* Add GitHub Actions audit job (actionlint + zizmor) to CI
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Configure dependabot for GitHub Actions, bundler, and Docker
Batches all action updates into a single weekly PR. Adds cooldown
periods to all ecosystems.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Add local GitHub Actions linting (actionlint + zizmor) to bin/setup and bin/ci
Install actionlint, shellcheck, and zizmor in bin/setup. Run both
linters as CI steps in config/ci.rb alongside existing style checks.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Pin all GitHub Actions to SHA hashes
Run pinact to pin action versions to specific commit SHAs,
preventing supply chain attacks from tag mutation.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Fix high severity zizmor findings
- Suppress unpinned-images for redis service containers (digest
pinning is nontrivial for service containers)
- Move workflow-level permissions to job-level in publish-image.yml
(build gets full set, manifest gets only what it needs)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Fix medium severity zizmor findings
- Add persist-credentials: false to all checkout steps
- Add permissions: {} at workflow level in ci.yml
- Add job-level permissions (contents: read) to all CI jobs
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Fix informational template-injection findings in publish-image.yml
Move steps.meta.outputs.tags from inline ${{ }} expressions to env
vars in both the manifest creation and cosign signing steps.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Update brakeman to 8.0.4
bin/brakeman uses --ensure-latest which fails if not on the newest version.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Adds ipv4_mapped? and ipv4_compat? checks to PrivateNetworkGuard.private_ip?
to block SSRF bypass attempts using IPv6 address formats like:
- ::ffff:169.254.169.254 (IPv4-mapped)
- ::169.254.169.254 (IPv4-compatible)
These formats could previously bypass the link_local? check since Ruby
treats them as IPv6 addresses, not IPv4.
Ref: HackerOne #3481701
