From de183ce78c1ef7b91dc2a3fb730bb68bbc60ee74 Mon Sep 17 00:00:00 2001
From: James Crocker <87319125+jamesc-grafana@users.noreply.github.com>
Date: Wed, 30 Apr 2025 10:58:19 +0100
Subject: [PATCH 1/4] zizmor security actions
---
 .github/workflows/dependabot-automerge.yaml | 5 +++--
 .github/workflows/self-zizmor.yaml | 19 +++++++++++++++++++
 .github/workflows/snyk_monitor.yml | 16 +++++-----------
 trivy/action.yml | 8 +++++---
 4 files changed, 32 insertions(+), 16 deletions(-)
 create mode 100644 .github/workflows/self-zizmor.yaml
diff --git a/.github/workflows/dependabot-automerge.yaml b/.github/workflows/dependabot-automerge.yaml
index 8596fe7..26c631f 100644
--- a/.github/workflows/dependabot-automerge.yaml
+++ b/.github/workflows/dependabot-automerge.yaml
@@ -31,7 +31,7 @@ jobs: steps: - name: Generate token id: generate-token - uses: tibdex/github-app-token@v1 + uses: tibdex/github-app-token@32691ba7c9e7063bd457bd8f2a5703138591fa58 # v1 continue-on-error: true with: app_id: ${{ secrets.DEPENDABOTREVIEWER_ID }}
@@ -40,9 +40,10 @@ jobs: id: dependabot-metadata uses: dependabot/fetch-metadata@v1.5.1 - name: Enable auto-merge for Dependabot PRs - run: gh pr merge --auto --${{ inputs.repository-merge-method }} "$PR_URL" + run: gh pr merge --auto --${MERGE_METHOD} "$PR_URL" env: GITHUB_TOKEN: ${{ steps.generate-token.outputs.token || secrets.envPAT || secrets.GITHUB_TOKEN}} + MERGE_METHOD: ${{ inputs.repository-merge-method }} - name: Approve patch updates if: ${{ steps.dependabot-metadata.outputs.update-type == 'version-update:semver-patch' }} run: gh pr review $PR_URL --approve -b "**Approving** patch update"
diff --git a/.github/workflows/self-zizmor.yaml b/.github/workflows/self-zizmor.yaml
new file mode 100644
index 0000000..46c3020
--- /dev/null
+++ b/.github/workflows/self-zizmor.yaml
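Review bot: Pinning `tibdex/github-app-token` to a SHA is the right direction, but as far as I know that action is no longer maintained and its README points to GitHub's own `actions/create-github-app-token`, so the pin freezes a revision that will not receive fixes; consider migrating rather than only pinning (the official action names its inputs `app-id` and `private-key`, if I recall correctly). `continue-on-error: true` on this step means a failed token mint silently falls through to the `||` chain in the `GITHUB_TOKEN` env further down, which deserves a one-line comment such as `# token mint is best-effort; the merge step falls back to envPAT/GITHUB_TOKEN` so the next reader knows the fallback is intended. The job's `steps` list continues outside the hunk.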
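Review bot: Moving `inputs.repository-merge-method` into `MERGE_METHOD` takes the expression out of the script text, but the value is still spliced into a flag name unvalidated and unquoted, so a caller passing anything other than `merge`, `squash` or `rebase` gets an unhelpful `gh` error and a value with spaces is word-split. Validate before use, e.g. `case "$MERGE_METHOD" in merge|squash|rebase) ;; *) echo "unsupported merge method: $MERGE_METHOD" >&2; exit 1;; esac` and then call `gh pr merge --auto "--${MERGE_METHOD}" "$PR_URL"`. The `Approve patch updates` step kept as context still uses an unquoted `$PR_URL`; quoting it as on the merge line would be consistent. The job and its step list continue outside the hunk.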
@@ -0,0 +1,19 @@
+name: zizmor GitHub Actions static analysis
+on:
+ push:
+ pull_request:
+
+jobs:
+ zizmor:
+ name: Run zizmor from current branch (self test)
+
+ permissions:
+ actions: read
+ contents: read
+
+ pull-requests: write
+ security-events: write
+
+ uses: grafana/shared-workflows/.github/workflows/reusable-zizmor.yml@5946b80e86f32bb4d208c2483c58345bbeef03d2
+ with:
+ codeql-enabled: false
diff --git a/.github/workflows/snyk_monitor.yml b/.github/workflows/snyk_monitor.yml
index 19e96ed..e632e05 100644
--- a/.github/workflows/snyk_monitor.yml
+++ b/.github/workflows/snyk_monitor.yml
@@ -7,23 +7,17 @@ on: required: true jobs: snyk_scans: - runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3 + with: + persist-credentials: false - name: Run Snyk to import ${{ github.event.repository.name }} to Snyk continue-on-error: true - uses: snyk/actions/golang@master + uses: snyk/actions/golang@4a528b5c534bb771b6e3772656a8e0e9dc902f8b # master env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: command: monitor - args: --strict-out-of-sync=false --all-projects --exclude=devenv --tags=repo=${{ github.event.repository.name }} - - - - - - - + args: --strict-out-of-sync=false --all-projects --exclude=devenv --tags=repo=${{ github.event.repository.name }}
diff --git a/trivy/action.yml b/trivy/action.yml
index f1e568b..2295785 100644
--- a/trivy/action.yml
+++ b/trivy/action.yml
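Review bot: `on: push:` and `pull_request:` without any filter run the zizmor job twice for every PR opened from a branch in this repository and once for every push to any branch; limiting `push` to the default branch (`push: branches: [<default-branch>]`) keeps a post-merge run while PRs are scanned once. The reusable-workflow pin `@5946b80e…` lacks the `# <tag>` comment the other SHA pins in this series carry, which is what lets reviewers and Dependabot tell which release the SHA corresponds to. `pull-requests: write` and `security-events: write` are granted to the push run as well; a short comment stating what the reusable workflow needs them for (presumably PR comments and code-scanning uploads) would make the broad grant reviewable.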
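Review bot: The hunk deletes `runs-on: ubuntu-latest` from `snyk_scans` and adds nothing in its place, and the new side shows no other `runs-on` between `snyk_scans:` and `steps:`; a job with `steps` must declare `runs-on`, so GitHub will reject this workflow at parse time. If the intent is the visibility-dependent runner used for self-zizmor.yaml later in this series, add `runs-on: ${{ !github.event.repository.private && 'ubuntu-latest' || 'ubuntu-arm64-small' }}`; otherwise restore the removed line. `persist-credentials: false` on the checkout is appropriate here since the only later step needs the tree and `SNYK_TOKEN`, not the git token.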
@@ -69,14 +69,16 @@ runs: - name: "Comment the Trivy diff" env: GITHUB_TOKEN: ${{ inputs.github-token }} - BRANCH_NAME: ${{ github.head_ref || github.ref_name }} + BRANCH_NAME: ${{ github.head_ref || github.ref_name }} + PR_NUMBER: ${{ github.event.pull_request.number }} + BASE_REF: ${{ github.base_ref }} run: | output=$(cat output.txt) if [ "$output" == "No new vulnerabilities found." ]; then echo "No new vulnerabilities found." exit 0 else - comment=$(echo -e "### New vulnerabilities introduced in branch $BRANCH_NAME compared to ${{ github.base_ref }}\n\n" ; jq -r '.[] | "* \(.VulnerabilityID), Severity: \(.Severity), Package: \(.PkgName), Installed: \(.InstalledVersion), Fixed: \(.FixedVersion // "N/A")"' output.txt) - gh pr comment ${{ github.event.pull_request.number }} --body "$comment" + comment=$(echo -e "### New vulnerabilities introduced in branch $BRANCH_NAME compared to $BASE_REF\n\n" ; jq -r '.[] | "* \(.VulnerabilityID), Severity: \(.Severity), Package: \(.PkgName), Installed: \(.InstalledVersion), Fixed: \(.FixedVersion // "N/A")"' output.txt) + gh pr comment $PR_NUMBER --body "$comment" fi shell: bash
From 0825d66930a3b65b52d3a66da7d41edae1188b3d Mon Sep 17 00:00:00 2001
From: James Crocker <87319125+jamesc-grafana@users.noreply.github.com>
Date: Wed, 30 Apr 2025 11:44:42 +0100
Subject: [PATCH 2/4] update where zizmor runs depending on visibility
---
 .github/workflows/self-zizmor.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/self-zizmor.yaml b/.github/workflows/self-zizmor.yaml
index 46c3020..78ca8a8 100644
--- a/.github/workflows/self-zizmor.yaml
+++ b/.github/workflows/self-zizmor.yaml
@@ -16,4 +16,4 @@ jobs: uses: grafana/shared-workflows/.github/workflows/reusable-zizmor.yml@5946b80e86f32bb4d208c2483c58345bbeef03d2 with: - codeql-enabled: false + runs-on: ${{ !github.event.repository.private && 'ubuntu-latest' || 'ubuntu-arm64-small' }}
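Review bot: `gh pr comment $PR_NUMBER --body "$comment"` runs with an empty `PR_NUMBER` whenever this composite action is used outside a `pull_request` event, since `github.event.pull_request.number` is unset on push; `gh` then either guesses a PR from the current branch or fails after the scan itself succeeded. Guard it with `if [ -z "$PR_NUMBER" ]; then echo "Not a pull request; skipping comment"; exit 0; fi` before the comment is built, and quote the argument as `"$PR_NUMBER"`. Moving `BRANCH_NAME` and `BASE_REF` into `env` removes template-time interpolation from the script, but `echo -e` still re-interprets backslash escapes in the expanded `$BRANCH_NAME`, which comes from the PR author's branch name via `github.head_ref`; `printf '### New vulnerabilities introduced in branch %s compared to %s\n\n' "$BRANCH_NAME" "$BASE_REF"` renders it literally. The composite `runs:` step list starts before this hunk.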
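Review bot: Replacing `codeql-enabled: false` with `runs-on:` silently drops the explicit CodeQL opt-out, so whatever default `reusable-zizmor.yml` applies now takes effect; if disabling CodeQL was deliberate, keep both keys under `with:`. The reusable workflow is still pinned at `5946b80e…` in this commit while a new `runs-on` input is passed; if that revision does not declare the input the call fails workflow validation, which the immediately following "bump version" commit suggests is what happened, so squashing the two would keep every commit in the series runnable. The `!github.event.repository.private && 'ubuntu-latest' || 'ubuntu-arm64-small'` ternary idiom is safe only because the truthy branch is a non-empty string; a comment saying so, and why private repositories get the ARM runner, would help the next reader.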
From 2644061ef4f5ba16ab8ff0fdcb9e0c5b38574304 Mon Sep 17 00:00:00 2001
From: James Crocker <87319125+jamesc-grafana@users.noreply.github.com>
Date: Wed, 30 Apr 2025 13:01:24 +0100
Subject: [PATCH 3/4] bump version
---
 .github/workflows/self-zizmor.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/self-zizmor.yaml b/.github/workflows/self-zizmor.yaml
index 78ca8a8..9580101 100644
--- a/.github/workflows/self-zizmor.yaml
+++ b/.github/workflows/self-zizmor.yaml
@@ -14,6 +14,6 @@ jobs: pull-requests: write security-events: write - uses: grafana/shared-workflows/.github/workflows/reusable-zizmor.yml@5946b80e86f32bb4d208c2483c58345bbeef03d2 + uses: grafana/shared-workflows/.github/workflows/reusable-zizmor.yml@8fa210559ab2cc62e7b12d3bb9cba19dbc862c11 with: runs-on: ${{ !github.event.repository.private && 'ubuntu-latest' || 'ubuntu-arm64-small' }}
From 7bbbbb7884be3fb58e7e0973899c93eced59700e Mon Sep 17 00:00:00 2001
From: James Crocker <87319125+jamesc-grafana@users.noreply.github.com>
Date: Wed, 30 Apr 2025 13:06:00 +0100
Subject: [PATCH 4/4] fix zizmor issue
---
 .github/workflows/dependabot-automerge.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/dependabot-automerge.yaml b/.github/workflows/dependabot-automerge.yaml
index 26c631f..34f83d3 100644
--- a/.github/workflows/dependabot-automerge.yaml
+++ b/.github/workflows/dependabot-automerge.yaml
@@ -38,7 +38,7 @@ jobs: private_key: ${{ secrets.DEPENDABOTREVIEWER_PEM }} - name: Dependabot metadata id: dependabot-metadata - uses: dependabot/fetch-metadata@v1.5.1 + uses: dependabot/fetch-metadata@cd6e996708b8cfe0b639401134a3b9a3177be7b2 # v1.5.1 - name: Enable auto-merge for Dependabot PRs run: gh pr merge --auto --${MERGE_METHOD} "$PR_URL" env: