh - - name: build check - run: .ci/run-build-and-tests.sh --enable-fuzz --enable-asan - - asan-disable-all: - runs-on: ubuntu-22.04 - env: - CC: gcc - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - - name: install dependencies - run: .ci/install-dependencies.sh - - name: build check - run: .ci/run-build-and-tests.sh --enable-asan --disable-openmp --disable-simd --without-openssl - - asan-disable-openmp: - runs-on: ubuntu-22.04 - env: - CC: gcc - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - - name: install dependencies - run: .ci/install-dependencies.sh - - name: build check - run: .ci/run-build-and-tests.sh --enable-asan --disable-openmp - - asan-without-openssl: - runs-on: ubuntu-22.04 - env: - CC: gcc - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - - name: install dependencies - run: .ci/install-dependencies.sh - - name: build check - run: .ci/run-build-and-tests.sh --enable-asan --without-openssl - - asan-disable-simd: - runs-on: ubuntu-latest - env: - CC: gcc - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - - name: install dependencies - run: .ci/install-dependencies.sh - - name: build check - run: .ci/run-build-and-tests.sh --enable-asan --disable-simd - - asan-sse2: - runs-on: ubuntu-latest - env: - CC: gcc - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - - name: install dependencies - run: .ci/install-dependencies.sh - - name: build check - run: .ci/run-build-and-tests.sh --enable-asan --enable-simd=sse2 - - asan-avx: - runs-on: ubuntu-latest - env: - CC: gcc - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - - name: install dependencies - run: .ci/install-dependencies.sh - - name: build check - run: 
.ci/run-build-and-tests.sh --enable-asan --enable-simd=avx - - asan-avx2: - runs-on: ubuntu-latest - env: - CC: gcc - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - - name: install dependencies - run: .ci/install-dependencies.sh - - name: build check - run: .ci/run-build-and-tests.sh --enable-asan --enable-simd=avx2 - - gcc14-x86-without-openssl: - runs-on: ubuntu-latest - env: - CC: gcc-14 - TARGET: x86 - steps: - - uses: actions/checkout@v6 - - name: install dependencies - run: .ci/install-dependencies.sh - - name: build check - run: .ci/run-build-and-tests.sh --without-openssl - - gcc14-x86-disable-all: - runs-on: ubuntu-latest - env: - CC: gcc-14 - TARGET: x86 - steps: - - uses: actions/checkout@v6 - - name: install dependencies - run: .ci/install-dependencies.sh - - name: build check - run: .ci/run-build-and-tests.sh --disable-openmp --disable-simd --without-openssl - - gcc14-x86_64: - runs-on: ubuntu-latest - env: - CC: gcc-14 - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - - name: install dependencies - run: .ci/install-dependencies.sh - - name: build check - run: .ci/run-build-and-tests.sh - - gcc13-x86_64: - runs-on: ubuntu-latest - env: - CC: gcc-13 - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - - name: install dependencies - run: .ci/install-dependencies.sh - - name: build check - run: .ci/run-build-and-tests.sh - - gcc12-x86_64: - runs-on: ubuntu-latest - env: - CC: gcc-12 - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - - name: install dependencies - run: .ci/install-dependencies.sh - - name: build check - run: .ci/run-build-and-tests.sh - - gcc11-x86_64: - runs-on: ubuntu-latest - env: - CC: gcc-11 - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - - name: install dependencies - run: .ci/install-dependencies.sh - - name: build check - run: .ci/run-build-and-tests.sh - - gcc10-x86_64: - runs-on: ubuntu-latest - env: - CC: gcc-10 - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - - name: install 
dependencies - run: .ci/install-dependencies.sh - - name: build check - run: .ci/run-build-and-tests.sh - - gcc9-x86_64: - runs-on: ubuntu-latest - env: - CC: gcc-9 - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - - name: install dependencies - run: .ci/install-dependencies.sh - - name: build check - run: .ci/run-build-and-tests.sh - - clang18-x86_64: - runs-on: ubuntu-latest - env: - CC: clang-18 - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - - name: install dependencies - run: .ci/install-dependencies.sh - - name: build check - run: .ci/run-build-and-tests.sh - - clang17-x86_64: - runs-on: ubuntu-latest - env: - CC: clang-17 - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - - name: install dependencies - run: .ci/install-dependencies.sh - - name: build check - run: .ci/run-build-and-tests.sh - - clang16-x86_64: - runs-on: ubuntu-latest - env: - CC: clang-16 - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - - name: install dependencies - run: .ci/install-dependencies.sh - - name: build check - run: .ci/run-build-and-tests.sh - - clang15-x86_64: - runs-on: ubuntu-latest - env: - CC: clang-15 - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - - name: install dependencies - run: .ci/install-dependencies.sh - - name: build check - run: .ci/run-build-and-tests.sh - - clang14-x86_64: - runs-on: ubuntu-latest - env: - CC: clang-14 - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - - name: install dependencies - run: .ci/install-dependencies.sh - - name: build check - run: .ci/run-build-and-tests.sh - - clang13-x86_64: - runs-on: ubuntu-22.04 - env: - CC: clang-13 - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - - name: install dependencies - run: .ci/install-dependencies.sh - - name: build check - run: .ci/run-build-and-tests.sh - - clang12-x86_64: - runs-on: ubuntu-22.04 - env: - CC: clang-12 - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - - name: install dependencies - run: .ci/install-dependencies.sh 
- - name: build check - run: .ci/run-build-and-tests.sh - - clang11-x86_64: - runs-on: ubuntu-22.04 - env: - CC: clang-11 - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - - name: install dependencies - run: .ci/install-dependencies.sh - - name: build check - run: .ci/run-build-and-tests.sh + build-check: + runs-on: ${{ matrix.runs_on }} + strategy: + fail-fast: false + matrix: + include: + # ASAN variants (gcc, x86_64) + - { cc: gcc, runs_on: ubuntu-22.04, target: x86_64, variant: asan } + - { cc: gcc, runs_on: ubuntu-22.04, target: x86_64, variant: asan-disable-all } + - { cc: gcc, runs_on: ubuntu-22.04, target: x86_64, variant: asan-disable-openmp } + - { cc: gcc, runs_on: ubuntu-22.04, target: x86_64, variant: asan-without-openssl } + - { cc: gcc, runs_on: ubuntu-latest, target: x86_64, variant: asan-disable-simd } + - { cc: gcc, runs_on: ubuntu-latest, target: x86_64, variant: asan-sse2 } + - { cc: gcc, runs_on: ubuntu-latest, target: x86_64, variant: asan-avx } + - { cc: gcc, runs_on: ubuntu-latest, target: x86_64, variant: asan-avx2 } + # GCC 9–14 (ubuntu-latest) + - { cc: gcc-14, runs_on: ubuntu-latest, target: x86_64, variant: base } + - { cc: gcc-14, runs_on: ubuntu-latest, target: x86, variant: without-openssl } + - { cc: gcc-14, runs_on: ubuntu-latest, target: x86, variant: disable-all } + - { cc: gcc-13, runs_on: ubuntu-latest, target: x86_64, variant: base } + - { cc: gcc-12, runs_on: ubuntu-latest, target: x86_64, variant: base } + - { cc: gcc-11, runs_on: ubuntu-latest, target: x86_64, variant: base } + - { cc: gcc-10, runs_on: ubuntu-latest, target: x86_64, variant: base } + - { cc: gcc-9, runs_on: ubuntu-latest, target: x86_64, variant: base } + # Clang 14–18 (ubuntu-latest) + - { cc: clang-18, runs_on: ubuntu-latest, target: x86_64, variant: base } + - { cc: clang-17, runs_on: ubuntu-latest, target: x86_64, variant: base } + - { cc: clang-16, runs_on: ubuntu-latest, target: x86_64, variant: base } + - { cc: clang-15, runs_on: 
ubuntu-latest, target: x86_64, variant: base } + - { cc: clang-14, runs_on: ubuntu-latest, target: x86_64, variant: base } + # Clang 11–13 (ubuntu-22.04) + - { cc: clang-13, runs_on: ubuntu-22.04, target: x86_64, variant: base } + - { cc: clang-12, runs_on: ubuntu-22.04, target: x86_64, variant: base } + - { cc: clang-11, runs_on: ubuntu-22.04, target: x86_64, variant: base } + name: Build ${{ matrix.cc }}-${{ matrix.target }}-${{ matrix.variant }} + env: + CC: ${{ matrix.cc }} + TARGET: ${{ matrix.target }} + steps: + - uses: actions/checkout@v6 + + - name: Set build arguments + env: + VARIANT: ${{ matrix.variant }} + run: | + case "$VARIANT" in + base) BUILD_ARGS="" ;; + without-openssl) BUILD_ARGS="--without-openssl" ;; + disable-all) BUILD_ARGS="--disable-openmp --disable-simd --without-openssl" ;; + asan) BUILD_ARGS="--enable-fuzz --enable-asan" ;; + asan-disable-all) BUILD_ARGS="--enable-asan --disable-openmp --disable-simd --without-openssl" ;; + asan-disable-openmp) BUILD_ARGS="--enable-asan --disable-openmp" ;; + asan-without-openssl) BUILD_ARGS="--enable-asan --without-openssl" ;; + asan-disable-simd) BUILD_ARGS="--enable-asan --disable-simd" ;; + asan-sse2) BUILD_ARGS="--enable-asan --enable-simd=sse2" ;; + asan-avx) BUILD_ARGS="--enable-asan --enable-simd=avx" ;; + asan-avx2) BUILD_ARGS="--enable-asan --enable-simd=avx2" ;; + *) echo "Unknown variant: $VARIANT"; exit 1 ;; + esac + echo "BUILD_ARGS=$BUILD_ARGS" >> "$GITHUB_ENV" + + - name: install dependencies + run: .ci/install-dependencies.sh + + - name: build check + run: .ci/run-build-and-tests.sh $BUILD_ARGS From cc7c2cd00737b7e85cc87f56255cfb87d9217e62 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Tue, 17 Feb 2026 08:00:00 +0000 Subject: [PATCH 04/10] CI: add clang-19 jobs to the build matrix --- .github/workflows/ci.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e9f0968bdb..381e70dc1b 100644 
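Review bot: The final step `run: .ci/run-build-and-tests.sh $BUILD_ARGS` depends on unquoted expansion to split the flags assembled in the "Set build arguments" step, which shellcheck reports as SC2086 and which a later editor may well "fix" into one quoted argument, silently breaking every non-base variant; a comment on that line, `# $BUILD_ARGS is deliberately unquoted: it carries several space-separated configure flags`, would protect it. Passing the matrix value through the `VARIANT` step env var instead of interpolating `${{ matrix.variant }}` into the script body is the right pattern and worth keeping as variants are added. The variant-to-flags mapping now lives in two places (the `include:` list and the `case`), so a variant added to one but not the other is only caught at run time by the `*)` branch; carrying a `build_args` key in each `include:` entry and exporting it via step `env:` would remove both the `case` and the `$GITHUB_ENV` round-trip, at the cost of longer matrix lines.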
--- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -36,7 +36,8 @@ jobs: - { cc: gcc-11, runs_on: ubuntu-latest, target: x86_64, variant: base } - { cc: gcc-10, runs_on: ubuntu-latest, target: x86_64, variant: base } - { cc: gcc-9, runs_on: ubuntu-latest, target: x86_64, variant: base } - # Clang 14–18 (ubuntu-latest) + # Clang 14–19 (ubuntu-latest) + - { cc: clang-19, runs_on: ubuntu-latest, target: x86_64, variant: base } - { cc: clang-18, runs_on: ubuntu-latest, target: x86_64, variant: base } - { cc: clang-17, runs_on: ubuntu-latest, target: x86_64, variant: base } - { cc: clang-16, runs_on: ubuntu-latest, target: x86_64, variant: base } From 0da9855bdeb3faea36fa2f18d9ef283cbde49446 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Tue, 17 Feb 2026 08:00:00 +0000 Subject: [PATCH 05/10] CI: disable persisting credentials for actions/checkout Set `persist-credentials: false` for actions/checkout. Link: https://docs.zizmor.sh/audits/#artipacked --- .github/workflows/ci.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 381e70dc1b..d668a71231 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -9,6 +9,7 @@ jobs: - uses: actions/checkout@v6 with: fetch-depth: 0 + persist-credentials: false - name: check run: git diff-index --check --cached b1b622f691d40196815939e4736a5da71befd206 @@ -53,6 +54,8 @@ jobs: TARGET: ${{ matrix.target }} steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set build arguments env: From ffd92dbc30adcced3b445e2af56128485a42c361 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Tue, 17 Feb 2026 08:00:00 +0000 Subject: [PATCH 06/10] CI: remove excessive permissions Set `permissions: {}` at the workflow level to prevent unnecessarily granting overly broad default permissions to jobs. Link: https://docs.zizmor.sh/audits/#excessive-permissions --- .github/workflows/ci.yml | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d668a71231..14bf6f0a58 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -2,6 +2,8 @@ name: CI on: [push, pull_request] +permissions: {} + jobs: whitespace-errors: runs-on: ubuntu-latest From 1d70bdae70a03b404e5c5b7a1d5f5d4930fb9311 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Tue, 17 Feb 2026 08:00:00 +0000 Subject: [PATCH 07/10] CI: set concurrency limits When a new CI run is started, any in-progress CI runs for the same PR, branch, or tag are cancelled. Link: https://docs.zizmor.sh/audits/#concurrency-limits --- .github/workflows/ci.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 14bf6f0a58..8bfff46cb9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -4,6 +4,10 @@ on: [push, pull_request] permissions: {} +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + jobs: whitespace-errors: runs-on: ubuntu-latest From 26632e5d5be9218a65cc81163a63d66e0a6866d4 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Tue, 17 Feb 2026 08:00:00 +0000 Subject: [PATCH 08/10] CI: add job names When "name:" is omitted, the workflow or action is rendered anonymously in the GitHub Actions UI, making it harder to understand which definition is running. Link: https://docs.zizmor.sh/audits/#anonymous-definition --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8bfff46cb9..a44f3b637a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -10,6 +10,7 @@ concurrency: jobs: whitespace-errors: + name: Check for whitespace errors runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 From da3bb6fe039318cb9a1d95b4eb0dcedb6fbb6c70 Mon Sep 17 00:00:00 2001 
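Review bot: `permissions: {}` leaves `GITHUB_TOKEN` with no scopes for every job, and nothing in the hunk records that a job needing the token is expected to grant the minimum at job level, so the next such job is likely to be handled by widening this workflow-level default instead; a comment above the line, `# No default token scopes; a job that needs the token grants the minimum itself (e.g. contents: read)`, would capture the intent. The two existing jobs only check out and build, which presumably works without token scopes on a public repository, but that is worth confirming on the first run rather than assumed.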
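Review bot: `cancel-in-progress: true` also applies to push events, because the group falls back to `github.ref` whenever there is no pull request number, so two quick pushes to the same shared branch cancel the run for the first commit and leave it without a completed CI result. Limiting cancellation to pull requests keeps the deduplication for PRs while letting branch and tag pushes run to completion: `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`. If cancelling on branch pushes is intended, a one-line comment above `cancel-in-progress` saying so would stop the next reader from treating it as an oversight.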
From: "Dmitry V. Levin" Date: Tue, 17 Feb 2026 08:00:00 +0000 Subject: [PATCH 09/10] CI: pin latest versions by their commit hash This is a recommended security practice because commit hashes are immutable, which prevents tag renaming attacks. Dependabot can detect newer versions even if the current version is pinned to a specific commit hash. For GitHub Actions, it is common practice to append a version tag name as a comment text to the commit hash, and Dependabot automatically updates this comment when it bumps the commit hash. Link: https://docs.zizmor.sh/audits/#unpinned-uses --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a44f3b637a..c5fa453455 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -13,7 +13,7 @@ jobs: name: Check for whitespace errors runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 persist-credentials: false @@ -60,7 +60,7 @@ jobs: CC: ${{ matrix.cc }} TARGET: ${{ matrix.target }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false From 821e6963d85209c1c240abcfab896c9f56d67d0d Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Tue, 17 Feb 2026 08:00:00 +0000 Subject: [PATCH 10/10] .github/dependabot.yml: set cooldown period By default, Dependabot does not perform any cooldown on dependency updates. In other words, a regularly scheduled Dependabot run may perform an update on a dependency that was just released moments before the run began. This presents both stability and supply-chain security risks. To mitigate these risks, explicitly set Dependabot cooldown period to 7 days. Link: https://docs.zizmor.sh/audits/#dependabot-cooldown --- .github/dependabot.yml | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index bfe0902d88..f46cfb0b04 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,4 +4,6 @@ updates:
     directory: /
     schedule:
       interval: monthly
+    cooldown:
+      default-days: 7
     open-pull-requests-limit: 2