From c2f57cefc2e1003c20e8caa44ec59de0b488f88b Mon Sep 17 00:00:00 2001
From: Omar <47008591+6f6d6172@users.noreply.github.com>
Date: Tue, 26 Aug 2025 12:48:44 -0400
Subject: [PATCH 1/3] bump claws version number + enable the new rule
---
 .github/workflows/claws.yml | 2 +-
 claws/config.yml | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/claws.yml b/.github/workflows/claws.yml
index 999da86..cd5265d 100644
--- a/.github/workflows/claws.yml
+++ b/.github/workflows/claws.yml
@@ -84,7 +84,7 @@ jobs:
 fetch-depth: 0
 - name: Set Up Claws
 run: |
- gem install claws-scan -v 0.7.3
+ gem install claws-scan -v 0.9.0
 - name: Analyze New/Changed Workflows
 env:
 CHANGED_FILES: ${{ needs.changed_workflows.outputs.files }}
diff --git a/claws/config.yml b/claws/config.yml
index 2106453..a36d9ba 100644
--- a/claws/config.yml
+++ b/claws/config.yml
@@ -15,3 +15,4 @@ Enabled:
 BulkPermissions:
 Shellcheck:
 shellcheck_bin: "/usr/bin/shellcheck"
+ CheckoutWithStaticCredentials:
From 8571e0a26f77885b7169ee9a2495a9f255faa766 Mon Sep 17 00:00:00 2001
From: Omar <47008591+6f6d6172@users.noreply.github.com>
Date: Tue, 26 Aug 2025 16:01:35 -0400
Subject: [PATCH 2/3] we need a more modern version of ruby here
---
 .github/workflows/claws.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/claws.yml b/.github/workflows/claws.yml
index cd5265d..6a261df 100644
--- a/.github/workflows/claws.yml
+++ b/.github/workflows/claws.yml
@@ -63,7 +63,7 @@ jobs:
 - name: Set Up Ruby
 uses: ruby/setup-ruby@d8d83c3960843afb664e821fed6be52f37da5267 # v1.231.0
 with:
- ruby-version: '3.0'
+ ruby-version: '3.2.3'
 - name: Get Claws Config
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
From 56833cd6ffaefa07430d161cadb8eb48804c7c9a Mon Sep 17 00:00:00 2001
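Review bot: In claws/config.yml (PATCH 1/3), `CheckoutWithStaticCredentials:` is enabled with no comment tying it to the scanner version, although the same commit raises `gem install claws-scan` from 0.7.3 to 0.9.0 in the workflow file, which suggests the rule only exists in the newer gem. If the pinned version and this config drift apart again, how claws treats an unknown rule name is not visible here, so the dependency should be written down next to the key, for example `# needs the claws-scan version pinned in .github/workflows/claws.yml`. The `Enabled:` mapping starts above the hunk.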
From: Omar <47008591+6f6d6172@users.noreply.github.com>
Date: Tue, 2 Sep 2025 10:20:29 -0400
Subject: [PATCH 3/3] this should always be checking out main since if we open a PR it will check out the PR version instead... annoying!
---
 .github/workflows/claws.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/claws.yml b/.github/workflows/claws.yml
index 6a261df..7bc6330 100644
--- a/.github/workflows/claws.yml
+++ b/.github/workflows/claws.yml
@@ -69,6 +69,7 @@ jobs:
 with:
 repository: betterment/security-configs
 path: security-configs/
+ ref: main
 # We have to do this `mv` ourselves because for some reason, actions/checkout
 # doesn't support absolute paths OR relative paths that point outside of the
 # working directory. Absolutely bonkers.
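Review bot: The added `ref: main` in the "Get Claws Config" checkout carries no comment, and its reason is security-relevant: per the commit message, without it a pull request run checks out the PR's own copy of the config, so the change under review would choose the rules it is scanned with. A line above it such as `# Always load the scanner config from main, never from the PR being scanned.` would keep a later cleanup from removing it. One consequence to accept knowingly is that edits to claws/config.yml are not exercised by their own PR run and only take effect after merge. The step begins above the hunk, so whether it sets `persist-credentials: false` or passes a token cannot be checked from here.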