From 3e456c78a129b164a728061cfdf9755120a20830 Mon Sep 17 00:00:00 2001
From: Christopher Horrell
Date: Mon, 25 May 2026 22:18:46 -0400
Subject: [PATCH] security: resolve zizmor findings in CI workflows
- Add cooldown (default-days: 7) to dependabot ecosystems
- Add permissions: contents: read to all workflows
- Fix template injection in dockerimage and update-current-image workflows
---
 .github/dependabot.yml | 4 ++++
 .github/workflows/dockerimage.yml | 5 ++++-
 .github/workflows/linting.yml | 3 +++
 .github/workflows/update-current-image.yml | 5 ++++-
 4 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 2845746..6593ffa 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -12,6 +12,8 @@ updates:
 commit-message:
 prefix: "ci"
 include: "scope"
+ cooldown:
+ default-days: 7
 - package-ecosystem: "pre-commit"
 directory: "/"
 schedule:
@@ -24,4 +26,6 @@ updates:
 commit-message:
 prefix: "chore"
 include: "scope"
+ cooldown:
+ default-days: 7
diff --git a/.github/workflows/dockerimage.yml b/.github/workflows/dockerimage.yml
index 78a9a7c..974164b 100644
--- a/.github/workflows/dockerimage.yml
+++ b/.github/workflows/dockerimage.yml
@@ -10,6 +10,9 @@ on:
 env:
 IMAGE_NAME: node-minimal
+permissions:
+ contents: read
+
 jobs:
 build:
 strategy:
@@ -76,4 +79,4 @@ jobs:
 tags: ${{ env.IMAGE_NAME }}-${{ env.LATEST_VERSION }}
 - name: Test Image
- run: docker run --rm ${{ env.IMAGE_NAME }}-${{ env.LATEST_VERSION }} -e "console.log('Hello from Node.js ' + process.version)"
+ run: docker run --rm "${IMAGE_NAME}-${LATEST_VERSION}" -e "console.log('Hello from Node.js ' + process.version)"
diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
index 6b72b73..9f706ce 100644
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -3,6 +3,9 @@ name: Linting
 on:
 pull_request:
+permissions:
+ contents: read
+
 jobs:
 shfmt:
 runs-on: ubuntu-latest
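Review bot: The workflow-level `permissions: contents: read` added after `IMAGE_NAME: node-minimal` also strips whatever `packages: write` the repository's default token setting gave the `build` job, so if any step of that job (its steps lie outside this hunk) pushes the image to ghcr.io with `GITHUB_TOKEN`, the push will now fail with 403 until the job declares its own grant, e.g. `permissions:` / `contents: read` / `packages: write` under `build:`. Nothing in the hunk shows a login or push step, so confirm against the job body; if the registry is authenticated with a separate secret, no change is needed. Keeping any write grant job-scoped rather than widening the top-level block preserves the least-privilege intent of this commit.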
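Review bot: Moving `LATEST_VERSION` out of the `${{ }}` expression stops it from being spliced into the shell script, but the value is still consumed unvalidated as part of the image reference here and in the `tags:` input two lines up, and wherever it is set (outside the hunk) it is presumably fetched from the Node release index rather than typed by a maintainer. A malformed or crafted value now fails inside `docker run` instead of executing, which is the right failure mode, but an explicit format check would make that contract visible and fail earlier with a clear message. I would add a step ahead of the build, `run: [[ "$LATEST_VERSION" =~ ^v?[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "unexpected LATEST_VERSION: $LATEST_VERSION" >&2; exit 1; }`. The `build` job this step belongs to starts before the hunk.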
diff --git a/.github/workflows/update-current-image.yml b/.github/workflows/update-current-image.yml
index f6ab3e9..5f89587 100644
--- a/.github/workflows/update-current-image.yml
+++ b/.github/workflows/update-current-image.yml
@@ -13,6 +13,9 @@ on:
 env:
 IMAGE_NAME: node-minimal
+permissions:
+ contents: read
+
 jobs:
 check_version:
 runs-on: ubuntu-latest
@@ -130,7 +133,7 @@ jobs:
 tags: ${{ env.IMAGE_NAME }}-${{ needs.check_version.outputs.NODE_VERSION }}
 - name: Test Image
- run: docker run --rm ${{ env.IMAGE_NAME }}-${{ needs.check_version.outputs.NODE_VERSION }} -e "console.log('Hello from Node.js ' + process.version)"
+ run: docker run --rm "${IMAGE_NAME}-${NODE_VERSION}" -e "console.log('Hello from Node.js ' + process.version)"
 - name: Docker meta
 id: meta
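Review bot: The top-level `permissions: contents: read` restricts `GITHUB_TOKEN` for every job in this workflow, yet the later job (outside this hunk) carries a `Docker meta` step and, given the workflow's name, presumably pushes the rebuilt image and records the new version somewhere; any job that pushes to ghcr.io or commits/opens a PR with the token now needs a job-level `permissions:` block (`packages: write`, `contents: write` or `pull-requests: write` as applicable) or will fail with 403. The diff adds no such grants, so check each job definition below the hunk. Granting them per job keeps the workflow default read-only, which is the point of this change.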
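Review bot: The new `run:` line reads `${NODE_VERSION}` from the shell environment, but nothing in this hunk maps the `needs.check_version.outputs.NODE_VERSION` job output into an `env:` variable for the step, and the diffstat's four insertions for this file are all accounted for by the `permissions:` block and this line; the `tags:` line directly above still reads the `needs` output, which suggests no job-level `env:` supplies it either. Unless it is exported somewhere outside the hunk, `${NODE_VERSION}` expands to an empty string (GitHub's default `bash -e {0}` shell does not set `-u`) and the step runs `docker run --rm "node-minimal-"`, which fails with an invalid reference. The zizmor-recommended shape keeps the expression out of the script but passes it through the step's environment: add `env:` / `NODE_VERSION: ${{ needs.check_version.outputs.NODE_VERSION }}` to the `Test Image` step above its `run:` line. The enclosing job starts before the hunk.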