From 3580818fa775ebfbcb8240105e8be59fbe872e72 Mon Sep 17 00:00:00 2001
From: DevForge Engineer
Date: Tue, 19 May 2026 02:31:52 -0400
Subject: [PATCH] ci: harden pages.yml security, add dependabot.yml, add .gitattributes

- Add persist-credentials: false to pages.yml checkout step (security: prevents token exfiltration in read-only workflow)
- Add dependabot.yml for weekly pip + GitHub Actions updates
- Add .gitattributes to enforce LF line endings across platforms
---
 .gitattributes | 7 +++++++
 .github/dependabot.yml | 16 +++++++++++++---
 .github/workflows/pages.yml | 2 ++
 3 files changed, 22 insertions(+), 3 deletions(-)
 create mode 100644 .gitattributes

diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..edbb339
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,7 @@
+# Enforce consistent line endings across all platforms
+* text=auto eol=lf
+
+# Windows shell scripts need CRLF
+*.bat text eol=crlf
+*.cmd text eol=crlf
+*.ps1 text eol=crlf
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 3c56f47..c4f654d 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,12 +1,22 @@
 version: 2
 updates:
 - package-ecosystem: pip
- directory: "/"
+ directory: /
 schedule:
 interval: weekly
+ day: monday
 open-pull-requests-limit: 5
+ labels:
+ - dependencies
+ - automated
+
 - package-ecosystem: github-actions
- directory: "/"
+ directory: /
 schedule:
 interval: weekly
- open-pull-requests-limit: 3
\ No newline at end of file
+ day: monday
+ open-pull-requests-limit: 5
+ labels:
+ - dependencies
+ - ci
+ - automated
diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml
index 60ac1ff..24a44ed 100644
--- a/.github/workflows/pages.yml
+++ b/.github/workflows/pages.yml
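Review bot: The `labels` lists added to both entries in `.github/dependabot.yml` only take effect if `dependencies`, `automated` and `ci` already exist as labels in the repository. Dependabot ignores a configured label that is not defined, so its pull requests would arrive unlabelled and any label-based triage would miss them without an error. The same hunk also raises `open-pull-requests-limit` for the `github-actions` entry from 3 to 5, which the commit description does not mention. Since the commit is framed as hardening, consider adding a `cooldown` block (for example `default-days: 7`, a constructed value) to the `pip` entry so that a release published hours ago is not proposed immediately.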
@@ -19,6 +19,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+ with:
+ persist-credentials: false
 - name: Setup Pages
 uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b
 - name: Build with Jekyll
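Review bot: The new `with:` block under the checkout step carries no comment saying why credentials are dropped, and the commit description's "read-only workflow" cannot be confirmed here because the `permissions:` block lies outside the hunk. `persist-credentials: false` keeps the token out of `.git/config`, so the later Jekyll build step cannot read it from the workspace, but it does not narrow what the job's `GITHUB_TOKEN` is allowed to do. I would add `# Keep GITHUB_TOKEN out of .git/config; the build does not need to push` above `with:` (assuming no later step pushes with git) and confirm that `permissions:` grants only what the Pages deployment needs. The `steps:` list continues past the end of the hunk, so any other checkout in this workflow should get the same setting.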