From fb53d4094f0917d17ef150a8b6b0fa9eff09cf8c Mon Sep 17 00:00:00 2001
From: Marc Ransome
Date: Sun, 10 Mar 2024 00:12:32 +0000
Subject: [PATCH 1/9] Update workflow names
---
 .github/workflows/codeql-analysis.yml | 2 +-
 .github/workflows/dependency-review.yml | 2 +-
 .github/workflows/markdown-links.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index d735519..d3aef6e 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -1,4 +1,4 @@
-name: "CodeQL"
+name: CodeQL analysis
 on:
 push:
 branches:
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index d3ba613..2507259 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -1,4 +1,4 @@
-name: dependency-review
+name: Dependency review
 on:
 pull_request:
 branches:
diff --git a/.github/workflows/markdown-links.yml b/.github/workflows/markdown-links.yml
index 6fdb4d3..56c685c 100644
--- a/.github/workflows/markdown-links.yml
+++ b/.github/workflows/markdown-links.yml
@@ -1,4 +1,4 @@
-name: "Markdown links"
+name: Markdown links check
 on:
 push:
 branches:
From f87e62cefbcdb6377cb471f4f152b6ef4d467626 Mon Sep 17 00:00:00 2001
From: Marc Ransome
Date: Sun, 10 Mar 2024 00:17:11 +0000
Subject: [PATCH 2/9] Add OpenSSF Scorecard supply-chain security workflow
---
 .github/workflows/openssf-scorecard.yml | 40 +++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 .github/workflows/openssf-scorecard.yml
diff --git a/.github/workflows/openssf-scorecard.yml b/.github/workflows/openssf-scorecard.yml
new file mode 100644
index 0000000..254d85c
--- /dev/null
+++ b/.github/workflows/openssf-scorecard.yml
@@ -0,0 +1,40 @@
+name: OpenSSF Scorecard supply-chain security
+on:
+ branch_protection_rule:
+ schedule:
+ - cron: '0 3 * * 1'
+ push:
+ branches: [ "main" ]
+
+# Declare default workflow permissions as read only
+permissions: read-all
+
+jobs:
+ analysis:
+ name: OpenSSF Scorecard analysis
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write # Needed to upload the results to code scanning dashboard
+ id-token: write # Needed to publish results to OpenSSF API and get a badge (see publish_results below)
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+ with:
+ persist-credentials: false
+ - name: Run analysis
+ uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ publish_results: true
+ - name: Upload Actions artifact
+ uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+ - name: Upload to code scanning dashboard
+ uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
+ with:
+ sarif_file: results.sarif
+
From b73d6de3618e1ff773f33b69ee781594ecafeff1 Mon Sep 17 00:00:00 2001
From: Marc Ransome
Date: Sun, 10 Mar 2024 00:54:08 +0000
Subject: [PATCH 3/9] Add OpenSSF Scorecard badge
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index b860d49..a9be735 100644
--- a/README.md
+++ b/README.md
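Review bot: The `push` trigger in the new openssf-scorecard.yml is written in flow style, `branches: [ "main" ]`, while the sibling workflows touched in this series write the same key in block style (`branches:` then `- main`, visible in the dependency-review hunk of patch 6); for a consistent file set use the block form here too. The other workflows also declare `workflow_dispatch:`, so a run can be started by hand; this one can only run on a push to main, a branch-protection change, or the Monday cron, so consider adding `workflow_dispatch:` under `on:` to make a re-score possible on demand. The `branch_protection_rule:` trigger has no `types` filter and no comment; a one-liner such as `# re-score whenever branch protection changes` would record why it is listed. Setting `persist-credentials: false` on the checkout is the right call for a job that holds `id-token: write`.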
@@ -2,7 +2,7 @@
 # flog
-[![CodeQL](https://github.com/marcransome/flog/actions/workflows/codeql-analysis.yml/badge.svg?branch=main)](https://github.com/marcransome/flog/actions/workflows/codeql-analysis.yml) [![Issues](https://img.shields.io/github/issues/marcransome/flog)](https://github.com/marcransome/flog/issues) [![License](https://img.shields.io/badge/license-MIT-blue)](https://opensource.org/licenses/mit-license.php) [![macOS](https://img.shields.io/badge/macOS-11+-blue)](https://www.apple.com/macos/)
+[![OpenSSF Scorecard](https://img.shields.io/ossf-scorecard/github.com/marcransome/flog?style=flat&label=OpenSSF%20Scorecard)](https://securityscorecards.dev/viewer/?uri=github.com/marcransome/flog) [![CodeQL](https://github.com/marcransome/flog/actions/workflows/codeql-analysis.yml/badge.svg?branch=main)](https://github.com/marcransome/flog/actions/workflows/codeql-analysis.yml) [![Issues](https://img.shields.io/github/issues/marcransome/flog)](https://github.com/marcransome/flog/issues) [![License](https://img.shields.io/badge/license-MIT-blue)](https://opensource.org/licenses/mit-license.php) [![macOS](https://img.shields.io/badge/macOS-11+-blue)](https://www.apple.com/macos/)
 `flog` is a command-line tool for sending log messages to Apple's unified logging system and is primaily intended for use in scripts.
From 19ff98646848575386faa6564d212df6d3af43b6 Mon Sep 17 00:00:00 2001
From: Marc Ransome
Date: Sun, 10 Mar 2024 01:03:01 +0000
Subject: [PATCH 4/9] Update OpenSSF Scorecard badge
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index a9be735..7ac7849 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 # flog
-[![OpenSSF Scorecard](https://img.shields.io/ossf-scorecard/github.com/marcransome/flog?style=flat&label=OpenSSF%20Scorecard)](https://securityscorecards.dev/viewer/?uri=github.com/marcransome/flog) [![CodeQL](https://github.com/marcransome/flog/actions/workflows/codeql-analysis.yml/badge.svg?branch=main)](https://github.com/marcransome/flog/actions/workflows/codeql-analysis.yml) [![Issues](https://img.shields.io/github/issues/marcransome/flog)](https://github.com/marcransome/flog/issues) [![License](https://img.shields.io/badge/license-MIT-blue)](https://opensource.org/licenses/mit-license.php) [![macOS](https://img.shields.io/badge/macOS-11+-blue)](https://www.apple.com/macos/)
+[![OpenSSF Scorecard](https://img.shields.io/ossf-scorecard/github.com/marcransome/flog?label=OpenSSF%20Scorecard)](https://securityscorecards.dev/viewer/?uri=github.com/marcransome/flog) [![CodeQL](https://github.com/marcransome/flog/actions/workflows/codeql-analysis.yml/badge.svg?branch=main)](https://github.com/marcransome/flog/actions/workflows/codeql-analysis.yml) [![Issues](https://img.shields.io/github/issues/marcransome/flog)](https://github.com/marcransome/flog/issues) [![License](https://img.shields.io/badge/license-MIT-blue)](https://opensource.org/licenses/mit-license.php) [![macOS](https://img.shields.io/badge/macOS-11+-blue)](https://www.apple.com/macos/)
 `flog` is a command-line tool for sending log messages to Apple's unified logging system and is primaily intended for use in scripts.
From 5727ed859d268ee4c5ac5b679417bb770e4ac1ab Mon Sep 17 00:00:00 2001
From: Marc Ransome
Date: Sun, 10 Mar 2024 19:16:30 +0000
Subject: [PATCH 5/9] Remediate OpenSSF Scorecard pinned-dependencies
---
 .github/workflows/codeql-analysis.yml | 6 +++---
 .github/workflows/dependency-review.yml | 4 ++--
 .github/workflows/markdown-links.yml | 6 +++---
 .github/workflows/openssf-scorecard.yml | 5 ++---
 4 files changed, 10 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index d3aef6e..a55078e 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -19,11 +19,11 @@ jobs:
 security-events: write
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: Install dependencies
 run: brew install popt
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
+ uses: github/codeql-action/init@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
 with:
 languages: cpp
 queries: security-and-quality
@@ -33,4 +33,4 @@ jobs:
 cmake -S . -B build
 cmake --build build
 - name: Perform CodeQL analysis
- uses: github/codeql-action/analyze@v3
+ uses: github/codeql-action/analyze@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 2507259..bb7de4c 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -10,9 +10,9 @@ jobs:
 pull-requests: write
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: Dependency review
- uses: actions/dependency-review-action@v4
+ uses: actions/dependency-review-action@9129d7d40b8c12c1ed0f60400d00c92d437adcce # v4.1.3
 with:
 comment-summary-in-pr: true
 fail-on-severity: low
diff --git a/.github/workflows/markdown-links.yml b/.github/workflows/markdown-links.yml
index 56c685c..4836e6b 100644
--- a/.github/workflows/markdown-links.yml
+++ b/.github/workflows/markdown-links.yml
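Review bot: The `actions/checkout` steps pinned here in codeql-analysis.yml and dependency-review.yml (and the one in markdown-links.yml in the next hunk) keep the action's default of persisting the GITHUB_TOKEN into the checked-out `.git/config`, so every later step in those jobs can read it, whereas the openssf-scorecard.yml checkout changed in this same commit sets `persist-credentials: false`. None of the visible later steps (`brew install popt`, the CodeQL init/analyze pair, the dependency-review action, the link checker) appears to push or fetch with git credentials, so adding `with:` / `persist-credentials: false` to each of these checkouts should be safe and brings the four workflows to the same hardening baseline; confirm nothing downstream relies on the persisted credential before applying it. Pinning to full commit SHAs with the `# vX.Y.Z` comment is the right form, and keeping the version comment accurate is what lets Dependabot continue to update these pins.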
@@ -16,10 +16,10 @@ jobs:
 markdown-links:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: Check links in modified Markdown files
 if: github.event_name == 'pull_request'
- uses: gaurav-nelson/github-action-markdown-link-check@v1
+ uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # 1.0.15
 with:
 base-branch: main
 check-modified-files-only: yes
@@ -27,7 +27,7 @@ jobs:
 config-file: .github/markdown/markdown-links.json
 - name: Check links in all Markdown files
 if: github.event_name != 'pull_request'
- uses: gaurav-nelson/github-action-markdown-link-check@v1
+ uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # 1.0.15
 with:
 use-verbose-mode: yes
 config-file: .github/markdown/markdown-links.json
diff --git a/.github/workflows/openssf-scorecard.yml b/.github/workflows/openssf-scorecard.yml
index 254d85c..729b4d9 100644
--- a/.github/workflows/openssf-scorecard.yml
+++ b/.github/workflows/openssf-scorecard.yml
@@ -17,8 +17,8 @@ jobs:
 security-events: write # Needed to upload the results to code scanning dashboard
 id-token: write # Needed to publish results to OpenSSF API and get a badge (see publish_results below)
 steps:
- - name: Checkout code
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+ - name: Checkout repository
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
 persist-credentials: false
 - name: Run analysis
@@ -37,4 +37,3 @@ jobs:
 uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
 with:
 sarif_file: results.sarif
-
From dc69567e3f33ff7d0b5b81c0f3bba762e1a9a2d3 Mon Sep 17 00:00:00 2001
From: Marc Ransome
Date: Sun, 10 Mar 2024 20:06:34 +0000
Subject: [PATCH 6/9] Remediate OpenSSF Scorecard token-permissions
---
 .github/workflows/codeql-analysis.yml | 5 +++--
 .github/workflows/dependency-review.yml | 3 +++
 .github/workflows/markdown-links.yml | 3 +++
 .github/workflows/openssf-scorecard.yml | 1 -
 4 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index a55078e..f2875b0 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -9,13 +9,14 @@ on:
 schedule:
 - cron: '00 18 * * 1'
 workflow_dispatch:
+
+permissions: read-all
+
 jobs:
 analyze:
 name: Analyze
 runs-on: macos-latest
 permissions:
- actions: read
- contents: read
 security-events: write
 steps:
 - name: Checkout repository
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index bb7de4c..1818d47 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -3,6 +3,9 @@ on:
 pull_request:
 branches:
 - main
+
+permissions: read-all
+
 jobs:
 dependency-review:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/markdown-links.yml b/.github/workflows/markdown-links.yml
index 4836e6b..3aed28a 100644
--- a/.github/workflows/markdown-links.yml
+++ b/.github/workflows/markdown-links.yml
@@ -12,6 +12,9 @@ on:
 schedule:
 - cron: '0 18 * * 1'
 workflow_dispatch:
+
+permissions: read-all
+
 jobs:
 markdown-links:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/openssf-scorecard.yml b/.github/workflows/openssf-scorecard.yml
index 729b4d9..be2f132 100644
--- a/.github/workflows/openssf-scorecard.yml
+++ b/.github/workflows/openssf-scorecard.yml
@@ -6,7 +6,6 @@ on:
 push:
 branches: [ "main" ]
-# Declare default workflow permissions as read only
 permissions: read-all
 jobs:
From 7fc421c8f9a81c8da8b12f9c16df441cf804f00a Mon Sep 17 00:00:00 2001
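Review bot: Removing `actions: read` and `contents: read` from the `analyze` job's `permissions:` block in codeql-analysis.yml does not let those scopes fall back to the new workflow-level `permissions: read-all`; a job-level `permissions:` block replaces the workflow-level one for that job, and every scope it does not list is set to `none`, so this job now runs with `security-events: write` and nothing else. On a public repository `actions/checkout` and the CodeQL init/analyze steps work without those scopes, which is presumably why the run still passes, but the CodeQL starter workflow documents `actions: read` and `contents: read` as required for private repositories, so a later visibility change would break this job without an obvious cause. Keeping `contents: read` and `actions: read` next to `security-events: write` costs nothing under a read-all default and records the intent, e.g. `permissions:` / `contents: read` / `security-events: write`. The dependency-review.yml and markdown-links.yml hunks only add the workflow-level key and are fine; the dependency-review job's own `pull-requests: write` block (visible in patch 5) is subject to the same replace-not-merge rule, so it is worth checking that action's documented scopes against it.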
From: Marc Ransome
Date: Sun, 10 Mar 2024 20:28:33 +0000
Subject: [PATCH 7/9] Bump OpenSSF Scorecard workflow actions
---
 .github/workflows/openssf-scorecard.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/openssf-scorecard.yml b/.github/workflows/openssf-scorecard.yml
index be2f132..76e00cd 100644
--- a/.github/workflows/openssf-scorecard.yml
+++ b/.github/workflows/openssf-scorecard.yml
@@ -21,18 +21,18 @@ jobs:
 with:
 persist-credentials: false
 - name: Run analysis
- uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
+ uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
 with:
 results_file: results.sarif
 results_format: sarif
 publish_results: true
 - name: Upload Actions artifact
- uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+ uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
 with:
 name: SARIF file
 path: results.sarif
 retention-days: 5
 - name: Upload to code scanning dashboard
- uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
+ uses: github/codeql-action/upload-sarif@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
 with:
 sarif_file: results.sarif
From 3093ad86ff64fcc459bf1241be35f15f0c0b517d Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 Mar 2024 17:17:29 +0000 Subject: [PATCH 8/9] Bump github/codeql-action from 3.24.6 to 3.24.7 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.24.6 to 3.24.7. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/8a470fddafa5cbb6266ee11b37ef4d8aae19c571...3ab4101902695724f9365a384f86c1074d94e18c) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/codeql-analysis.yml | 4 ++-- .github/workflows/openssf-scorecard.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index f2875b0..b7b1001 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -24,7 +24,7 @@ jobs: - name: Install dependencies run: brew install popt - name: Initialize CodeQL - uses: github/codeql-action/init@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6 + uses: github/codeql-action/init@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7 with: languages: cpp queries: security-and-quality @@ -34,4 +34,4 @@ jobs: cmake -S . -B build cmake --build build - name: Perform CodeQL analysis - uses: github/codeql-action/analyze@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6 + uses: github/codeql-action/analyze@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7 diff --git a/.github/workflows/openssf-scorecard.yml b/.github/workflows/openssf-scorecard.yml index 76e00cd..c6d1965 100644 --- a/.github/workflows/openssf-scorecard.yml +++ b/.github/workflows/openssf-scorecard.yml 
@@ -33,6 +33,6 @@ jobs:
 path: results.sarif
 retention-days: 5
 - name: Upload to code scanning dashboard
- uses: github/codeql-action/upload-sarif@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
+ uses: github/codeql-action/upload-sarif@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
 with:
 sarif_file: results.sarif
From acd3bfe38673901886fbbd328a9abc962c9c3286 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 14 Mar 2024 15:48:51 +0000
Subject: [PATCH 9/9] Bump actions/checkout from 4.1.1 to 4.1.2
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.1 to 4.1.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/b4ffde65f46336ab88eb53be808477a3936bae11...9bb56186c3b09b4f86b1c65136769dd318469633)
---
updated-dependencies:
- dependency-name: actions/checkout
 dependency-type: direct:production
 update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
---
 .github/workflows/codeql-analysis.yml | 2 +-
 .github/workflows/dependency-review.yml | 2 +-
 .github/workflows/markdown-links.yml | 2 +-
 .github/workflows/openssf-scorecard.yml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index b7b1001..d609107 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -20,7 +20,7 @@ jobs:
 security-events: write
 steps:
 - name: Checkout repository
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
 - name: Install dependencies
 run: brew install popt
 - name: Initialize CodeQL
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 1818d47..5951e86 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -13,7 +13,7 @@ jobs:
 pull-requests: write
 steps:
 - name: Checkout repository
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
 - name: Dependency review
 uses: actions/dependency-review-action@9129d7d40b8c12c1ed0f60400d00c92d437adcce # v4.1.3
 with:
diff --git a/.github/workflows/markdown-links.yml b/.github/workflows/markdown-links.yml
index 3aed28a..3daee2e 100644
--- a/.github/workflows/markdown-links.yml
+++ b/.github/workflows/markdown-links.yml
@@ -19,7 +19,7 @@ jobs:
 markdown-links:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
 - name: Check links in modified Markdown files
 if: github.event_name == 'pull_request'
 uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # 1.0.15
diff --git a/.github/workflows/openssf-scorecard.yml b/.github/workflows/openssf-scorecard.yml
index c6d1965..59b815d 100644
--- a/.github/workflows/openssf-scorecard.yml
+++ b/.github/workflows/openssf-scorecard.yml
@@ -17,7 +17,7 @@ jobs:
 id-token: write # Needed to publish results to OpenSSF API and get a badge (see publish_results below)
 steps:
 - name: Checkout repository
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
 with:
 persist-credentials: false
 - name: Run analysis