ci: revert SECURITY.md, docker dependabot, and zizmor comments

claude · claude · commit 340f3dba8416 · 2026-04-16T06:03:46.000Z
- Revert SECURITY.md to original (no new sections) - Remove docker package-ecosystem from Dependabot (nightly scheduled workflow already updates base images) - Remove added comments and Astral references from zizmor.yaml https://claude.ai/code/session_01YEC8c9bU4Mory8FFoiAS5T
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
@@ -37,21 +37,3 @@ updates:
           - "*"
     cooldown:
       default-days: 7
-  # Docker base images. Astral recommends keeping the supply chain
-  # under continuous review; Dependabot opens a PR whenever a new base
-  # image becomes available so we never silently fall behind security
-  # patches.
-  - package-ecosystem: docker
-    directories:
-      - /
-      - /caddy
-    schedule:
-      interval: weekly
-    commit-message:
-      prefix: chore(docker)
-    groups:
-      docker:
-        patterns:
-          - "*"
-    cooldown:
-      default-days: 7
diff --git a/SECURITY.md b/SECURITY.md
@@ -16,29 +16,3 @@ Please write a detailed vulnerability report and send it [through GitHub](https:
 
 Only vulnerabilities directly affecting FrankenPHP should be reported to this project.
 Flaws affecting components used by FrankenPHP (PHP, Caddy, Go...) or using FrankenPHP (Laravel Octane, PHP Runtime...) should be reported to the relevant projects.
-
-## Supply-chain hardening
-
-FrankenPHP follows the open-source security practices from
-[Astral's security guide](https://astral.sh/blog/open-source-security-at-astral):
-
-- **Workflow auditing** --
-  [Super Linter](https://github.com/super-linter/super-linter) runs
-  [zizmor](https://docs.zizmor.sh/) on every pull request.
-  The `unpinned-uses` rule in `zizmor.yaml` requires a tag pin on every action.
-- **Least-privilege permissions** --
-  Every workflow starts with `permissions: {}` and only grants access per job.
-- **Environment-scoped secrets** --
-  Secrets for publishing (Docker Hub, website deploy, translation API)
-  live in dedicated GitHub Environments (`dockerhub`, `website`, `translate`).
-- **Build provenance** --
-  Release binaries carry
-  [`attest-build-provenance`](https://github.com/actions/attest-build-provenance)
-  attestations.
-- **Dependency updates** --
-  Dependabot tracks Go modules, GitHub Actions, and Docker base images.
-- **Safe triggers** --
-  Workflows never use `pull_request_target`.
-- **No persisted credentials** --
-  All `actions/checkout` steps set `persist-credentials: false`
-  unless the job needs to push.
diff --git a/zizmor.yaml b/zizmor.yaml
@@ -1,16 +1,6 @@
 ---
-# zizmor static-analysis configuration.
-#
-# See https://docs.zizmor.sh/configuration/ for the full reference.
-#
-# Inspired by Astral's open-source security guidance:
-# https://astral.sh/blog/open-source-security-at-astral
 rules:
   unpinned-uses:
     config:
       policies:
-        # Every action must be pinned to at least a tag (`@v6`).
-        # Hash-pinning to a commit SHA is the long-term goal recommended
-        # by Astral; once the migration is complete, switch this policy
-        # to `hash-pin` so that mutable tags can no longer reach CI.
         "*": ref-pin
