add some ci

westonsteimel · westonsteimel · commit fb82f6f2dda7 · 2026-02-18T11:42:49.000Z
Signed-off-by: Weston Steimel &lt;author@code.w.steimel.me.uk&gt;
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,26 @@
+version: 2
+updates:
+
+  - package-ecosystem: "github-actions"
+    open-pull-requests-limit: 10
+    directory: "/.github/actions/bootstrap"
+    schedule:
+      interval: "daily"
+    cooldown:
+      default-days: 7
+
+  - package-ecosystem: "github-actions"
+    open-pull-requests-limit: 10
+    directory: "/.github/workflows"
+    schedule:
+      interval: "daily"
+    cooldown:
+      default-days: 7
+
+  - package-ecosystem: "uv"
+    directory: "/"
+    open-pull-requests-limit: 10
+    schedule:
+      interval: daily
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/validate-github-actions.yaml b/.github/workflows/validate-github-actions.yaml
@@ -0,0 +1,36 @@
+name: "Validate GitHub Actions"
+
+on:
+  pull_request:
+    paths:
+      - '.github/workflows/**'
+      - '.github/actions/**'
+  push:
+    branches:
+      - main
+    paths:
+      - '.github/workflows/**'
+      - '.github/actions/**'
+
+permissions:
+  contents: read
+
+jobs:
+  zizmor:
+    name: "Lint"
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write  # for uploading SARIF results
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
+
+      - name: "Run zizmor"
+        uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
+        with:
+          config: .github/zizmor.yml
+          # Disable SARIF upload so the step is a simple pass/fail gate
+          advanced-security: false
+          inputs: .github
diff --git a/.github/workflows/validations.yaml b/.github/workflows/validations.yaml
@@ -0,0 +1,29 @@
+name: "Validations"
+on:
+  # needed for publishing commit images on the main branch
+  push:
+    branches:
+      - main
+
+  # needed when running from forks
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  validate:
+    name: "Validate"
+    runs-on: ubuntu-latest
+    container:
+      image: python:3.13-alpine
+    permissions:
+      contents: read
+    steps:
+      - name: Install OS dependencies
+        run: apk add --no-cache uv
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+        with:
+          persist-credentials: false
+      - name: ruff check
+        run: uv run ruff check
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
@@ -0,0 +1,6 @@
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        # anchore/workflows is an internal repository; using @main is acceptable
+        anchore/*: any
