From 53ee28f130563ee0916b3ec99cd9a0704eacc343 Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Wed, 3 Sep 2025 23:46:41 -0700 Subject: [PATCH 1/3] [StepSecurity] Apply security best practices Signed-off-by: StepSecurity Bot --- .github/dependabot.yml | 6 ++++++ .github/workflows/ci.yml | 7 +++++-- .github/workflows/test_nginx_lastest_commit.yml | 7 +++++-- .github/workflows/test_openresty.yml | 5 ++++- 4 files changed, 20 insertions(+), 5 deletions(-) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..253bcb7 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,6 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: daily diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 40080df..fddbfc1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [ "master" ] +permissions: + contents: read + jobs: test-nginx: strategy: @@ -15,7 +18,7 @@ jobs: runs-on: "ubuntu-20.04" steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: get dependencies run: | sudo apt update @@ -25,7 +28,7 @@ jobs: sudo apt-get install libnet-dns-perl sudo cpan -T -i Test::More - name: 'checkout luajit2' - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: repository: openresty/luajit2 path: luajit2 diff --git a/.github/workflows/test_nginx_lastest_commit.yml b/.github/workflows/test_nginx_lastest_commit.yml index 04835cb..700aed7 100644 --- a/.github/workflows/test_nginx_lastest_commit.yml +++ b/.github/workflows/test_nginx_lastest_commit.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [ "master" ] +permissions: + contents: read + jobs: test-nginx: strategy: 
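Review bot: In the `checkout luajit2` step the SHA pin hardens the action but not the code it fetches: `repository: openresty/luajit2` is checked out with no `ref:` visible in the hunk, so the job still builds whatever that third-party repository's default branch holds at run time. If no `ref:` follows outside the hunk, add one pinned to a release tag or commit (e.g. `ref: <tag-or-commit>`) so the build input is as reproducible as the action itself. Keep the trailing `# v3.6.0` comment in step with the SHA, since Dependabot resolves future updates from that comment. The `with:` block may continue beyond the hunk.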
@@ -18,7 +21,7 @@ jobs: CC: ${{ matrix.compiler.CC }} CXX: ${{ matrix.compiler.CXX }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: get dependencies run: | sudo apt update @@ -28,7 +31,7 @@ jobs: sudo apt-get install libnet-dns-perl sudo cpan -T -i Test::More - name: 'checkout luajit2' - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: repository: openresty/luajit2 path: luajit2 diff --git a/.github/workflows/test_openresty.yml b/.github/workflows/test_openresty.yml index ab04d0a..49d7b16 100644 --- a/.github/workflows/test_openresty.yml +++ b/.github/workflows/test_openresty.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [ "master" ] +permissions: + contents: read + jobs: test-openresty: strategy: @@ -15,7 +18,7 @@ jobs: runs-on: "ubuntu-20.04" steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: get dependencies run: | sudo apt update From edcf9c223ff911b7a6d612f76edd2f3a4f8ec47a Mon Sep 17 00:00:00 2001 From: Fangzhou WU <61730710+Boat97@users.noreply.github.com> Date: Thu, 4 Sep 2025 14:48:32 +0800 Subject: [PATCH 2/3] Update dependabot.yml --- .github/dependabot.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 253bcb7..2390d8c 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,6 +1,10 @@ version: 2 updates: - - package-ecosystem: github-actions - directory: / + - package-ecosystem: "github-actions" + directory: "/" schedule: - interval: daily + interval: "monthly" + groups: + github-actions: + patterns: + - "*" From 4617962a4a9e0968322ef69e406215c24ea56386 Mon Sep 17 00:00:00 2001 
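Review bot: Same gap as in ci.yml: the second `actions/checkout` here fetches `repository: openresty/luajit2` with no `ref:` visible in the hunk, so pinning the action SHA leaves the luajit2 source tracking that repository's moving default branch. If no `ref:` exists past the hunk, pin it (`ref: <tag-or-commit>`); otherwise the "test latest nginx commit" job mixes a deliberately floating nginx with an accidentally floating luajit2. The `with:` mapping continues outside the hunk.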
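Review bot: Moving from `interval: daily` to `interval: "monthly"` with a single catch-all group widens the window in which a vulnerable or withdrawn action revision stays pinned to as much as a month, and grouped PRs bundle several SHA changes into one review. Dependabot can open out-of-schedule PRs for actions with a known advisory, but only when security updates are enabled for this ecosystem and only for advisories GitHub already tracks, so `interval: "weekly"` is a safer default for a `"*"` group. If a `cooldown:` setting is available for the github-actions ecosystem in this account, adding one is a cheap guard against adopting a freshly published, possibly tampered release on day zero. When merging a grouped PR, check each `# vX.Y.Z` comment against the tag it claims to be.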
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 5 Sep 2025 18:01:20 +0800 Subject: [PATCH 3/3] Bump actions/checkout from 3.6.0 to 5.0.0 (#3) Bumps [actions/checkout](https://github.com/actions/checkout) from 3.6.0 to 5.0.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/f43a0e5ff2bd294095638e18286ca9a3d1956744...08c6903cd8c0fde910a37f88322edcfb5dd907a8) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 4 ++-- .github/workflows/test_nginx_lastest_commit.yml | 4 ++-- .github/workflows/test_openresty.yml | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index fddbfc1..1b8b13a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -18,7 +18,7 @@ jobs: runs-on: "ubuntu-20.04" steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: get dependencies run: | sudo apt update @@ -28,7 +28,7 @@ jobs: sudo apt-get install libnet-dns-perl sudo cpan -T -i Test::More - name: 'checkout luajit2' - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: repository: openresty/luajit2 path: luajit2 diff --git a/.github/workflows/test_nginx_lastest_commit.yml b/.github/workflows/test_nginx_lastest_commit.yml index 700aed7..72abd06 100644 --- a/.github/workflows/test_nginx_lastest_commit.yml +++ b/.github/workflows/test_nginx_lastest_commit.yml 
@@ -21,7 +21,7 @@ jobs: CC: ${{ matrix.compiler.CC }} CXX: ${{ matrix.compiler.CXX }} steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: get dependencies run: | sudo apt update @@ -31,7 +31,7 @@ jobs: sudo apt-get install libnet-dns-perl sudo cpan -T -i Test::More - name: 'checkout luajit2' - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: repository: openresty/luajit2 path: luajit2 diff --git a/.github/workflows/test_openresty.yml b/.github/workflows/test_openresty.yml index 49d7b16..d21b0d9 100644 --- a/.github/workflows/test_openresty.yml +++ b/.github/workflows/test_openresty.yml @@ -18,7 +18,7 @@ jobs: runs-on: "ubuntu-20.04" steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: get dependencies run: | sudo apt update