fix: update Dependabot labels

.github/dependabot.yml

@@ -7,6 +7,7 @@ updates:
       interval: "weekly"
     commit-message:
       prefix: "chore(deps)"
+    labels: ["python", "dependencies"]
     groups:
       dependencies:
         applies-to: version-updates
@@ -19,6 +20,7 @@ updates:
       interval: "weekly"
     commit-message:
       prefix: "chore(deps)"
+    labels: ["github_actions", "dependencies"]
     groups:
       dependencies:
         applies-to: version-updates
@@ -31,6 +33,7 @@ updates:
       interval: "weekly"
     commit-message:
       prefix: "chore(deps)"
+    labels: ["docker", "dependencies"]
     groups:
       dependencies:
         applies-to: version-updates

.github/linters/trivy.yaml

@@ -0,0 +1,3 @@
+scan:
+  skip-dirs:
+    - .mypy_cache

.github/linters/zizmor.yaml

@@ -0,0 +1,6 @@
+rules:
+  dangerous-triggers: # to allow pull_request_target for auto-labelling fork pull requests
+    ignore:
+      - auto-labeler.yml
+      - pr-title.yml
+      - release.yml

.github/workflows/docker-image.yml

@@ -15,5 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5.0.0
+        with:
+          persist-credentials: false
       - name: Build the Docker image
         run: docker build . --file Dockerfile --platform linux/amd64 --tag measure-innersource:"$(date +%s)"

.github/workflows/linter.yaml

@@ -23,14 +23,15 @@ jobs:
           # Full git history is needed to get a proper
           # list of changed files within `super-linter`
           fetch-depth: 0
-      - uses: actions/setup-python@v5.6.0
+          persist-credentials: false
+      - uses: actions/setup-python@v6.0.0
         with:
           python-version: "3.12"
       - name: Install dependencies
         run: |
           pip install -r requirements.txt -r requirements-test.txt
       - name: Lint Code Base
-        uses: super-linter/super-linter@5119dcd8011e92182ce8219d9e9efc82f16fddb6 # v8.0.0
+        uses: super-linter/super-linter@ffde3b2b33b745cb612d787f669ef9442b1339a6 # v8.1.0
         env:
           DEFAULT_BRANCH: main
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/python-package.yml

@@ -22,8 +22,10 @@ jobs:
 
     steps:
       - uses: actions/checkout@v5.0.0
+        with:
+          persist-credentials: false
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v5.6.0
+        uses: actions/setup-python@v6.0.0
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install dependencies

Dockerfile

@@ -17,8 +17,18 @@ COPY requirements.txt *.py /action/workspace/
 
 RUN python3 -m pip install --no-cache-dir -r requirements.txt \
     && apt-get -y update \
-    && apt-get -y install --no-install-recommends git=1:2.47.2-0.2 \
-    && rm -rf /var/lib/apt/lists/*
+    && apt-get -y install --no-install-recommends git=1:2.47.3-0+deb13u1 \
+    && rm -rf /var/lib/apt/lists/* \
+    && addgroup --system appuser \
+    && adduser --system --ingroup appuser --home /action/workspace --disabled-login appuser \
+    && chown -R appuser:appuser /action/workspace
+
+# Run the action as a non-root user
+USER appuser
+
+# Add a simple healthcheck to satisfy container scanners
+HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
+  CMD python3 -c "import os,sys; sys.exit(0 if os.path.exists('/action/workspace/measure_innersource.py') else 1)"
 
 CMD ["/action/workspace/measure_innersource.py"]
 ENTRYPOINT ["python3", "-u"]