From 30f21eeab86eda18f814e5bb42ec435afa35b7f7 Mon Sep 17 00:00:00 2001
From: Pepijn van der Stap
Date: Thu, 2 Apr 2026 12:59:40 +0200
Subject: [PATCH 1/3] test
---
 .pre-commit-config.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 .pre-commit-config.yaml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..192ab0b
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,8 @@
+repos:
+ # zizmor - Security linter for GitHub Actions
+ - repo: https://github.com/zizmorcore/zizmor-pre-commit
+ # pinned to last version [ea2eb407b4cbce87cf0d502f36578950494f5ac9]
+ rev: ea2eb407b4cbce87cf0d502f36578950494f5ac9
+ hooks:
+ - id: zizmor
+ # zizmor finds security issues in GitHub Actions workflows
From 5e709d4a5636b8d4fecda41f5d305cdd6dba2f1d Mon Sep 17 00:00:00 2001
From: Pepijn van der Stap
Date: Thu, 2 Apr 2026 12:59:57 +0200
Subject: [PATCH 2/3] test
---
 LICENSE | 1 +
 1 file changed, 1 insertion(+)
diff --git a/LICENSE b/LICENSE
index 2d4913a..bb6ecce 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,6 +1,7 @@ GNU AFFERO GENERAL PUBLIC LICENSE Version 3, 19 November 2007 + Copyright (C) 2007 Free Software Foundation, Inc. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
From a1f9d4aa46c37513397099ccbe354b6460308fcc Mon Sep 17 00:00:00 2001
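Review bot: The comment above `rev:` in the new .pre-commit-config.yaml repeats the commit hash instead of naming the release it was resolved from, so a reader cannot tell which zizmor-pre-commit version this pin corresponds to, or whether the hash is a tagged release at all. Keep the hash as the pin but record the tag in the comment, e.g. `rev: ea2eb407b4cbce87cf0d502f36578950494f5ac9  # <zizmor-pre-commit tag>`, so the pin can be re-resolved and audited later. The trailing `# zizmor finds security issues in GitHub Actions workflows` comment sits under `- id: zizmor` where a hook option would go; folding it into the `# zizmor - Security linter for GitHub Actions` header keeps the hook entry clean.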
From: Pepijn van der Stap
Date: Thu, 2 Apr 2026 18:13:18 +0200
Subject: [PATCH 3/3] ci: harden GitHub Actions workflows and update Go version
- Pin all GitHub Actions to commit hashes
- Add persist-credentials: false to checkout actions
- Add environment declarations for release/codacy jobs
- Use go-version-file: go.mod instead of hardcoded versions
- Update Go version to 1.26
- Fix malformed SHA for docker/setup-qemu-action
- Disable caching in release workflow to prevent cache poisoning
Fixes security issues flagged by zizmor pre-commit hook.
---
 .github/workflows/codacy.yml | 7 ++++--
 .github/workflows/codeql.yml | 8 ++++---
 .github/workflows/go-ossf-slsa3-publish.yml | 4 ++--
 .github/workflows/power-ci.yaml | 8 ++++---
 .github/workflows/release.yml | 19 +++++++++------
 go.mod | 24 ++++++++++-----------
 6 files changed, 40 insertions(+), 30 deletions(-)
diff --git a/.github/workflows/codacy.yml b/.github/workflows/codacy.yml
index d0c67af..3d1532e 100644
--- a/.github/workflows/codacy.yml
+++ b/.github/workflows/codacy.yml
@@ -27,6 +27,7 @@ permissions:
 jobs:
 codacy-security-scan:
+ environment: codacy
 permissions:
 contents: read # for actions/checkout to fetch code
 security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
@@ -36,7 +37,9 @@ jobs:
 steps:
 # Checkout the repository to the GitHub Actions runner
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis
 - name: Run Codacy Analysis CLI
@@ -56,6 +59,6 @@ jobs:
 # Upload the SARIF file generated in the previous step
 - name: Upload SARIF results file
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@4fa3e5e9f2c3aa23d97360b89423bb24f8e2c578 # v3
 with:
 sarif_file: results.sarif
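Review bot: `environment: codacy` added in the first codacy.yml hunk only gates this job if an environment of that name exists with protection rules in the repository settings; with none configured the key is a no-op, and with required reviewers it would hold every scan until approved, which matters or not depending on the workflow's triggers, which are outside the hunk. The same applies to `environment: release` in release.yml. Scoping a secret to the environment only helps if the repository-level copy is removed, because a repository secret stays readable from every job; a comment such as `# requires the 'codacy' environment (protection rules + secrets) in repo settings` next to the key would record that dependency for whoever maintains the settings.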
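Review bot: The version comment on the new `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4` line in the second codacy.yml hunk is a floating major rather than the exact tag the hash was resolved from, and the same pattern is used for every pinned `uses:` in the third hunk here and in codeql.yml, power-ci.yaml and release.yml. A hash pin is only auditable if a reader can re-resolve it, and tooling that bumps SHA-pinned actions typically reads that comment to determine the current version, so write the full tag: `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.<minor>.<patch>` (substituting the tag the hash actually points to). The `docker/setup-qemu-action` pin in release.yml already uses the exact form `# v3.6.0` and is the pattern to follow throughout.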
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 50f87ff..2cdd05a 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -57,7 +57,9 @@ jobs:
 # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 # Add any setup steps before running the `github/codeql-action/init` action.
 # This includes steps like installing compilers or runtimes (`actions/setup-node`
@@ -67,7 +69,7 @@ jobs:
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
+ uses: github/codeql-action/init@4fa3e5e9f2c3aa23d97360b89423bb24f8e2c578 # v3
 with:
 languages: ${{ matrix.language }}
 build-mode: ${{ matrix.build-mode }}
@@ -95,6 +97,6 @@ jobs:
 exit 1
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
+ uses: github/codeql-action/analyze@4fa3e5e9f2c3aa23d97360b89423bb24f8e2c578 # v3
 with:
 category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/go-ossf-slsa3-publish.yml b/.github/workflows/go-ossf-slsa3-publish.yml
index 1509e32..8cf907a 100644
--- a/.github/workflows/go-ossf-slsa3-publish.yml
+++ b/.github/workflows/go-ossf-slsa3-publish.yml
@@ -29,9 +29,9 @@ jobs:
 id-token: write # To sign.
 contents: write # To upload release assets.
 actions: read # To read workflow path.
- uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.4.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@c027e128eb4df2eff6924c51b481c4e460a77b98 # v1.4.0
 with:
- go-version: 1.24
+ go-version: 1.26
 # =============================================================================================================
 # Optional: For more options, see https://github.com/slsa-framework/slsa-github-generator#golang-projects
 # =============================================================================================================
diff --git a/.github/workflows/power-ci.yaml b/.github/workflows/power-ci.yaml
index 91f232a..a31eaf9 100644
--- a/.github/workflows/power-ci.yaml
+++ b/.github/workflows/power-ci.yaml
@@ -15,12 +15,14 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 - name: Set up Go
- uses: actions/setup-go@v4
+ uses: actions/setup-go@41dfa10ca2ca416f9bf1cf0b1e92d381cdfe9d0c # v4
 with:
- go-version: 1.22
+ go-version-file: go.mod
 - name: Install QEMU
 run: sudo apt-get install -y qemu-user-static
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 772528c..17f97fc 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
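Review bot: `go-version: 1.26` in the go-ossf-slsa3-publish.yml hunk is an unquoted plain scalar, so YAML types it as a float before the reusable workflow ever sees it; 1.26 happens to survive the round trip, but a later bump to 1.30 would arrive as `1.3`, and the value removed from release.yml in this same commit was quoted (`'1.24'`) for exactly that reason. Quote it: `go-version: "1.26"`. This workflow also keeps a hard-coded Go version while the commit message moves the other jobs to `go-version-file: go.mod`; if the SLSA builder's inputs leave no alternative, a one-line comment saying so and that this value must track the `go` directive in go.mod would stop the two from drifting apart unnoticed.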
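Review bot: `actions/setup-go@41dfa10ca2ca416f9bf1cf0b1e92d381cdfe9d0c` in the power-ci.yaml hunk is labelled `# v4`, while the identical hash in release.yml is labelled `# v5`; one commit cannot be both, so one of the labels is wrong and whichever file got the other major's behaviour did so silently. Resolve the hash against the upstream tags and use the same exact tag in both files. The checkout pin in this hunk also moves from `@v3` to a hash labelled `# v4`, which is a major upgrade hidden inside a "pin" change; it is probably intended, but it deserves its own line in the commit message.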
@@ -13,32 +13,35 @@ permissions:
 jobs:
 release:
 runs-on: ubuntu-latest
+ environment: release
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Set up Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@41dfa10ca2ca416f9bf1cf0b1e92d381cdfe9d0c # v5
 with:
- go-version: '1.24'
-
+ go-version-file: go.mod
+ cache: false
+
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@aa996a7d1628d12b2b5113c9e758b29c16ceb4e7 # v3
 - name: Log in to GitHub Container Registry
- uses: docker/login-action@v3
+ uses: docker/login-action@e92390c5fb421da1463c202d5462070b0807fba9 # v3
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Run GoReleaser
- uses: goreleaser/goreleaser-action@v6
+ uses: goreleaser/goreleaser-action@9ed3f94e3ebe6a567a665a8183f81b141d833663 # v6
 with:
 version: latest
 args: release --clean
diff --git a/go.mod b/go.mod
index da1f365..9b19152 100644
--- a/go.mod
+++ b/go.mod
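Review bot: `version: latest` under the GoReleaser step in the release.yml hunk (a context line this commit leaves as is) downloads whichever GoReleaser release is current at run time, so the release build is not reproducible and a breaking or compromised upstream release flows straight into a publish, which undoes the point of pinning the action to a hash on the line above it. Pin it to a specific release, `version: '<goreleaser version>'`, and bump it deliberately alongside the action hash. The job logs into ghcr.io with `secrets.GITHUB_TOKEN` and runs `release --clean` with whatever the `permissions:` block above the hunk grants; `environment: release` only protects that publish if the environment has protection rules configured, which the diff cannot show, so a comment on that line naming the expected rules would help the next reader.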
@@ -1,24 +1,24 @@
 module github.com/x-stp/rxtls
-go 1.24.2
+go 1.26
 require (
- github.com/prometheus/client_golang v1.22.0
- github.com/spf13/cobra v1.9.1
- github.com/zeebo/xxh3 v1.0.2
- golang.org/x/sys v0.33.0
- golang.org/x/time v0.11.0
+ github.com/prometheus/client_golang v1.23.2
+ github.com/spf13/cobra v1.10.2
+ github.com/zeebo/xxh3 v1.1.0
+ golang.org/x/sys v0.42.0
+ golang.org/x/time v0.15.0
 )
 require (
 github.com/beorn7/perks v1.0.1 // indirect
 github.com/cespare/xxhash/v2 v2.3.0 // indirect
 github.com/inconshreveable/mousetrap v1.1.0 // indirect
- github.com/klauspost/cpuid/v2 v2.0.9 // indirect
+ github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
- github.com/prometheus/client_model v0.6.1 // indirect
- github.com/prometheus/common v0.62.0 // indirect
- github.com/prometheus/procfs v0.15.1 // indirect
- github.com/spf13/pflag v1.0.6 // indirect
- google.golang.org/protobuf v1.36.5 // indirect
+ github.com/prometheus/client_model v0.6.2 // indirect
+ github.com/prometheus/common v0.66.1 // indirect
+ github.com/prometheus/procfs v0.16.1 // indirect
+ github.com/spf13/pflag v1.0.10 // indirect
+ google.golang.org/protobuf v1.36.8 // indirect
 )