Skip to content

Commit 230c7f6

Browse files
Stensel8renovate[bot]claude
authored
chore: overhaul CI/CD security scanning and harden workflows (#50)
## Summary Volledige herziening van de CI/CD workflows, dependency scanning en security setup. Alle GitHub Actions zijn SHA-gepind, CodeQL is geüpgraded naar v4, Trivy uploadt nu naar de Security tab, en de Python security-fixes zijn afgerond. ## Type of change - [x] `chore` — maintenance (dependencies, config, CI/CD) - [x] `fix` — bug fix (broken link, incorrect command, layout issue) ## What changed **Security scanning** - CodeQL geüpgraded van `v2` → `v4`; conflicterende Default Setup vervangen door advanced config - CodeQL scant nu alleen Python (geen Go — er zijn geen `.go` bronbestanden) - Trivy scan output gewijzigd van table naar SARIF + upload naar GitHub Security tab - Resterende CodeQL-alert gefixt: terminal-fallback in `show_message()` logde gevoelige info zonder sanitatie **Workflows** - Alle `uses:` SHA-gepind (`@SHA # vX.Y.Z`) in alle workflow-bestanden - `check-dependencies.yml` verwijderd — Renovate doet dit natiever - `python-checks.yml`: bandit op `-ll` (gelijk aan `pr-checks.yml`) - SHA-pins in `pr-checks.yml`, `hugo.yml`, `python-checks.yml`, `trivy-scan.yml` bijgewerkt **Dependency scanning** - `dependabot.yml`: `docker` ecosystem verwijderd (geen Dockerfiles) - `renovate.json`: `config:base` → `config:recommended`; `docker` rule verwijderd **saxion-eduroam.py** - 9 flake8-fouten opgelost (E302, E305, W291, W293, E501) - SHA256 checksum bijgewerkt in EN en NL docs ## Checklist - [x] PR title follows the commit convention (e.g. `fix: correct nmcli command in eduroam guide`) - [x] Both EN and NL versions updated (if applicable) - [x] Media is in AVIF format (not PNG/JPG) - [x] No broken image references (`/images/*.avif` all exist in `static/images/`) - [x] Tested locally with `hugo server` 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
1 parent 9e322a4 commit 230c7f6

21 files changed

Lines changed: 318 additions & 51 deletions

.github/dependabot.yml

Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -13,3 +13,17 @@ updates:
1313
interval: "weekly"
1414
commit-message:
1515
prefix: "chore"
16+
17+
- package-ecosystem: "gomod"
18+
directory: "/"
19+
schedule:
20+
interval: "weekly"
21+
commit-message:
22+
prefix: "chore"
23+
24+
- package-ecosystem: "pip"
25+
directory: "/"
26+
schedule:
27+
interval: "weekly"
28+
commit-message:
29+
prefix: "chore"

.github/renovate.json

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,28 @@
1+
{
2+
"extends": ["config:recommended"],
3+
"automerge": false,
4+
"timezone": "Europe/Amsterdam",
5+
"labels": ["dependencies"],
6+
"schedule": ["before 3am on Monday"],
7+
"prHourlyLimit": 2,
8+
"prConcurrentLimit": 5,
9+
"packageRules": [
10+
{
11+
"managers": ["gomod"],
12+
"groupName": "go modules",
13+
"schedule": ["before 3am on Monday"]
14+
},
15+
{
16+
"managers": ["pip"],
17+
"groupName": "python packages",
18+
"schedule": ["before 3am on Monday"]
19+
},
20+
{
21+
"managers": ["github-actions"],
22+
"groupName": "github actions",
23+
"automerge": true,
24+
"automergeType": "minor",
25+
"schedule": ["before 3am on Monday"]
26+
}
27+
]
28+
}

.github/workflows/codeql-analysis.yml

Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,36 @@
1+
name: "CodeQL Analysis"
2+
3+
on:
4+
push:
5+
branches: [ main, development ]
6+
pull_request:
7+
branches: [ main, development ]
8+
schedule:
9+
- cron: '0 3 * * 0'
10+
11+
permissions:
12+
contents: read
13+
security-events: write
14+
actions: read
15+
16+
jobs:
17+
analyze:
18+
name: Analyze (python)
19+
runs-on: ubuntu-latest
20+
21+
steps:
22+
- name: Checkout repository
23+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
24+
25+
- name: Initialize CodeQL
26+
uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
27+
with:
28+
languages: python
29+
30+
- name: Autobuild
31+
uses: github/codeql-action/autobuild@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
32+
33+
- name: Perform CodeQL Analysis
34+
uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
35+
with:
36+
category: "/language:python"

.github/workflows/hugo.yml

Lines changed: 9 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -22,22 +22,23 @@ jobs:
2222
build:
2323
runs-on: ubuntu-latest
2424
env:
25-
HUGO_VERSION: 0.152.2
25+
HUGO_VERSION: 0.160.0
2626
steps:
2727
- name: Install Hugo CLI
28-
run: |
29-
wget -O ${{ runner.temp }}/hugo.deb https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_linux-amd64.deb \
30-
&& sudo dpkg -i ${{ runner.temp }}/hugo.deb
28+
uses: peaceiris/actions-hugo@75d2e84710de30f6ff7268e08f310b60ef14033f # v3.0.0
29+
with:
30+
hugo-version: '0.160.1'
31+
extended: true
3132

3233
- name: Checkout
33-
uses: actions/checkout@v6
34+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
3435
with:
3536
submodules: recursive
3637
fetch-depth: 0
3738

3839
- name: Setup Pages
3940
id: pages
40-
uses: actions/configure-pages@v6
41+
uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6
4142

4243
- name: Build with Hugo
4344
env:
@@ -51,7 +52,7 @@ jobs:
5152
--baseURL "${{ steps.pages.outputs.base_url }}/"
5253
5354
- name: Upload artifact
54-
uses: actions/upload-pages-artifact@v4
55+
uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4
5556
with:
5657
path: ./public
5758

@@ -64,4 +65,4 @@ jobs:
6465
steps:
6566
- name: Deploy to GitHub Pages
6667
id: deployment
67-
uses: actions/deploy-pages@v5
68+
uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5

.github/workflows/pr-checks.yml

Lines changed: 10 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -34,7 +34,7 @@ jobs:
3434
name: Markdown lint
3535
runs-on: ubuntu-latest
3636
steps:
37-
- uses: actions/checkout@v6
37+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
3838
- uses: DavidAnson/markdownlint-cli2-action@ce4853d43830c74c1753b39f3cf40f71c2031eb9 # v23.0.0
3939
with:
4040
globs: "content/**/*.md"
@@ -44,8 +44,8 @@ jobs:
4444
name: Python security (bandit)
4545
runs-on: ubuntu-latest
4646
steps:
47-
- uses: actions/checkout@v6
48-
- uses: actions/setup-python@v6
47+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
48+
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
4949
with:
5050
python-version: "3.x"
5151
- run: pip install bandit
@@ -57,7 +57,7 @@ jobs:
5757
name: No PNG/JPG in static/images
5858
runs-on: ubuntu-latest
5959
steps:
60-
- uses: actions/checkout@v6
60+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
6161

6262
- name: Find non-AVIF images
6363
id: check
@@ -78,7 +78,7 @@ jobs:
7878
7979
- name: Post PR comment
8080
if: steps.check.outputs.found == 'true'
81-
uses: actions/github-script@v8
81+
uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0
8282
env:
8383
FILES: ${{ steps.check.outputs.files }}
8484
ACTOR: ${{ github.event.pull_request.user.login }}
@@ -128,7 +128,7 @@ jobs:
128128
name: EN/NL file parity
129129
runs-on: ubuntu-latest
130130
steps:
131-
- uses: actions/checkout@v6
131+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
132132
- name: Check every .md has a matching .nl.md
133133
run: |
134134
missing=""
@@ -154,7 +154,7 @@ jobs:
154154
env:
155155
HUGO_VERSION: 0.152.2
156156
steps:
157-
- uses: actions/checkout@v6
157+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
158158
with:
159159
submodules: recursive
160160
fetch-depth: 0
@@ -170,7 +170,7 @@ jobs:
170170
TZ: Europe/Amsterdam
171171
run: hugo --gc --minify --baseURL "http://localhost/"
172172
- name: Upload built site
173-
uses: actions/upload-artifact@v7
173+
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
174174
with:
175175
name: hugo-public
176176
path: public/
@@ -182,7 +182,7 @@ jobs:
182182
runs-on: ubuntu-latest
183183
needs: hugo-build
184184
steps:
185-
- uses: actions/download-artifact@v8
185+
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
186186
with:
187187
name: hugo-public
188188
path: public/
@@ -203,7 +203,7 @@ jobs:
203203
if: always()
204204
needs: [pr-title, bilingual, image-format, hugo-build, link-check]
205205
steps:
206-
- uses: actions/github-script@v8
206+
- uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0
207207
env:
208208
RESULT_PR_TITLE: ${{ needs.pr-title.result }}
209209
RESULT_BILINGUAL: ${{ needs.bilingual.result }}

.github/workflows/python-checks.yml

Lines changed: 32 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,32 @@
1+
name: Python Checks
2+
3+
on:
4+
push:
5+
branches: [ main, development ]
6+
pull_request:
7+
branches: [ main, development ]
8+
schedule:
9+
- cron: '0 5 * * 0'
10+
workflow_dispatch:
11+
12+
jobs:
13+
lint:
14+
runs-on: ubuntu-latest
15+
steps:
16+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
17+
18+
- name: Set up Python
19+
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
20+
with:
21+
python-version: '3.14'
22+
23+
- name: Install dependencies
24+
run: |
25+
python -m pip install --upgrade pip
26+
pip install flake8 bandit
27+
28+
- name: Lint with flake8
29+
run: flake8 static/scripts/saxion-eduroam.py --max-line-length=120
30+
31+
- name: Security scan with bandit
32+
run: bandit -r static/scripts/saxion-eduroam.py -ll

.github/workflows/trivy-scan.yml

Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,30 @@
1+
name: "Trivy filesystem scan"
2+
3+
on:
4+
schedule:
5+
- cron: '0 2 * * 0'
6+
workflow_dispatch:
7+
8+
permissions:
9+
contents: read
10+
security-events: write
11+
12+
jobs:
13+
trivy-scan:
14+
runs-on: ubuntu-latest
15+
steps:
16+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
17+
18+
- name: Run Trivy filesystem scan
19+
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
20+
with:
21+
scan-type: fs
22+
severity: CRITICAL,HIGH
23+
format: sarif
24+
output: trivy-results.sarif
25+
26+
- name: Upload Trivy results to GitHub Security tab
27+
uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
28+
if: always()
29+
with:
30+
sarif_file: trivy-results.sarif

README.md

Lines changed: 39 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,45 @@ CachyOS on the ASUS ROG Zephyrus G16 GA605WV (2024). My personal setup log: docu
77
**Browse the full documentation site: [zephyrus-linux.stensel.nl](https://zephyrus-linux.stensel.nl/)**
88

99

10+
## System information
11+
12+
```
13+
❯ fish
14+
.-------------------------: sten@Sten-Laptop
15+
.+=========================. ----------------
16+
:++===++==================- :++- OS: CachyOS x86_64
17+
:*++====+++++=============- .==: Host: ROG Zephyrus G16 GA605WV_GA605WV (1.0)
18+
-*+++=====+***++==========: Kernel: Linux 6.19.11-1-cachyos
19+
=*++++========------------: Uptime: 3 hours, 49 mins
20+
=*+++++=====- ... Packages: 1695 (pacman), 22 (flatpak)
21+
.+*+++++=-===: .=+++=: Shell: fish 4.6.0
22+
:++++=====-==: -*****+ Display (LQ160R1JW02): 2560x1600 @ 1.33x in 16", 240 Hz [Built-in]
23+
:++========-=. .=+**+. DE: GNOME 50.0
24+
.+==========-. . WM: Mutter (Wayland)
25+
:+++++++====- .--==-. WM Theme: Adwaita
26+
:++==========. :+++++++: Theme: Adwaita [GTK2/3/4]
27+
.-===========. =*****+*+ Icons: Adwaita [GTK2/3/4]
28+
.-===========: .+*****+: Font: Adwaita Sans (11pt) [GTK2/3/4]
29+
-=======++++:::::::::::::::::::::::::-: .---: Cursor: Adwaita (24px)
30+
:======++++====+++******************=. Terminal: GNOME Console 50.0
31+
:=====+++==========++++++++++++++*- Terminal Font: Adwaita Mono (11pt)
32+
.====++==============++++++++++*- CPU: AMD Ryzen AI 9 HX 370 (24) @ 5.16 GHz
33+
.===+==================+++++++: GPU 1: AMD Radeon 890M Graphics [Integrated]
34+
.-=======================+++: GPU 2: NVIDIA GeForce RTX 4060 Max-Q / Mobile [Discrete]
35+
.......................... Memory: 10.24 GiB / 28.98 GiB (35%)
36+
Swap: 1.28 MiB / 28.98 GiB (0%)
37+
Disk (/): 270.70 GiB / 951.85 GiB (28%) - btrfs
38+
Local IP (wlan0): 192.168.0.72/24
39+
Battery (A32-K55): 100% [AC Connected]
40+
Locale: en_US.UTF-8
41+
42+
43+
44+
~
45+
46+
```
47+
48+
1049
## About this project
1150

1251
This is my personal setup log for running CachyOS on this laptop. I'm not a software engineer or developer: just someone who switched to Linux and ran into a lot of things that didn't work out of the box. I figured I'd write it all down so others don't have to go through the same trial and error I did.

README.nl.md

Lines changed: 39 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,45 @@ CachyOS op de ASUS ROG Zephyrus G16 GA605WV (2024). Mijn persoonlijke setup-log:
77
**Bekijk de volledige documentatiesite: [zephyrus-linux.stensel.nl](https://zephyrus-linux.stensel.nl/nl/)**
88

99

10+
## Systeeminformatie
11+
12+
```
13+
❯ fish
14+
.-------------------------: sten@Sten-Laptop
15+
.+=========================. ----------------
16+
:++===++==================- :++- OS: CachyOS x86_64
17+
:*++====+++++=============- .==: Host: ROG Zephyrus G16 GA605WV_GA605WV (1.0)
18+
-*+++=====+***++==========: Kernel: Linux 6.19.11-1-cachyos
19+
=*++++========------------: Uptime: 3 hours, 49 mins
20+
=*+++++=====- ... Packages: 1695 (pacman), 22 (flatpak)
21+
.+*+++++=-===: .=+++=: Shell: fish 4.6.0
22+
:++++=====-==: -*****+ Display (LQ160R1JW02): 2560x1600 @ 1.33x in 16", 240 Hz [Built-in]
23+
:++========-=. .=+**+. DE: GNOME 50.0
24+
.+==========-. . WM: Mutter (Wayland)
25+
:+++++++====- .--==-. WM Theme: Adwaita
26+
:++==========. :+++++++: Theme: Adwaita [GTK2/3/4]
27+
.-===========. =*****+*+ Icons: Adwaita [GTK2/3/4]
28+
.-===========: .+*****+: Font: Adwaita Sans (11pt) [GTK2/3/4]
29+
-=======++++:::::::::::::::::::::::::-: .---: Cursor: Adwaita (24px)
30+
:======++++====+++******************=. Terminal: GNOME Console 50.0
31+
:=====+++==========++++++++++++++*- Terminal Font: Adwaita Mono (11pt)
32+
.====++==============++++++++++*- CPU: AMD Ryzen AI 9 HX 370 (24) @ 5.16 GHz
33+
.===+==================+++++++: GPU 1: AMD Radeon 890M Graphics [Integrated]
34+
.-=======================+++: GPU 2: NVIDIA GeForce RTX 4060 Max-Q / Mobile [Discrete]
35+
.......................... Memory: 10.24 GiB / 28.98 GiB (35%)
36+
Swap: 1.28 MiB / 28.98 GiB (0%)
37+
Disk (/): 270.70 GiB / 951.85 GiB (28%) - btrfs
38+
Local IP (wlan0): 192.168.0.72/24
39+
Battery (A32-K55): 100% [AC Connected]
40+
Locale: en_US.UTF-8
41+
42+
43+
44+
~
45+
46+
```
47+
48+
1049
## Over dit project
1150

1251
Dit is mijn persoonlijke setup-log voor CachyOS op deze laptop. Ik ben geen software-engineer of developer: gewoon iemand die naar Linux is overgestapt en daarna tegen van alles aanliep wat niet meteen werkte. Ik heb alles opgeschreven zodat anderen niet hetzelfde hoeven uitzoeken als ik.

content/_index.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -38,8 +38,8 @@ toc: false
3838
| **iGPU** | AMD Radeon 890M |
3939
| **dGPU** | NVIDIA GeForce RTX 4060 Laptop (Max-Q) |
4040
| **OS** | CachyOS (Arch) |
41-
| **Kernel** | 6.19.8-1-cachyos |
42-
| **Display Server** | Wayland (GNOME 49) |
41+
| **Kernel** | 6.19.11-1-cachyos |
42+
| **Display Server** | Wayland (GNOME 50) |
4343
| **CPU Scheduler** | scx_lavd (sched_ext) |
4444
| **Secure Boot** | Enabled |
4545

0 commit comments

Comments
 (0)