From 965ddbcf9f00d4269dba63c3da6d7ba698ffc1ef Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 20 May 2026 19:29:12 +0000
Subject: [PATCH 1/3] chore: apply supply chain security defaults

---
 .github/dependabot.yml | 11 ++++++++++-
 .github/workflows/release.yml | 3 +++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 73f11c1..a3b18b9 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,4 +5,13 @@ updates:
 directory: "/"
 schedule:
 # Check for updates to GitHub Actions every week
- interval: "weekly"
\ No newline at end of file
+ interval: "weekly"
+ cooldown:
+ default-days: 3
+
+ - package-ecosystem: "gomod"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ cooldown:
+ default-days: 3
\ No newline at end of file
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 39158ef..c85e4f5 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,6 +6,9 @@ on:
 - main

 permissions:
+ # TODO(supply-chain): Review broad permissions. `contents: write` is needed to push tags;
+ # `id-token: write` and `attestations: write` are needed for build attestations via
+ # cli/gh-extension-precompile. Scope these down if attestation generation is removed.
 contents: write
 id-token: write
 attestations: write

From f6e1ab53ff3ea5d5bbe30144f258a48b75e2494f Mon Sep 17 00:00:00 2001
From: Greg Mohler <110078080+CallMeGreg@users.noreply.github.com>
Date: Wed, 20 May 2026 15:37:41 -0400
Subject: [PATCH 2/3] Update release.yml

---
 .github/workflows/release.yml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c85e4f5..f536c25 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
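Review bot: The new `cooldown: default-days: 3` stanzas carry no explanation, while the neighbouring `interval` line does, and the security intent of a cooldown is not obvious to the next maintainer who may lower it to get updates faster. I would add above each `cooldown:` key: `# Wait 3 days after a release before proposing it, so a freshly published (possibly compromised or yanked) version is not pulled in before the ecosystem has had a chance to flag it`. Note that, as far as I recall, Dependabot's cooldown applies to version updates only and security updates are still raised immediately — worth stating in the comment if that matches the docs. The original indentation is lost in this rendering, so I cannot confirm that `cooldown` sits at the same level as `schedule` rather than nested under it; please check that before merging.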
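Review bot: The TODO added above the top-level `permissions:` block describes why the grants are needed but leaves them workflow-wide, which means every job in this file (the `jobs:` section runs to at least line 112 per the later hunk, so there may be more than the release job) receives `contents: write` and an OIDC-capable `id-token: write`. The scoped form is to set the workflow default to read-only and grant the writes only on the job that runs cli/gh-extension-precompile: `permissions:` / `  contents: read` at the top, with `contents: write`, `id-token: write` and `attestations: write` moved into that job's own `permissions:` map. The comment should then say so rather than deferring it to a TODO, e.g. `# Write scopes are granted per-job below; keep the workflow default read-only`. I cannot see the `on:` trigger that precedes this hunk, so whether untrusted `pull_request` events can reach these grants is something to confirm as well.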
@@ -6,9 +6,6 @@ on:
 - main

 permissions:
- # TODO(supply-chain): Review broad permissions. `contents: write` is needed to push tags;
- # `id-token: write` and `attestations: write` are needed for build attestations via
- # cli/gh-extension-precompile. Scope these down if attestation generation is removed.
 contents: write
 id-token: write
 attestations: write
@@ -112,4 +109,4 @@ jobs:
 - uses: cli/gh-extension-precompile@9e2237c30f869ad3bcaed6a4be2cd43564dd421b # v2.1.0
 with:
 go_version_file: go.mod
- generate_attestations: true
\ No newline at end of file
+ generate_attestations: true

From f6d0d27a93473c894793bd0d861494e3ef454005 Mon Sep 17 00:00:00 2001
From: Greg Mohler <110078080+CallMeGreg@users.noreply.github.com>
Date: Wed, 20 May 2026 15:39:37 -0400
Subject: [PATCH 3/3] Update dependabot.yml to remove gomod settings

Removed gomod package ecosystem configuration.

---
 .github/dependabot.yml | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index a3b18b9..8693daa 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -8,10 +8,3 @@ updates:
 interval: "weekly"
 cooldown:
 default-days: 3
-
- - package-ecosystem: "gomod"
- directory: "/"
- schedule:
- interval: "weekly"
- cooldown:
- default-days: 3
\ No newline at end of file