chore: update dependency configurations and remove unused workflows

Author: Stensel8

.github/dependabot.yml

@@ -27,10 +27,3 @@ updates:
       interval: "weekly"
     commit-message:
       prefix: "chore"
-
-  - package-ecosystem: "docker"
-    directory: "/"
-    schedule:
-      interval: "weekly"
-    commit-message:
-      prefix: "chore"

.github/renovate.json

@@ -1,5 +1,5 @@
 {
-  "extends": ["config:base"],
+  "extends": ["config:recommended"],
   "automerge": false,
   "timezone": "Europe/Amsterdam",
   "labels": ["dependencies"],
@@ -23,12 +23,6 @@
       "automerge": true,
       "automergeType": "minor",
       "schedule": ["before 3am on Monday"]
-    },
-    {
-      "managers": ["docker"],
-      "groupName": "docker images",
-      "schedule": ["before 3am on Monday"],
-      "automerge": false
     }
   ]
 }

.github/workflows/check-dependencies.yml

@@ -11,22 +11,30 @@ on:
 permissions:
   contents: read
   security-events: write
+  actions: read
 
 jobs:
   analyze:
-    name: Analyze (CodeQL)
+    name: Analyze (${{ matrix.language }})
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ go, python ]
+
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
         with:
-          languages: go
+          languages: ${{ matrix.language }}
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
+        uses: github/codeql-action/autobuild@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+        with:
+          category: "/language:${{ matrix.language }}"

.github/workflows/codeql-analysis.yml

@@ -25,20 +25,20 @@ jobs:
       HUGO_VERSION: 0.160.0
     steps:
       - name: Install Hugo CLI
-        uses: peaceiris/actions-hugo@v3.0.0
+        uses: peaceiris/actions-hugo@75d2e84710de30f6ff7268e08f310b60ef14033f # v3.0.0
         with:
           hugo-version: '0.160.1'
           extended: true
 
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           submodules: recursive
           fetch-depth: 0
 
       - name: Setup Pages
         id: pages
-        uses: actions/configure-pages@v6
+        uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6
 
       - name: Build with Hugo
         env:
@@ -52,7 +52,7 @@ jobs:
             --baseURL "${{ steps.pages.outputs.base_url }}/"
 
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@v4
+        uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4
         with:
           path: ./public
 
@@ -65,4 +65,4 @@ jobs:
     steps:
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v5
+        uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5

.github/workflows/hugo.yml

@@ -34,7 +34,7 @@ jobs:
     name: Markdown lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - uses: DavidAnson/markdownlint-cli2-action@ce4853d43830c74c1753b39f3cf40f71c2031eb9 # v23.0.0
         with:
           globs: "content/**/*.md"
@@ -44,8 +44,8 @@ jobs:
     name: Python security (bandit)
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-python@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: "3.x"
       - run: pip install bandit
@@ -57,7 +57,7 @@ jobs:
     name: No PNG/JPG in static/images
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Find non-AVIF images
         id: check
@@ -78,7 +78,7 @@ jobs:
 
       - name: Post PR comment
         if: steps.check.outputs.found == 'true'
-        uses: actions/github-script@v9
+        uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0
         env:
           FILES: ${{ steps.check.outputs.files }}
           ACTOR: ${{ github.event.pull_request.user.login }}
@@ -128,7 +128,7 @@ jobs:
     name: EN/NL file parity
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Check every .md has a matching .nl.md
         run: |
           missing=""
@@ -154,7 +154,7 @@ jobs:
     env:
       HUGO_VERSION: 0.152.2
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           submodules: recursive
           fetch-depth: 0
@@ -170,7 +170,7 @@ jobs:
           TZ: Europe/Amsterdam
         run: hugo --gc --minify --baseURL "http://localhost/"
       - name: Upload built site
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: hugo-public
           path: public/
@@ -182,7 +182,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: hugo-build
     steps:
-      - uses: actions/download-artifact@v8
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: hugo-public
           path: public/
@@ -203,7 +203,7 @@ jobs:
     if: always()
     needs: [pr-title, bilingual, image-format, hugo-build, link-check]
     steps:
-      - uses: actions/github-script@v9
+      - uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0
         env:
           RESULT_PR_TITLE:    ${{ needs.pr-title.result }}
           RESULT_BILINGUAL:   ${{ needs.bilingual.result }}

.github/workflows/pr-checks.yml

@@ -13,10 +13,10 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Set up Python
-        uses: actions/setup-python@v6.2.0
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.14'
 
@@ -29,4 +29,4 @@ jobs:
         run: flake8 static/scripts/saxion-eduroam.py --max-line-length=120
 
       - name: Security scan with bandit
-        run: bandit -r static/scripts/saxion-eduroam.py
+        run: bandit -r static/scripts/saxion-eduroam.py -ll

.github/workflows/python-checks.yml

@@ -5,14 +5,26 @@ on:
     - cron: '0 2 * * 0'
   workflow_dispatch:
 
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
   trivy-scan:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
       - name: Run Trivy filesystem scan
-        uses: aquasecurity/trivy-action@v0.35.0
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
         with:
           scan-type: fs
           severity: CRITICAL,HIGH
-          format: table
+          format: sarif
+          output: trivy-results.sarif
+
+      - name: Upload Trivy results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+        if: always()
+        with:
+          sarif_file: trivy-results.sarif

.github/workflows/trivy-scan.yml

@@ -59,13 +59,13 @@ A Python script automates the full `nmcli` connection setup for Saxion:
 curl -LO https://zephyrus-linux.stensel.nl/scripts/saxion-eduroam.py
 
 # 2. Verify checksum
-echo "c8d5eb6551807ae5e2b8b1b38e8edd02fc13f9c3c62edf5626f2f8845c916021  saxion-eduroam.py" | sha256sum -c
+echo "bb8c45e801fbd37bc7d8c12104ad3c525bc664571598344b90c5da0437631cf8  saxion-eduroam.py" | sha256sum -c
 
 # 3. Run
 python3 saxion-eduroam.py
 ```
 
-**SHA256:** `8dd2f2120ddebdfd9d764e04954322307dccb8c855c691de7600f2a8a71db42b`
+**SHA256:** `bb8c45e801fbd37bc7d8c12104ad3c525bc664571598344b90c5da0437631cf8`
 
 The script removes any existing eduroam profile, prompts for your **username** via a GUI dialog (zenity, kdialog, or yad) or terminal fallback, and activates the connection. Your password is never asked by the script; it is requested by your GNOME Keyring at connection time and stored securely, never in plaintext.
 

content/docs/networking/eduroam-network-installation.md

@@ -59,13 +59,13 @@ Een Python-script automatiseert de volledige `nmcli`-verbindingsconfiguratie voo
 curl -LO https://zephyrus-linux.stensel.nl/scripts/saxion-eduroam.py
 
 # 2. Controleer de checksum
-echo "c8d5eb6551807ae5e2b8b1b38e8edd02fc13f9c3c62edf5626f2f8845c916021  saxion-eduroam.py" | sha256sum -c
+echo "bb8c45e801fbd37bc7d8c12104ad3c525bc664571598344b90c5da0437631cf8  saxion-eduroam.py" | sha256sum -c
 
 # 3. Uitvoeren
 python3 saxion-eduroam.py
 ```
 
-**SHA256:** `8dd2f2120ddebdfd9d764e04954322307dccb8c855c691de7600f2a8a71db42b`
+**SHA256:** `bb8c45e801fbd37bc7d8c12104ad3c525bc664571598344b90c5da0437631cf8`
 
 Het script verwijdert een eventueel bestaand eduroam-profiel, vraagt je **gebruikersnaam** via een GUI-dialoog (zenity, kdialog of yad) of terminal-fallback, en activeert de verbinding. Je wachtwoord wordt nooit door het script gevraagd; dat wordt bij het verbinden opgevraagd door je GNOME Keyring en veilig opgeslagen, nooit in platte tekst.