From e56bfb784db222a7ee4246ce4f4f274374f55cfe Mon Sep 17 00:00:00 2001 From: Jason Karns Date: Fri, 1 Aug 2025 09:36:22 -0400 Subject: [PATCH 1/3] Add autoversioning workflow ala node-build --- .github/workflows/version.yml | 40 +++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 .github/workflows/version.yml diff --git a/.github/workflows/version.yml b/.github/workflows/version.yml new file mode 100644 index 00000000..70f90516 --- /dev/null +++ b/.github/workflows/version.yml @@ -0,0 +1,40 @@ +name: Version Bump +on: + push: { branches: main, paths: "share/node-build/**" } + schedule: [{ cron: "0 10 * * SAT" }] # weekly: https://crontab.guru/#0_10_*_*_SAT + workflow_dispatch: + inputs: + version: + description: "An explicit version (or major|minor|patch) to tag." + default: "" + required: false + type: string + +permissions: { contents: read } +jobs: + bump: + runs-on: ubuntu-latest + steps: + - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 + with: { egress-policy: audit } + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + fetch-depth: 0 + token: ${{ secrets.BOT_TOKEN }} + + - if: ${{ !inputs.version }} + run: |- + npm run preversion --silent -- -o -v -- share/node-build || status=$? + case "${status:-0}" in + 0) echo "bump=patch" >> "$GITHUB_ENV";; + 1) exit 0;; # exit successfully to mask error, but don't release + *) exit "$status" ;; # all other error codes are true failures + esac + + - if: ${{ inputs.version || env.bump }} + run: npm version ${{ inputs.version || env.bump }} + env: + GIT_AUTHOR_NAME: ${{ vars.NODENV_BOT_NAME }} + GIT_AUTHOR_EMAIL: ${{ vars.NODENV_BOT_EMAIL }} + GIT_COMMITTER_NAME: ${{ vars.GHA_BOT_NAME }} + GIT_COMMITTER_EMAIL: ${{ vars.GHA_BOT_EMAIL }} From 8f9574b72d1894a7676345ad08820f28afa8efa2 Mon Sep 17 00:00:00 2001 
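Review bot: The last step in this hunk expands `${{ inputs.version || env.bump }}` straight into the `run:` line, so the dispatch input is substituted into the script text before the shell ever sees it; the usual mitigation is to route it through an environment variable, i.e. `run: npm version "$VERSION"` with `VERSION: ${{ inputs.version || env.bump }}` added under that step's existing `env:` block (the `if:` condition can stay as it is). Triggering `workflow_dispatch` already requires write access to the repository, so the practical exposure is limited, but the env-var form is what CKV_GHA_7-style checks are looking for, and it is the same pattern applied to the author/committer identity in the hunk. Separately, `permissions` grants only `contents: read` while the job creates a version commit and tag, so any push presumably depends on the `secrets.BOT_TOKEN` that `actions/checkout` persists; a short comment on the `token:` line such as `# PAT: GITHUB_TOKEN is read-only in this job and cannot push the version commit/tag` would spare the next reader the inference.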
From: Jason Karns Date: Fri, 1 Aug 2025 09:46:36 -0400 Subject: [PATCH 2/3] CKV_GHA_7 rule is dumb workflow_dispatch is now allowed to accept parameters? What is even the point? https://github.com/bridgecrewio/checkov/issues/3839 --- .github/linters/.checkov.yaml | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 .github/linters/.checkov.yaml diff --git a/.github/linters/.checkov.yaml b/.github/linters/.checkov.yaml new file mode 100644 index 00000000..f825a452 --- /dev/null +++ b/.github/linters/.checkov.yaml @@ -0,0 +1,3 @@ +# https://github.com/bridgecrewio/checkov#configuration-using-a-config-file +skip-check: + - CKV_GHA_7 From f0269071a1648136936bafad9c345d081aad7972 Mon Sep 17 00:00:00 2001 From: Jason Karns Date: Fri, 1 Aug 2025 09:53:19 -0400 Subject: [PATCH 3/3] Disable CKV_GHA_7 via inline exception --- .github/linters/.checkov.yaml | 3 --- .github/workflows/version.yml | 2 +- 2 files changed, 1 insertion(+), 4 deletions(-) delete mode 100644 .github/linters/.checkov.yaml diff --git a/.github/linters/.checkov.yaml b/.github/linters/.checkov.yaml deleted file mode 100644 index f825a452..00000000 --- a/.github/linters/.checkov.yaml +++ /dev/null @@ -1,3 +0,0 @@ -# https://github.com/bridgecrewio/checkov#configuration-using-a-config-file -skip-check: - - CKV_GHA_7 diff --git a/.github/workflows/version.yml b/.github/workflows/version.yml index 70f90516..138f5b98 100644 --- a/.github/workflows/version.yml +++ b/.github/workflows/version.yml @@ -4,7 +4,7 @@ on: schedule: [{ cron: "0 10 * * SAT" }] # weekly: https://crontab.guru/#0_10_*_*_SAT workflow_dispatch: inputs: - version: + version: # checkov:skip=CKV_GHA_7 description: "An explicit version (or major|minor|patch) to tag." default: "" required: false
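Review bot: The inline suppression `# checkov:skip=CKV_GHA_7` added on the `version:` line carries no justification, although checkov's inline syntax accepts one after a second colon and the reason is otherwise recoverable only from the commit message of the previous patch. Suggest `version: # checkov:skip=CKV_GHA_7: explicit version is an intended dispatch parameter, see bridgecrewio/checkov#3839`. The check exists because dispatch inputs can steer the build, and the input is consumed by the `npm version` step further down the file, so the stated reason should say how that step constrains the value; the `inputs` mapping itself continues past the end of this hunk.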