jkroepke
diff --git a/‎.checkov.yml‎
Lines changed: 7 additions & 0 deletions b/‎.checkov.yml‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎.editorconfig‎
Lines changed: 3 additions & 0 deletions b/‎.editorconfig‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎.github/ISSUE_TEMPLATE/bug_report.yaml‎
Lines changed: 1 addition & 1 deletion b/‎.github/ISSUE_TEMPLATE/bug_report.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 19 additions & 9 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 19 additions & 9 deletions
diff --git a/‎.github/workflows/pr.yaml‎
Lines changed: 2 additions & 0 deletions b/‎.github/workflows/pr.yaml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎.github/workflows/release-changelog.yaml‎
Lines changed: 5 additions & 5 deletions b/‎.github/workflows/release-changelog.yaml‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎.github/workflows/renovate-custom-hooks.yaml‎
Lines changed: 8 additions & 3 deletions b/‎.github/workflows/renovate-custom-hooks.yaml‎
Lines changed: 8 additions & 3 deletions
diff --git a/‎.github/workflows/update-major-tag.yaml‎
Lines changed: 7 additions & 3 deletions b/‎.github/workflows/update-major-tag.yaml‎
Lines changed: 7 additions & 3 deletions
@@ -0,0 +1,7 @@
+# See: https://www.checkov.io/1.Welcome/Quick%20Start.html
+
+compact: true
+quiet: true
+skip-path:
+  - coverage
+  - node_modules
@@ -8,3 +8,6 @@ insert_final_newline = true
 trim_trailing_whitespace = true
 end_of_line = lf
 max_line_length = 160
+
+[{README.md,.github/{workflows,ISSUE_TEMPLATE}/*.yaml}]
+max_line_length = 200
@@ -1,5 +1,5 @@
 name: 🐞 Bug
-description: Something is not working as indended.
+description: Something is not working as indented.
 labels: [🐞 bug]
 body:
   - type: markdown
 
@@ -14,6 +14,8 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: 'false'
       - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
           node-version-file: package.json
@@ -33,6 +35,8 @@ jobs:
       RUNNER_DEBUG: 1
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: 'false'
       - uses: ./
         with:
           version: 'latest'
@@ -59,23 +63,28 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: 'false'
 
       - name: Lint Code Base
         uses: super-linter/super-linter/slim@61abc07d755095a68f4987d1c2c3d1d64408f1f9 # v8.5.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          ENABLE_GITHUB_ACTIONS_STEP_SUMMARY: true
+          ENABLE_GITHUB_PULL_REQUEST_SUMMARY_COMMENT: false
+          SAVE_SUPER_LINTER_SUMMARY: true
           MULTI_STATUS: false
           LINTER_RULES_PATH: .
+          CHECKOV_FILE_NAME: .checkov.yml
+          DEFAULT_BRANCH: main
+          FILTER_REGEX_EXCLUDE: dist/**/*
           VALIDATE_ALL_CODEBASE: true
-          VALIDATE_BASH: true
-          VALIDATE_BASH_EXEC: true
-          VALIDATE_ENV: true
-          VALIDATE_GITHUB_ACTIONS: true
-          VALIDATE_HTML: true
-          VALIDATE_NATURAL_LANGUAGE: true
-          VALIDATE_SHELL_SHFMT: true
-          VALIDATE_XML: true
-          VALIDATE_YAML: true
+          VALIDATE_BIOME_FORMAT: false
+          VALIDATE_BIOME_LINT: false
+          VALIDATE_JAVASCRIPT_ES: false
+          VALIDATE_JSCPD: false
+          VALIDATE_TYPESCRIPT_ES: false
+          VALIDATE_JSON: false
+          VALIDATE_MARKDOWN: false
 
   release:
     if: github.repository_owner == 'jkroepke' && github.ref_name == 'main'
@@ -97,6 +106,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: 'false'
       - name: Setup Node.js
         uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
 
@@ -49,6 +49,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: 'false'
       - name: check
         run: |
           PR_TITLE_PREFIX=$(echo "$PR_TITLE" | cut -d':' -f1)
 
@@ -14,13 +14,13 @@ jobs:
       contents: write
     steps:
       - name: Update notes
+        #language=bash
         run: |
-          TAG="${{ github.ref_name }}"
+          TAG="${GITHUB_REF_NAME}"
           if [[ "$TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-            NEW_NOTES=$(gh api --method POST -H "Accept: application/vnd.github+json" /repos/${{ github.repository }}/releases/generate-notes  -f tag_name=${{ github.ref_name }} | jq -r '.body')
-            RELEASE_ID=$(gh api -H "Accept: application/vnd.github+json" /repos/${{ github.repository }}/releases/tags/${{ github.ref_name }} | jq -r '.id')
-            gh api --method PATCH -H "Accept: application/vnd.github+json" "/repos/${{ github.repository }}/releases/$RELEASE_ID" -f "body=$NEW_NOTES"
+            NEW_NOTES=$(gh api --method POST -H "Accept: application/vnd.github+json" "/repos/${{ github.repository }}/releases/generate-notes" -f "tag_name=${GITHUB_REF_NAME}" | jq -r '.body')
+            RELEASE_ID=$(gh api -H "Accept: application/vnd.github+json" "/repos/${{ github.repository }}/releases/tags/${GITHUB_REF_NAME}" | jq -r '.id')
+            gh api --method PATCH -H "Accept: application/vnd.github+json" "/repos/${{ github.repository }}/releases/${RELEASE_ID}" -f "body=$NEW_NOTES"
           fi
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          RELEASE_TAG: ${{ github.event.release.tag_name }}
@@ -1,5 +1,7 @@
 name: renovate hooks
 
+permissions: {}
+
 on:
   pull_request:
     branches:
@@ -13,11 +15,14 @@ jobs:
   renovate-post-run:
     name: Renovate Post Upgrade Hook
     runs-on: ubuntu-latest
-    if: github.repository_owner == 'jkroepke' && (github.actor == 'renovate[bot]' || github.actor == 'mend[bot]')
+    permissions:
+      contents: read
+    if: github.repository_owner == 'jkroepke' && github.event.pull_request.user.login == 'renovate[bot]'
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       # Using a GitHub App token, because GitHub Actions doesn't run on commits from github-actions bot
       # Used App:
@@ -104,8 +109,8 @@ jobs:
 
           # Call GitHub API
           curl https://api.github.com/graphql -f \
-               -sSf -H "Authorization: Bearer $GITHUB_TOKEN" \
-               --data "@$JSON_PAYLOAD_FILE"
+            -sSf -H "Authorization: Bearer $GITHUB_TOKEN" \
+            --data "@$JSON_PAYLOAD_FILE"
 
           # Clean up temporary files
           rm "$FILE_CHANGES_JSON_FILE" "$JSON_PAYLOAD_FILE"
@@ -13,10 +13,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - run: |
-          TAG="${{ github.ref_name }}"
+        with:
+          persist-credentials: 'false'
+
+      - name: Push major tag
+        #language=bash
+        run: |
+          TAG="${GITHUB_REF_NAME}"
           if [[ "$TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-            TAG="${{ github.ref_name }}"
             TAG="${TAG%%.*}"
             git tag -f "${TAG}"
             git push --tags --force