- Remove unsupported `deprecated: true` from language-version-detect/action.yml
(deprecation already communicated via description field)
- Scope action-validator pre-commit hook to workflow and action.yml files only
- Make missing pre-commit a hard error in lint-actions target
Update uv-pre-commit 0.10.9→0.10.11 and checkov 3.2.508→3.2.510.
Normalize single quotes to double quotes in hook args.
Add action-validator v0.8.0 hook for GitHub Actions validation.
* fix(ci): use the latest openssf scorecard action
* fix(ci): replace scorecard workflow with upstream reference
Replace our custom scorecard workflow with the official ossf/scorecard
workflow template for better alignment with upstream recommendations.
* feat(security): add OpenSSF Scorecard workflow and maximize score
- Add scorecard.yml workflow (weekly + push to main) with SARIF upload
- Add CONTRIBUTING.md for contributor guidelines
- Add SLSA provenance attestation job to release workflow
- Add CycloneDX SBOM generation job to release workflow
- Pin Dockerfile base images to sha256 digests
- Enable Renovate pinDigests and platformAutomerge
- Add OpenSSF Scorecard badge to README
* fix(docs): address PR #498 review comments and remove .coderabbit.yaml
- Delete .coderabbit.yaml (falls back to shared org-level config)
- Add missing linter deps to CONTRIBUTING.md install step
- Separate make all and make test into distinct steps
- Fix line length note to match EditorConfig (200 chars, no MD override)
- Add yamllint/markdownlint to YAML/JSON/Markdown linter list
- Refine action references guidance
- Expand "Adding a New Action" section with action-docs and catalog info
* feat(pr-lint): consolidate dependency review into pr-lint action
Move dependency review from standalone workflow into the pr-lint
composite action. Adds repository visibility check via GitHub API
and runs dependency-review-action only on public repos during
pull_request events, before MegaLinter.
* fix(pr-lint): harden dependency review visibility check
Address PR review feedback from Copilot and CodeRabbit:
- Skip visibility check on non-PR events (if: pull_request)
- Add continue-on-error so API failures don't block MegaLinter
- Use curl --fail --show-error to surface HTTP errors in logs
- Use github.token directly instead of inputs.token fallback
- Add Accept header for GitHub API versioning
- Validate jq output type to fail closed on bad API responses
* fix(pr-lint): use event payload for visibility, unblock MegaLinter on dep review
Replace curl API call with local jq read from $GITHUB_EVENT_PATH for
the repository visibility check — simpler, faster, no auth needed.
Add continue-on-error to dependency review so MegaLinter always runs,
with a re-fail step after artifacts upload to preserve the failure signal.
* chore(claude): add hooks, skills, and agents for Claude Code
Add auto-formatting hooks (ruff, shfmt, prettier, actionlint),
rules.yml edit blocker, 5 skills (/release, /test-action,
/new-action, /validate, /check-pins), and 2 subagents
(action-validator, test-coverage-reviewer). Update CLAUDE.md
with hook documentation.
* fix(claude): add tool availability guards and fix skill docs
Add jq availability checks to hook scripts (block-rules-yml.sh,
post-edit-write.sh) and wrap actionlint call in command -v guard,
consistent with project rules #2 and #10. Fix validate skill to
reflect actual make all pipeline order and note that make test
runs separately.
* fix(claude): correct skill docs per PR review feedback
Fix validate skill description to say "precommit" instead of "test",
and fix check-pins SHA guidance to use origin/main instead of HEAD.
* feat(tools): add SHA-pinning enforcement to check-version-refs
The check-version-refs script previously only displayed existing
SHA-pinned refs but silently skipped non-SHA references. Add a
validation pass that detects and reports any ivuorinen/actions/*
references not using a 40-char hex SHA, exiting 1 on violations.
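Added example, not the repository's own check-version-refs.sh: a small shell check that reports any `ivuorinen/actions/*` reference in the given workflow files whose ref is not a 40-character hex commit SHA and exits 1 on violations. The sample workflow, its file name and the pinned SHA value are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not the project's own check-version-refs.sh.
# Reports every `uses: ivuorinen/actions/<name>@<ref>` in the given workflow
# files whose <ref> is not a 40-character hex commit SHA; exits 1 on violations.
set -eu

SHA_RE='^[0-9a-f]{40}$'

# Usage: check_sha_pins FILE...  Prints "file:line: uses-value" per violation.
# Returns 0 when every ivuorinen/actions/* ref is SHA-pinned, 1 otherwise.
check_sha_pins() {
  violations=$(
    # /dev/null forces the "file:line:" prefix even for a single file;
    # a no-match exit from grep is not an error here (pipeline status is the loop's).
    grep -nE "uses:[[:space:]]*[\"']?ivuorinen/actions/" /dev/null "$@" |
      while IFS= read -r hit; do
        file=${hit%%:*}; rest=${hit#*:}
        lineno=${rest%%:*}; content=${rest#*:}
        # Keep only the value after "uses:", dropping quotes and any "# vX.Y.Z" comment.
        uses=$(printf '%s\n' "$content" |
          sed -E "s/.*uses:[[:space:]]*[\"']?//; s/[\"']?[[:space:]]*(#.*)?\$//")
        ref=${uses#*@}   # with no "@" at all, ref == uses and fails the SHA test below
        printf '%s\n' "$ref" | grep -Eq "$SHA_RE" ||
          printf '%s:%s: %s\n' "$file" "$lineno" "$uses"
      done
  )
  if [ -z "$violations" ]; then
    return 0
  fi
  printf '%s\n' "$violations"
  return 1
}

# Constructed sample workflow for the demo: one SHA-pinned ref (placeholder
# SHA), two unpinned refs, and one third-party action that is out of scope.
write_sample_workflow() {
  cat >"$1" <<'EOF'
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ivuorinen/actions/pr-lint@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: "ivuorinen/actions/check-pins@main"
      - uses: ivuorinen/actions/release@v2.0.0
EOF
}
```

Running `write_sample_workflow ci.yml && check_sha_pins ci.yml` lists the `@main` and `@v2.0.0` lines and returns 1; third-party actions such as `actions/checkout` are deliberately left to a separate check.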
* fix(tools): fix temp file leak in check-version-refs.sh
Write find output directly to $violations_file instead of
$violations_file.all so the EXIT trap covers cleanup on all
exit paths, not just the happy path.
* fix(deps): replace step-security/retry with nick-fields/retry
* chore(deps): update github action sha pins via pinact
* refactor: remove common-retry references from tests and validators
* chore: simplify description fallback and update action count
* docs: remove hardcoded test counts from memory and docs
Replace exact "769 tests" references with qualitative language
so these files don't go stale as test count grows.