From c86ade57b8ac6b26aa99ea5b850d5d5d53f523d8 Mon Sep 17 00:00:00 2001
From: Dan Yeaw
Date: Sun, 24 Nov 2024 21:11:15 -0500
Subject: [PATCH 1/3] Allow immutable GitHub Action endpoints
---
 .github/workflows/build.yml | 8 ++++----
 .github/workflows/pre-commit-updater.yml | 6 +++---
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0559eb6..2a4e73b 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -39,8 +39,8 @@ jobs: pypi.org:443 github.com:443 api.github.com:443 - objects.githubusercontent.com:443 - raw.githubusercontent.com:443 + *.githubusercontent.com:443 + ghcr.io - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with:
@@ -85,9 +85,9 @@ jobs: files.pythonhosted.org:443 pypi.org:443 github.com:443 + *.githubusercontent.com:443 + ghcr.io keys.openpgp.org:443 - objects.githubusercontent.com:443 - raw.githubusercontent.com:443 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
diff --git a/.github/workflows/pre-commit-updater.yml b/.github/workflows/pre-commit-updater.yml
index b4c9731..6c9ba4c 100644
--- a/.github/workflows/pre-commit-updater.yml
+++ b/.github/workflows/pre-commit-updater.yml
@@ -20,10 +20,10 @@ jobs: egress-policy: block allowed-endpoints: > files.pythonhosted.org:443 - github.com:443 - objects.githubusercontent.com:443 pypi.org:443 - raw.githubusercontent.com:443 + github.com:443 + *.githubusercontent.com:443 + ghcr.io - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: main
From 27fddba8a8ac5edc69d1e82a53df03dfdf7f25d4 Mon Sep 17 00:00:00 2001
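Review bot: `ghcr.io` is the only allowed-endpoints entry added without a port, while every other line in these blocks pins `:443`; I cannot confirm from here whether harden-runner reads a bare host as "all ports" or rejects it, but `ghcr.io:443` keeps the entry consistent and the egress rule as narrow as the rest. The same applies to the @@ -85 hunk of build.yml and to the pre-commit-updater.yml hunk. Swapping `objects.githubusercontent.com:443` and `raw.githubusercontent.com:443` for `*.githubusercontent.com:443` also widens the allowlist from two named hosts to every subdomain; if the wildcard is what the immutable-action download needs, a comment above `allowed-endpoints: >` saying so, e.g. `# wildcard: immutable action downloads are served from varying githubusercontent.com hosts`, would stop a later edit from narrowing or widening it blindly (inside the folded scalar a `#` would be content, not a comment). Each of these blocks belongs to a harden-runner step whose start lies outside the hunk.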
From: Dan Yeaw
Date: Sun, 24 Nov 2024 21:12:02 -0500
Subject: [PATCH 2/3] Use GitHub App for pre-commit updates
---
 .github/workflows/pre-commit-updater.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/pre-commit-updater.yml b/.github/workflows/pre-commit-updater.yml
index 6c9ba4c..61634fb 100644
--- a/.github/workflows/pre-commit-updater.yml
+++ b/.github/workflows/pre-commit-updater.yml
@@ -22,6 +22,7 @@ jobs: files.pythonhosted.org:443 pypi.org:443 github.com:443 + api.github.com:443 *.githubusercontent.com:443 ghcr.io - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -38,10 +39,16 @@ jobs: run: pre-commit autoupdate --freeze - name: Run pre-commit hooks run: pre-commit run --all-files + - name: Create GitHub App Token + uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0 + id: generate-token + with: + app-id: ${{ secrets.GAPHOR_UPDATER_APP_ID }} + private-key: ${{ secrets.GAPHOR_UPDATER_APP_PRIVATE_KEY }} - name: Create Pull Request uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5 with: - token: ${{ secrets.PR_CREATOR }} + token: ${{ steps.generate-token.outputs.token }} commit-message: Update pre-commit hooks branch: pre-commit-update delete-branch: true
From f837fb2bbce63fd5b38e8434533c0ec5d6775f45 Mon Sep 17 00:00:00 2001
From: Dan Yeaw
Date: Sun, 24 Nov 2024 21:23:47 -0500
Subject: [PATCH 3/3] Update CI runners to use Ubuntu 24.04
---
 .github/workflows/build.yml | 6 +++---
 .github/workflows/codeql.yml | 2 +-
 .github/workflows/dependency-review.yml | 2 +-
 .github/workflows/pr-labeler.yml | 2 +-
 .github/workflows/pre-commit-updater.yml | 2 +-
 .github/workflows/release-drafter.yml | 2 +-
 .github/workflows/scorecard.yml | 2 +-
 7 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 2a4e73b..fc539da 100644
--- a/.github/workflows/build.yml
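Review bot: The new `Create GitHub App Token` step mints a token carrying whatever permissions the app installation holds, and nothing in the workflow records what the `Create Pull Request` step actually needs, so the app's least-privilege setup cannot be audited from the file; a comment above the step such as `# app installation should grant only contents: write and pull-requests: write on this repo` would pin that down (peter-evans/create-pull-request presumably needs both — confirm against its docs). As far as I know the action scopes the token to the current repository when `owner`/`repositories` are left unset; if the app is installed on more than this repository, an explicit `repositories:` input makes that intent visible. Since `secrets.PR_CREATOR` is no longer referenced anywhere in the hunk, the credential it held should be revoked and the secret deleted rather than left dormant, which the diff itself cannot do and the PR description should mention. The enclosing `steps` list starts before the hunk.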
+++ b/.github/workflows/build.yml
@@ -25,7 +25,7 @@ permissions: jobs: lint: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 permissions: contents: read steps:
@@ -61,7 +61,7 @@ jobs: build: needs: lint - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 permissions: contents: write strategy:
@@ -130,7 +130,7 @@ jobs: publish-to-pypi: name: Publish to PyPI (release only) needs: build - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 permissions: id-token: write if: ${{ github.event_name == 'release' }}
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 8250f29..6869bcc 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -15,7 +15,7 @@ permissions: jobs: analyze: name: Analyze - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 permissions: actions: read contents: read
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index e908a47..34f1f84 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -14,7 +14,7 @@ permissions: jobs: dependency-review: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Harden Runner uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
diff --git a/.github/workflows/pr-labeler.yml b/.github/workflows/pr-labeler.yml
index 1a7c2ee..2e27b32 100644
--- a/.github/workflows/pr-labeler.yml
+++ b/.github/workflows/pr-labeler.yml
@@ -10,7 +10,7 @@ jobs: pr-labeler: permissions: pull-requests: write # for TimonVS/pr-labeler-action to add labels in PR - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 if: "!contains(github.event.head_commit.message, 'skip ci')" steps: - name: Harden Runner
diff --git a/.github/workflows/pre-commit-updater.yml b/.github/workflows/pre-commit-updater.yml
index 61634fb..cef4880 100644
--- a/.github/workflows/pre-commit-updater.yml
+++ b/.github/workflows/pre-commit-updater.yml
@@ -11,7 +11,7 @@ jobs: updater: name: Update - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 steps: - name: Harden Runner uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index a056cb2..3323640 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -12,7 +12,7 @@ jobs: permissions: contents: write # for release-drafter/release-drafter to create a github release pull-requests: write # for release-drafter/release-drafter to add label to PR - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 if: "!contains(github.event.head_commit.message, 'skip ci')" steps: # Drafts your next Release notes as Pull Requests are merged into "main"
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index f78531b..1e389cf 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -12,7 +12,7 @@ permissions: read-all jobs: analysis: name: Scorecard analysis - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 permissions: # Needed to upload the results to code-scanning dashboard. security-events: write