From eee86ec5b4a5f9a2eb3b7a237f4bf708fd466af4 Mon Sep 17 00:00:00 2001
From: Tobias Wochinger
Date: Wed, 15 Apr 2026 10:27:12 +0200
Subject: [PATCH 1/2] ci: add missing dependabot cooldown
---
 .github/dependabot.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 091812ec..d8e70154 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -34,6 +34,9 @@ updates:
 directory: "/examples"
 schedule:
 interval: "daily"
+ # making zizmor happy as it requires a cooldown value, but we ignore all dependencies in this folder anyway
+ cooldown:
+ default-days: 7
 labels: []
 ignore:
 - dependency-name: "*"
From 3ee47ea9e1223885e9ed8f5f87405266a06cf6bc Mon Sep 17 00:00:00 2001
From: Tobias Wochinger
Date: Fri, 17 Apr 2026 13:57:19 +0200
Subject: [PATCH 2/2] fix(ci): disable zizmor advanced security to unblock release pushes
With advanced-security enabled, zizmor uploads SARIF to GitHub Code Scanning. A branch protection ruleset requiring code scanning results would block the release workflow because its version-bump commit doesn't exist on GitHub yet, so code scanning can't produce results for it. Switching to advanced-security: false keeps zizmor as a regular CI check (pass/fail) without uploading to Code Scanning. Also sets min-severity to medium to filter out noisy low-severity findings.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/zizmor.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index c706f5c4..725619c3 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -19,7 +19,6 @@ jobs:
 if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
 runs-on: ubuntu-latest
 permissions:
- security-events: write
 contents: read
 steps:
 - name: Checkout 
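Review bot: The added comment above `cooldown:` in the `/examples` entry is over 100 characters and explains the setting in terms of the linter rather than the configuration; a shorter line at the same spot reads better, e.g. `# Required by zizmor's dependabot audit; has no practical effect here because every dependency in this directory is ignored below.` It is also worth making the comment explicit that the `ignore` entry with `dependency-name: "*"` suppresses, as far as I recall from the Dependabot docs, security updates as well as version updates unless `update-types` narrows it, so this entry effectively opts the examples out of all Dependabot PRs. The enclosing `updates:` entry (its `package-ecosystem` line) begins above the hunk.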
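Review bot: Dropping `security-events: write` from `permissions:` is the correct least-privilege follow-through once nothing is uploaded to Code Scanning, but the job-level `if:` that skips pull requests from forks was presumably there for the same reason (a fork PR cannot get a token with that scope), and with the upload gone its only remaining effect is that fork PRs receive no zizmor check at all. Either relax the gate or record why it stays, e.g. a comment above `if:` such as `# fork PRs are skipped: <reason — placeholder>`. The job definition starts above the hunk, so the trigger configuration is not visible here.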
@@ -29,4 +28,7 @@ jobs:
 - name: Run zizmor
 uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
 with:
- advanced-security: true
+ # Using false as a code scanning ruleset would block the release
+ # workflow which creates a new commit and pushes directly to main.
+ advanced-security: false
+ min-severity: medium
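Review bot: `min-severity: medium` is not explained in the file; the new comment only justifies `advanced-security: false`, yet the severity cut is the more consequential change now that this step's pass/fail result is the only place findings surface at all, and low-severity findings will simply never be seen. Extend the comment with something like `# min-severity: medium drops low-severity findings; they are not uploaded anywhere else, so revisit if a low finding class becomes relevant`, and if the noise was false positives rather than genuinely minor findings, zizmor's `min-confidence` filter is the more targeted knob. As a wording nit, `Using false as a code scanning ruleset would block` reads as "in the role of"; `because` is meant. The `Run zizmor` step belongs to the job whose header is above the hunk.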