pull from dev (#50)

<!-- markdownlint-disable first-line-h1 no-inline-html -->

<!-- Hidden Markdown: Do Not Update this Area.

In order to have the best experience with our community, we recommend
that you read the code of conduct and contributing guidelines before
submitting a pull request.

By submitting this pull request, you confirm that you have read,
understood, and agreed to the project's code of conduct and contributing
guidelines.

Please use conventional commits to format the title of the pull request
and the commit messages.

For more information, please refer to
https://www.conventionalcommits.org.

-->.

### Summary

<!-- Hidden Markdown: Do Not Update this Area.

     Please provide a clear and concise description of the pull request.

-->.

### Type

<!-- Hidden Markdown: Do Not Update this Area.

Please check the one(s) that applies to this pull request using "x".

-->

- [ ] Bugfix
- [ ] Enhancement or Feature
- [ ] Code Style or Formatting
- [ ] Documentation
- [ ] Refactoring
- [ ] Chore
- [ ] Other
        Please describe:.

### Breaking Changes?

<!-- Hidden Markdown: Do Not Update this Area.

     Please check the one that applies to this pull request using "x".


If this pull request contains a breaking change, please describe the
impact and mitigation path.
-->

- [ ] Yes, there are breaking changes.
- [ ] No, there are no breaking changes..

### Test and Documentation

<!-- Hidden Markdown: Do Not Update this Area.

Please check the one(s) that applies to this pull request using "x".

For bug fixes and enhancements/features, please ensure that tests and
documentation have been completed and provide details.

-->

- [ ] Tests have been completed.
- [ ] Documentation has been added or updated.

<!-- Hidden Markdown: Do Not Update this Area.

Please describe the tests that have been completed and/or the
documentation that has been added/updated.

-->.

### Issue References

<!-- Hidden Markdown: Do Not Update this Area.

Is this related to any GitHub issue(s)? If so, please provide the issue
number(s) that are closed or resolved by this pull request.

For bug fixes and enhancements/features, please ensure that a GitHub
issue has been created and provide the issue number(s) here.

Please use the 'Closes' keyword followed by the a hash and issue number.
This will link the pull request to the issue(s) and automatically close
them when the pull request is merged.

     Example:

     Closes #000
     Closes #1

-->.

### Additional Information

<!-- Hidden Markdown: Do Not Update this Area.

     Please provide any additional information that may be helpful.

-->

Author: nathanthaler

.github/workflows/clone.yml

@@ -2,25 +2,41 @@ name: GitHub Clone Count Update Everyday
 
 on:
   schedule:
-    - cron: "0 0 * * *"
+    - cron: 0 0 * * *
   workflow_dispatch:
 
 jobs:
   build:
     runs-on: ubuntu-latest
     permissions:
+      # Required to commit CLONE.md file to repository
+      # Note: contents: write is the minimal permission needed for this workflow
+      # trunk-ignore(checkov): contents: write is required to commit files to repository
       contents: write
 
     steps:
       - uses: actions/checkout@v6
+        with:
+          ref: ${{ github.ref }}
+          fetch-depth: 0
+          token: ${{ secrets.SECRET_TOKEN }}
 
       - name: gh login
         run: echo "${{ secrets.SECRET_TOKEN }}" | gh auth login --with-token
 
       - name: parse latest clone count
+        env:
+          GITHUB_TOKEN: ${{ secrets.SECRET_TOKEN }}
         run: |
           set -euo pipefail
-          if ! curl -f --user "${{ github.actor }}:${{ secrets.SECRET_TOKEN }}" \
+          # SECRET_TOKEN is required because:
+          # 1. The traffic/clones endpoint requires "Administration" (read) permissions
+          # 2. GITHUB_TOKEN typically doesn't have access to traffic data
+          # 3. A Personal Access Token (PAT) with repo scope is needed
+          # Using environment variable to avoid exposing secret in process list
+          # Note: Secret is passed via env var, not command line, for security
+          # trunk-ignore(trufflehog): Secret properly handled via environment variable, not command line
+          if ! curl -f --user "${{ github.actor }}:$GITHUB_TOKEN" \
             -H "Accept: application/vnd.github.v3+json" \
             "https://api.github.com/repos/${{ github.repository }}/traffic/clones" \
             > clone.json; then
@@ -110,12 +126,15 @@ jobs:
               json.dump(latest, fh, ensure_ascii=False, indent=4)
           EOF
       - name: Update gist with latest count
+        env:
+          GITHUB_TOKEN: ${{ secrets.SECRET_TOKEN }}
         run: |
           set -euo pipefail
+          # Using environment variable to avoid exposing secret in process list
           content=$(sed -e 's/\\/\\\\/g' -e 's/\t/\\t/g' -e 's/\"/\\"/g' -e 's/\r//g' "clone.json" | sed -E ':a;N;$!ba;s/\r{0,1}\n/\\n/g')
           echo '{"description": "${{ github.repository }} clone statistics", "files": {"clone.json": {"content": "'"$content"'"}}}' > post_clone.json
           if ! curl -f -s -X PATCH \
-            --user "${{ github.actor }}:${{ secrets.SECRET_TOKEN }}" \
+            --user "${{ github.actor }}:$GITHUB_TOKEN" \
             -H "Content-Type: application/json" \
             -d @post_clone.json "https://api.github.com/gists/${{ steps.set_id.outputs.GIST }}" > /dev/null; then
             echo "Error: Failed to update gist"
@@ -139,5 +158,7 @@ jobs:
       - name: Push
         uses: ad-m/github-push-action@master
         with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          github_token: ${{ secrets.SECRET_TOKEN }}
+          branch: "gh-actions"
+          force_with_lease: true
 

CLONE.md

@@ -0,0 +1,5 @@
+
+**Markdown**
+```markdown
+[![GitHub Clones](https://img.shields.io/badge/dynamic/json?color=success&label=Clone&query=count&url=https://gist.githubusercontent.com/nathanthaler/7879c8fd9af27b17da21abe20eedee1d/raw/clone.json&logo=github)](https://gist.githubusercontent.com/nathanthaler/7879c8fd9af27b17da21abe20eedee1d/raw/clone.json)
+```