From 37c531318f80f659cda00e31308b6f0efc1a7dff Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Tue, 12 Dec 2023 13:54:21 +0800 Subject: [PATCH 1/5] chore: tighten workflow permissions --- .github/workflows/build.yaml | 1 - .github/workflows/codeql-analysis.yaml | 6 ++++-- .github/workflows/dependabot-automerge.yaml | 6 ++++-- 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index e024370..c959fd5 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -8,7 +8,6 @@ jobs: build-binaries: permissions: contents: read - actions: write runs-on: ubuntu-latest steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml index 8697c74..9829ebd 100644 --- a/.github/workflows/codeql-analysis.yaml +++ b/.github/workflows/codeql-analysis.yaml @@ -7,11 +7,13 @@ on: branches: - main permissions: - actions: read contents: read - security-events: write jobs: analyze: + permissions: + actions: read + contents: read + security-events: write runs-on: ubuntu-latest strategy: fail-fast: false diff --git a/.github/workflows/dependabot-automerge.yaml b/.github/workflows/dependabot-automerge.yaml index 2110926..aec0b5d 100644 --- a/.github/workflows/dependabot-automerge.yaml +++ b/.github/workflows/dependabot-automerge.yaml @@ -5,10 +5,12 @@ on: branches: - main permissions: - contents: write - pull-requests: write + contents: read jobs: dependabot-automerge: + permissions: + contents: write + pull-requests: write runs-on: ubuntu-latest if: github.actor == 'dependabot[bot]' steps: From 0a074883148602ed97a44e87235f4c9983cfdd77 Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Tue, 12 Dec 2023 13:54:44 +0800 Subject: [PATCH 2/5] chore: pin docker base image hash --- deploy/go-cli-github/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
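Review bot: The job-level block on `analyze` re-grants `actions: read`, which the CodeQL action's own template marks as required only for workflows in private repositories; if this repository is public the scope can be dropped, leaving `contents: read` and `security-events: write`. A job-level `permissions` block replaces the workflow-level one rather than extending it, so the remaining top-level `contents: read` now only acts as a default for jobs added later, which is worth stating, e.g. `# default for any job without its own permissions block; analyze overrides it below`.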
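Review bot: The `contents: write` / `pull-requests: write` scopes now sit on a job whose only guard is `if: github.actor == 'dependabot[bot]'`, and the event that triggers this workflow is outside the hunk (only `branches: - main` is visible), so whether a non-Dependabot actor can reach the job cannot be confirmed from here. Dependabot-triggered runs receive a read-only `GITHUB_TOKEN` unless a `permissions` block says otherwise, so this block is load-bearing; a comment such as `# Dependabot runs default to a read-only token; these scopes are what let the job act on the PR` would stop a later cleanup from removing it. Because a job-level `permissions` block replaces the workflow-level one, the top-level `contents: read` only applies to jobs added later. If the merge step further down does not gate on the update type (for example via `dependabot/fetch-metadata`'s `update-type`), major version bumps will be merged with these scopes as well — worth confirming against the rest of the file.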
diff --git a/deploy/go-cli-github/Dockerfile b/deploy/go-cli-github/Dockerfile index 0ae55c3..7d52a47 100644 --- a/deploy/go-cli-github/Dockerfile +++ b/deploy/go-cli-github/Dockerfile @@ -1,3 +1,3 @@ -FROM alpine:3.19 +FROM alpine:3.19@sha256:51b67269f354137895d43f3b3d810bfacd3945438e94dc5ac55fdac340352f48 ENTRYPOINT ["/go-cli-github"] COPY go-cli-github / From 0edb084b0169ec00a43142bd40892f231ab65042 Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Tue, 12 Dec 2023 14:02:47 +0800 Subject: [PATCH 3/5] chore: switch from manual branch protection to ruleset --- README.md | 16 +------- protect-default-branch.json | 82 +++++++++++++++++++++++++++++++++++++ 2 files changed, 83 insertions(+), 15 deletions(-) create mode 100644 protect-default-branch.json diff --git a/README.md b/README.md index 098ae91..1260375 100644 --- a/README.md +++ b/README.md @@ -76,20 +76,6 @@ Configure the repository: * Set Workflow permissions to "Read repository contents and package permissions" -1. Go to repository Settings > Branches and add branch protection to `main`, and enable: - - * Require a PR before merging - * Dismiss stale pull request approvals - * Require status checks to pass before merging - * Require branches to be up-to-date before merging. - * Required status checks: - * CodeQL - * lint-actions - * lint-commits - * lint-go - * test-go - * dependency-review - * build-binaries - * Include administrators +1. Go to repository Settings > Rules > Rulesets, and import the `protect-default-branch.json` ruleset. 1. That's it. diff --git a/protect-default-branch.json b/protect-default-branch.json new file mode 100644 index 0000000..fd7cd4b --- /dev/null +++ b/protect-default-branch.json 
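Review bot: Pinning `FROM alpine:3.19@sha256:…` freezes the base image, so Alpine security fixes only arrive when something rewrites the digest; unless `dependabot.yml` (not visible here) has a `docker` entry for `/deploy/go-cli-github`, this pin will go stale silently. When both tag and digest are given the digest is what is pulled and the tag is informational, so a comment recording what the digest was resolved from helps the next update, e.g. `# alpine:3.19 resolved 2023-12-12; the digest is pulled, the tag is documentation`. Unrelated to this change but visible in the same hunk: the image has no `USER` directive, so `/go-cli-github` runs as root.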
@@ -0,0 +1,82 @@ +{ + "id": 239413, + "name": "protect-default-branch", + "target": "branch", + "source_type": "Repository", + "source": "smlx/go-cli-github", + "enforcement": "active", + "conditions": { + "ref_name": { + "exclude": [], + "include": [ + "~DEFAULT_BRANCH" + ] + } + }, + "rules": [ + { + "type": "deletion" + }, + { + "type": "non_fast_forward" + }, + { + "type": "update" + }, + { + "type": "creation" + }, + { + "type": "required_linear_history" + }, + { + "type": "pull_request", + "parameters": { + "required_approving_review_count": 1, + "dismiss_stale_reviews_on_push": false, + "require_code_owner_review": false, + "require_last_push_approval": false, + "required_review_thread_resolution": false + } + }, + { + "type": "required_status_checks", + "parameters": { + "strict_required_status_checks_policy": true, + "required_status_checks": [ + { + "context": "CodeQL", + "integration_id": 57789 + }, + { + "context": "lint-actions", + "integration_id": 15368 + }, + { + "context": "lint-commits", + "integration_id": 15368 + }, + { + "context": "lint-go", + "integration_id": 15368 + }, + { + "context": "test-go", + "integration_id": 15368 + }, + { + "context": "dependency-review", + "integration_id": 15368 + } + ] + } + } + ], + "bypass_actors": [ + { + "actor_id": 5, + "actor_type": "RepositoryRole", + "bypass_mode": "pull_request" + } + ] +} \ No newline at end of file From 6039ed3d83abaaf0a921bdb47c6e73d7e49b02bb Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Tue, 12 Dec 2023 14:28:37 +0800 Subject: [PATCH 4/5] chore: simplify PR build --- .github/workflows/build.yaml | 43 +++++++++--------------------------- 1 file changed, 10 insertions(+), 33 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index c959fd5..18ffdba 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
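Review bot: The imported ruleset drops two protections the removed README steps required: `"dismiss_stale_reviews_on_push": false` lets an approval survive later pushes (the README's "Dismiss stale pull request approvals" no longer holds), and `build-binaries` is absent from `required_status_checks`, so the build job (renamed `build-snapshot` later in this series) is no longer a merge gate. Set `"dismiss_stale_reviews_on_push": true` and add `{ "context": "build-snapshot", "integration_id": 15368 }` if the build is meant to remain required. The `bypass_actors` entry (`actor_id: 5`, `RepositoryRole`, `bypass_mode: pull_request`) appears to let repository admins bypass these rules when merging a PR, which is looser than the previous "Include administrators" setting; if that is intended it deserves a sentence in the README, since JSON allows no comments. The `id` and `source` fields look like instance-specific export artefacts and are likely ignored on import, so they can be removed from the committed file to avoid suggesting they are configuration.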
@@ -5,10 +5,15 @@ on: - main permissions: read-all jobs: - build-binaries: + build-snapshot: permissions: contents: read + packages: write runs-on: ubuntu-latest + strategy: + matrix: + binary: + - go-cli-github steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: 
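Review bot: `packages: write` is now granted to the whole `build-snapshot` job, so the checkout and goreleaser build steps — which run third-party actions and the repository's own build code — hold a GHCR-write token, whereas before this patch only the separate `build-images` job did; the `github.actor != 'dependabot[bot]'` guards on later steps limit which steps run, not what the token can do. If the workflow's trigger (outside the hunk; only `branches: - main` is visible) includes `pull_request` from same-repository branches, any build code a PR introduces runs with that token. If the merge of the two jobs is deliberate, record the trade-off, e.g. `# packages: write is job-wide — the build steps below also run with a GHCR push token`; otherwise keep image publishing in a job that `needs:` the build, as before.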
@@ -20,50 +25,22 @@ jobs: - uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0 with: version: latest - args: build --snapshot --clean - - name: Upload binary artifacts - # work around limitations in the upload/download artifact actions - # https://github.com/actions/download-artifact#limitations - run: tar -cvf dist.tar dist - - name: Upload binaries tar file - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: dist.tar - path: dist.tar - build-images: - permissions: - contents: read - actions: read - packages: write - id-token: write - if: ${{ !startsWith(github.head_ref, 'dependabot/') }} - strategy: - matrix: - binary: - - go-cli-github - needs: build-binaries - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Download binary artifacts - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 - with: - name: dist.tar - - name: Untar binaries - run: tar -xvf dist.tar + args: build --clean --debug --single-target --snapshot - name: Login to GHCR + if: github.actor != 'dependabot[bot]' uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Get Docker metadata + if: github.actor != 'dependabot[bot]' id: docker_metadata uses: docker/metadata-action@31cebacef4805868f9ce9a0cb03ee36c32df2ac4 # v5.3.0 with: images: ghcr.io/${{ github.repository }}/${{ matrix.binary }} - name: Build and push ${{ matrix.binary }} container image - id: docker_build + if: github.actor != 'dependabot[bot]' uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 with: push: true From 3688be92f42f4b10373643e7330b56f81f92d8a9 Mon Sep 17 00:00:00 2001 
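Review bot: `version: latest` on the goreleaser step fetches whichever goreleaser release is current, leaving the one tool that produces the shipped binaries unpinned while every action in this file is pinned by commit SHA; pin it to an explicit release tag, `version: 'vX.Y.Z'`, so the build is reproducible and Dependabot-style review applies to upgrades. Recent goreleaser releases deprecate `--debug` in favour of `--verbose`, so the new `args:` line is another reason a floating `latest` is fragile. The `id: docker_build` removed from the build-and-push step means any later step (outside the hunk) that references `steps.docker_build.outputs.digest` — e.g. an image-signing step, which the dropped `id-token: write` hints may have existed — now sees an empty string rather than a failure; confirm nothing after `push: true` uses it.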
From: Scott Leggett Date: Tue, 12 Dec 2023 14:28:50 +0800 Subject: [PATCH 5/5] chore: align Makefile build command with CI action --- Makefile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 41ca910..954864a 100644 --- a/Makefile +++ b/Makefile @@ -14,4 +14,5 @@ generate: mod-tidy .PHONY: build build: - GOVERSION=$$(go version) goreleaser build --clean --debug --snapshot + GOVERSION=$$(go version) \ + goreleaser build --clean --debug --single-target --snapshot