From 35adcd8cac3697e22efb93e234941b00a2eb35c7 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 8 May 2026 20:03:50 +0000 Subject: [PATCH 1/8] Initial plan Signed-off-by: Jan Kowalleck From f4af9d497011c5936201a8299892160390c1f3e6 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 8 May 2026 20:11:59 +0000 Subject: [PATCH 2/8] chore(workflows): add zizmor scan and harden checkout credential handling Agent-Logs-Url: https://github.com/CycloneDX/specification/sessions/38b5a4c8-2b6c-4a65-96d2-3c720709ae36 Co-authored-by: jkowalleck <2765863+jkowalleck@users.noreply.github.com> Signed-off-by: Jan Kowalleck --- .github/workflows/build_docs.yml | 6 +++++ .github/workflows/bundle_2.0_schemas.yml | 6 +++-- .github/workflows/test_java.yml | 2 ++ .github/workflows/test_js.yml | 2 ++ .github/workflows/test_php.yml | 2 ++ .github/workflows/test_proto.yml | 2 ++ .github/workflows/update_spdx_licenses.yml | 6 ++++- .github/workflows/zizmor.yml | 30 ++++++++++++++++++++++ 8 files changed, 53 insertions(+), 3 deletions(-) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/build_docs.yml b/.github/workflows/build_docs.yml index 70d1fbcc..e1072e81 100644 --- a/.github/workflows/build_docs.yml +++ b/.github/workflows/build_docs.yml @@ -22,6 +22,8 @@ jobs: - name: Checkout # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Set up JDK # see https://github.com/actions/setup-java uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 
@@ -47,6 +49,8 @@ jobs: - name: Checkout # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 @@ -71,6 +75,8 @@ jobs: - name: Checkout # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Generate Schema documentation run: ./gen.sh - name: Archive Schema documentation diff --git a/.github/workflows/bundle_2.0_schemas.yml b/.github/workflows/bundle_2.0_schemas.yml index adff66f9..e2673afd 100644 --- a/.github/workflows/bundle_2.0_schemas.yml +++ b/.github/workflows/bundle_2.0_schemas.yml @@ -21,7 +21,7 @@ jobs: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: - token: ${{ secrets.GITHUB_TOKEN }} + persist-credentials: false - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 @@ -40,6 +40,8 @@ jobs: ../../../../schema/2.0/cyclonedx-2.0.schema.json - name: Check for changes and commit + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | BUNDLED_FILE="schema/2.0/cyclonedx-2.0-bundled.schema.json" @@ -54,5 +56,5 @@ jobs: git config --local user.email "github-actions[bot]@users.noreply.github.com" git config --local user.name "github-actions[bot]" git commit -m "chore: update bundled schema [skip ci]" - git push + git push "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" fi diff --git a/.github/workflows/test_java.yml b/.github/workflows/test_java.yml index 8c0cbabb..5935a22c 100644 --- a/.github/workflows/test_java.yml +++ b/.github/workflows/test_java.yml 
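Review bot: The new push line in `.github/workflows/bundle_2.0_schemas.yml` embeds `${GH_TOKEN}` in the remote URL, so the token now passes through the shell command line instead of a credential helper; anything that echoes the command or the remote URL (git has historically printed the URL in some failure paths) can expose it, with only Actions' log masking of `GITHUB_TOKEN` as a backstop. The same pattern appears in the `@@ -109,7 +113,7 @@` hunk of `.github/workflows/update_spdx_licenses.yml` in this patch, where it is more pressing because that script runs under `set -eux`, so the expanded push command is traced into the job log. At minimum, switch tracing off right before that push, `set +x  # keep the token out of the trace` followed by the existing `git push "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "$SB_BRANCH"`; a git credential helper reading `GH_TOKEN` would keep the token out of both the URL and the argv entirely. Both `run:` scripts continue outside their hunks.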
@@ -24,6 +24,8 @@ jobs: - name: Checkout # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Set up JDK # see https://github.com/actions/setup-java uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 diff --git a/.github/workflows/test_js.yml b/.github/workflows/test_js.yml index f983c0c2..03c3ac3d 100644 --- a/.github/workflows/test_js.yml +++ b/.github/workflows/test_js.yml @@ -27,6 +27,8 @@ jobs: - name: Checkout # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Setup Node.js # see https://github.com/actions/setup-node uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 diff --git a/.github/workflows/test_php.yml b/.github/workflows/test_php.yml index 6fbcaf28..e6259aa2 100644 --- a/.github/workflows/test_php.yml +++ b/.github/workflows/test_php.yml @@ -27,6 +27,8 @@ jobs: - name: Checkout # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Setup PHP # see https://github.com/shivammathur/setup-php uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2 diff --git a/.github/workflows/test_proto.yml b/.github/workflows/test_proto.yml index 4d8b68b4..65847aff 100644 --- a/.github/workflows/test_proto.yml +++ b/.github/workflows/test_proto.yml @@ -27,5 +27,7 @@ jobs: - name: Checkout # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Run test run: ./test.sh diff --git a/.github/workflows/update_spdx_licenses.yml b/.github/workflows/update_spdx_licenses.yml index 4ca16001..7d4512a6 100644 --- a/.github/workflows/update_spdx_licenses.yml +++ b/.github/workflows/update_spdx_licenses.yml 
@@ -26,6 +26,7 @@ jobs: uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: ref: ${{ github.ref_name }} + persist-credentials: false - name: Set up JDK # see https://github.com/actions/setup-java uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 @@ -77,6 +78,7 @@ jobs: uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: ref: ${{ github.ref_name }} + persist-credentials: false - name: Switch branch id: branch run: | @@ -98,6 +100,8 @@ jobs: name: schema-spdx path: schema - name: Commit and push + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | set -eux if git diff --quiet -- 'schema/spdx.*' @@ -109,7 +113,7 @@ jobs: git config user.email 'spdx-license-bumper@bot.local' git add -A schema git commit -s -m "feat: bump SPDX licenses $SB_VERSION" - git push origin "$SB_BRANCH" + git push "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "$SB_BRANCH" - name: Pull request if: ${{ steps.branch.outputs.existed == 'false' }} run: > diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 00000000..58a611bd --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,30 @@ +name: Zizmor + +on: + pull_request: + branches: ['master', 'main'] + paths: + - '.github/workflows/**' + schedule: + - cron: '0 0 * * 6' + +permissions: + contents: read + +jobs: + zizmor: + runs-on: ubuntu-latest + timeout-minutes: 10 + steps: + - name: Checkout + # see https://github.com/actions/checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false + - name: Run zizmor + # see https://github.com/zizmorcore/zizmor-action + uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 + with: + advanced-security: false + annotations: true + inputs: .github/workflows From 4e8d3672a2ee14949a2cfa4224d45fbe7ed2fad1 Mon Sep 17 00:00:00 2001 
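Review bot: The `advanced-security: false` / `annotations: true` pair in the new `.github/workflows/zizmor.yml` is undocumented, so a later maintainer cannot tell whether skipping the code-scanning upload is deliberate (no GitHub Advanced Security on this repository) or an oversight, nor whether findings are meant to fail the job or only annotate the run. A comment above the `with:` block such as `# no code-scanning (SARIF) upload, which needs GHAS; surface findings as run annotations instead` would record the intent. Since the workflow-level `permissions: contents: read` and the weekly schedule make this job the only place a regression in workflow hygiene is noticed, it is worth confirming against the action's documentation that findings produce a failing exit with these inputs rather than a green run with annotations.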
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 8 May 2026 20:18:00 +0000 Subject: [PATCH 3/8] fix: update setup-node pin to v6.4.0 to fix zizmor version comment mismatch Agent-Logs-Url: https://github.com/CycloneDX/specification/sessions/449f5c2b-6293-4a7e-a300-f7d30dd5a303 Co-authored-by: jkowalleck <2765863+jkowalleck@users.noreply.github.com> Signed-off-by: Jan Kowalleck --- .github/workflows/bundle_2.0_schemas.yml | 2 +- .github/workflows/test_js.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/bundle_2.0_schemas.yml b/.github/workflows/bundle_2.0_schemas.yml index e2673afd..18f80e54 100644 --- a/.github/workflows/bundle_2.0_schemas.yml +++ b/.github/workflows/bundle_2.0_schemas.yml @@ -24,7 +24,7 @@ jobs: persist-credentials: false - name: Setup Node.js - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v6.4.0 with: node-version: '20' diff --git a/.github/workflows/test_js.yml b/.github/workflows/test_js.yml index 03c3ac3d..4f6e50f1 100644 --- a/.github/workflows/test_js.yml +++ b/.github/workflows/test_js.yml @@ -31,7 +31,7 @@ jobs: persist-credentials: false - name: Setup Node.js # see https://github.com/actions/setup-node - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v6.4.0 with: node-version: '24.x' package-manager-cache: false From 4115e52ac843109ef14796a519fe928afd73b807 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 8 May 2026 20:22:35 +0000 Subject: [PATCH 4/8] chore: pin setup-node to current v6 hash with v6 comment Agent-Logs-Url: https://github.com/CycloneDX/specification/sessions/f4ade45e-a969-4f0a-b34b-705045e3e794 Co-authored-by: jkowalleck <2765863+jkowalleck@users.noreply.github.com> 
Signed-off-by: Jan Kowalleck --- .github/workflows/bundle_2.0_schemas.yml | 2 +- .github/workflows/test_js.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/bundle_2.0_schemas.yml b/.github/workflows/bundle_2.0_schemas.yml index 18f80e54..1fa6790f 100644 --- a/.github/workflows/bundle_2.0_schemas.yml +++ b/.github/workflows/bundle_2.0_schemas.yml @@ -24,7 +24,7 @@ jobs: persist-credentials: false - name: Setup Node.js - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v6.4.0 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: '20' diff --git a/.github/workflows/test_js.yml b/.github/workflows/test_js.yml index 4f6e50f1..ee3db0f0 100644 --- a/.github/workflows/test_js.yml +++ b/.github/workflows/test_js.yml @@ -31,7 +31,7 @@ jobs: persist-credentials: false - name: Setup Node.js # see https://github.com/actions/setup-node - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v6.4.0 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: '24.x' package-manager-cache: false From 2b0df0936d7c0cc926dd5f732717a0e769a41601 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 8 May 2026 20:27:58 +0000 Subject: [PATCH 5/8] ci: run zizmor on dependabot config and push changes Agent-Logs-Url: https://github.com/CycloneDX/specification/sessions/51987f49-67bc-464a-ba7a-48d317615575 Co-authored-by: jkowalleck <2765863+jkowalleck@users.noreply.github.com> Signed-off-by: Jan Kowalleck --- .github/workflows/zizmor.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 58a611bd..0708fb7e 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml 
@@ -5,6 +5,12 @@ on: branches: ['master', 'main'] paths: - '.github/workflows/**' + - '.github/dependabot.yml' + push: + branches: ['master', 'main'] + paths: + - '.github/workflows/**' + - '.github/dependabot.yml' schedule: - cron: '0 0 * * 6' From f8452437f2bff7dde1968d4bc44cdc932d9c2de2 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 8 May 2026 20:32:33 +0000 Subject: [PATCH 6/8] ci: remove explicit inputs from zizmor action call Agent-Logs-Url: https://github.com/CycloneDX/specification/sessions/df0ae69f-bafe-4e0d-9ba7-bf53e93e15a4 Co-authored-by: jkowalleck <2765863+jkowalleck@users.noreply.github.com> Signed-off-by: Jan Kowalleck --- .github/workflows/zizmor.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 0708fb7e..e460d210 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -33,4 +33,3 @@ jobs: with: advanced-security: false annotations: true - inputs: .github/workflows From 7ae948f635e4b5b480035ebccf43a1d961b50b07 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 8 May 2026 20:35:17 +0000 Subject: [PATCH 7/8] chore(dependabot): add cooldown to update blocks Agent-Logs-Url: https://github.com/CycloneDX/specification/sessions/4b35c3ac-f459-4465-9a06-eb69dea79412 Co-authored-by: jkowalleck <2765863+jkowalleck@users.noreply.github.com> Signed-off-by: Jan Kowalleck --- .github/dependabot.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 55172b32..0c2cf933 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -6,6 +6,8 @@ updates: schedule: interval: 'weekly' day: 'saturday' + cooldown: + default-days: 7 labels: [ 'dependencies' ] commit-message: prefix: 'chore' ## prefix maximum string length of 15 
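Review bot: The added `cooldown: default-days: 7` block carries no comment explaining its purpose, and the identical block is repeated in the five following hunks of `.github/dependabot.yml` (`@@ -16,6 +18,8 @@`, `@@ -26,6 +30,8 @@`, `@@ -36,6 +42,8 @@`, `@@ -46,6 +54,8 @@`, `@@ -56,6 +66,8 @@`), so the rationale is missing six times over. A one-line comment on the first occurrence, e.g. `# cooldown: wait 7 days after a release before proposing it, so versions yanked or flagged upstream do not reach a PR`, documents the supply-chain intent (assuming `default-days` is counted from the release date, as the setting's name suggests); the remaining blocks can stay bare. If a single ecosystem later needs a different window, the per-block placement is where that override would go.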
@@ -16,6 +18,8 @@ updates: schedule: interval: 'weekly' day: 'saturday' + cooldown: + default-days: 7 labels: [ 'dependencies' ] commit-message: prefix: 'chore' ## prefix maximum string length of 15 @@ -26,6 +30,8 @@ updates: schedule: interval: 'weekly' day: 'saturday' + cooldown: + default-days: 7 labels: [ 'dependencies' ] commit-message: prefix: 'chore' ## prefix maximum string length of 15 @@ -36,6 +42,8 @@ updates: schedule: interval: 'weekly' day: 'saturday' + cooldown: + default-days: 7 labels: [ 'dependencies' ] commit-message: prefix: 'chore' ## prefix maximum string length of 15 @@ -46,6 +54,8 @@ updates: schedule: interval: 'weekly' day: 'saturday' + cooldown: + default-days: 7 labels: [ 'dependencies' ] commit-message: prefix: 'chore' ## prefix maximum string length of 15 @@ -56,6 +66,8 @@ updates: schedule: interval: 'weekly' day: 'saturday' + cooldown: + default-days: 7 labels: [ 'dependencies' ] commit-message: prefix: 'chore' ## prefix maximum string length of 15 From 784751cc0b86ce703deedbb16df2f56c487b72ce Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Fri, 8 May 2026 22:37:31 +0200 Subject: [PATCH 8/8] Apply suggestions from code review Co-authored-by: Jan Kowalleck Signed-off-by: Jan Kowalleck --- .github/workflows/zizmor.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index e460d210..1e00042b 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -2,12 +2,10 @@ name: Zizmor on: pull_request: - branches: ['master', 'main'] paths: - '.github/workflows/**' - '.github/dependabot.yml' push: - branches: ['master', 'main'] paths: - '.github/workflows/**' - '.github/dependabot.yml'