From 4061140171506a3406b4bcf62bc34176b019f69a Mon Sep 17 00:00:00 2001
From: Christian Oliff
Date: Mon, 8 Sep 2025 23:29:54 +0900
Subject: [PATCH 1/3] Update GitHub Actions workflows and pin action versions
Standardized YAML quoting style, added 'persist-credentials: false' to checkout steps, pinned actions/checkout and other actions to specific commit SHAs for improved security, and fixed a typo in the super-linter workflow. These changes enhance workflow reliability and security.
---
 .github/workflows/codeql-analysis.yml | 10 ++++++----
 .github/workflows/spellcheck.yml | 9 ++++++---
 .github/workflows/super-linter.yml | 7 ++++---
 3 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 830341d..8eae2f7 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -1,14 +1,14 @@ -name: "CodeQL" +name: 'CodeQL' on: push: branches: - main - "!dependabot/**" + - '!dependabot/**' pull_request: branches: - main - "!dependabot/**" + - '!dependabot/**' workflow_dispatch: jobs:
@@ -23,11 +23,13 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v5 + with: + persist-credentials: false - name: Initialize CodeQL uses: github/codeql-action/init@v3 with: - languages: "javascript" + languages: 'javascript' queries: +security-and-quality - name: Perform CodeQL Analysis
diff --git a/.github/workflows/spellcheck.yml b/.github/workflows/spellcheck.yml
index c4de0e4..fa574fc 100644
--- a/.github/workflows/spellcheck.yml
+++ b/.github/workflows/spellcheck.yml
@@ -1,4 +1,4 @@ -name: "Check spelling" +name: 'Check spelling' on: push: branches: [main]
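Review bot: The CodeQL steps in the second codeql-analysis.yml hunk stay on mutable tags — `uses: github/codeql-action/init@v3` on the new side, and the "Perform CodeQL Analysis" step whose `uses:` line falls just past the end of the hunk — although the commit message says actions were pinned to commit SHAs. Pin them the way the spellcheck and super-linter workflows are pinned in this same patch, `uses: github/codeql-action/init@<commit SHA the chosen v3 release tag points to> # v3.x.y`, with the release tag recorded in the trailing comment so the hash and the comment can be verified and updated together. The checkout step in this hunk is still `actions/checkout@v5` here, but the third patch in the series takes care of that one, so only the two codeql-action references remain unpinned.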
@@ -13,8 +13,11 @@ jobs: runs-on: ubuntu-latest if: ${{ github.actor != 'dependabot[bot]' }} steps: - - uses: actions/checkout@v5 - - uses: streetsidesoftware/cspell-action@v7 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false + + - uses: streetsidesoftware/cspell-action@dcd03dc3e8a59ec2e360d0c62db517baa0b4bb6d # v7.2.0 with: check_dot_files: false incremental_files_only: true
diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml
index dbd209d..6940c18 100644
--- a/.github/workflows/super-linter.yml
+++ b/.github/workflows/super-linter.yml
@@ -24,12 +24,13 @@ jobs: steps: - name: Checkout Code - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 + persist-credentials: false - name: Super-linter - uses: super-linter/super-linter/slim@v8 + uses: super-linter/super-linter/slim@6916783267451c87693968017594a67447945328 # v8.11.1 env: DEFAULT_BRANCH: main FILTER_REGEX_EXCLUDE: '/test/'
@@ -49,4 +50,4 @@ jobs: VALIDATE_JSON_PRETTIER: false VALIDATE_JSCPD: false VALIDATE_NATURAL_LANGUAGE: false - VALIDTAE_YAML_PRETTIER: false + VALIDATE_YAML_PRETTIER: false
From 36104cf0526bef985b45fc7f5a22aff1c0c81f0c Mon Sep 17 00:00:00 2001
From: Christian Oliff
Date: Mon, 8 Sep 2025 23:32:30 +0900
Subject: [PATCH 2/3] Update
---
 .cspell.json | 3 ++-
 .github/workflows/super-linter.yml | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/.cspell.json b/.cspell.json
index 94163fa..feb4217 100644
--- a/.cspell.json
+++ b/.cspell.json
@@ -5,7 +5,8 @@ "fediverse", "Merbivore", "Monokai", - "SARIF" + "SARIF", + "ZIZMOR" ], "allowCompoundWords": true, "language": "en,en-US",
diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml
index 6940c18..830a9c4 100644
--- a/.github/workflows/super-linter.yml
+++ b/.github/workflows/super-linter.yml
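Review bot: The version comment on the new super-linter pin in the first super-linter.yml hunk, `uses: super-linter/super-linter/slim@6916783267451c87693968017594a67447945328 # v8.11.1`, is hard to reconcile with the `v8.1.0` that the second patch in this series moves to, and that second patch then replaces the hash with the mutable tag `@v8.1.0`, giving up the SHA pinning this commit introduces. A hash pin is only auditable when the comment names the tag the hash actually resolves to, so keep the hash form and fix the comment rather than dropping the pin: `uses: super-linter/super-linter/slim@<commit SHA that tag v8.1.0 points to> # v8.1.0`. The checkout line just above it, `actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0`, already shows the pattern to follow.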
@@ -30,7 +30,7 @@ jobs: persist-credentials: false - name: Super-linter - uses: super-linter/super-linter/slim@6916783267451c87693968017594a67447945328 # v8.11.1 + uses: super-linter/super-linter/slim@v8.1.0 env: DEFAULT_BRANCH: main FILTER_REGEX_EXCLUDE: '/test/'
@@ -45,6 +45,7 @@ jobs: VALIDATE_CSS: false VALIDATE_EDITORCONFIG: false VALIDATE_GIT_COMMITLINT: false + VALIDATE_GITHUB_ACTIONS_ZIZMOR: false VALIDATE_HTML_PRETTIER: false VALIDATE_JAVASCRIPT_PRETTIER: false VALIDATE_JSON_PRETTIER: false
From ad2b4987034058a05518ed6fde46a81fae60ec81 Mon Sep 17 00:00:00 2001
From: Christian Oliff
Date: Mon, 8 Sep 2025 23:34:10 +0900
Subject: [PATCH 3/3] Apply suggestion from @Copilot
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .github/workflows/codeql-analysis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 8eae2f7..6cab30d 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -22,7 +22,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false
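Review bot: The added `VALIDATE_GITHUB_ACTIONS_ZIZMOR: false` in the second super-linter.yml hunk switches off the workflow auditor whose checks include unpinned `uses:` references and checkouts that persist credentials — the very properties the first patch in this series hardened — so super-linter will no longer flag a regression in any of the three workflows. If it was disabled because of findings on the existing workflows, the better course is to fix or explicitly ignore those findings in a zizmor configuration and leave the check on. If it must stay off, add a comment above the line recording why and when it can be re-enabled, e.g. `# zizmor disabled: <reason> — re-enable once <condition>`, so the next reader does not read it as an oversight.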