Update GitHub Actions, add zizmor security linter, and configure Dependabot (#16)

* Update GitHub Actions to latest major versions

- actions/checkout v4 → v6
- slackapi/slack-github-action v1 → v3 (migrate to new input API)
- actions/stale v9 → v10

* Add zizmor GitHub Actions security linter

- Add zizmor workflow as a PR check
- Add persist-credentials: false to all checkout steps
- Add .zizmor.yml config to disable unpinned-uses and secrets-outside-env
  (intentional for reusable workflows)
- Add inline ignores for template-injection on trusted workflow_call inputs
  and step outputs

* Fix zizmor-action version to v0.5.3

No v0 major version tag exists; pin to latest point release.

* Add Dependabot config for GitHub Actions updates

* Pass .zizmor.yml config to zizmor-action

Without this, the action runs with default settings and reports
unpinned-uses findings that we've intentionally disabled.

* Pin all actions to SHA hashes and remove blanket zizmor disables

Replace tag references with SHA-pinned references for all actions.
Replace blanket unpinned-uses and secrets-outside-env disables with
targeted inline ignores where appropriate. Remove .zizmor.yml since
no global rule overrides are needed.

* Clean up zizmor workflow style to match other workflows

* Expand README with workflow documentation and usage examples

Author: dduugg

.github/dependabot.yml

@@ -0,0 +1,8 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: monthly
+    cooldown:
+      default-days: 7

.github/workflows/cd.yml

@@ -3,35 +3,35 @@ name: CD
 on:
   workflow_call:
 jobs:
-  deploy:
+  deploy: # zizmor: ignore[secrets-outside-env] reusable workflow; environments are managed by callers
     runs-on: ubuntu-latest
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Tag and Push Gem
         id: tag-and-push-gem
-        uses: discourse/publish-rubygems-action@v3
+        uses: discourse/publish-rubygems-action@4bd305c65315cb691bad1e8de97a87aaf29a0a85 # v3
         env:
           GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
           GIT_EMAIL: ${{secrets.GUSTO_GIT_EMAIL}}
           GIT_NAME: ${{secrets.GUSTO_GIT_NAME}}
           RUBYGEMS_API_KEY: ${{secrets.RUBYGEMS_API_KEY}}
       - name: Create GitHub Release
+        # zizmor: ignore[template-injection] gem_version comes from a trusted prior step
         run: gh release create v${{steps.tag-and-push-gem.outputs.gem_version}} --generate-notes
         if: ${{ steps.tag-and-push-gem.outputs.new_version == 'true' }}
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  notify_on_failure:
+  notify_on_failure: # zizmor: ignore[secrets-outside-env] reusable workflow; environments are managed by callers
     runs-on: ubuntu-latest
     needs: [deploy]
     if: ${{ failure() && github.ref == 'refs/heads/main' }}
-    env:
-      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
     steps:
-      - uses: slackapi/slack-github-action@v1.25.0
+      - uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3
         with:
+          webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
+          webhook-type: incoming-webhook
           payload: |
-            {
-              "text": "${{ github.repository }}/${{ github.ref }}: FAILED\n${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
-            }
+            text: "${{ github.repository }}/${{ github.ref }}: FAILED\n${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"

.github/workflows/ci.yml

@@ -27,23 +27,28 @@ jobs:
       BUNDLE_GEMFILE: Gemfile
     name: "Run tests: Ruby ${{ matrix.ruby }}"
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Install ripgrep
         run: sudo apt-get install -y ripgrep
       - name: Set up Ruby ${{ matrix.ruby }}
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@4c56a21280b36d862b5fc31348f463d60bdc55d5 # v1
         with:
           bundler-cache: true
           ruby-version: ${{ matrix.ruby }}
       - name: Run tests
+        # zizmor: ignore[template-injection] workflow_call inputs are controlled by the caller
         run: ${{ inputs.test-command }}
   static_type_check:
     name: "Type Check"
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@4c56a21280b36d862b5fc31348f463d60bdc55d5 # v1
         with:
           bundler-cache: true
           ruby-version: 3.4
@@ -53,25 +58,25 @@ jobs:
     runs-on: ubuntu-latest
     name: "Linter"
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@4c56a21280b36d862b5fc31348f463d60bdc55d5 # v1
         with:
           bundler-cache: true
           ruby-version: 3.4
       - name: Run linter
+        # zizmor: ignore[template-injection] workflow_call inputs are controlled by the caller
         run: ${{ inputs.linter-command }}
-  notify_on_failure:
+  notify_on_failure: # zizmor: ignore[secrets-outside-env] reusable workflow; environments are managed by callers
     runs-on: ubuntu-latest
     needs: [run_tests, static_type_check, run_linter]
     if: ${{ failure() && github.ref == 'refs/heads/main' }}
-    env:
-      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
     steps:
-      - uses: slackapi/slack-github-action@v1.25.0
+      - uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3
         with:
+          webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
+          webhook-type: incoming-webhook
           payload: |
-            {
-              "text": "${{ github.repository }}/${{ github.ref }}: FAILED\n${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
-            }
+            text: "${{ github.repository }}/${{ github.ref }}: FAILED\n${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"

.github/workflows/stale.yml

@@ -6,7 +6,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10
         with:
           stale-issue-message: 'This issue has been marked stale because it has been open for six months with no activity. To prevent this issue from automatically being closed in one week, update it or remove the stale label.'
           stale-pr-message: 'This PR has been marked stale because it has been open for six months with no activity. To prevent this PR from automatically being closed in one week, update it or remove the stale label.'

.github/workflows/zizmor.yml

@@ -0,0 +1,23 @@
+name: GitHub Actions Security Analysis
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: ["**"]
+
+permissions: {}
+
+jobs:
+  zizmor:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read
+      actions: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3

README.md

@@ -1 +1,61 @@
-# shared-config
+# shared-config
+
+Shared reusable GitHub Actions workflows for [rubyatscale](https://github.com/rubyatscale) gems.
+
+## Workflows
+
+### Reusable workflows (`workflow_call`)
+
+These workflows are called from individual gem repos via `uses: rubyatscale/shared-config/.github/workflows/<name>.yml@main`.
+
+| Workflow | Description |
+|----------|-------------|
+| **CI** (`ci.yml`) | Runs tests across Ruby 3.2–4.0, Sorbet type checking, and linting (RuboCop). Test and linter commands are configurable via inputs. |
+| **CD** (`cd.yml`) | Publishes the gem to RubyGems and creates a GitHub Release on successful main builds. |
+| **Stale** (`stale.yml`) | Marks issues and PRs as stale after 180 days of inactivity, then closes them after 7 more days. |
+| **Triage** (`triage.yml`) | Labels new issues with `triage`. |
+
+### Repository workflows
+
+| Workflow | Description |
+|----------|-------------|
+| **zizmor** (`zizmor.yml`) | Runs the [zizmor](https://github.com/zizmorcore/zizmor) security linter against all workflow files on every push and PR. |
+
+## Usage
+
+In a gem repo, create a workflow that calls the shared workflow:
+
+```yaml
+# .github/workflows/ci.yml
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+jobs:
+  ci:
+    uses: rubyatscale/shared-config/.github/workflows/ci.yml@main
+```
+
+### CI inputs
+
+| Input | Default | Description |
+|-------|---------|-------------|
+| `test-command` | `bundle exec rspec` | Command to run tests |
+| `linter-command` | `bundle exec rubocop` | Command to run the linter |
+
+### Required secrets
+
+The **CD** workflow requires the following secrets in the calling repo:
+
+- `GUSTO_GIT_EMAIL` / `GUSTO_GIT_NAME` — Git identity for tagging
+- `RUBYGEMS_API_KEY` — API key for publishing to RubyGems
+- `SLACK_WEBHOOK_URL` — Incoming webhook URL for failure notifications (used by both CI and CD)
+
+## Security
+
+- All action references are pinned to SHA hashes
+- [zizmor](https://github.com/zizmorcore/zizmor) runs on every PR to lint workflows for security issues
+- [Dependabot](https://docs.github.com/en/code-security/dependabot) is configured for monthly GitHub Actions updates