ci: zizmor (#758)

* ci: zizmor

* docs: improve workflow-templates

* docs: README point to templates as examples

* ci: dependabot schedule changes

* chore: devcontainer extension updates

* feat: devcontainer version everything

* ci: dependabot update docker image

* fix: dependabot

* ci: zizmor enable annotations

* ci: disable

Author: andykenward

.devcontainer/devcontainer-lock.json

@@ -1,31 +1,31 @@
 {
   "features": {
-    "ghcr.io/anthropics/devcontainer-features/claude-code:1.0": {
+    "ghcr.io/anthropics/devcontainer-features/claude-code:1.0.5": {
       "version": "1.0.5",
       "resolved": "ghcr.io/anthropics/devcontainer-features/claude-code@sha256:cfc2e7d3e9fd3b9b01f8d5cb158508a884c8c0ede2e23ed10f32dea5d4ffe69a",
       "integrity": "sha256:cfc2e7d3e9fd3b9b01f8d5cb158508a884c8c0ede2e23ed10f32dea5d4ffe69a"
     },
-    "ghcr.io/devcontainers-extra/features/act:1": {
+    "ghcr.io/devcontainers-extra/features/act:1.0.15": {
       "version": "1.0.15",
       "resolved": "ghcr.io/devcontainers-extra/features/act@sha256:db4a2194930d1f7ec62822d4f600dd2fa4aff3c33b98cdb0b578b64ffb10924c",
       "integrity": "sha256:db4a2194930d1f7ec62822d4f600dd2fa4aff3c33b98cdb0b578b64ffb10924c"
     },
-    "ghcr.io/devcontainers-extra/features/pre-commit:2": {
+    "ghcr.io/devcontainers-extra/features/pre-commit:2.0.18": {
       "version": "2.0.18",
       "resolved": "ghcr.io/devcontainers-extra/features/pre-commit@sha256:6e0bb2ce80caca1d94f44dab5d0653d88a1c00984e590adb7c6bce012d0ade6e",
       "integrity": "sha256:6e0bb2ce80caca1d94f44dab5d0653d88a1c00984e590adb7c6bce012d0ade6e"
     },
-    "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {
-      "version": "1.9.1",
-      "resolved": "ghcr.io/devcontainers/features/docker-outside-of-docker@sha256:dc89605f01ff2f24252c61f7c8ba2a58ccdbc14f2ebf87a7952d9e2b89834850",
-      "integrity": "sha256:dc89605f01ff2f24252c61f7c8ba2a58ccdbc14f2ebf87a7952d9e2b89834850"
+    "ghcr.io/devcontainers/features/docker-outside-of-docker:1.10.0": {
+      "version": "1.10.0",
+      "resolved": "ghcr.io/devcontainers/features/docker-outside-of-docker@sha256:c2c2cf829505ead8e4892c88c31b6594ae94a2bbb209e16e1fac456c1a3a624e",
+      "integrity": "sha256:c2c2cf829505ead8e4892c88c31b6594ae94a2bbb209e16e1fac456c1a3a624e"
     },
-    "ghcr.io/devcontainers/features/github-cli:1": {
+    "ghcr.io/devcontainers/features/github-cli:1.1.0": {
       "version": "1.1.0",
       "resolved": "ghcr.io/devcontainers/features/github-cli@sha256:d22f50b70ed75339b4eed1ba9ecde3a1791f90e88d37936517e3bace0bbad671",
       "integrity": "sha256:d22f50b70ed75339b4eed1ba9ecde3a1791f90e88d37936517e3bace0bbad671"
     },
-    "ghcr.io/devcontainers/features/node:2": {
+    "ghcr.io/devcontainers/features/node:2.0.0": {
       "version": "2.0.0",
       "resolved": "ghcr.io/devcontainers/features/node@sha256:fedd4c11f7adfb64283b578dddc7da906728daa25fa293351c9d913231acf12f",
       "integrity": "sha256:fedd4c11f7adfb64283b578dddc7da906728daa25fa293351c9d913231acf12f"

.devcontainer/devcontainer.json

@@ -1,34 +1,39 @@
 // For format details, see https://aka.ms/devcontainer.json. For config options, see the
 {
   "name": "Container - Cloudflare Pages Action",
-  "image": "mcr.microsoft.com/devcontainers/base:jammy",
+  // mcr.microsoft.com/devcontainers/base:jammy
+  "image": "mcr.microsoft.com/devcontainers/base:jammy@sha256:f2d74267998cfe76acefa5cc8d19ccc86bb2ba4520a5ad2b218def9566dc04cd",
   "customizations": {
     "vscode": {
       "extensions": [
-        "eamodio.gitlens",
-        "oxc.oxc-vscode",
-        "github.vscode-github-actions",
-        "yoavbls.pretty-ts-errors",
-        "redhat.vscode-yaml",
-        "GraphQL.vscode-graphql",
-        "GraphQL.vscode-graphql-syntax",
-        "vitest.explorer",
-        "webpro.vscode-knip"
-      ]
+        "eamodio.gitlens@2026.5.230538",
+        "github.vscode-github-actions@0.31.5",
+        "GraphQL.vscode-graphql-syntax@1.3.10",
+        "GraphQL.vscode-graphql@0.13.4",
+        "oxc.oxc-vscode@1.56.0",
+        "redhat.vscode-yaml@1.24.2026052209",
+        "vitest.explorer@1.50.4",
+        "webpro.vscode-knip@2.1.5",
+        "yoavbls.pretty-ts-errors@0.8.7"
+      ],
+      "settings": {
+        "extensions.autoUpdate": false,
+        "extensions.autoCheckUpdates": true
+      }
     }
   },
   "postCreateCommand": "sed -i '/^ZSH_THEME/c\\ZSH_THEME=\"bira\"' ~/.zshrc && pnpm i && pre-commit install",
   "updateContentCommand": "rm -rf .cache && pnpm i && pre-commit install",
   "features": {
-    "ghcr.io/devcontainers-extra/features/act:1": {},
-    "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {},
-    "ghcr.io/devcontainers/features/node:2": {
+    "ghcr.io/devcontainers-extra/features/act:1.0.15": {},
+    "ghcr.io/devcontainers/features/docker-outside-of-docker:1.10.0": {},
+    "ghcr.io/devcontainers/features/node:2.0.0": {
       "version": "24.7.0",
       "pnpmVersion": "11.0.8"
     },
-    "ghcr.io/devcontainers/features/github-cli:1": {},
-    "ghcr.io/devcontainers-extra/features/pre-commit:2": {},
-    "ghcr.io/anthropics/devcontainer-features/claude-code:1.0": {}
+    "ghcr.io/devcontainers/features/github-cli:1.1.0": {},
+    "ghcr.io/devcontainers-extra/features/pre-commit:2.0.18": {},
+    "ghcr.io/anthropics/devcontainer-features/claude-code:1.0.5": {}
   },
   "containerEnv": {
     "CLAUDE_CONFIG_DIR": "/home/vscode/.claude"

.github/dependabot.yml

@@ -6,24 +6,27 @@ updates:
     directory: /
     schedule:
       interval: weekly
-      day: sunday
+    cooldown:
+      default-days: 7
+  - package-ecosystem: docker
+    directory: /.devcontainer
+    schedule:
+      interval: weekly
     cooldown:
       default-days: 7
   - package-ecosystem: 'devcontainers'
     directory: '/'
     schedule:
       interval: weekly
-      day: sunday
     cooldown:
       default-days: 7
   - package-ecosystem: npm
     directory: /
     schedule:
       interval: weekly
-      day: sunday
     cooldown:
       default-days: 7
-      semver-major-days: 30
+      semver-major-days: 14
       semver-minor-days: 7
       semver-patch-days: 3
     groups:

.github/workflow-templates/delete.yml

@@ -8,8 +8,15 @@ on:
       - closed
     branches:
       - $default-branch
+
+concurrency:
+  group: deploy-delete-${{ github.head_ref || github.run_id }}
+
+# Deny all permissions by default; grant only what's needed per job
+permissions: {}
+
 jobs:
-  deploy:
+  delete:
     permissions:
       actions: read # Only required for private GitHub Repo
       contents: read
@@ -20,6 +27,8 @@ jobs:
     steps:
       - name: 'Checkout Github Action'
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+        with:
+          persist-credentials: false
       - name: 'Deploy deletion from Cloudflare Pages'
         uses: andykenward/github-actions-cloudflare-pages/delete@1f45924c4dd0c6d746a7edfaa4e1dea8958806a6 #v3.4.0
         with:

.github/workflow-templates/deploy.yml

@@ -9,6 +9,13 @@ on:
   pull_request:
     branches:
       - $default-branch
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+
+# Deny all permissions by default; grant only what's needed per job
+permissions: {}
+
 jobs:
   deploy:
     permissions:
@@ -21,6 +28,8 @@ jobs:
     steps:
       - name: 'Checkout Github Action'
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+        with:
+          persist-credentials: false
       - name: 'Deploy to Cloudflare Pages'
         uses: andykenward/github-actions-cloudflare-pages@1f45924c4dd0c6d746a7edfaa4e1dea8958806a6 #v3.4.0
         with:

.github/workflows/zizmor.yml

@@ -0,0 +1,28 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+name: GitHub Actions Security Analysis with zizmor
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: ['**']
+
+# Deny all permissions by default; grant only what's needed per job
+permissions: {}
+
+jobs:
+  zizmor:
+    name: zizmor
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write # upload SARIF to GitHub code scanning
+      contents: read # only needed for private or internal repos
+      actions: read # only needed for private or internal repos
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6

README.md

@@ -94,48 +94,10 @@ wrangler:
 
 ## Examples
 
-See the GitHub Workflow examples below or [.github/workflow-templates/deploy.yml](.github/workflow-templates/deploy.yml)
+See the GitHub Workflow Templates [.github/workflow-templates/](.github/workflow-templates/)
 
-### `push` & `pull_request`
-
-```yaml
-# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
-name: 'Deployment'
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - main
-
-jobs:
-  deploy:
-    permissions:
-      actions: read # Only required for private GitHub Repo
-      contents: read
-      deployments: write
-      pull-requests: write
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node_version: 20
-      - run: npm ci
-        run: npm run build
-      - name: Deploy to Cloudflare Pages
-        uses: andykenward/github-actions-cloudflare-pages@1f45924c4dd0c6d746a7edfaa4e1dea8958806a6 #v3.4.0
-        id: pages
-        with:
-          cloudflare-api-token: ${{ secrets.CLOUDFLARE_API_TOKEN }}
-          cloudflare-account-id: ${{ vars.CLOUDFLARE_ACCOUNT_ID }}
-          cloudflare-project-name: ${{ vars.CLOUDFLARE_PROJECT_NAME }}
-          directory: dist
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          github-environment: ${{ vars.CLOUDFLARE_PROJECT_NAME }} ${{ (github.ref == 'refs/heads/main' && '(Production)') || '(Preview)' }}
-```
+- [.github/workflow-templates/delete.yml](.github/workflow-templates/delete.yml)
+- [.github/workflow-templates/deploy.yml](.github/workflow-templates/deploy.yml)
 
 ### Fork pull requests with `workflow_run`