From a70bd3ac53f33e92490ab76c4d56f42956328fb0 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 5 May 2026 11:01:45 +0000
Subject: [PATCH 1/5] Initial plan

From b0362bb6ac56f0dea052b7324ae3a7d344080eef Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 5 May 2026 11:07:32 +0000
Subject: [PATCH 2/5] chore: add zizmor workflow and fix artipacked findings in all workflows

Agent-Logs-Url: https://github.com/CycloneDX/cyclonedx-python/sessions/f1c5d1ea-912f-4afc-a9a4-e6a6f74f6a57
Co-authored-by: jkowalleck <2765863+jkowalleck@users.noreply.github.com>
---
 .github/workflows/docker.yml | 1 +
 .github/workflows/python.yml | 14 +++++++++
 .github/workflows/release.yml | 6 ++++
 .github/workflows/zizmor.yml | 55 +++++++++++++++++++++++++++++++++++
 4 files changed, 76 insertions(+)
 create mode 100644 .github/workflows/zizmor.yml

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index ba9ea15f..3139cfaf 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -50,6 +50,7 @@ jobs:
 # see https://github.com/actions/checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
+ persist-credentials: false
 fetch-depth: 0
 - name: setup reports-dir
 run: mkdir "$REPORTS_DIR"
diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
index 7ac76a40..c9bd2917 100644
--- a/.github/workflows/python.yml
+++ b/.github/workflows/python.yml
@@ -53,6 +53,8 @@ jobs:
 - name: Checkout
 # see https://github.com/actions/checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
@@ -76,6 +78,8 @@ jobs:
 - name: Checkout
 # see https://github.com/actions/checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
@@ -99,6 +103,8 @@ jobs:
 - name: Checkout
 # see https://github.com/actions/checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
@@ -132,6 +138,8 @@ jobs:
 - name: Checkout
 # see https://github.com/actions/checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
@@ -155,6 +163,8 @@ jobs:
 - name: Checkout
 # see https://github.com/actions/checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
@@ -188,6 +198,8 @@ jobs:
 - name: Checkout
 # see https://github.com/actions/checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
@@ -225,6 +237,8 @@ jobs:
 - name: Checkout
 # see https://github.com/actions/checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Create reports directory
 run: mkdir ${{ env.REPORTS_DIR }}
 - name: Setup Python Environment
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 302d2483..5928733e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -72,6 +72,8 @@ jobs:
 - name: Checkout code
 # see https://github.com/actions/checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
@@ -95,6 +97,8 @@ jobs:
 - name: Checkout
 # see https://github.com/actions/checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
@@ -134,6 +138,7 @@ jobs:
 # see https://github.com/actions/checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
+ persist-credentials: false
 fetch-depth: 0
 - name: Setup python
 # see https://github.com/actions/setup-python
@@ -222,6 +227,7 @@ jobs:
 # see https://github.com/actions/checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
+ persist-credentials: false
 ref: ${{ needs.release-PyPI.outputs.tag }}
 - name: setup dirs
 run: |
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 00000000..e1cb5136
--- /dev/null
+++ b/.github/workflows/zizmor.yml
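Review bot: The context line `run: mkdir ${{ env.REPORTS_DIR }}` in the python.yml hunk at @@ -225 interpolates an expression into the shell text, while the same step in docker.yml (@@ -50 in this commit) reads the variable in the shell as `mkdir "$REPORTS_DIR"`; since this commit exists to satisfy zizmor, the expression form is exactly the pattern its template-injection audit looks at, and aligning both files now avoids a follow-up finding. `REPORTS_DIR` appears to be a workflow-defined env value, so the practical risk here is low, but `run: mkdir "$REPORTS_DIR"` removes the expression from the command and keeps the two workflows consistent. The enclosing job continues outside the hunk.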
@@ -0,0 +1,55 @@
+# This file is part of CycloneDX Python
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+
+# For details of what checks are run for PRs please refer below
+# docs: https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions
+
+name: Workflow Security Analysis
+
+on:
+ pull_request:
+ paths:
+ - '.github/workflows/**'
+ schedule:
+ # weekly scan: every Saturday at 00:00 UTC
+ - cron: '0 0 * * 6'
+
+concurrency:
+ group: '${{ github.workflow }}-${{ github.ref }}'
+ cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+ zizmor:
+ name: Harden GitHub Workflows (zizmor)
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+ permissions:
+ contents: read
+ steps:
+ - name: Checkout
+ # see https://github.com/actions/checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
+ - name: Run zizmor 🌈
+ # see https://github.com/zizmorcore/zizmor-action
+ uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+ with:
+ advanced-security: false
+ annotations: true

From 2e5f096f6b82359fd2cc726f5762712d2828054b Mon Sep 17 00:00:00 2001
From: Jan Kowalleck
Date: Tue, 5 May 2026 13:14:54 +0200
Subject: [PATCH 3/5] Apply suggestion from @jkowalleck

Signed-off-by: Jan Kowalleck
---
 .github/workflows/zizmor.yml | 3 +++
 1 file changed, 3 insertions(+)

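Review bot: The scheduled run (`cron: '0 0 * * 6'`) has no pull request for `annotations: true` to attach to, so weekly findings are only visible in the job log, and the hunk sets nothing that would make the job fail on a finding; whether the action fails by default is not visible here and should be confirmed before relying on the schedule as a detection. Consider adding `workflow_dispatch:` under `on:` so a maintainer can re-run the scan on demand after an action bump or template change instead of waiting for Saturday. The header comment `# For details of what checks are run for PRs please refer below` reads as copied from the CI workflows and does not describe this file; a one-line purpose such as `# Static analysis of this repository's GitHub Actions workflows with zizmor` would serve a reader better. The top-level `permissions: {}` with job-level `contents: read` and the pinned, commented action SHAs are the right shape for a least-privilege scanner job.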
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index e1cb5136..007ff897 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -24,6 +24,9 @@ on:
 pull_request:
 paths:
 - '.github/workflows/**'
+ push:
+ paths:
+ - ".github/workflows/**"
 schedule:
 # weekly scan: every Saturday at 00:00 UTC
 - cron: '0 0 * * 6'

From 89dd2071c8ea85554af068ae66264b0305d9ad98 Mon Sep 17 00:00:00 2001
From: Jan Kowalleck
Date: Tue, 5 May 2026 13:16:06 +0200
Subject: [PATCH 4/5] Update .github/workflows/zizmor.yml

Signed-off-by: Jan Kowalleck
---
 .github/workflows/zizmor.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index 007ff897..fce36a9a 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -54,5 +54,11 @@ jobs:
 # see https://github.com/zizmorcore/zizmor-action
 uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
 with:
+ # advanced-security: false => emit findings as workflow-command annotations (::error file=…) rather than
+ # uploading a SARIF report to GitHub's Security tab.
+ # Uploading SARIF requires `security-events: write` and GitHub Advanced Security (GHAS),
+ # both of which are unnecessary here and would violate the least-privilege policy.
+ # The two modes are mutually exclusive: advanced-security must be false for
+ # annotations to take effect.
 advanced-security: false
 annotations: true

From 42d8b4b66e72a08f982fb80632dcc9c2345c3ac7 Mon Sep 17 00:00:00 2001
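Review bot: In the patch-3 hunk at @@ -24 the new `push:` trigger writes the path as `- ".github/workflows/**"` with double quotes while the `pull_request:` entry two lines above uses single quotes for the identical pattern; the file should settle on one style, `- '.github/workflows/**'`. The `push:` trigger is also not filtered by branch, so a push to a PR branch inside this repository runs the scan twice for the same commit (once as `push`, once as `pull_request`), and the concurrency group keyed on `github.ref` will not coalesce them because the two refs differ. If the intent is to catch workflow changes that land directly on the default branch, adding `branches: [<default-branch>]` under `push:` narrows it to that case. The `on:` mapping continues outside the hunk.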
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 5 May 2026 11:18:56 +0000
Subject: [PATCH 5/5] fix: add cooldown configuration to dependabot.yml to resolve zizmor findings

Agent-Logs-Url: https://github.com/CycloneDX/cyclonedx-python/sessions/ddd8d7f8-99fe-41e7-8d6a-4b4b44e7a9a1
Co-authored-by: jkowalleck <2765863+jkowalleck@users.noreply.github.com>
---
 .github/dependabot.yml | 6 ++++++
 .github/workflows/zizmor.yml | 2 ++
 2 files changed, 8 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index f7adb7f2..e5e8598e 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -12,6 +12,8 @@ updates:
 prefix: 'chore' ## prefix maximum string length of 15
 include: 'scope'
 open-pull-requests-limit: 999
+ cooldown:
+ default-days: 7
 - package-ecosystem: 'docker'
 directory: '/'
 schedule:
@@ -24,6 +26,8 @@ updates:
 prefix: 'chore' ## prefix maximum string length of 15
 include: 'scope'
 open-pull-requests-limit: 999
+ cooldown:
+ default-days: 7
 - package-ecosystem: 'pip'
 directory: '/'
 schedule:
@@ -37,3 +41,5 @@ updates:
 prefix: 'chore' ## prefix maximum string length of 15
 include: 'scope'
 open-pull-requests-limit: 999
+ cooldown:
+ default-days: 7
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index fce36a9a..1e27a0ce 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -24,9 +24,11 @@ on:
 pull_request:
 paths:
 - '.github/workflows/**'
+ - '.github/dependabot.yml'
 push:
 paths:
 - ".github/workflows/**"
+ - ".github/dependabot.yml"
 schedule:
 # weekly scan: every Saturday at 00:00 UTC
 - cron: '0 0 * * 6'