From e7bba3352c5eb700238fb5a348340484ab326df0 Mon Sep 17 00:00:00 2001
From: Dmitrii Creed <creeed22@gmail.com>
Date: Thu, 7 May 2026 16:16:02 +0400
Subject: [PATCH 1/4] ci: add security-scan + semgrep + dependabot

Wires this repo to the org-wide reusable workflows in simple-container-com/actions:
- security-scan: TruffleHog (secrets) + Syft/CycloneDX SBOM + Trivy + Grype, sticky PR comment, status gate
- semgrep: SC custom ruleset + optional consumer rules / registry packs, sticky PR comment, status gate

Both follow the GitHub Security Lab 'preventing pwn requests' split: scan jobs run in pull_request context (read-only token, no secrets, fork-PR safe); comment posting lives in a workflow_run-triggered job that never reads PR code.

Adds .github/dependabot.yml tracking the github-actions ecosystem only (forge-action has no language-specific dependencies yet).
---
 .github/dependabot.yml                      | 21 +++++++++++++++++++++
 .github/workflows/security-scan-comment.yml | 15 +++++++++++++++
 .github/workflows/security-scan.yml         | 14 ++++++++++++++
 .github/workflows/semgrep-comment.yml       | 15 +++++++++++++++
 .github/workflows/semgrep.yml               | 14 ++++++++++++++
 5 files changed, 79 insertions(+)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/security-scan-comment.yml
 create mode 100644 .github/workflows/security-scan.yml
 create mode 100644 .github/workflows/semgrep-comment.yml
 create mode 100644 .github/workflows/semgrep.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..6d4b4e6
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,21 @@
+version: 2
+
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+    open-pull-requests-limit: 5
+    labels:
+      - dependencies
+      - github-actions
+    commit-message:
+      prefix: deps
+      include: scope
+    groups:
+      actions-minor-and-patch:
+        applies-to: version-updates
+        update-types:
+          - minor
+          - patch
diff --git a/.github/workflows/security-scan-comment.yml b/.github/workflows/security-scan-comment.yml
new file mode 100644
index 0000000..ddcf092
--- /dev/null
+++ b/.github/workflows/security-scan-comment.yml
@@ -0,0 +1,15 @@
+name: Security Scan Comment
+on:
+  workflow_run:
+    workflows: ["Security Scan"]
+    types: [completed]
+permissions:
+  pull-requests: write
+  actions: read
+jobs:
+  comment:
+    if: github.event.workflow_run.event == 'pull_request'
+    uses: simple-container-com/actions/.github/workflows/security-scan-comment.yml@main
+    permissions:
+      pull-requests: write
+      actions: read
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
new file mode 100644
index 0000000..9db9d6b
--- /dev/null
+++ b/.github/workflows/security-scan.yml
@@ -0,0 +1,14 @@
+name: Security Scan
+on:
+  push:
+    branches: [v1]
+  pull_request:
+    branches: [v1]
+  workflow_dispatch:
+permissions:
+  contents: read
+jobs:
+  security:
+    uses: simple-container-com/actions/.github/workflows/security-scan.yml@main
+    permissions:
+      contents: read
diff --git a/.github/workflows/semgrep-comment.yml b/.github/workflows/semgrep-comment.yml
new file mode 100644
index 0000000..9b524ad
--- /dev/null
+++ b/.github/workflows/semgrep-comment.yml
@@ -0,0 +1,15 @@
+name: Semgrep Comment
+on:
+  workflow_run:
+    workflows: ["Semgrep"]
+    types: [completed]
+permissions:
+  pull-requests: write
+  actions: read
+jobs:
+  comment:
+    if: github.event.workflow_run.event == 'pull_request'
+    uses: simple-container-com/actions/.github/workflows/semgrep-comment.yml@main
+    permissions:
+      pull-requests: write
+      actions: read
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
new file mode 100644
index 0000000..38f190e
--- /dev/null
+++ b/.github/workflows/semgrep.yml
@@ -0,0 +1,14 @@
+name: Semgrep
+on:
+  push:
+    branches: [v1]
+  pull_request:
+    branches: [v1]
+  workflow_dispatch:
+permissions:
+  contents: read
+jobs:
+  semgrep:
+    uses: simple-container-com/actions/.github/workflows/semgrep.yml@main
+    permissions:
+      contents: read

From 0eabf76a5d491c83bb2b280a88e34f43779561b2 Mon Sep 17 00:00:00 2001
From: Dmitrii Creed <creeed22@gmail.com>
Date: Thu, 7 May 2026 16:23:09 +0400
Subject: [PATCH 2/4] ci: retrigger after org-access enabled


From b4f218279c6e62649d6f2936794e790e35d3e7f4 Mon Sep 17 00:00:00 2001
From: Dmitrii Creed <creeed22@gmail.com>
Date: Thu, 7 May 2026 16:54:12 +0400
Subject: [PATCH 3/4] ci: retrigger after actions repo set public

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>

From e644123c074b193edf96545ef8728b4a64498084 Mon Sep 17 00:00:00 2001
From: Dmitrii Creed <creeed22@gmail.com>
Date: Thu, 7 May 2026 17:09:52 +0400
Subject: [PATCH 4/4] fix(security): close script-injection vector in
 dockerless action
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two ERROR-severity findings from gha-script-injection-via-attacker-controlled-context (Semgrep, on this PR's first scan):

1. .github/actions/dockerless/action.yml:90 — script_version interpolated as a positional arg to acquire-scripts.sh. Pass via env (SCRIPT_VERSION) and reference as "$SCRIPT_VERSION" inside the run block.

2. .github/actions/dockerless/action.yml:139 — multiple inputs (job_id, issue_id, service_url, branch, simple_forge_api_key) interpolated as positional args, plus the simple_forge_api_key debug echo using single-quoted ${{ inputs.simple_forge_api_key }} (would break the quoting if the API key contains an apostrophe). All references replaced with the env-mapped variables already declared in the env: block. The duplicate debug echo was redundant with the API_KEY env-var debug line just below; removed it.

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
---
 .github/actions/dockerless/action.yml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/.github/actions/dockerless/action.yml b/.github/actions/dockerless/action.yml
index 6dc9a9c..9e2793e 100644
--- a/.github/actions/dockerless/action.yml
+++ b/.github/actions/dockerless/action.yml
@@ -87,11 +87,12 @@ runs:
 
     - name: Acquire workflow scripts
       shell: bash
+      env:
+        SCRIPT_VERSION: ${{ inputs.script_version }}
       run: |
         echo "📥 Acquiring workflow scripts..."
         chmod +x "${{ github.action_path }}/scripts/acquire-scripts.sh"
-        "${{ github.action_path }}/scripts/acquire-scripts.sh" \
-          "${{ inputs.script_version }}"
+        "${{ github.action_path }}/scripts/acquire-scripts.sh" "$SCRIPT_VERSION"
 
     - name: Configure Git Authentication
       shell: bash
@@ -139,18 +140,17 @@ runs:
       run: |
         echo "🚀 Executing Simple Forge workflow..."
         echo "🔍 DEBUG: Input validation..."
-        echo "  simple_forge_api_key input: $([ -n '${{ inputs.simple_forge_api_key }}' ] && echo '[SET]' || echo '[EMPTY]')"
         echo "  API_KEY env var: $([ -n "$API_KEY" ] && echo "[SET - ${#API_KEY} chars]" || echo "[EMPTY]")"
         chmod +x "${{ github.action_path }}/scripts/orchestrate-workflow.sh"
         "${{ github.action_path }}/scripts/orchestrate-workflow.sh" \
-          "${{ inputs.job_id }}" \
-          "${{ inputs.issue_id }}" \
-          "${{ inputs.service_url }}" \
-          "${{ inputs.branch }}" \
+          "$JOB_ID" \
+          "$ISSUE_ID" \
+          "$SERVICE_URL" \
+          "$BRANCH" \
           "${{ github.repository }}" \
           "${{ github.run_id }}" \
           "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
-          "${{ inputs.simple_forge_api_key }}"
+          "$SIMPLE_FORGE_API_KEY"
 
     - name: Cleanup
       if: always()