From 16a75d497cd01de39310e0f1e9f92eb9f7f71eed Mon Sep 17 00:00:00 2001
From: Thomas A Caswell <tcaswell@gmail.com>
Date: Thu, 17 Jul 2025 20:57:50 -0400
Subject: [PATCH 1/4] CI: pin actions by SHA

This eliminates the possibility of a tag being changed under
us.
---
 .github/workflows/gh-pages.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml
index 48c9f92..bb1466b 100644
--- a/.github/workflows/gh-pages.yml
+++ b/.github/workflows/gh-pages.yml
@@ -14,7 +14,7 @@ jobs:
       - uses: actions/checkout@v2
 
       - name: Setup Hugo
-        uses: peaceiris/actions-hugo@v2
+        uses: peaceiris/actions-hugo@16361eb4acea8698b220b76c0d4e84e1fd22c61d # v2
         with:
           hugo-version: '0.62.2'
 
@@ -22,7 +22,7 @@ jobs:
         run: hugo --minify
 
       - name: Deploy
-        uses: peaceiris/actions-gh-pages@v3
+        uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           publish_dir: ./public

From 62ee5aacf0db18c6e77939f5fcaad99befb75552 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell <tcaswell@gmail.com>
Date: Thu, 17 Jul 2025 23:06:36 -0400
Subject: [PATCH 2/4] CI: auto-fix via zizmor

May include:

- Avoids risky string interpolation.
- Prevents checkout premissions from leaking
---
 .github/workflows/gh-pages.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml
index bb1466b..a75c6b8 100644
--- a/.github/workflows/gh-pages.yml
+++ b/.github/workflows/gh-pages.yml
@@ -12,6 +12,8 @@ jobs:
     runs-on: ubuntu-18.04
     steps:
       - uses: actions/checkout@v2
+        with:
+          persist-credentials: false
 
       - name: Setup Hugo
         uses: peaceiris/actions-hugo@16361eb4acea8698b220b76c0d4e84e1fd22c61d # v2

From a1b5d3f487b2c1ae6782642e366d57241daf9ebd Mon Sep 17 00:00:00 2001
From: Thomas A Caswell <tcaswell@gmail.com>
Date: Thu, 17 Jul 2025 23:22:04 -0400
Subject: [PATCH 3/4] CI: Restrict default permissions

Reduces risk of arbitrary code is run by attacker.
---
 .github/workflows/gh-pages.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml
index a75c6b8..aff3e17 100644
--- a/.github/workflows/gh-pages.yml
+++ b/.github/workflows/gh-pages.yml
@@ -1,4 +1,6 @@
 name: GitHub Pages
+permissions:
+  contents: read
 
 on:
   push:

From ebf4cbb3903fd35b5b9c69025a2046e0c1ad3a61 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell <tcaswell@gmail.com>
Date: Fri, 18 Jul 2025 11:31:40 -0400
Subject: [PATCH 4/4] CI: add dependabot config file for GHA

---
 .github/dependabot.yml | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..fc9f855
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"      # Location of your workflow files
+    schedule:
+      interval: "weekly"  # Options: daily, weekly, monthly