Seagate · vonericsen · Apr 14, 2026 · Apr 10, 2026 · Apr 10, 2026 · Apr 14, 2026
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -13,3 +13,5 @@ updates:
     directory: "/.github/workflows"
     schedule:
       interval: "weekly"
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/c-cpp.yml b/.github/workflows/c-cpp.yml
@@ -1,6 +1,8 @@
 # SPDX-License-Identifier: MPL-2.0
 name: C/C++ CI
 
+permissions: {}
+
 on:
   push:
     branches: [ develop, master, release/*, feature/*, hotfix/* ]
@@ -50,18 +52,23 @@ jobs:
       with:
         egress-policy: audit
 
-    - uses: actions/checkout@v6.0.2
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       continue-on-error: true  # rsync code 24: harmless cleanup-phase race during VM setup
       with:
+        persist-credentials: false
         submodules: recursive
 
     - name: Escape backslash in branch name
       run: echo "BRANCH_NAME=$(echo ${GITHUB_REF#refs/heads/} | tr / -)" >> $GITHUB_ENV
 
     - name: Set release name
+      id: release_vars
+      env:
+        RELEASE_NAME: ${{ matrix.config.release_name }}
       run: |
-        DESTDIR="openSeaChest-${BRANCH_NAME}-${{ matrix.config.release_name }}"
+        DESTDIR="openSeaChest-${BRANCH_NAME}-${RELEASE_NAME}"
         echo "DESTDIR=${DESTDIR}" >> $GITHUB_ENV
+        echo "destdir=${DESTDIR}" >> $GITHUB_OUTPUT
 
     - name: Add Mingw-w64 to path
       if: startsWith(matrix.config.name, 'Windows GCC')
@@ -73,22 +80,30 @@ jobs:
 
     - name: make
       working-directory: ${{ matrix.config.builddir }}
+      env:
+        MAKEFILE_NAME: ${{ matrix.config.makefile }}
       run: |
-        make release -f ${{ matrix.config.makefile }}
+        make release -f "$MAKEFILE_NAME"
 
     - name: Packing release
       env:
+        DESTDIR: ${{ steps.release_vars.outputs.destdir }}
         ARCHIVE_EXT: ${{ matrix.config.release_extension }}
+        RELEASE_BUILD_DIR: ${{ matrix.config.builddir }}
       run: |
         mkdir build
         cd build
-        ${{ matrix.config.archive_command }} "${DESTDIR}${ARCHIVE_EXT}" ../${{ matrix.config.builddir }}/openseachest_exes
+        if [[ "$ARCHIVE_EXT" == ".zip" ]]; then
+          7z a -tzip -mmt "${DESTDIR}${ARCHIVE_EXT}" "../${RELEASE_BUILD_DIR}/openseachest_exes"
+        else
+          tar cvfJ "${DESTDIR}${ARCHIVE_EXT}" "../${RELEASE_BUILD_DIR}/openseachest_exes"
+        fi
 
     - name: Uploading artifacts
-      uses: actions/upload-artifact@v7.0.0
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
       with:
-        name: ${{ format('{0}', env.DESTDIR) }}
-        path: ${{ format('./build/{0}{1}', env.DESTDIR, matrix.config.release_extension) }}
+        name: ${{ steps.release_vars.outputs.destdir }}
+        path: ${{ format('./build/{0}{1}', steps.release_vars.outputs.destdir, matrix.config.release_extension) }}
 
     # - name: Publish release
     #   if: ${{ startsWith(github.ref, 'refs/tags/v') && matrix.config.publish_release }}

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -6,6 +6,8 @@
 # or to provide custom queries or build logic.
 name: "CodeQL"
 
+permissions: {}
+
 on:
   push:
     branches: [develop, master]
@@ -24,9 +26,9 @@ jobs:
     name: Analyze
     runs-on: ${{ matrix.config.os }}
     permissions:
-      security-events: write
+      security-events: write # Upload CodeQL SARIF results to code scanning.
       contents: read
-      actions: read
+      actions: read # Allow CodeQL to inspect workflow and action metadata.
     strategy:
       fail-fast: false
       matrix:
@@ -76,17 +78,18 @@ jobs:
         egress-policy: audit
 
     - name: Checkout repository
-      uses: actions/checkout@v6.0.2
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       continue-on-error: true  # rsync code 24: harmless cleanup-phase race during VM setup
       with:
+        persist-credentials: false
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.
         fetch-depth: 2
         submodules: recursive
 
     - name: Settings vars for MSVC
       if: startsWith(matrix.config.name, 'Windows MSVC')
-      uses: ilammy/msvc-dev-cmd@v1
+      uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0
       with:
         arch: ${{ matrix.config.arch }}
 
@@ -97,7 +100,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v4
+      uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -118,7 +121,7 @@ jobs:
     #    uses a compiled language
 
     - name: Setup pip cache
-      uses: actions/cache@v5.0.0
+      uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # v5.0.0
       with:
         path: |
           ~/.cache/pip
@@ -134,10 +137,16 @@ jobs:
       env:
         CC: ${{ matrix.config.cc }}
         CXX: ${{ matrix.config.cxx }}
+        MESON_OPTS: ${{ matrix.config.meson_opts }}
       run: |
         pip install meson ninja
         $prefix = Join-Path $env:GITHUB_WORKSPACE 'install'
-        meson setup build --prefix "$prefix" -Dmandir=man -Dbindir=bin ${{ matrix.config.meson_opts }} --buildtype=release
+        $mesonArgs = @('setup', 'build', '--prefix', $prefix, '-Dmandir=man', '-Dbindir=bin')
+        if ($env:MESON_OPTS) {
+          $mesonArgs += ($env:MESON_OPTS -split ' ')
+        }
+        $mesonArgs += '--buildtype=release'
+        meson @mesonArgs
         meson install -C build
 
     - name: Install Meson and Ninja and Build (Github runners - non-MSVC)
@@ -146,10 +155,17 @@ jobs:
       env:
         CC: ${{ matrix.config.cc }}
         CXX: ${{ matrix.config.cxx }}
+        MESON_OPTS: ${{ matrix.config.meson_opts }}
       run: |
         pip install meson ninja
-        meson setup build --prefix "$GITHUB_WORKSPACE/install" -Dmandir=man -Dbindir=bin ${{ matrix.config.meson_opts }} --buildtype=release
+        meson_args=(setup build --prefix "$GITHUB_WORKSPACE/install" -Dmandir=man -Dbindir=bin)
+        if [[ -n "$MESON_OPTS" ]]; then
+          read -r -a extra_meson_args <<< "$MESON_OPTS"
+          meson_args+=("${extra_meson_args[@]}")
+        fi
+        meson_args+=(--buildtype=release)
+        meson "${meson_args[@]}"
         meson install -C build
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v4
+      uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -1,28 +1,34 @@
 # SPDX-License-Identifier: MPL-2.0
 name: Dependency Review
 
+permissions: {}
+
 on:
   pull_request:
     branches: [ develop ]
 
-permissions:
-  contents: read
-  pull-requests: write
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
 
 jobs:
   dependency-review:
+    name: Dependency review
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.14.1
         with:
           egress-policy: audit
 
       - name: Checkout Repository
-        uses: actions/checkout@v6.0.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Dependency Review
-        uses: actions/dependency-review-action@v4
+        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
         with:
           fail-on-severity: high
           warn-on-openssf-scorecard-level: 3
diff --git a/.github/workflows/flawfinder.yml b/.github/workflows/flawfinder.yml
@@ -5,6 +5,8 @@
 
 name: flawfinder
 
+permissions: {}
+
 on:
   push:
     branches: [ "develop", "master", "release/*" ]
@@ -14,22 +16,27 @@ on:
   schedule:
     - cron: '39 23 * * 1'
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+
 jobs:
   flawfinder:
     name: Flawfinder
     runs-on: ubuntu-latest
     permissions:
-      actions: read
+      actions: read # Allow the workflow to inspect action metadata during analysis.
       contents: read
-      security-events: write
+      security-events: write # Upload flawfinder SARIF results to code scanning.
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.14.1
         with:
           egress-policy: audit
 
       - name: Checkout code
-        uses: actions/checkout@v6.0.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: flawfinder_scan
         uses: david-a-wheeler/flawfinder@c57197cd6061453f10a496f30a732bc1905918d1
@@ -38,6 +45,6 @@ jobs:
           output: 'flawfinder_results.sarif'
 
       - name: Upload analysis results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
         with:
           sarif_file: ${{github.workspace}}/flawfinder_results.sarif