* Add GitHub Actions audit job (actionlint + zizmor) to CI
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Configure dependabot for GitHub Actions, bundler, and Docker
Batches all action updates into a single weekly PR. Adds cooldown
periods to all ecosystems.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Add local GitHub Actions linting (actionlint + zizmor) to bin/setup and bin/ci
Install actionlint, shellcheck, and zizmor in bin/setup. Run both
linters as CI steps in config/ci.rb alongside existing style checks.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Pin all GitHub Actions to SHA hashes
Run pinact to pin action versions to specific commit SHAs,
preventing supply chain attacks from tag mutation.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Fix high severity zizmor findings
- Suppress unpinned-images for redis service containers (digest
pinning is nontrivial for service containers)
- Move workflow-level permissions to job-level in publish-image.yml
(build gets full set, manifest gets only what it needs)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Fix medium severity zizmor findings
- Add persist-credentials: false to all checkout steps
- Add permissions: {} at workflow level in ci.yml
- Add job-level permissions (contents: read) to all CI jobs
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Fix informational template-injection findings in publish-image.yml
Move steps.meta.outputs.tags from inline ${{ }} expressions to env
vars in both the manifest creation and cosign signing steps.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Update brakeman to 8.0.4
bin/brakeman uses --ensure-latest which fails if not on the newest version.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Bump Ruby to 3.4.5
* Update dependencies
* Adjust for Rails 8 and Ruby 3.5 API changes
* Mark params strings as mutable in prepapration for frozen strings in Ruby 3.5
* Update test for HTML5 sanitizer
With Rails 7.1 the HTML5 sanitizer became the default, this breakts this test because the old sanitizer used to delete unpermitted nodes, while the new one returns their content
The final string is safe, but different then it used to be in Rails 7.0
* Remove direct Turbo tesh helpers require & parallelize tests
* Fix Zeitwerk issues with rails extensions
* Update Resque setup for Redis 5+
* Remove unused views
* Remove GID v1 handler
