From d2ab1e7804847b95bc31e99f0899f6d52dab3a9f Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Fri, 27 Mar 2026 21:26:55 +0100
Subject: [PATCH 1/2] zizmor workflow
---
 .github/workflows/zizmor.yml | 27 +++++++++++++++++++++++++++
 .github/zizmor.yml | 4 ++++
 2 files changed, 31 insertions(+)
 create mode 100644 .github/workflows/zizmor.yml
 create mode 100644 .github/zizmor.yml
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..f9ad275
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,27 @@
+name: zizmor
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - 'master'
+ - 'releases/v*'
+ pull_request:
+
+jobs:
+ run:
+ uses: crazy-max/.github/.github/workflows/zizmor.yml@bbd31df64ee0f097a02f12495f541f9236f18c46 # v1.2.0
+ permissions:
+ contents: read
+ security-events: write
+ with:
+ min-severity: medium
+ min-confidence: medium
+ persona: pedantic
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..6aee3c5
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,4 @@
+# https://docs.zizmor.sh/configuration/
+rules:
+ secrets-outside-env:
+ disable: true
From 5f23b4ca48efc5e40aadbe2c4a8f50bbe81da03b Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Fri, 27 Mar 2026 21:27:02 +0100
Subject: [PATCH 2/2] fix zizmor findings
---
 .github/dependabot.yml | 4 ++++
 .github/workflows/ci.yml | 9 ++++-----
 .github/workflows/labels.yml | 11 ++++------
 .github/workflows/validate.yml | 7 +++----
 4 files changed, 15 insertions(+), 16 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 7d74ef6..0438412 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
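Review bot: The job-level `security-events: write` grant carries no comment saying what it is for, and because the workflow also fires on `pull_request:`, runs for pull requests from forks receive a read-only `GITHUB_TOKEN` regardless of what is requested here. Presumably the reusable workflow uploads SARIF to code scanning and copes with the downgraded token, but that is not visible in this hunk and is worth confirming against the called workflow. A one-line comment above the grant, e.g. `# SARIF upload to code scanning (token is read-only on fork pull requests)`, records the intent for the next reader.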
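Review bot: `secrets-outside-env` is disabled for the whole repository with no rationale recorded, which silences that audit for every current and future workflow rather than for the one usage that needed it. A comment above `disable: true` naming the workflow and step that trips the rule, e.g. `# <workflow>.yml: <step> passes a secret via with:, which this rule flags`, would let a later reviewer re-enable it once that usage is gone. zizmor's configuration also accepts a per-rule `ignore:` list of `file`, `file:line` or `file:line:col` entries, which would scope the suppression to the specific finding instead of turning the rule off globally.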
@@ -4,6 +4,8 @@ updates:
 directory: "/"
 schedule:
 interval: "daily"
+ cooldown:
+ default-days: 2
 labels:
 - "kind/dependencies"
 - "bot"
@@ -11,6 +13,8 @@ updates:
 directory: "/"
 schedule:
 interval: "daily"
+ cooldown:
+ default-days: 2
 versioning-strategy: "increase"
 allow:
 - dependency-type: "production"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 37a1618..b8c5541 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,7 +4,6 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
-# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
 permissions:
 contents: read
@@ -24,7 +23,7 @@ jobs:
 steps:
 -
 name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 -
 name: Env before
 run: |
@@ -42,7 +41,7 @@ jobs:
 steps:
 -
 name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 -
 name: Expose GitHub Runtime
 uses: ./
@@ -52,13 +51,13 @@ jobs:
 env|sort
 -
 name: Checkout go-actions-cache
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 repository: tonistiigi/go-actions-cache
 path: go-actions-cache
 -
 name: Setup go
- uses: actions/setup-go@v6
+ uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
 -
 name: Test
 run: |
diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml
index 00c6675..0af5535 100644
--- a/.github/workflows/labels.yml
+++ b/.github/workflows/labels.yml
@@ -4,7 +4,6 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
-# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
 permissions:
 contents: read
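Review bot: Pinning `actions/checkout` to a commit in the `Checkout go-actions-cache` step does not pin what that step fetches: the context `with:` block names `repository: tonistiigi/go-actions-cache` with no `ref:`, so the following `Test` step (whose `run:` body lies outside the hunk) presumably builds whatever that third-party repository's default branch holds at run time. Since this commit is about making action inputs reproducible, the same reasoning applies to checked-out source, and adding `ref: <commit-sha>` (placeholder) beneath `repository:` would close that gap. Unlike `uses:` pins, such a `ref:` is not something Dependabot refreshes for you, so it deserves a comment with the tag or date it corresponds to, e.g. `# pinned manually; bump alongside go-actions-cache releases`.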
@@ -24,16 +23,14 @@ jobs:
 labeler:
 runs-on: ubuntu-latest
 permissions:
- # same as global permissions
- contents: read
- # required to update labels
- issues: write
+ contents: read # same as global permissions
+ issues: write # required to update labels
 steps:
 -
 name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 -
 name: Run Labeler
- uses: crazy-max/ghaction-github-labeler@v5
+ uses: crazy-max/ghaction-github-labeler@24d110aa46a59976b8a7f35518cb7f14f434c916 # v5.3.0
 with:
 dry-run: ${{ github.event_name == 'pull_request' }}
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 8c31ac8..38058b6 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -4,7 +4,6 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
-# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
 permissions:
 contents: read
@@ -23,11 +22,11 @@ jobs:
 steps:
 -
 name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 -
 name: List targets
 id: generate
- uses: docker/bake-action/subaction/list-targets@v6
+ uses: docker/bake-action/subaction/list-targets@5be5f02ff8819ecd3092ea6b2e6261c31774f2b4 # v6.10.0
 with:
 target: validate
@@ -42,6 +41,6 @@ jobs:
 steps:
 -
 name: Validate
- uses: docker/bake-action@v6
+ uses: docker/bake-action@5be5f02ff8819ecd3092ea6b2e6261c31774f2b4 # v6.10.0
 with:
 targets: ${{ matrix.target }}