From c3887678999517cc1b0de8969250de34affdf8dc Mon Sep 17 00:00:00 2001 From: fxai Date: Fri, 5 Dec 2025 08:45:00 +0100 Subject: [PATCH 1/5] force lowercase repository name --- .github/workflows/dev_build_push.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/dev_build_push.yml b/.github/workflows/dev_build_push.yml index 20f6852..10a0c9c 100644 --- a/.github/workflows/dev_build_push.yml +++ b/.github/workflows/dev_build_push.yml @@ -23,11 +23,15 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} + - name: Create lowercase repository name + id: repo + run: echo "name=${GITHUB_REPOSITORY,,}" >> $GITHUB_OUTPUT + - name: Build and push :dev image uses: docker/build-push-action@v6 with: context: . push: true - tags: ghcr.io/${{ github.repository }}:dev + tags: ghcr.io/${{ steps.repo.outputs.name }}:dev cache-from: type=gha cache-to: type=gha,mode=max From 57faff7a7b1e579987dd58aaafaacb6659a3017f Mon Sep 17 00:00:00 2001 From: fxai Date: Fri, 5 Dec 2025 08:52:38 +0100 Subject: [PATCH 2/5] add permissions to workflow --- .github/workflows/dev_build_push.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/dev_build_push.yml b/.github/workflows/dev_build_push.yml index 10a0c9c..df5e24f 100644 --- a/.github/workflows/dev_build_push.yml +++ b/.github/workflows/dev_build_push.yml @@ -9,6 +9,11 @@ jobs: # Only allow running on the dev branch if: github.ref == 'refs/heads/dev' + permissions: + contents: write # Needed to create tags and releases + packages: write # Needed to push to GHCR + id-token: write # For trusted publishing + steps: - name: Checkout dev branch uses: actions/checkout@v4 From f46ab02fc2000c5a39d577b8bed798952589f7ee Mon Sep 17 00:00:00 2001 From: fxai Date: Wed, 10 Dec 2025 09:12:41 +0100 Subject: [PATCH 3/5] new .dockerignore file --- .dockerignore | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 .dockerignore 
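Review bot: In the new `Create lowercase repository name` step, `$GITHUB_OUTPUT` is expanded unquoted in `>> $GITHUB_OUTPUT`; the value is runner-controlled so this is not an injection concern, but quoting it is the form shellcheck and zizmor expect: `run: echo "name=${GITHUB_REPOSITORY,,}" >> "$GITHUB_OUTPUT"`. The `${VAR,,}` lowercasing is a bash 4 parameter expansion and only works because the job's default shell on ubuntu runners is bash, so a one-line comment above the step (`# ${VAR,,} needs bash; do not set shell: sh here`) would save the next maintainer a confusing failure. The login step whose `username:`/`password:` lines form the hunk's leading context starts outside the hunk.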
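Review bot: The added `permissions` block grants `id-token: write # For trusted publishing`, but no step visible in this workflow (checkout, GHCR login with `secrets.GITHUB_TOKEN`, build-and-push) requests an OIDC token, so the grant widens what a compromised step could do without any current use. `contents: write` is justified by a comment about tags and releases that none of the steps shown in this series perform; if those steps exist further down the file, outside the hunk, the comment stands, otherwise the block should shrink to `contents: read` and `packages: write`, with `id-token: write` added only once a step actually consumes it. The job's `steps:` list continues outside the hunk.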
diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 0000000..5f2d5b1 --- /dev/null +++ b/.dockerignore @@ -0,0 +1,14 @@ +# Exclude the Git version control folder +.git +.gitignore +.github + +# General exclusions +pytest.ini +README.md +TODO.md +tests/ + +# Nix develop +flake.lock +flake.nix From 8b66cec0d6a031e4e50b81608e7dac94e8a276e6 Mon Sep 17 00:00:00 2001 From: fxai Date: Wed, 10 Dec 2025 09:22:28 +0100 Subject: [PATCH 4/5] add .github folder to .dockerignore --- .dockerignore | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.dockerignore b/.dockerignore index 5f2d5b1..a9d4978 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,7 +1,7 @@ # Exclude the Git version control folder .git .gitignore -.github +.github/ # General exclusions pytest.ini From 8ed9c5e361a4bf89a3e6729f3ae92dea680393ca Mon Sep 17 00:00:00 2001 From: fxai Date: Wed, 10 Dec 2025 09:33:23 +0100 Subject: [PATCH 5/5] new security scan github action --- .dockerignore | 1 + .github/workflows/security_scan.yml | 42 +++++++++++++++++++++++++++++ 2 files changed, 43 insertions(+) create mode 100644 .github/workflows/security_scan.yml diff --git a/.dockerignore b/.dockerignore index a9d4978..ec4135f 100644 --- a/.dockerignore +++ b/.dockerignore @@ -8,6 +8,7 @@ pytest.ini README.md TODO.md tests/ +compose.yml # Nix develop flake.lock diff --git a/.github/workflows/security_scan.yml b/.github/workflows/security_scan.yml new file mode 100644 index 0000000..d70d9d9 --- /dev/null +++ b/.github/workflows/security_scan.yml 
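Review bot: The new `.dockerignore` is a deny-list (`.git`, `.github`, `tests/`, the Nix files), so anything not enumerated here — local environment or credential files, editor state, build caches — still enters the build context and can end up in an image layer. An allow-list shape is more robust as the repository grows: `*` as the first pattern, followed by `!` entries for the directories and files the Dockerfile actually copies. Which paths the Dockerfile needs is not visible in this series, so the exact `!` entries have to be taken from it.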
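Review bot: Changing `.github` to `.github/` is, as far as I can tell, a no-op: Docker preprocesses `.dockerignore` patterns with `filepath.Clean`, which strips a trailing slash, so both forms already matched the `.github` directory and its contents. If the intent was to document that the entry is a directory, a comment such as `# GitHub Actions workflows are not needed in the image` does that without relying on a slash the matcher discards. Worth confirming against the Docker version in use, since the hunk gives no other reason for the change.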
@@ -0,0 +1,42 @@
+name: security scan
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+
+permissions:
+ contents: read
+ security-events: write
+
+jobs:
+ gosec_zizmor:
+ name: security scan
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
+ - uses: actions/setup-go@v6
+ with:
+ go-version: stable
+ - name: Run Gosec Security Scanner
+ uses: securego/gosec@6be2b51fd78feca86af91f5186b7964d76cb1256 # v2.22.10
+ with:
+ args: "-no-fail -fmt json -out results.json ./..."
+
+ - name: Check Gosec Results
+ run: |
+ FOUND=$(jq '.Stats.found // 0' results.json)
+ echo "Gosec found $FOUND issue(s)"
+ if [ "$FOUND" -gt 0 ]; then
+ echo "❌ Security issues detected! Please fix them before merging."
+ exit 1
+ else
+ echo "✅ No security issues found."
+ fi
+
+ - name: Run zizmor 🌈
+ uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0
+ with:
+ inputs: .
\ No newline at end of file
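Review bot: The `Run Gosec Security Scanner` step runs a Go-only scanner over `./...`, yet the rest of this series points at a Python project (`pytest.ini` and `tests/` in `.dockerignore`); if the repository has no Go module, gosec finds nothing, `Check Gosec Results` reads `.Stats.found // 0` as zero, and the job passes vacuously while appearing to provide coverage. Either drop the gosec and setup-go steps or replace them with a scanner for the languages actually in the repository, and add a comment on the step naming what it is expected to cover. Separately, `actions/checkout@v6` and `actions/setup-go@v6` are tag-pinned while the two third-party actions are SHA-pinned with version comments; pinning all four the same way (`uses: actions/checkout@<commit-sha> # v6`) keeps the supply-chain policy consistent. The file also ends without a trailing newline.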