GHA: misc maintenance

- shellcheck: check all (future) shell scripts.
  Suggested-by: Arthur Diniz
  Fixes #38
- drop permissions where missing.
- do not persist credentials after checkout.
- install prereqs first, then checkout source.
- bump checkout action to v5.
- bump REUSE action to v6.
- omit recommended/suggested packages in debian container to save
  install time.
- bump to latest shellcheck, checkbashisms, shfmt versions via
  Linuxbrew. Also making the install step 2-6x faster.
- reduce `apt` log noise.
- run spellcheckers: codespell and typos.
- run zizmor in pedantic mode, fix minor issues. Silence two warnings
  about unpinned Debian (pedantic) and Fedora (non-pedantic)
  container images.
- replace REUSE action with pip install.
- enable Dependabot for pip and GHA (quarterly).

Closes #68

Author: vszakats

.github/dependabot.yml

@@ -0,0 +1,28 @@
+# Copyright (C) Viktor Szakats. See LICENSE.md
+# SPDX-License-Identifier: curl
+
+# https://docs.github.com/code-security/dependabot/working-with-dependabot/dependabot-options-reference
+
+version: 2
+updates:
+  - package-ecosystem: 'github-actions'
+    directory: '/'
+    schedule:
+      interval: 'quarterly'
+    cooldown:
+      default-days: 30
+    groups:
+      actions-deps:
+        patterns:
+          - '*'
+
+  - package-ecosystem: 'pip'
+    directories:
+      - '.github/workflows'
+    schedule:
+      interval: 'quarterly'
+    cooldown:
+      default-days: 7
+      semver-major-days: 15
+      semver-minor-days: 7
+      semver-patch-days: 3

.github/workflows/requirements.txt

@@ -0,0 +1,5 @@
+# Copyright (C) Viktor Szakats. See LICENSE.md
+# SPDX-License-Identifier: curl
+
+codespell==2.4.1
+reuse==6.1.2

.github/workflows/reuse.yml

@@ -38,40 +38,82 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   lint:
+    name: lint
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: Install tools
         run: |
-          sudo apt-get update
-          sudo apt-get install -y shellcheck devscripts shfmt
+          /home/linuxbrew/.linuxbrew/bin/brew install zizmor shellcheck checkbashisms shfmt typos-cli
+          python3 -m venv ~/venv
+          ~/venv/bin/pip --disable-pip-version-check --no-input --no-cache-dir install --progress-bar off --prefer-binary \
+            -r .github/workflows/requirements.txt
+
+      - name: 'REUSE check'
+        run: |
+          source ~/venv/bin/activate
+          reuse lint
+
+      - name: Run zizmor
+        env:
+          GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
+        run: |
+          eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
+          zizmor --pedantic .github/workflows/*.yml
 
       - name: Run shellcheck
-        run: shellcheck wcurl tests/*
+        run: |
+          eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
+          shellcheck --version
+          shellcheck $(grep -l '^#!/bin/sh' $(git ls-files))
 
       - name: Run checkbashisms
-        run: checkbashisms wcurl tests/*
+        run: |
+          eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
+          checkbashisms --version
+          checkbashisms $(grep -l '^#!/bin/sh' $(git ls-files))
 
       - name: Run shfmt
-        run: shfmt --func-next-line --space-redirects --case-indent --binary-next-line --indent 4 --posix --diff .
+        run: |
+          eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
+          shfmt --version
+          shfmt --func-next-line --space-redirects --case-indent --binary-next-line --indent 4 --posix --diff .
+
+      - name: Run codespell
+        run: |
+          source ~/venv/bin/activate
+          codespell --version
+          codespell
+
+      - name: Run typos
+        run: |
+          eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
+          typos --version
+          typos
 
   debian:
     name: debian
     runs-on: ubuntu-latest
     container:
-      image: debian:stable
+      image: debian:stable  # zizmor: ignore[unpinned-images]
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
       - name: Install curl and shunit2
         run: |
-          apt-get update
-          apt-get install -y curl shunit2
+          apt-get -o Dpkg::Use-Pty=0 update
+          apt-get -o Dpkg::Use-Pty=0 install -y --no-install-suggests --no-install-recommends curl shunit2
+
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: Run shunit2 tests
         run: ./tests/tests.sh
@@ -80,11 +122,8 @@ jobs:
     name: fedora
     runs-on: ubuntu-latest
     container:
-      image: fedora:latest
+      image: fedora:latest  # zizmor: ignore[unpinned-images]
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
       - name: Install git and shunit2
         run: |
           dnf install -y git
@@ -94,18 +133,25 @@ jobs:
           cd shunit2
           cp shunit2 /usr/local/bin/shunit2
 
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+
       - name: Run shunit2 tests
         run: ./tests/tests.sh
 
   macos:
     name: macos
     runs-on: macos-latest
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
       - name: Install shunit2
-        run: brew install shunit2
+        run: HOMEBREW_NO_AUTO_UPDATE=1 brew install shunit2
+
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: Run shunit2 tests
         run: ./tests/tests.sh