We don't want to add more tools to this repo, as explained in the README under "This repository is minimal on purpose, for security reasons it contains only what is absolutely necessary. [...]". That includes no dependabot, no CodeQL, no zizmor, etc.
It'd be useful to expand a bit on that on how to use tools async (or possibly from another repo on a cron job) to perform regular maintenance and scanning for this repo. E.g.:
- gha-update or similar to bump all pins of actions (or is there a newer tool for that now?)
- zizmor to scan for common issues in workflow files
- probably a custom script or an AI tool to go through the repo to check for anything else that isn't pinned
- anything else?
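As an added example (not the issue author's code and not part of this repository), the "custom script" item above could be something like the following: a small Python check that walks `.github/` for workflow and action YAML files and reports every `uses:` reference that is not an immutable pin. It assumes the usual layout (`.github/workflows/*.yml`, composite actions under `.github/actions/`), treats local `./` actions as fine (there is nothing to pin), requires a full 40-hex commit SHA for remote actions and reusable workflows, and requires a `sha256` digest for `docker://` images. The workflow text at the top is constructed for the example; the SHA and digest in it are placeholders, not real commits. It is meant to run from another repo's cron job against a fresh checkout of this one, exiting non-zero when anything is unpinned.

```python
from __future__ import annotations

import re
import sys
from pathlib import Path

# Constructed sample input for the example; the SHA and digest are placeholders.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: actions/setup-python@v5
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.20
      - uses: docker://alpine@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
  lint:
    uses: org/shared/.github/workflows/lint.yml@main
"""

# GitHub only accepts full-length commit SHAs as immutable action refs.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Container images are immutable only when referenced by digest.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
# `uses:` appears both as a step key (`- uses:`) and as a job-level key for
# reusable workflows (`uses:`); the value may be quoted and followed by a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)")


def is_pinned(ref: str) -> bool:
    """True if `ref` cannot silently change content under the same name."""
    if ref.startswith("./"):
        # Local action: its content is already part of the checked-out commit.
        return True
    if ref.startswith("docker://"):
        return bool(DIGEST_RE.search(ref))
    if "@" not in ref:
        # No ref at all means the default branch; never acceptable.
        return False
    _, version = ref.rsplit("@", 1)
    # Tags (v4), branches (main) and abbreviated SHAs all fail this test.
    return bool(SHA_RE.match(version))


def find_unpinned(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line_number, ref) for every `uses:` in the text that is not pinned."""
    hits: list[tuple[int, str]] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and not is_pinned(m.group(1)):
            hits.append((lineno, m.group(1)))
    return hits


def scan_repo(root: str | Path) -> dict[str, list[tuple[int, str]]]:
    """Scan every YAML file under <root>/.github and map path -> unpinned refs."""
    root = Path(root)
    results: dict[str, list[tuple[int, str]]] = {}
    for pattern in ("**/*.yml", "**/*.yaml"):
        for path in sorted((root / ".github").glob(pattern)):
            hits = find_unpinned(path.read_text(encoding="utf-8"))
            if hits:
                results[str(path.relative_to(root))] = hits
    return results


if __name__ == "__main__":
    # Usage: python check_pins.py /path/to/checkout   (defaults to cwd)
    findings = scan_repo(sys.argv[1] if len(sys.argv) > 1 else ".")
    for file, hits in findings.items():
        for lineno, ref in hits:
            print(f"{file}:{lineno}: unpinned action reference: {ref}")
    sys.exit(1 if findings else 0)
```

On the constructed sample this flags `actions/setup-python@v5`, the tag-referenced `docker://alpine:3.20`, and the branch-referenced reusable workflow, and accepts the SHA-pinned checkout, the local action and the digest-pinned image. It deliberately uses line-based regexes rather than a YAML parser so it has no dependencies of its own; a `uses:` value spread over a YAML block scalar would be missed, which is an edge case worth a second, YAML-aware pass if it ever appears in the repo.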