From 22a740ac7e9f5bf5d0af79b00ac618fc3346f9b0 Mon Sep 17 00:00:00 2001
From: Davidnbr
Date: Fri, 15 May 2026 12:01:12 -0500
Subject: [PATCH 1/3] ci: use pinned sha for actions and refine permissions

---
 .github/workflows/build.yml | 21 ++++++++++++---------
 .github/workflows/publish.yml | 14 +++++++++-----
 .github/workflows/release.yml | 13 +++++++++----
 .github/workflows/update.yml | 21 ++++++++++++++------
 4 files changed, 44 insertions(+), 25 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 4756f814..3344cbea 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -10,17 +10,20 @@ concurrency:
 group: build-${{ github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 check:
 runs-on: ubuntu-latest
 timeout-minutes: 5
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Install Nix
- uses: cachix/install-nix-action@v31
+ uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
 - name: Setup Cachix
- uses: cachix/cachix-action@v17
+ uses: cachix/cachix-action@5f2d7c5294214f71b873db4b969586b980625e71 # v17
 with:
 name: devenv
 - name: Install devenv
@@ -42,11 +45,11 @@ jobs:
 needs: [check]
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Install Nix
- uses: cachix/install-nix-action@v31
+ uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
 - name: Setup Cachix
- uses: cachix/cachix-action@v17
+ uses: cachix/cachix-action@5f2d7c5294214f71b873db4b969586b980625e71 # v17
 with:
 name: nixpkgs-terraform
 authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
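Review bot: The `# v17` annotation on the new cachix-action pin names a moving major tag rather than the release the SHA was taken from, unlike the `# v6.0.2` and `# v31.10.6` annotations beside it (the same applies to `# v6` on flakehub-push later in this patch). Record the exact release tag, e.g. `uses: cachix/cachix-action@5f2d7c5294214f71b873db4b969586b980625e71 # v17.<minor>.<patch>` with the real version filled in, so a reviewer can check the SHA against a specific release and pin-update tooling, which rewrites the comment alongside the SHA, keeps it accurate. The workflow-level `contents: read` is the right default for a build workflow; the `check` job continues below the hunk.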
@@ -68,11 +71,11 @@ jobs:
 - terranix
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Install Nix
- uses: cachix/install-nix-action@v31
+ uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
 - name: Setup Cachix
- uses: cachix/cachix-action@v17
+ uses: cachix/cachix-action@5f2d7c5294214f71b873db4b969586b980625e71 # v17
 with:
 name: nixpkgs-terraform
 extraPullNames: devenv
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 7c9437f8..9dcad11b 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -15,23 +15,27 @@ permissions:
 jobs:
 flakehub:
 runs-on: ubuntu-latest
+ timeout-minutes: 15
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
- ref: ${{ github.ref_name }}
+ ref: ${{ github.sha }}
 - name: Install Nix
- uses: cachix/install-nix-action@v31
+ uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
 - name: Publish flake
- uses: DeterminateSystems/flakehub-push@v6
+ uses: DeterminateSystems/flakehub-push@71f57208810a5d299fc6545350981de98fdbc860 # v6
 with:
 tag: ${{ github.ref_name }}
 visibility: public
 flakestry:
 runs-on: ubuntu-latest
+ timeout-minutes: 15
+ permissions:
+ contents: read
 steps:
 - name: Publish flake
- uses: flakestry/flakestry-publish@main
+ uses: flakestry/flakestry-publish@08cfeb3dc22bf4e2df64ba84e8dae19918e44e0b # main 2026-01-10
 with:
 version: ${{ github.ref_name }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4f43693e..82092a9b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
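Review bot: The job-level `permissions:` block added to `flakestry` replaces the workflow-level `permissions:` (the hunk's context line shows one exists; its contents are outside this view) for that job entirely, so the job now has nothing but `contents: read`; if flakestry-publish authenticates to the registry via OIDC — it is given no token input here — it also needs `id-token: write` and will fail without it. The `flakehub` job has no job-level block and keeps whatever the workflow-level block grants, so the two publish jobs now run with different permission sets for no stated reason. Either give both jobs an explicit block such as `permissions: { contents: read, id-token: write }` and reduce the workflow-level one to `permissions: {}`, or add a comment on the flakestry job explaining why it needs less, e.g. `# flakestry-publish uses <mechanism>, no id-token needed`. Checking out `${{ github.sha }}` instead of the tag name is the right call for a publish job, since the SHA is the commit the run was triggered on while a tag name can be moved afterwards.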
@@ -10,26 +10,31 @@ concurrency:
 group: release
 cancel-in-progress: true
+permissions: {}
+
 jobs:
 release:
 if: ${{ github.event.workflow_run.conclusion == 'success' }}
 runs-on: ubuntu-latest
+ timeout-minutes: 20
 permissions:
 contents: write
 id-token: write
 steps:
 - name: Create GH App token
- uses: actions/create-github-app-token@v2
+ uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
 id: app-token
 with:
 app-id: ${{ vars.GH_APP_ID }}
 private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ ref: ${{ github.event.workflow_run.head_sha }}
 - name: Install Nix
- uses: cachix/install-nix-action@v31
+ uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
 - name: Setup Cachix
- uses: cachix/cachix-action@v17
+ uses: cachix/cachix-action@5f2d7c5294214f71b873db4b969586b980625e71 # v17
 with:
 name: devenv
 - name: Install devenv
diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml
index 2e0fa255..db454581 100644
--- a/.github/workflows/update.yml
+++ b/.github/workflows/update.yml
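Review bot: Checking out `${{ github.event.workflow_run.head_sha }}` makes the release job build whichever commit the triggering run was for, while the `if:` guard in the context above only checks `conclusion == 'success'`; `workflow_run` also fires for runs of pull requests, including ones from forks, so unless `on.workflow_run.branches` (outside this hunk) already restricts it, an untrusted commit can be checked out and evaluated by devenv in a job that holds `contents: write`, `id-token: write` and a GitHub App token. Before this change the checkout used the run's `github.sha`, which for `workflow_run` is the default branch's latest commit, so the new `ref:` is what introduces the exposure. Tighten the guard to the event and repository the release is meant to come from, e.g. `if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'push' && github.event.workflow_run.head_repository.full_name == github.repository }}`, and say in a comment on the `ref:` line why the head SHA rather than the default branch is wanted. The top-level `permissions: {}` with job-level grants is the right shape; the release job continues below the hunk.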
@@ -10,28 +10,30 @@ concurrency:
 group: update
 cancel-in-progress: true
+permissions: {}
+
 jobs:
 update:
 runs-on: macos-latest
+ timeout-minutes: 30
 permissions:
 contents: write
- id-token: write
 pull-requests: write
 steps:
 - name: Create GH App token
- uses: actions/create-github-app-token@v2
+ uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
 id: app-token
 with:
 app-id: ${{ vars.GH_APP_ID }}
 private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 ref: main
 - name: Install Nix
- uses: cachix/install-nix-action@v31
+ uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
 - name: Install devenv
- run: nix profile add --accept-flake-config github:cachix/devenv/latest
+ run: nix profile add --accept-flake-config github:cachix/devenv/v1.8
 - name: Compile cli
 run: devenv shell -- go build .
 working-directory: cli
@@ -39,12 +41,16 @@ jobs:
 id: update
 run: |
 commit_message=$(cli/cli update)
+ if [[ -n "$commit_message" ]] && ! [[ "$commit_message" =~ ^chore: ]]; then
+ echo "Unexpected commit message format from cli/cli update; aborting"
+ exit 1
+ fi
 echo "commit_message=$commit_message" >> "$GITHUB_OUTPUT"
 env:
 CLI_GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 - name: Create pull request
 if: ${{ steps.update.outputs.commit_message }}
- uses: peter-evans/create-pull-request@v8
+ uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
 with:
 commit-message: ${{ steps.update.outputs.commit_message }}
 title: ${{ steps.update.outputs.commit_message }}
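Review bot: `github:cachix/devenv/v1.8` pins devenv to a git tag, which is still mutable, and because the step keeps `--accept-flake-config` the job will trust whatever `nixConfig` (extra substituters and their public keys) that tag points at on the day it runs; the actions in the same hunk were moved from tags to commit SHAs for exactly this reason. Pin the flake ref to a commit as well, `run: nix profile add --accept-flake-config github:cachix/devenv/<commit-sha> # v1.8`, or drop `--accept-flake-config` and declare the cachix substituter explicitly in the runner's nix config. Removing `id-token: write` from the job and adding the top-level `permissions: {}` look correct; the `update` job continues past this hunk.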
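Review bot: The new gate only checks that the value starts with `chore:`; it does not reject newlines, and the `echo "commit_message=$commit_message" >> "$GITHUB_OUTPUT"` on the following context line writes the value as a single `key=value` record, so a multi-line string coming back from `cli/cli update` (whose output is presumably derived from data fetched with `CLI_GITHUB_TOKEN`) would be parsed by the runner as additional outputs. Anchor the whole value and exclude control characters, e.g. `re='^chore: [^[:cntrl:]]+$'` followed by `if [[ -n "$commit_message" ]] && ! [[ "$commit_message" =~ $re ]]; then`, or emit the output with the heredoc delimiter form of `$GITHUB_OUTPUT`. Printing the rejected value in the error message would also make the abort diagnosable from the log. The `run:` block is fully inside this hunk, but the job continues below it.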
@@ -68,9 +74,10 @@ jobs:
 notify:
 if: failure()
 runs-on: ubuntu-latest
+ timeout-minutes: 2
 needs: [update]
 steps:
- - uses: slackapi/slack-github-action@v2
+ - uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
 with:
 webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
 webhook-type: webhook-trigger

From 0ea2c9a9dd1c05e2a7748321b2e536d77051b353 Mon Sep 17 00:00:00 2001
From: Davidnbr
Date: Fri, 15 May 2026 12:01:30 -0500
Subject: [PATCH 2/3] chore: add gomod on dependabot

---
 .github/dependabot.yml | 4 ++++
 .github/workflows/publish.yml | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index ca79ca5b..a20a6b8c 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,3 +4,7 @@ updates:
 directory: /
 schedule:
 interval: weekly
+ - package-ecosystem: gomod
+ directory: /cli
+ schedule:
+ interval: weekly
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 9dcad11b..85e3275d 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -20,7 +20,7 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
- ref: ${{ github.sha }}
+ ref: ${{ github.ref_name }}
 - name: Install Nix
 uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
 - name: Publish flake

From 4739c5c2c28f81d0e6d4f2afeae08e660fad9291 Mon Sep 17 00:00:00 2001
From: Davidnbr
Date: Fri, 15 May 2026 12:07:14 -0500
Subject: [PATCH 3/3] ci: use feat as the gate for commit message on update

---
 .github/workflows/update.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml
index db454581..1d96c7b9 100644
--- a/.github/workflows/update.yml
+++ b/.github/workflows/update.yml
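Review bot: This publish.yml hunk silently reverts the `ref: ${{ github.sha }}` checkout from the first patch back to `${{ github.ref_name }}`, inside a commit titled "chore: add gomod on dependabot" whose message says nothing about it. `github.ref_name` is a tag or branch name that can be moved after the run is queued, whereas `github.sha` is the commit the run was actually triggered on and is what the `tag: ${{ github.ref_name }}` handed to flakehub-push a few lines below should correspond to. If checking out by SHA broke the publish, the reason belongs in the commit message or as a comment on the line, e.g. `# checkout by ref name: <reason the SHA checkout fails>`; otherwise keep `ref: ${{ github.sha }}` and land the dependabot change on its own.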
@@ -41,7 +41,7 @@ jobs:
 id: update
 run: |
 commit_message=$(cli/cli update)
- if [[ -n "$commit_message" ]] && ! [[ "$commit_message" =~ ^chore: ]]; then
+ if [[ -n "$commit_message" ]] && ! [[ "$commit_message" =~ ^feat: ]]; then
 echo "Unexpected commit message format from cli/cli update; aborting"
 exit 1
 fi
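Review bot: The gate now accepts only `feat:`-prefixed messages, but nothing in the step records why `cli/cli update` is expected to emit that prefix, so the next change to the CLI's commit format will trip the abort with no context; a comment above the check such as `# cli/cli update emits one "feat: ..." line when there is something to bump, or nothing; any other output is treated as a CLI bug` would close that gap (confirm the contract against the CLI source, which is not in this patch). The pattern still anchors only the start of the value, so the `$GITHUB_OUTPUT` write after the hunk receives whatever follows the prefix unchanged.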