From f279d216eca9e03e56cd491e815695d03fe4bb5d Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 25 Apr 2026 11:06:14 +0000
Subject: [PATCH 1/5] Initial plan

From 5b2cb0ba371d402ece0f87ba89d925cb4d42ae5e Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 25 Apr 2026 11:12:00 +0000
Subject: [PATCH 2/5] fix: address all zizmor security findings in GitHub Actions workflows

Agent-Logs-Url: https://github.com/CycloneDX/cyclonedx-python-lib/sessions/d81c6415-5af8-4064-9ff0-dbcbaa56a382
Co-authored-by: jkowalleck <2765863+jkowalleck@users.noreply.github.com>
---
 .github/dependabot.yml | 4 ++++
 .github/workflows/python.yml | 14 ++++++++++++++
 .github/workflows/release.yml | 12 +++++++++---
 3 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 423d4b3f6..e91d61095 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -7,6 +7,8 @@ updates:
     schedule:
       interval: 'weekly'
       day: 'saturday'
+    cooldown:
+      default-days: 7
     allow:
       - dependency-type: 'all'
     versioning-strategy: 'auto'
@@ -21,6 +23,8 @@ updates:
     schedule:
       interval: 'weekly'
       day: 'saturday'
+    cooldown:
+      default-days: 7
     labels: [ 'dependencies' ]
     commit-message:
       ## prefix maximum string length of 15
diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
index 46e29b82f..c32a4c52f 100644
--- a/.github/workflows/python.yml
+++ b/.github/workflows/python.yml
@@ -34,6 +34,8 @@ jobs:
       - name: Checkout
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup Python Environment
         # see https://github.com/actions/setup-python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
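Review bot: The new `cooldown` blocks in both dependabot hunks (`@@ -7,6 +7,8 @@` and `@@ -21,6 +23,8 @@`) are the only options in this file added without a rationale comment, and the reason is not obvious from the key name alone. Judging from the commit subject, the week-long delay is a supply-chain measure: a freshly published release is not pulled in during the window in which a compromised or broken version is usually reported and yanked. Record that above each block in the file's existing `##` comment style, e.g. `## delay adoption of new releases by a week, so a compromised or yanked version is noticed before it is pulled in`.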
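Review bot: After this checkout no token remains in `.git/config`, so any later step of the same job that runs an authenticated `git` or `gh` command against the repository will fail; the steps after `Setup Python Environment` are outside the hunk, so confirm that none of them relies on the persisted credential. The identical two lines are added at the six other checkout steps in this file (`@@ -58`, `@@ -82`, `@@ -106`, `@@ -142`, `@@ -192`, `@@ -270`) and at two in release.yml (`@@ -49`, `@@ -71`); the same check applies to each of those jobs. The hunks do not show the workflow's `permissions:` block; if it is not already restricted to `contents: read`, that is the usual companion hardening for jobs that only need to read the repository.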
@@ -58,6 +60,8 @@ jobs:
       - name: Checkout
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup Python Environment
         # see https://github.com/actions/setup-python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
@@ -82,6 +86,8 @@ jobs:
       - name: Checkout
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup Python Environment
         # see https://github.com/actions/setup-python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
@@ -106,6 +112,8 @@ jobs:
       - name: Checkout
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup Python Environment
         # see https://github.com/actions/setup-python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
@@ -142,6 +150,8 @@ jobs:
       - name: Checkout
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup Python Environment
         # see https://github.com/actions/setup-python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
@@ -192,6 +202,8 @@ jobs:
       - name: Checkout
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Create reports directory
         run: mkdir ${{ env.REPORTS_DIR }}
       - name: Setup Python Environment
@@ -270,6 +282,8 @@ jobs:
       - name: Checkout
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup Python Environment
         # see https://github.com/actions/setup-python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6215ce44f..831fa97fb 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -49,6 +49,8 @@ jobs:
       - name: Checkout code
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup Python Environment
         # see https://github.com/actions/setup-python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
@@ -71,6 +73,8 @@ jobs:
       - name: Checkout code
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup Python Environment
         # see https://github.com/actions/setup-python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
@@ -113,17 +117,19 @@ jobs:
           private-key: ${{ secrets.CDX_RELEASE_BOT_PRIVATE_KEY }}
       - name: Get GitHub App User ID
         id: release-bot-user-id
-        run: |
-          set -xeu
-          echo "user-id=$(gh api "/users/${{ steps.release-bot-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
         env:
+          APP_SLUG: ${{ steps.release-bot-token.outputs.app-slug }}
           GH_TOKEN: ${{ steps.release-bot-token.outputs.token }}
+        run: |
+          set -xeu
+          echo "user-id=$(gh api "/users/${APP_SLUG}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
       - name: Checkout code
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
+          persist-credentials: false
           token: ${{ steps.release-bot-token.outputs.token }}
       - name: Setup python
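Review bot: In the rewritten `run:` block of `@@ -113,17 +117,19 @@` the `gh api` call is a command substitution inside an argument to `echo`, so under `set -e` a failed lookup is masked (the step's status is `echo`'s) and an empty `user-id=` is written to `$GITHUB_OUTPUT` for later steps to consume. Splitting it into `user_id="$(gh api "/users/${APP_SLUG}[bot]" --jq .id)"` followed by `echo "user-id=${user_id}" >> "$GITHUB_OUTPUT"` lets the assignment's exit status trip errexit instead. Passing the slug through the `APP_SLUG` env var rather than interpolating `${{ }}` into the script is the right fix for the template-injection finding, and `GH_TOKEN` stays out of the `set -x` trace because it never appears on a command line.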
From 1a42e8ead629c9fedf9e389a1226fee87299af1b Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 25 Apr 2026 11:22:00 +0000
Subject: [PATCH 3/5] fix: revert persist-credentials in release checkout (untested combination)

Agent-Logs-Url: https://github.com/CycloneDX/cyclonedx-python-lib/sessions/bac418dc-f9c3-42ea-8458-9a0e45c232da
Co-authored-by: jkowalleck <2765863+jkowalleck@users.noreply.github.com>
---
 .github/workflows/release.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 831fa97fb..c6d0ed3ca 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -129,7 +129,6 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
-          persist-credentials: false
           token: ${{ steps.release-bot-token.outputs.token }}
       - name: Setup python

From f959774e7308966fab7fbde8f50851ea267a9c0f Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 25 Apr 2026 11:23:54 +0000
Subject: [PATCH 4/5] fix: pin actions/create-github-app-token to commit hash

Agent-Logs-Url: https://github.com/CycloneDX/cyclonedx-python-lib/sessions/5f232a3e-e355-44c1-a91c-547173d8ae78
Co-authored-by: jkowalleck <2765863+jkowalleck@users.noreply.github.com>
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c6d0ed3ca..bfb9f0d12 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -110,7 +110,7 @@ jobs:
       - name: Generate GitHub App Token
         id: release-bot-token
         # see https://github.com/actions/create-github-app-token
-        uses: actions/create-github-app-token@v3
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3
         with:
           # see https://github.com/organizations/CycloneDX/settings/apps/cyclonedx-releases
           app-id: 3335294

From 1a8dae399dd97c4829cdd04657b4b7de005ae118 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 25 Apr 2026 11:27:52 +0000
Subject: [PATCH 5/5] fix: add persist-credentials: false to release job checkout

Agent-Logs-Url: https://github.com/CycloneDX/cyclonedx-python-lib/sessions/69159903-7018-45d5-91da-59b12e9b9078
Co-authored-by: jkowalleck <2765863+jkowalleck@users.noreply.github.com>
---
 .github/workflows/release.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index bfb9f0d12..52f265ccf 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -130,6 +130,7 @@ jobs:
         with:
           fetch-depth: 0
           token: ${{ steps.release-bot-token.outputs.token }}
+          persist-credentials: false
       - name: Setup python
         # see https://github.com/actions/setup-python
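Review bot: With `persist-credentials: false` the app token on the `token:` line authenticates only this fetch and is not written to `.git/config`, so any later step of the release job that pushes tags or commits must receive the token explicitly through its own `token`/`GH_TOKEN` input; the remaining steps of the job are outside this hunk, so that needs confirming. The intermediate commit `fix: revert persist-credentials in release checkout (untested combination)` called exactly this combination unverified and nothing in the series records a test of the release path, so a run of the release workflow on a non-publishing branch is the evidence to attach before merging. Recording the decision inline, `# token is used for this fetch only; release steps receive it explicitly` above `persist-credentials: false`, would stop the next reader from removing it again.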