
build(deps): Bump bitwise-media-group/github-workflows/.github/workflows/ci-actions.yaml from 1.1.0 to 2.0.0 #14

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/bitwise-media-group/github-workflows/dot-github/workflows/ci-actions.yaml-2.0.0

@dependabot dependabot Bot commented on behalf of github Jun 30, 2026

Bumps bitwise-media-group/github-workflows/.github/workflows/ci-actions.yaml from 1.1.0 to 2.0.0.

Release notes

Sourced from bitwise-media-group/github-workflows/.github/workflows/ci-actions.yaml's releases.

v2.0.0

2.0.0 (2026-06-21)

⚠ BREAKING CHANGES

  • the reusable workflow moved from .github/workflows/codeql.yaml to .github/workflows/security.yaml. Consumers must update their caller's uses: from bitwise-media-group/github-workflows/.github/workflows/codeql.yaml@ to .../security.yaml@.
  • auto-merge.yaml is removed; its behaviour now lives in merge.yaml (wire the four auto-merge triggers on the caller). merge.yaml no longer accepts a pr-number input (it resolves the PR from the event), and the auto-merge arming comment input is now 'arm-command' (was 'command'). Consumers pinned @v1 are unaffected until they move to @v2.
  • the per-language workflow files are removed. Consumers must repoint uses: to ci.yaml/codeql.yaml/release.yaml@v2, provide the canonical Makefile targets (stubbing N/A ones as no-ops), and set vanity-tags: true to keep the floating major tag.

Features

  • add a languages override and opt-in zizmor scan to the CodeQL workflow (ba40cbc)
  • fold auto-merge into the merge workflow (6497957)
  • generalize ci/codeql/release into language-agnostic workflows (bf13819)
  • rename reusable codeql workflow to security, standardise names (75ae004)

Bug Fixes

  • harden reusable workflow security posture (7f4724a)
  • merge: do not cancel pending ff-merge events (048f8c2)
  • merge: request workflows scope so ff-merge can push workflow-file changes (7ac5ca8)
  • release-go: re-pin release-please-action to its current v5.0.0 commit (dfa6330)

Changelog

Sourced from bitwise-media-group/github-workflows/.github/workflows/ci-actions.yaml's changelog.

Changelog

4.0.3 (2026-06-29)

Bug Fixes

  • make Dependabot auto-merge match modern gh and indirect deps (1e7e5d8)

4.0.2 (2026-06-29)

Bug Fixes

  • merge: grant statuses:read for the legacy commit-status rollup (3bbf3b3)

4.0.1 (2026-06-29)

Bug Fixes

  • merge: grant checks:read so ff-merge can read the check-run rollup (5a651ab)

4.0.0 (2026-06-29)

⚠ BREAKING CHANGES

  • callers must now grant pages: write. GitHub resolves a reusable workflow's permissions as the union of every job and ignores if:, so the docs job's pages:write is required even on repos without a zensical.toml or the run fails at startup. Add pages: write to the caller's permissions block (see examples/release.yaml). Consuming repos should also delete their inline docs job and set Settings -> Pages -> Source -> GitHub Actions.

Features

  • build and publish Zensical docs to Pages on release (c619e32)

3.2.1 (2026-06-29)

Bug Fixes

  • ci: verify committed dist/ after build; drop redundant npm ci (aaa75ed)
  • release: verify dist/ in CI, not after the release is cut (f68fb68)

3.2.0 (2026-06-28)

Features

  • ci: set up uv when a pyproject.toml exists (53a25ac)
  • release: expose release-please outputs to callers (e0317e4)

... (truncated)

Commits

  • e37b7f6 chore(main): release 2.0.0
  • 7ac5ca8 fix(merge): request workflows scope so ff-merge can push workflow-file changes
  • bea060f docs: pin code-scanning Locations to permalinks at the detected commit
  • 006a936 docs: correct goreleaser-permission guidance in the release example
  • 4ae2ca3 ci: grant the goreleaser job's permissions in self-release
  • 75ae004 feat!: rename reusable codeql workflow to security, standardise names
  • d12674c ci: skip zizmor in the lint gate when it is not installed
  • 4b359a9 ci: dogfood the reusable CodeQL workflow here
  • 148b0c7 ci: add zizmor config requiring hash-pinned uses
  • 2e50c9f docs(security): record code-injection findings #4 and #5 as remediated
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
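
The 4.0.0 changelog entry quoted above says a reusable workflow's permissions are resolved as the union of every job, with `if:` ignored, so the caller must grant `pages: write` even when the docs job would be skipped. The following check is an added example, not code from the project or from Dependabot; the workflow contents, job names and the `if:` condition are constructed, and permissions are assumed to be given as scope-to-level mappings.

```python
# Added example (not project code): pre-flight check for the permission rule
# described in the 4.0.0 notes. Workflow contents below are constructed.
LEVELS = {"none": 0, "read": 1, "write": 2}


def required_permissions(reusable):
    """Union of every job's permissions in a reusable workflow.

    Job-level `if:` is ignored on purpose: per the notes, the union is
    validated at startup, before any condition is evaluated.
    """
    workflow_level = reusable.get("permissions", {})
    needed = {}
    for job in reusable.get("jobs", {}).values():
        # A job-level block replaces the workflow-level one for that job.
        perms = job.get("permissions", workflow_level)
        for scope, level in perms.items():
            if LEVELS[level] > LEVELS[needed.get(scope, "none")]:
                needed[scope] = level
    return needed


def missing_grants(caller_permissions, reusable):
    """Return {scope: (granted, needed)} for each scope the caller under-grants."""
    gaps = {}
    for scope, need in required_permissions(reusable).items():
        # Scopes omitted from an explicit permissions block resolve to none.
        have = caller_permissions.get(scope, "none")
        if LEVELS[have] < LEVELS[need]:
            gaps[scope] = (have, need)
    return gaps


# Constructed stand-in for a reusable release workflow (parsed YAML as dicts).
REUSABLE_RELEASE = {
    "jobs": {
        "release": {"permissions": {"contents": "write", "pull-requests": "write"}},
        "docs": {
            "if": "vars.PUBLISH_DOCS == 'true'",  # constructed condition, ignored
            "permissions": {"contents": "read", "pages": "write"},
        },
    }
}
CALLER_BEFORE = {"contents": "write", "pull-requests": "write"}
CALLER_AFTER = {**CALLER_BEFORE, "pages": "write"}

if __name__ == "__main__":
    print("before:", missing_grants(CALLER_BEFORE, REUSABLE_RELEASE))
    print("after: ", missing_grants(CALLER_AFTER, REUSABLE_RELEASE))
```

Running a check like this against a caller before accepting a major bump surfaces the missing scope in review instead of as a startup failure on the first run after merge.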

…ows/ci-actions.yaml

Bumps [bitwise-media-group/github-workflows/.github/workflows/ci-actions.yaml](https://github.com/bitwise-media-group/github-workflows) from 1.1.0 to 2.0.0.
- [Release notes](https://github.com/bitwise-media-group/github-workflows/releases)
- [Changelog](https://github.com/bitwise-media-group/github-workflows/blob/main/CHANGELOG.md)
- [Commits](bitwise-media-group/github-workflows@077a003...e37b7f6)

---
updated-dependencies:
- dependency-name: bitwise-media-group/github-workflows/.github/workflows/ci-actions.yaml
  dependency-version: 2.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code) labels Jun 30, 2026

@github-actions

Contributor

Note

Merging this PR: this repository merges by fast-forward so every
commit keeps its original signature. The GitHub merge button is not used.
Once this PR is approved and all checks pass, a maintainer merges it by
commenting /merge on the PR.

The branch must be up to date with main (rebased and re-signed) to
fast-forward. If /merge reports it is not fast-forwardable, rebase onto
main and comment /merge again.


Labels

  • dependencies: Pull requests that update a dependency file
  • github_actions: Pull requests that update GitHub Actions code
