From 4d89580a44dc1afe2df5bd12f25cdb6b8a4128d8 Mon Sep 17 00:00:00 2001
From: Dave Fisher
Date: Mon, 3 Nov 2025 15:13:25 -0800
Subject: [PATCH 1/6] Add pre-commit hooks for large files and workflows

Added new pre-commit hooks for large file checks and GitHub workflows.
---
 .pre-commit-config.yaml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index d324a3d..e277dfd 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -17,6 +17,7 @@ repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
 rev: v5.0.0
 hooks:
+ - id: check-added-large-files
 - id: check-ast
 - id: check-case-conflict
 - id: check-executables-have-shebangs
@@ -71,3 +72,11 @@ repos:
 rev: v1.7.7
 hooks:
 - id: actionlint
+ - repo: https://github.com/python-jsonschema/check-jsonschema
+ rev: 0.30.0
+ hooks:
+ - id: check-github-workflows
+ - repo: https://github.com/zizmorcore/zizmor-pre-commit
+ rev: v1.16.0
+ hooks:
+ - id: zizmor

From ef17a63ff8ce66f44217273b14b57e8b11f71b0b Mon Sep 17 00:00:00 2001
From: Dave Fisher
Date: Mon, 3 Nov 2025 15:30:26 -0800
Subject: [PATCH 2/6] Update GitHub Actions workflow for Pelican build (#51) (#52)

---
 .github/workflows/build-pelican.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build-pelican.yml b/.github/workflows/build-pelican.yml
index 212260d..453f87c 100644
--- a/.github/workflows/build-pelican.yml
+++ b/.github/workflows/build-pelican.yml
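Review bot: The two hook repositories added at the end of `.pre-commit-config.yaml` in PATCH 1/6 are pinned by tag (`rev: 0.30.0` for check-jsonschema, `rev: v1.16.0` for zizmor-pre-commit), and a tag can be moved upstream after it has been reviewed. These hooks execute on contributor machines and in CI, so pinning `rev` to the full commit SHA with the tag kept as a trailing comment, `rev: <full-commit-sha>  # frozen: v1.16.0`, gives them the same immutability that PATCH 2/6 applies to the pelican action; `pre-commit autoupdate --freeze` writes that form. The `rev:` values visible in the context lines (`v5.0.0`, `v1.7.7`) are tag-pinned as well and could be frozen in the same pass.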
@@ -13,12 +13,15 @@ on:
 jobs:
 build-pelican:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write # because we push to asf-site
 steps:
 - uses: actions/checkout@v4
 with:
+ persist-credentials: false
 # This must equal the push/branches list above, and be appropriate for the destination below
 ref: 'main'
- - uses: apache/infrastructure-actions/pelican@main
+ - uses: apache/infrastructure-actions/pelican@ed044141796eb8ad67581cf5f4210656ffa77daa
 with:
 # This must be appropriate for the branch being built
 destination: 'asf-site'

From 94b7b24d69cf85fc612d269f94d9333a79ccb72c Mon Sep 17 00:00:00 2001
From: Dave Fisher
Date: Mon, 3 Nov 2025 15:32:07 -0800
Subject: [PATCH 3/6] Enable credential persistence in build workflow

---
 .github/workflows/build-pelican.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build-pelican.yml b/.github/workflows/build-pelican.yml
index 453f87c..f96b88f 100644
--- a/.github/workflows/build-pelican.yml
+++ b/.github/workflows/build-pelican.yml
@@ -18,7 +18,7 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 with:
- persist-credentials: false
+ persist-credentials: true
 # This must equal the push/branches list above, and be appropriate for the destination below
 ref: 'main'
 - uses: apache/infrastructure-actions/pelican@ed044141796eb8ad67581cf5f4210656ffa77daa

From a5a23c7eb452672c3c1f9d847f983e085bfaabf0 Mon Sep 17 00:00:00 2001
From: Dave Fisher
Date: Mon, 3 Nov 2025 15:35:36 -0800
Subject: [PATCH 4/6] Change persist-credentials to false in workflow

---
 .github/workflows/build-pelican.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build-pelican.yml b/.github/workflows/build-pelican.yml
index f96b88f..453f87c 100644
--- a/.github/workflows/build-pelican.yml
+++ b/.github/workflows/build-pelican.yml
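Review bot: `actions/checkout@v4` in the build-pelican.yml hunk of PATCH 2/6 is still referenced by a movable tag, although the job now holds `contents: write` and the pelican action two steps later is pinned to a full commit SHA. Pinning checkout the same way, `- uses: actions/checkout@<full-commit-sha>  # v4`, closes the remaining gap; the checkout step in pre-commit.yml (PATCH 5/6 and 6/6) has the same tag reference. The pelican pin would also be easier to audit with a trailing comment naming the ref the SHA was taken from, so the next bump can be compared against upstream.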
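Review bot: `persist-credentials: true` in PATCH 3/6 leaves the job token, which carries `contents: write` since PATCH 2/6, in the checkout's local git configuration where every later step can read it, and the commit message gives no reason for needing that. PATCH 4/6 restores `false`, so the two commits cancel out; squashing them away keeps a write-capable token from being persisted at any commit in the series. If the toggle was a test of whether the pelican push depends on the persisted credential, the outcome belongs in a comment above the setting rather than in the history.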
@@ -18,7 +18,7 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 with:
- persist-credentials: true
+ persist-credentials: false
 # This must equal the push/branches list above, and be appropriate for the destination below
 ref: 'main'
 - uses: apache/infrastructure-actions/pelican@ed044141796eb8ad67581cf5f4210656ffa77daa

From 2cf1d500eaebf101243d960c0b657630eb3e9b1f Mon Sep 17 00:00:00 2001
From: Dave Fisher
Date: Mon, 3 Nov 2025 15:36:46 -0800
Subject: [PATCH 5/6] Disable credential persistence in pre-commit workflow

---
 .github/workflows/pre-commit.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index dd6e295..4b5e7ac 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -13,6 +13,7 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
+ persist-credentials: false
 - name: Install
 run: |
 python -m pip install --upgrade pip

From e751474f6251cef1923fcee6c6fb32e7fef8f199 Mon Sep 17 00:00:00 2001
From: Dave Fisher
Date: Mon, 3 Nov 2025 15:40:27 -0800
Subject: [PATCH 6/6] Fix indentation in pre-commit.yml

---
 .github/workflows/pre-commit.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index 4b5e7ac..96a66b4 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -13,7 +13,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
- persist-credentials: false
+ with:
+ persist-credentials: false
 - name: Install
 run: |
 python -m pip install --upgrade pip
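Review bot: In PATCH 5/6 `persist-credentials: false` is added right after `uses: actions/checkout@v4` with no `with:` key above it, so it is not passed to the checkout action as an input and the step is not valid workflow syntax at this commit. PATCH 6/6 adds the missing `with:`, so the end state is correct; squashing the two avoids leaving a commit in history where the workflow cannot load. This is the kind of mistake the `check-github-workflows` hook from PATCH 1/6 is meant to catch before commit.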
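Review bot: No `permissions:` block is visible for the pre-commit job in PATCH 6/6; the job header lies above the hunk, so this needs confirming against the full file. A job that only runs linters needs read access at most, and a job-level `permissions:` with `contents: read` would make that explicit, matching the explicit block added to build-pelican.yml in PATCH 2/6. The subject says "Fix indentation", but the change adds the missing `with:` key, which is worth stating in the message for anyone reading the log.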