From 33d64f56b650351646ef1fac194138db1a7dec4b Mon Sep 17 00:00:00 2001 From: Christian Oliff Date: Mon, 8 Sep 2025 18:05:17 +0900 Subject: [PATCH 1/2] Update GitHub Actions --- .cspell.json | 1 + .cursor/rules/general.mdc | 3 ++- .github/CODEOWNERS | 3 +++ .github/workflows/codeql-analysis.yml | 10 ++++++---- .github/workflows/{pubish.yml => publish.yml} | 10 ++++++++-- .github/workflows/spellcheck.yml | 7 +++++-- .github/workflows/super-linter.yml | 3 ++- .github/workflows/test.yml | 4 ++-- 8 files changed, 29 insertions(+), 12 deletions(-) create mode 100644 .github/CODEOWNERS rename .github/workflows/{pubish.yml => publish.yml} (70%) diff --git a/.cspell.json b/.cspell.json index 96eabed..8dc53ce 100644 --- a/.cspell.json +++ b/.cspell.json @@ -12,6 +12,7 @@ "nvmrc", "rollup", "ruleset", + "sarif", "tagname", "vite", "VSIX" diff --git a/.cursor/rules/general.mdc b/.cursor/rules/general.mdc index ae692e6..80a5af7 100644 --- a/.cursor/rules/general.mdc +++ b/.cursor/rules/general.mdc @@ -3,8 +3,9 @@ description: globs: alwaysApply: true --- + - Before declaring a task is complete, compile the extension to ensure it completes with no errors. - Never downgrade dependencies - Always run commands using PowerShell on Windows - Newly added version/features for the Extension Changelog go at the top. -- As a general rule: rules, attributes, lists shoud be alphabetical order. +- As a general rule: some rules, attributes, lists should be in alphabetical order. diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..6b4c901 --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,3 @@ +# About CODEOWNERS - https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners + +* @coliff diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 8672dc7..78acbf8 100644 --- a/.github/workflows/codeql-analysis.yml 
+++ b/.github/workflows/codeql-analysis.yml @@ -27,10 +27,12 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@f1f6e5f6af878fb37288ce1c627459e94dbf7d01 # v3.30.1 with: languages: ${{ matrix.language }} queries: +security-and-quality @@ -39,9 +41,9 @@ jobs: - test/* - name: Autobuild - uses: github/codeql-action/autobuild@v3 + uses: github/codeql-action/autobuild@f1f6e5f6af878fb37288ce1c627459e94dbf7d01 # v3.30.1 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@f1f6e5f6af878fb37288ce1c627459e94dbf7d01 # v3.30.1 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/pubish.yml b/.github/workflows/publish.yml similarity index 70% rename from .github/workflows/pubish.yml rename to .github/workflows/publish.yml index 1ea17ae..9e4b12a 100644 --- a/.github/workflows/pubish.yml +++ b/.github/workflows/publish.yml @@ -5,13 +5,19 @@ on: workflow_dispatch: name: Deploy Extension +permissions: + contents: read + id-token: write + jobs: deploy: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: 22 diff --git a/.github/workflows/spellcheck.yml b/.github/workflows/spellcheck.yml index 551b93e..47ce2c7 100644 --- a/.github/workflows/spellcheck.yml +++ b/.github/workflows/spellcheck.yml 
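Review bot: In publish.yml, `id-token: write` is added to the workflow-level `permissions:` block, so every job and step in the workflow can request an OIDC token, yet neither step visible in this hunk (checkout, setup-node) consumes one. If the publish step, which lies outside the hunk, authenticates through OIDC, declare the grant on the `deploy` job instead and keep the workflow-level block at `contents: read`. If it authenticates with a stored secret, drop `id-token: write` altogether. Either way, a one-line comment such as `# id-token: needed by <publish step> for OIDC` (placeholder) would record why the permission exists.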
@@ -13,8 +13,11 @@ jobs: runs-on: ubuntu-latest if: ${{ github.actor != 'dependabot[bot]' }} steps: - - uses: actions/checkout@v4 - - uses: streetsidesoftware/cspell-action@v7 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false + + - uses: streetsidesoftware/cspell-action@dcd03dc3e8a59ec2e360d0c62db517baa0b4bb6d # v7.2.0 with: check_dot_files: false incremental_files_only: true diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml index c99d0de..e7d2ff3 100644 --- a/.github/workflows/super-linter.yml +++ b/.github/workflows/super-linter.yml @@ -19,9 +19,10 @@ jobs: steps: - name: Checkout Code - uses: actions/checkout@v4 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 + persist-credentials: false - name: Lint Code Base uses: super-linter/super-linter/slim@v8 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 9e05c36..77cc491 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -27,12 +27,12 @@ jobs: steps: - name: Clone repository - uses: actions/checkout@v4 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - name: Set up Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: ${{ matrix.node }} cache: npm From 5e52e2db01d4bc5c409b0c6bc0c5494f011d728f Mon Sep 17 00:00:00 2001 From: Christian Oliff Date: Mon, 8 Sep 2025 18:11:33 +0900 Subject: [PATCH 2/2] Fixes --- .cspell.json | 3 ++- .github/workflows/spellcheck.yml | 2 +- .github/workflows/super-linter.yml | 1 + 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.cspell.json b/.cspell.json index 8dc53ce..64ab47b 100644 --- a/.cspell.json +++ b/.cspell.json @@ -15,7 +15,8 @@ "sarif", "tagname", "vite", - "VSIX" + "VSIX", + "ZIZMOR" ], "flagWords": [ "hte" 
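Review bot: In super-linter.yml the `Lint Code Base` step still reads `uses: super-linter/super-linter/slim@v8`, a mutable tag, while the checkout directly above it is now pinned to a commit SHA. The job therefore still runs whatever `v8` points to at execution time, which is the exposure the rest of this commit removes. Pin it like the other actions, e.g. `uses: super-linter/super-linter/slim@<full-commit-sha> # v8.x.y` (placeholder; take the SHA from the release you have reviewed). The step's `env:` block continues outside this hunk, so which token the linter receives cannot be confirmed from here.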
diff --git a/.github/workflows/spellcheck.yml b/.github/workflows/spellcheck.yml index 47ce2c7..09d1be5 100644 --- a/.github/workflows/spellcheck.yml +++ b/.github/workflows/spellcheck.yml @@ -16,7 +16,7 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - + - uses: streetsidesoftware/cspell-action@dcd03dc3e8a59ec2e360d0c62db517baa0b4bb6d # v7.2.0 with: check_dot_files: false diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml index e7d2ff3..21bca17 100644 --- a/.github/workflows/super-linter.yml +++ b/.github/workflows/super-linter.yml @@ -36,6 +36,7 @@ jobs: SUPPRESS_POSSUM: true VALIDATE_ALL_CODEBASE: false VALIDATE_EDITORCONFIG: false + VALIDATE_GITHUB_ACTIONS_ZIZMOR: false VALIDATE_HTML: false VALIDATE_HTML_PRETTIER: false VALIDATE_JSCPD: false
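Review bot: `VALIDATE_GITHUB_ACTIONS_ZIZMOR: false` in super-linter.yml switches off the linter's zizmor audit of the workflow files, and neither the commit message ("Fixes") nor the file says which findings prompted it. With the validator off, later workflow changes will no longer be checked for the kind of problems patch 1/2 fixed by hand, presumably including unpinned actions, persisted checkout credentials and broad permissions. Prefer resolving the reported findings and leaving the check on. If it must stay disabled, record the reason next to the setting, e.g. `# zizmor disabled: <finding(s) / tracking issue>` (placeholder).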