1.3.1: Dependency update

Signed-off-by: Austin Ziegler <[email protected]>

.github/dependabot.yml

@@ -4,8 +4,6 @@ updates:
     directory: /
     schedule:
       interval: monthly
-      time: '10:00'
-      timezone: 'America/Toronto'
     commit-message:
       prefix: chore
     ignore:
@@ -16,7 +14,5 @@ updates:
     directory: /
     schedule:
       interval: monthly
-      time: '10:00'
-      timezone: 'America/Toronto'
     commit-message:
       prefix: chore

.github/workflows/check-dist.yml

@@ -25,6 +25,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - uses: pnpm/action-setup@v4
 
@@ -51,7 +53,7 @@ jobs:
       # If `dist/` was different than expected, and this was not a Dependabot
       # PR, upload the expected version as a workflow artifact.
       - uses: actions/upload-artifact@v4
-        if: ${{ steps.diff.outcome == 'failure' }}
+        if: ${{ failure() && steps.diff.outcome == 'failure' }}
         with:
           name: dist
           path: dist/

.github/workflows/codeql.yml

@@ -49,6 +49,8 @@ jobs:
     steps:
     - name: Checkout repository
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/dco.yml

@@ -9,6 +9,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - uses: ./
         with:

.github/workflows/dependabot-automerge.yml

@@ -3,14 +3,14 @@ name: Dependabot auto-merge
 on:
   pull_request:
 
-permissions:
-  contents: write
-  pull-requests: write
-
 jobs:
   dependabot-automerge:
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: write
+      pull-requests: write
+
     steps:
       - uses: KineticCafe/actions/[email protected]
         with:

.github/workflows/zizmor.yml

@@ -0,0 +1,34 @@
+name: GitHub Actions Security Analysis with zizmor
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+
+jobs:
+  zizmor:
+    name: zizmor latest via Cargo
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      # required for workflows in private repositories
+      contents: read
+      actions: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Setup Rust
+        uses: actions-rust-lang/setup-rust-toolchain@v1
+      - name: Get zizmor
+        run: cargo install zizmor
+      - name: Run zizmor
+        run: zizmor --format sarif . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+          category: zizmor

Changelog.md

@@ -1,12 +1,20 @@
 # KineticCafe/actions-dco Changelog
 
+## 1.3.1 / 2024-11-01
+
+- Upgrade dependencies.
+
+- Add CodeQL configuration.
+
+- Switch to Mise for local dependency management instead of NVM with direnv.
+
 ## 1.3 / 2024-02-28
 
 - Upgrade dependencies.
 
 - Improved governance documentation, mostly by adding it.
 
-- Switched from eslint/prettier to Biome.
+- Switched from ESLint & prettier to Biome.
 
 - Included action / version in the output.
 
@@ -23,5 +31,5 @@
 
 ## 1.0 / 2023-06-12
 
-- Initial release. This is a Typescript port of tisonkun/actions-dco set
-  to use Node v16.
+- Initial release. This is a Typescript port of tisonkun/actions-dco set to use
+  Node v16.