ci: add security-scan + semgrep + dependabot

.github/actions/dockerless/action.yml

@@ -87,11 +87,12 @@ runs:
 
     - name: Acquire workflow scripts
       shell: bash
+      env:
+        SCRIPT_VERSION: ${{ inputs.script_version }}
       run: |
         echo "📥 Acquiring workflow scripts..."
         chmod +x "${{ github.action_path }}/scripts/acquire-scripts.sh"
-        "${{ github.action_path }}/scripts/acquire-scripts.sh" \
-          "${{ inputs.script_version }}"
+        "${{ github.action_path }}/scripts/acquire-scripts.sh" "$SCRIPT_VERSION"
 
     - name: Configure Git Authentication
       shell: bash
@@ -139,18 +140,17 @@ runs:
       run: |
         echo "🚀 Executing Simple Forge workflow..."
         echo "🔍 DEBUG: Input validation..."
-        echo "  simple_forge_api_key input: $([ -n '${{ inputs.simple_forge_api_key }}' ] && echo '[SET]' || echo '[EMPTY]')"
         echo "  API_KEY env var: $([ -n "$API_KEY" ] && echo "[SET - ${#API_KEY} chars]" || echo "[EMPTY]")"
         chmod +x "${{ github.action_path }}/scripts/orchestrate-workflow.sh"
         "${{ github.action_path }}/scripts/orchestrate-workflow.sh" \
-          "${{ inputs.job_id }}" \
-          "${{ inputs.issue_id }}" \
-          "${{ inputs.service_url }}" \
-          "${{ inputs.branch }}" \
+          "$JOB_ID" \
+          "$ISSUE_ID" \
+          "$SERVICE_URL" \
+          "$BRANCH" \
           "${{ github.repository }}" \
           "${{ github.run_id }}" \
           "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
-          "${{ inputs.simple_forge_api_key }}"
+          "$SIMPLE_FORGE_API_KEY"
 
     - name: Cleanup
       if: always()

.github/dependabot.yml

@@ -0,0 +1,21 @@
+version: 2
+
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+    open-pull-requests-limit: 5
+    labels:
+      - dependencies
+      - github-actions
+    commit-message:
+      prefix: deps
+      include: scope
+    groups:
+      actions-minor-and-patch:
+        applies-to: version-updates
+        update-types:
+          - minor
+          - patch

.github/workflows/security-scan-comment.yml

@@ -0,0 +1,15 @@
+name: Security Scan Comment
+on:
+  workflow_run:
+    workflows: ["Security Scan"]
+    types: [completed]
+permissions:
+  pull-requests: write
+  actions: read
+jobs:
+  comment:
+    if: github.event.workflow_run.event == 'pull_request'
+    uses: simple-container-com/actions/.github/workflows/security-scan-comment.yml@main
+    permissions:
+      pull-requests: write
+      actions: read

.github/workflows/security-scan.yml

@@ -0,0 +1,14 @@
+name: Security Scan
+on:
+  push:
+    branches: [v1]
+  pull_request:
+    branches: [v1]
+  workflow_dispatch:
+permissions:
+  contents: read
+jobs:
+  security:
+    uses: simple-container-com/actions/.github/workflows/security-scan.yml@main
+    permissions:
+      contents: read

.github/workflows/semgrep-comment.yml

@@ -0,0 +1,15 @@
+name: Semgrep Comment
+on:
+  workflow_run:
+    workflows: ["Semgrep"]
+    types: [completed]
+permissions:
+  pull-requests: write
+  actions: read
+jobs:
+  comment:
+    if: github.event.workflow_run.event == 'pull_request'
+    uses: simple-container-com/actions/.github/workflows/semgrep-comment.yml@main
+    permissions:
+      pull-requests: write
+      actions: read

.github/workflows/semgrep.yml

@@ -0,0 +1,14 @@
+name: Semgrep
+on:
+  push:
+    branches: [v1]
+  pull_request:
+    branches: [v1]
+  workflow_dispatch:
+permissions:
+  contents: read
+jobs:
+  semgrep:
+    uses: simple-container-com/actions/.github/workflows/semgrep.yml@main
+    permissions:
+      contents: read