From 2d7859e03e2affa8a66017803ee605e1b0c2046a Mon Sep 17 00:00:00 2001
From: Ryan Eberhardt
Date: Tue, 24 Mar 2026 22:31:05 -0700
Subject: [PATCH 1/2] fix: harden GitHub Actions workflows (zizmor)

- Add `permissions: {}` to test workflow to fix excessive-permissions
- Upgrade actions/checkout to v6.0.2 and add persist-credentials: false
- Remove npm cache from publish workflow to prevent cache-poisoning
- Add dependabot cooldown configuration (auto-fix)
- Disable secrets-outside-env rule via .github/zizmor.yml

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/dependabot.yml | 4 ++++
 .github/workflows/provenance.yml | 5 +++--
 .github/workflows/test.yml | 6 +++++-
 .github/zizmor.yml | 3 +++
 4 files changed, 15 insertions(+), 3 deletions(-)
 create mode 100644 .github/zizmor.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 7e365f9..df54fbf 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,7 +5,11 @@ updates:
 directory: "/"
 schedule:
 interval: "daily"
+ cooldown:
+ default-days: 7
 - package-ecosystem: "github-actions"
 directory: "/"
 schedule:
 interval: "daily"
+ cooldown:
+ default-days: 7
diff --git a/.github/workflows/provenance.yml b/.github/workflows/provenance.yml
index d5b40b3..63e4f49 100644
--- a/.github/workflows/provenance.yml
+++ b/.github/workflows/provenance.yml
@@ -22,12 +22,13 @@ jobs:
 id-token: write
 steps:
- - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f #v6.1.0
 with:
 node-version: '22'
 registry-url: 'https://registry.npmjs.org'
- cache: npm
 scope: '@socketregistry'
 - run: npm install -g npm@latest
 - run: npm ci
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 448fe15..13b1b8d 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
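Review bot: In the `.github/workflows/provenance.yml` hunk of patch 1/2, the step `- run: npm install -g npm@latest` at the end of the hunk still pulls a floating npm release into a job that holds `id-token: write`, while the actions around it are pinned to commit SHAs. Whatever npm publishes as `latest` at release time then runs before the package is built and published. Pinning it to an exact version, e.g. `- run: npm install -g npm@<pinned-version>`, and bumping that version deliberately would match the rest of this hardening. The job definition starts above the hunk and continues below it.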
@@ -3,6 +3,8 @@ name: tests
 on: [pull_request, push]
+permissions: {}
+
 env:
 FORCE_COLOR: 1
@@ -17,7 +19,9 @@ jobs:
 node: ['lts/*']
 steps:
- - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Use Node.js ${{ matrix.node }}
 uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f #v6.1.0
 with:
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..39d1b18
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,3 @@
+rules:
+ secrets-outside-env:
+ disable: true
From 261812598dbd53216007d17edf8bb7e6f9b216f7 Mon Sep 17 00:00:00 2001
From: Alexandros Kapravelos
Date: Wed, 25 Mar 2026 11:50:16 -0400
Subject: [PATCH 2/2] fix(ci): satisfy zizmor on publish workflow

- Disable setup-node package-manager cache in release workflow (cache-poisoning)
- Replace archived create-release/upload-release-asset with gh release create (archived-uses, superfluous-actions)
---
 .github/workflows/provenance.yml | 29 +++++++++--------------------
 1 file changed, 9 insertions(+), 20 deletions(-)

diff --git a/.github/workflows/provenance.yml b/.github/workflows/provenance.yml
index 63e4f49..5e4fed5 100644
--- a/.github/workflows/provenance.yml
+++ b/.github/workflows/provenance.yml
@@ -30,6 +30,7 @@ jobs:
 node-version: '22'
 registry-url: 'https://registry.npmjs.org'
 scope: '@socketregistry'
+ package-manager-cache: false
 - run: npm install -g npm@latest
 - run: npm ci
 - name: Build package
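Review bot: With `permissions: {}` added at the top of `.github/workflows/test.yml`, the job touched in the second hunk runs with a token that has no scopes, and neither hunk grants `contents: read` back at job level. Checkout of a public repository still works that way, but `actions/checkout` fails if the repository is private or the workflow is copied into one. Adding a job-level `permissions:` block with `contents: read` makes the requirement explicit while keeping the workflow default empty. The job header lies outside both hunks, so a grant may already exist there; worth confirming.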
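Review bot: `disable: true` under `secrets-outside-env` in the new `.github/zizmor.yml` turns the audit off for every workflow in the repository, and the file has no comment saying why. A workflow added later that reads a secret outside a deployment environment will then pass the scan silently. A comment above the rule such as `# disabled: <reason the release job does not use a GitHub environment>` records the decision. If only the publish workflow needs the exception, an `ignore:` list naming that file under the same rule is narrower than disabling the rule globally.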
@@ -42,25 +43,13 @@ jobs:
 env:
 SOCKET_CLI_DEBUG: ${{ inputs.debug }}
 - name: Create GitHub Release
- id: create_release
- uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- tag_name: v${{ steps.package-version.outputs.version }}
- release_name: Release v${{ steps.package-version.outputs.version }}
- body: |
- Release of @socketsecurity/mcp v${{ steps.package-version.outputs.version }}
-
- This release has been published to npm with provenance.
- draft: false
- prerelease: false
- - name: Upload Package to Release
- uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- upload_url: ${{ steps.create_release.outputs.upload_url }}
- asset_path: ./socketsecurity-mcp-${{ steps.package-version.outputs.version }}.tgz
- asset_name: socketsecurity-mcp-${{ steps.package-version.outputs.version }}.tgz
- asset_content_type: application/gzip
+ VERSION: ${{ steps.package-version.outputs.version }}
+ run: |
+ notes=$(printf '%s\n\n%s' \
+ "Release of @socketsecurity/mcp v${VERSION}" \
+ "This release has been published to npm with provenance.")
+ gh release create "v${VERSION}" "socketsecurity-mcp-${VERSION}.tgz" \
+ --title "Release v${VERSION}" \
+ --notes "$notes"
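Review bot: `gh release create "v${VERSION}"` in the new `run:` block is called without `--target`, so when the tag does not exist yet gh creates it from the default branch head rather than from the commit this job checked out and published. If the workflow runs from another ref, or the default branch moves during the run, the release tag and the npm provenance would point at different commits. Adding `--target "$GITHUB_SHA" \` to the command ties the tag to the built commit. The step list continues outside the hunk, so whether a tag is created earlier in the job is not visible here.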