From 96eda0e3bb2253ab85de9447b4c7e1052ca75091 Mon Sep 17 00:00:00 2001
From: Rob Hague
Date: Fri, 10 Apr 2026 23:02:18 +0200
Subject: [PATCH 1/3] Harden actions

- Pin remaining actions
- Specify top-level/default `permissions: contents: read` in build.yml
- Set `persist-credentials: false` on checkout
- Add an environment for nuget publish job and use `release` event trigger
- Add dependabot cooldown
---
 .github/dependabot.yml      |  8 ++++--
 .github/workflows/build.yml | 55 +++++++++++++++++++++++--------------
 .github/workflows/docs.yml  | 14 ++++++----
 3 files changed, 48 insertions(+), 29 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 5c54e4dd2..97a82d726 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -9,14 +9,14 @@ updates:
     directory: "/test/Renci.SshNet.IntegrationTests/"
     schedule:
       interval: "monthly"
+    cooldown:
+      default-days: 7
 
   - package-ecosystem: "nuget"
     directory: "/"
     schedule:
       interval: "monthly"
     ignore:
       # See justifications in Directory.Packages.props
-      - dependency-name: "Microsoft.Bcl.AsyncInterfaces"
-      - dependency-name: "System.Formats.Asn1"
         update-types: ["version-update:semver-major"]
 
@@ -26,8 +26,12 @@ updates:
       dependencies:
         patterns:
           - "*"
+    cooldown:
+      default-days: 7
 
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "monthly"
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index bd49e0600..25249ea79 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
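Review bot: Removing both `dependency-name` entries in the nuget block of .github/dependabot.yml leaves `update-types: ["version-update:semver-major"]`, kept as context on the next line, with no list item to belong to, so `ignore:` would then hold only a comment and a stray mapping key. The diffstat (2 deletions, 6 insertions) confirms nothing replaces them and the commit message does not mention dropping the ignore rules, so this looks unintended; Dependabot would most likely reject the file or silently discard the rule. If major updates are no longer to be ignored, delete the `update-types` line and the now-stale `# See justifications in Directory.Packages.props` comment as well; otherwise restore the entry that should keep the rule, e.g. `- dependency-name: "System.Formats.Asn1"` directly above it.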
@@ -1,21 +1,30 @@
 name: Build
 
 on:
-  - push
-  - pull_request
-  - workflow_dispatch
+  push:
+    branches-ignore:
+      - 'dependabot/**'
+      - 'copilot/**'
+  pull_request:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+permissions:
+  contents: read
 
 jobs:
   Linux:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0 # needed for Nerdbank.GitVersioning
+          persist-credentials: false
 
       - name: Setup .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
 
       - name: Build Unit Tests .NET
         run: dotnet build -f net10.0 test/Renci.SshNet.Tests/
@@ -48,7 +57,7 @@ jobs:
           test/Renci.SshNet.IntegrationTests/
 
       - name: Archive Coverlet Results
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: Coverlet Results Linux
           path: coverlet
@@ -57,12 +66,13 @@ jobs:
     runs-on: windows-2025
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0 # needed for Nerdbank.GitVersioning
+          persist-credentials: false
 
       - name: Setup .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
 
       - name: Build Solution
         run: dotnet build Renci.SshNet.slnx
@@ -74,7 +84,7 @@ jobs:
         run: dotnet pack
 
       - name: Archive NuGet Package
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: NuGet Package
           path: src/Renci.SshNet/bin/Release/*.*nupkg
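Review bot: The new `branches-ignore` list under `push:` (`dependabot/**`, `copilot/**`) carries no comment saying why those branches are skipped; presumably their changes are still built through the `pull_request:` trigger and this only avoids a duplicate push run, but a reader of build.yml cannot tell that from the file. Suggest adding above the list: `# bot branches are built by their pull_request run; skip the duplicate push build`. It is also worth a one-line comment on `release:` noting that this event is what now reaches the publish job, since that condition lives many lines below in a different hunk.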
@@ -108,15 +118,16 @@ jobs:
     runs-on: windows-2025
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0 # needed for Nerdbank.GitVersioning
+          persist-credentials: false
 
       - name: Setup .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
 
       - name: Setup WSL2
-        uses: Vampire/setup-wsl@6a8db447be7ed35f2f499c02c6e60ff77ef11278 # v6.0.0
+        uses: Vampire/setup-wsl@d1da7f2c0322a5ee4f24975344f67fc0f5baf364 # 7.0.0
         with:
           distribution: Ubuntu-24.04
 
@@ -140,7 +151,7 @@ jobs:
           test\Renci.SshNet.IntegrationTests\
 
       - name: Archive Coverlet Results
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: Coverlet Results Windows .NET Framework
           path: coverlet
@@ -150,15 +161,16 @@ jobs:
     runs-on: windows-2025
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0 # needed for Nerdbank.GitVersioning
+          persist-credentials: false
 
       - name: Setup .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
 
       - name: Setup WSL2
-        uses: Vampire/setup-wsl@6a8db447be7ed35f2f499c02c6e60ff77ef11278 # v6.0.0
+        uses: Vampire/setup-wsl@d1da7f2c0322a5ee4f24975344f67fc0f5baf364 # v7.0.0
         with:
           distribution: Ubuntu-24.04
 
@@ -182,7 +194,7 @@ jobs:
           test\Renci.SshNet.IntegrationTests\
 
       - name: Archive Coverlet Results
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: Coverlet Results Windows .NET
           path: coverlet
@@ -200,7 +212,7 @@ jobs:
       - Windows-Integration-Tests-Net
     steps:
       - name: Download NuGet Package
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: NuGet Package
 
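Review bot: The pin comment on the Setup WSL2 step in the first Windows integration job reads `# 7.0.0`, while the same SHA in the next hunk (`@@ -150,15 +161,16 @@`) is annotated `# v7.0.0`. Dependabot and Renovate use that trailing comment to work out which tag a SHA pin corresponds to when proposing bumps, so the two lines should agree and use the upstream tag form: `uses: Vampire/setup-wsl@d1da7f2c0322a5ee4f24975344f67fc0f5baf364 # v7.0.0`. The job definition that contains this step starts before the hunk.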
@@ -219,7 +231,8 @@ jobs:
   Publish-NuGet-Package:
     name: Publish NuGet Package
     runs-on: ubuntu-24.04
-    if: startsWith(github.event.ref, 'refs/tags/20')
+    if: github.event_name == 'release'
+    environment: nuget-publish
     permissions:
       id-token: write
     needs:
@@ -229,12 +242,12 @@ jobs:
       - Windows-Integration-Tests-Net
     steps:
       - name: Download NuGet Package
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: NuGet Package
 
       - name: NuGet login (OIDC → temp API key)
-        uses: NuGet/login@v1
+        uses: NuGet/login@d22cc5f58ff5b88bf9bd452535b4335137e24544 # v1.1.0
         id: login
         with:
           user: ${{ secrets.NUGET_USER }}
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 85c71df84..b8566db05 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -19,16 +19,18 @@ jobs:
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Setup Pages
-        uses: actions/configure-pages@v5
+        uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6.0.0
 
       - name: Setup .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
 
       - name: Setup docfx
         run: dotnet tool update -g docfx
@@ -37,10 +39,10 @@ jobs:
         run: docfx ./docfx/docfx.json
 
       - name: Upload documentation
-        uses: actions/upload-pages-artifact@v4
+        uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0
         with:
           path: './docfx/_site'
 
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0

From e10c384b8a91a6617b5bef1429ba7db16f6a002d Mon Sep 17 00:00:00 2001
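Review bot: `if: github.event_name == 'release'` together with the `release: types: [published]` trigger runs the NuGet publish job for every published GitHub release, pre-releases included, whereas the replaced `startsWith(github.event.ref, 'refs/tags/20')` condition limited it to tags carrying the calendar-version prefix; any account able to publish a release now reaches this job, and the only remaining gate is the `nuget-publish` environment, whose required-reviewer and deployment branch/tag rules live in repository settings rather than in this file. Add a comment beside `environment: nuget-publish` recording what that environment must enforce, e.g. `# Publishing is gated by the nuget-publish environment: required reviewers and a tag rule are configured there, nothing in this workflow checks the tag name.` If the tag-name check is still wanted as defence in depth, `if: github.event_name == 'release' && startsWith(github.event.release.tag_name, '20')` keeps both; the job's `needs:` list and steps continue in the next hunk.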
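Review bot: The `Setup docfx` step at the end of the first docs.yml hunk (`@@ -19,16 +19,18 @@`) still runs `dotnet tool update -g docfx` with no version, so after this commit pins every action by SHA the docs build continues to fetch whatever docfx version the feed serves at run time; the line is pre-existing context rather than something this commit touches, but it is the one floating dependency left in a workflow the commit set out to harden. Pinning it, `run: dotnet tool update -g docfx --version <PINNED_DOCFX_VERSION>` (placeholder, use the version currently deployed), makes the docs job reproducible and lets a later bump show up as a reviewable diff. The job header and its remaining steps lie outside this hunk.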
From: Rob Hague
Date: Sun, 12 Apr 2026 11:07:32 +0200
Subject: [PATCH 2/3] test public release version

---
 version.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.json b/version.json
index 1945ff7bb..de3c791b4 100644
--- a/version.json
+++ b/version.json
@@ -1,6 +1,6 @@
 {
   "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/main/src/NerdBank.GitVersioning/version.schema.json",
-  "version": "2025.1.1-prerelease.{height}",
+  "version": "2025.1.1",
   "assemblyVersion": {
     "precision": "revision"
   },
@@ -15,4 +15,4 @@
   "versionIncrement": "build",
   "firstUnstableTag": "prerelease"
 }
-}
\ No newline at end of file
+}

From 99b47f9bbc730592fa972171314a99d5773f911b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 12 Apr 2026 09:27:56 +0000 Subject: [PATCH 3/3] Bump the dependencies group with 9 updates Bumps coverlet.collector from 6.0.4 to 8.0.1 Bumps coverlet.msbuild from 6.0.4 to 8.0.1 Bumps GitHubActionsTestLogger from 3.0.1 to 3.0.3 Bumps Meziantou.Analyzer from 3.0.18 to 3.0.44 Bumps Microsoft.Bcl.Cryptography from 10.0.3 to 10.0.5 Bumps Microsoft.Extensions.Logging.Console from 10.0.3 to 10.0.5 Bumps SonarAnalyzer.CSharp from 10.20.0.135146 to 10.22.0.136894 Bumps System.Formats.Asn1 from 10.0.3 to 10.0.5 Bumps Testcontainers from 4.10.0 to 4.11.0 --- updated-dependencies: - dependency-name: coverlet.collector dependency-version: 8.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: dependencies - dependency-name: coverlet.msbuild dependency-version: 8.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: dependencies - dependency-name: GitHubActionsTestLogger dependency-version: 3.0.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: Meziantou.Analyzer dependency-version: 3.0.44 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: Microsoft.Bcl.Cryptography dependency-version: 10.0.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: Microsoft.Extensions.Logging.Console dependency-version: 10.0.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: SonarAnalyzer.CSharp dependency-version: 10.22.0.136894 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: System.Formats.Asn1 dependency-version: 10.0.5 dependency-type: 
direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: Testcontainers dependency-version: 4.11.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies ... Signed-off-by: dependabot[bot] --- Directory.Packages.props | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/Directory.Packages.props b/Directory.Packages.props index 8991d83e0..2b3c666ff 100644 --- a/Directory.Packages.props +++ b/Directory.Packages.props @@ -6,22 +6,22 @@ - - - - + + + + - + - + - + - - + +