From ff6060b884722d00ce8a3f533838da0eebca5edb Mon Sep 17 00:00:00 2001
From: "securityeng-bot[bot]" <219863240+securityeng-bot[bot]@users.noreply.github.com>
Date: Wed, 27 May 2026 15:55:07 +0000
Subject: [PATCH 1/2] ci: enforce ignore-scripts policy for Node package managers

---
 .npmrc | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 .npmrc

diff --git a/.npmrc b/.npmrc
new file mode 100644
index 0000000..97b895e
--- /dev/null
+++ b/.npmrc
@@ -0,0 +1 @@
+ignore-scripts=true

From f3ad7f1a16bc6f475e19117c98bc7fbc3ea4510e Mon Sep 17 00:00:00 2001
From: Agent
Date: Fri, 5 Jun 2026 13:24:30 +0000
Subject: [PATCH 2/2] fix: pin GitHub Actions to full commit SHAs in workflows

Pins actions/checkout, actions/upload-artifact, actions/download-artifact, actions/setup-node, and ncipollo/release-action to full commit SHAs in ci.yml and release.yml to satisfy the repo's action allow-list policy.
---
 .github/workflows/ci.yml | 10 +++++-----
 .github/workflows/release.yml | 6 +++---
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0f0ad04..8a98bc2 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -25,7 +25,7 @@ jobs:
 - master
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Setup Node for Unit Tests
 uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 #v4.0.3
@@ -61,7 +61,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Setup Node for Build
 uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 #v4.0.3
@@ -78,7 +78,7 @@ jobs:
 npm run build
 - name: Upload build artifacts
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: build-output
 path: dist/
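Review bot: The new `.npmrc` carries no comment explaining what `ignore-scripts=true` changes for day-to-day use, and the flag reaches further than install-time hooks: `npm run build` in ci.yml still runs the named script, but its `pre`/`post` hooks are skipped, and any dependency that needs a build step after `npm ci` now has to be rebuilt explicitly. A comment above the setting would save the next maintainer a debugging round, e.g. `# Supply-chain hardening: lifecycle scripts are not run on install; explicit npm run <script> still works, but pre/post hooks are skipped.` The subject line speaks of Node package managers in general, yet this key is honoured by npm and pnpm only; if Yarn is in use it needs its own setting (`enableScripts: false` in `.yarnrc.yml` for Yarn 2+), since it does not read this from `.npmrc`.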
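Review bot: The trailing comments on the new pins in this hunk (and likewise at -61, -78, -95 and in release.yml) record only the floating major tag, `# v4`, so a reader cannot tell which release the SHA corresponds to or verify that it was taken from the upstream repository rather than a fork; the existing setup-node line shows the more useful form with its exact `#v4.0.3` annotation. Record the exact tag the commit resolves to, e.g. `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v<exact tag>`, after confirming it against the upstream tag list, since automated bumpers key off that comment to propose updates. The comment spacing is also inconsistent between `#v4.0.3` and `# v4`; pick one form file-wide. The enclosing job definition starts above the hunk.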
@@ -95,10 +95,10 @@ jobs:
 - 22
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Download build artifacts
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
 name: build-output
 path: dist
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d666724..485a004 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,11 +13,11 @@ jobs:
 release:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 # Uses NPM Trusted Publishers for access to the registry
 # See https://docs.npmjs.com/trusted-publishers
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version-file: .node-version
 registry-url: https://registry.npmjs.org
@@ -40,7 +40,7 @@ jobs:
 - name: GitHub Release
 if: ${{ ! inputs.dryRun }}
- uses: ncipollo/release-action@v1.20.0
+ uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1.20.0
 with:
 generateReleaseNotes: true
 makeLatest: true
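Review bot: With `ignore-scripts=true` now committed in `.npmrc` by the first patch in this series, the npm publish step that the `release` job presumably runs after the pinned `actions/setup-node` (outside this hunk) is not expected to execute `prepublishOnly` or `prepack` any more; if the package relies on those hooks to build before publishing, the release would ship an unbuilt tarball. Either run the build as an explicit workflow step before publishing, or override on that single command, e.g. `run: npm publish --ignore-scripts=false`, with a comment stating why the project-wide setting is relaxed there. The publish step itself is not visible here, so please confirm which case applies; the remaining steps of the `release` job lie outside the hunk.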