Tim Ellison
Got it, thanks @BethGriggs! I'll assume that gets fixed at some point. I've got some comments on the website's rendering, but will open a website issue for that. I was...
Thanks for the suggestion @danielgazineu - sounds like a good idea. Let me share a few thoughts... As you know, AQAvit is our vehicle for demonstrating a runtime's quality. AQAvit...
Take a look at the [StepSecurity tool](https://app.stepsecurity.io/securerepo) that does this, plus restricts permissions of actions. I have used it to [raise a PR on my fork of `temurin-build`](https://github.com/tellison/temurin-build/pull/1/files) as an...
see also: https://github.com/ossf/scorecard-action
> Will dependabot still tell us when we're out of date? Does it read those hashes?

Yes, it does.
Hi @varunsh-coder, thank you for dropping in and being part of the conversation. I'm just looking for consensus from people before we run this on all our repos to improve...
> Just wanted to let you know that Dependabot has recently implemented support to add tag info in comments next to the commit SHA. So secure-workflows will add support for...
Once we have been through and fixed all these versions to hashes, how will we ensure no more versions creep in? Clearly we can keep running the tool every so...
Plan is to wait until https://github.com/step-security/secure-workflows/issues/1087 is resolved before running on Adoptium repos. We agreed to set the minimal permissions scope and pin dependencies.
The PRs raised by the tool will fail the contributor agreement check (author is `Anonymous (bot@****.io)`). Will need to approve that.