From d31509377644fdc01d66a634c804087cb3b9c449 Mon Sep 17 00:00:00 2001
From: "supply-chain-sentinel[bot]"
Date: Fri, 15 May 2026 20:55:52 +0000
Subject: [PATCH] Add supply-chain security baseline
---
 .github/dependabot.yml | 56 ++++++++++
 .github/workflows/security-baseline.yml | 130 ++++++++++++++++++++++++
 2 files changed, 186 insertions(+)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/security-baseline.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..4209966
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,56 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ time: "05:10"
+ timezone: "Etc/UTC"
+ cooldown:
+ default-days: 7
+ labels:
+ - dependencies
+ - github-actions
+ groups:
+ github-actions:
+ patterns:
+ - "*"
+ github-actions-security:
+ applies-to: security-updates
+ patterns:
+ - "*"
+
+ - package-ecosystem: "npm"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "tuesday"
+ time: "05:10"
+ timezone: "Etc/UTC"
+ open-pull-requests-limit: 0
+ labels:
+ - dependencies
+ - npm
+ groups:
+ npm-security-updates:
+ applies-to: security-updates
+ patterns:
+ - "*"
+
+ - package-ecosystem: "pip"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "wednesday"
+ time: "05:10"
+ timezone: "Etc/UTC"
+ open-pull-requests-limit: 0
+ labels:
+ - dependencies
+ - python
+ groups:
+ pip-security-updates:
+ applies-to: security-updates
+ patterns:
+ - "*"
diff --git a/.github/workflows/security-baseline.yml b/.github/workflows/security-baseline.yml
new file mode 100644
index 0000000..6246428
--- /dev/null
+++ b/.github/workflows/security-baseline.yml
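Review bot: The npm and pip entries combine `open-pull-requests-limit: 0` with groups that only have `applies-to: security-updates`, which reads as a "security updates only" policy, but nothing in this file enables Dependabot security updates — that is a repository or organization setting, and if it is off these two ecosystems will raise no pull requests at all. The limit of 0 disables version updates only; as far as I recall security updates have their own separate limit, so the intent should be stated next to each of the two lines, e.g. `# Version updates disabled; only Dependabot security updates are expected (must be enabled in repository settings).` The github-actions entry also carries a 7-day `cooldown` that the npm and pip entries lack, which is presumably deliberate for a security-only policy but deserves the same one-line comment.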
@@ -0,0 +1,130 @@
+name: Security Baseline
+
+on:
+ pull_request:
+ push:
+ branches:
+ - master
+ schedule:
+ - cron: "37 3 * * 1"
+ workflow_dispatch:
+
+permissions:
+ actions: read
+ contents: read
+
+concurrency:
+ group: security-baseline-${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ osv:
+ name: OSV vulnerability scan
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run OSV-Scanner
+ uses: google/osv-scanner-action/osv-scanner-action@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
+ with:
+ scan-args: |-
+ --recursive
+ ./
+
+ secrets:
+ name: Secret scan
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ fetch-depth: 0
+ persist-credentials: false
+
+ - name: Run TruffleHog
+ uses: trufflesecurity/trufflehog@37b77001d0174ebec2fcca2bd83ff83a6d45a3ab # v3.95.3
+ with:
+ extra_args: --results=verified,unknown
+ path: ./
+ version: 3.95.3
+
+ workflow-lint:
+ name: GitHub Actions lint
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Set up Go
+ uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+ with:
+ cache: false
+ go-version: stable
+
+ - name: Run actionlint
+ run: |
+ if [ -d .github/workflows ]; then
+ go run github.com/rhysd/actionlint/cmd/actionlint@v1.7.12 \
+ -ignore 'unknown permission scope "vulnerability-alerts"'
+ fi
+
+ workflow-security:
+ name: GitHub Actions security lint
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Set up uv
+ uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+ with:
+ enable-cache: false
+
+ - name: Run zizmor
+ run: |
+ for attempt in 1 2 3; do
+ set +e
+ uvx --from zizmor==1.24.1 zizmor \
+ --persona=auditor \
+ --format=github \
+ --min-severity=high \
+ --min-confidence=medium \
+ --color=always \
+ -- ./
+ status="$?"
+ set -e
+
+ if [ "$status" -eq 0 ]; then
+ exit 0
+ fi
+
+ if [ "$status" -eq 3 ]; then
+ echo "::warning::No inputs were collected by zizmor"
+ exit 0
+ fi
+
+ if [ "$status" -ge 11 ]; then
+ exit "$status"
+ fi
+
+ if [ "$attempt" -lt 3 ]; then
+ sleep "$((attempt * 15))"
+ continue
+ fi
+
+ exit "$status"
+ done
+ env:
+ GH_TOKEN: ${{ github.token }}
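Review bot: The `concurrency` group near the top of the workflow is keyed only on `github.workflow` and `github.ref`, so with `cancel-in-progress: true` a scheduled or manually dispatched run on the default branch lands in the same group as a push-triggered run of that branch, and whichever starts second cancels the other — the cancelled commit then never receives a completed OSV, TruffleHog or zizmor result. Limit cancellation to pull requests with `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`, or add `${{ github.event_name }}` to the group name. In the zizmor step the loop retries every exit status that is not 0, 3 or >= 11, including deterministic ones such as a bad argument or a parse error, so a genuine failure costs two extra attempts and 45 seconds of sleep before it surfaces; a comment above the loop naming the statuses it expects (3 is "no inputs" per the echo on the same branch, and >= 11 is presumably findings at or above the configured threshold) would make the policy reviewable. The `go run github.com/rhysd/actionlint/cmd/actionlint@v1.7.12` and `uvx --from zizmor==1.24.1` pins are version pins rather than digests; the Go module checksum database covers the former, but the latter resolves against whatever index uv uses at run time, so consider a lock file or hash pin if the project has a mechanism for it.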