From 9a2d0b0e08fac79154f3c25e8bf35eb2e4d74c10 Mon Sep 17 00:00:00 2001 From: t0kubetsu Date: Tue, 9 Jun 2026 10:16:36 +0200 Subject: [PATCH 1/4] chore(ci): add CI workflow and Dependabot hardening - CI runs inside containerised Debian/Python/Node images (not bare ubuntu-latest) - Dependabot enabled for package ecosystem + github-actions --- .github/dependabot.yml | 7 +++++++ .github/workflows/ci.yml | 27 +++++++++++++++++++++++++++ 2 files changed, 34 insertions(+) create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/ci.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..50e50eb --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,7 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: monthly + labels: [dependencies, ci] diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000..9f5a355 --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,27 @@ +name: CI +on: + push: + branches: [main, dev, 'feature/**'] + pull_request: + branches: [main, dev] +jobs: + shellcheck: + name: ShellCheck + runs-on: ubuntu-latest + container: + image: debian:trixie-slim + steps: + - run: apt-get update && apt-get install -y --no-install-recommends git shellcheck + - uses: actions/checkout@v4 + - run: find . -name '*.sh' -exec shellcheck --severity=warning {} + + + ansible-lint: + name: Ansible Lint + runs-on: ubuntu-latest + container: + image: python:3.13-slim + steps: + - run: apt-get update && apt-get install -y --no-install-recommends git + - uses: actions/checkout@v4 + - run: pip install --no-cache-dir ansible-lint + - run: ansible-lint . --profile=production From 616bb059c8333aac3ee714a2ede920be9385819a Mon Sep 17 00:00:00 2001 
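Review bot: The commit message says Dependabot is enabled for "package ecosystem + github-actions", but the new .github/dependabot.yml declares only the single `- package-ecosystem: github-actions` entry under `updates:`, so the project's own dependencies get no update PRs from this change. Either add a second `updates:` entry for whichever ecosystem the repository actually uses, or reword the message so it does not promise coverage the config does not provide. The file also lacks a `---` document start, which yamllint's default `document-start` rule will flag; adding it costs one line.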
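Review bot: The new workflow sets no `permissions:` block, so both jobs run with the repository's default GITHUB_TOKEN scope even though they only read the checkout; for a commit described as hardening, add at the top level of ci.yml `permissions:` / `  contents: read`. In the same spirit, `actions/checkout@v4` (and the `@v6` bumps in PATCH 4/4) is pinned to a mutable tag rather than a commit SHA; pin to the full SHA with a trailing `# vN` comment, which the github-actions Dependabot entry added in this same commit will keep updated. `pip install --no-cache-dir ansible-lint` installs whatever version is current on each run, so lint results can change with no change to the repository; pin it (`ansible-lint==<pinned version>`). The `debian:trixie-slim` and `python:3.13-slim` images are likewise mutable tags, acceptable for lint jobs but worth a digest pin if reproducible runs matter.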
From: t0kubetsu Date: Tue, 9 Jun 2026 10:30:25 +0200 Subject: [PATCH 2/4] fix(ci): add ca-certificates to debian:trixie-slim apt install debian:trixie-slim ships without CA certificates; actions/checkout@v4 clones via HTTPS and fails with "SSL CA cert" error without them. --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9f5a355..448d3c7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -11,7 +11,7 @@ jobs: container: image: debian:trixie-slim steps: - - run: apt-get update && apt-get install -y --no-install-recommends git shellcheck + - run: apt-get update && apt-get install -y --no-install-recommends ca-certificates git shellcheck - uses: actions/checkout@v4 - run: find . -name '*.sh' -exec shellcheck --severity=warning {} + From d01a3506f26a25be7050b113d925c14ca1b38732 Mon Sep 17 00:00:00 2001 From: t0kubetsu Date: Tue, 9 Jun 2026 11:56:52 +0200 Subject: [PATCH 3/4] =?UTF-8?q?ci(workflow):=20fix=20push=20branch=20trigg?= =?UTF-8?q?ers=20=E2=80=94=20feat/**=20+=20fix/**=20replace=20feature/**?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 448d3c7..3bf2f71 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,7 +1,7 @@ name: CI on: push: - branches: [main, dev, 'feature/**'] + branches: [main, dev, 'feat/**', 'fix/**'] pull_request: branches: [main, dev] jobs: From dd00c8de26b43399b2b9930f5446fe8b6b517e0c Mon Sep 17 00:00:00 2001 From: t0kubetsu Date: Tue, 9 Jun 2026 17:35:51 +0200 Subject: [PATCH 4/4] fix(ci): bump actions/checkout from v4 to v6 --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3bf2f71..42c72ee 100644 
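Review bot: With `push` now firing on `feat/**` and `fix/**` while `pull_request` fires for PRs into `main` and `dev`, every push to a feature branch that already has an open PR runs both lint jobs twice, once per event. If the intent is to lint branches before a PR exists that is a reasonable trade-off, but otherwise restricting `push` to `branches: [main, dev]` and relying on `pull_request` for feature work halves the runs. The whole `on:` block is inside this hunk.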
--- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -12,7 +12,7 @@ jobs: image: debian:trixie-slim steps: - run: apt-get update && apt-get install -y --no-install-recommends ca-certificates git shellcheck - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - run: find . -name '*.sh' -exec shellcheck --severity=warning {} + ansible-lint: @@ -22,6 +22,6 @@ jobs: image: python:3.13-slim steps: - run: apt-get update && apt-get install -y --no-install-recommends git - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - run: pip install --no-cache-dir ansible-lint - run: ansible-lint . --profile=production