From 136b59a4a60ac63f62c9916524c6cd7bde91c4e4 Mon Sep 17 00:00:00 2001 From: lars20070 Date: Tue, 21 Apr 2026 09:34:39 +0200 Subject: [PATCH 1/6] Ignore all instances of .DS_Store --- .gitignore | 2 +- website/.DS_Store | Bin 8196 -> 0 bytes 2 files changed, 1 insertion(+), 1 deletion(-) delete mode 100644 website/.DS_Store diff --git a/.gitignore b/.gitignore index 8135818..f3709a2 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,4 @@ -.DS_Store +**/.DS_Store node_modules dist .pnpm-debug.log diff --git a/website/.DS_Store b/website/.DS_Store deleted file mode 100644 index 1e8142416237f3421281e458e54a00755e44bfd8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8196 zcmeHMU2GIp6u#fI(3yeC6lf{C0X8)9Q;M_&TK){%c8gRXknWb20rKPka*pAH^7d5>1E@A0WPID$0xTC-Fre4Ekg=dhXm=Lbp`q#emLD?mhS3 zbI!f@oco=*d+##F&|T2m7;9vV$&@+O=1_5q#Q8i=OH$ConIL_}OqR=*-0`gCWT#1o z9iaz84}=~FJrH^z^uV3q0XnmJl4m&g1ve~14}>20UwVLlA7Yd_jR$l>Q2*0Gg?|Mg zT20-4qB`9Je4SW8;{lxz)K{f3#q9xsDuOEpggWtKT%2e;pc8@$bq1l%5X_9=h5~dI<~vt$h$<- z+B}y$(3f-UeR+fP2Xl^97_;59R+r0Ixq_APj4sPcnvWRnkY^nCcx~8q@?MWGnAWs{ zYxEl=XBLeFNxMTP4adb6-n3v|g>rsw{gUM?*0gTivOTeL_rA&6d**3%^Hp`2+-Q5| z5!1*IluX?lJ&tLx z$+ADk(q&QgkWP!+bn=#F*ps;&gn_Y!Z|9nIv8y(NNR(A!77{*F;USL)SG&+(b$kUeC`0X|%puKQ** zHY}=*_D55)_L)q(WZFfOU{9Ma&@VT|o5lY4o>iLSt-*H5Y%#l!4z8W-5Hl#aPO~%Y zMRtz8$=+v|*k$%9yT-m^->`4lckD-Yo&APt)M6eq)FFbESdC_^!3M<9g>LM^KJ+7r z6b>T`9R`lTK>;Nk#|b=!CvXN&;c2{pm+=~2#~V103-|~ZaS5N`b6mw2_!`&oGk(GE zQjH`_iZowZAk|9^(rT$$S}$#qHj9-@<%k*%ED4CzO_j=s37+|+W4DT!$c_ipzB?jf zuFVxOvS4BT(xz2w+dH<#Z(vD)uZ*{wQS3u^3gCU{`a4~Lxk(XB>XLGxRYuhSVcs|{ zbKq(z~57xKYhwLJ|!X^o<-?JasPwWrK1knb>u!2C! zA-WbF=)`7h!8Y__2X>;5;F`h!1~G(T=7Ef94J$lc6YU^#Bv+?{l9nS_y4=gsBpER2SN|rmIqLsNGA9RKhsBz-?d|uAEwL` zmzxmOSD}K7@P7X~PV~kfhE$IQym&w-1SJlofBhjKJpbt$@DF~hhUY(r=ae74|E2T) EPdFWEHUIzs From 11c89f834a196eb93eb6f36f1051c164437dbf65 Mon Sep 17 00:00:00 2001 
From: lars20070 Date: Tue, 21 Apr 2026 09:58:21 +0200 Subject: [PATCH 2/6] bypass approval --- .github/workflows/lat-check.yaml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/lat-check.yaml b/.github/workflows/lat-check.yaml index a9a7de7..8029ced 100644 --- a/.github/workflows/lat-check.yaml +++ b/.github/workflows/lat-check.yaml @@ -1,5 +1,8 @@ name: lat check -on: [push, pull_request] +on: + push: + pull_request_target: + types: [ opened, synchronize, reopened ] permissions: contents: read @@ -9,4 +12,6 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha || github.sha }} - uses: lars20070/lat-check-action@v1 From 655bd7550d8eedfcb64658b422773e19c4909276 Mon Sep 17 00:00:00 2001 From: lars20070 Date: Tue, 21 Apr 2026 10:21:51 +0200 Subject: [PATCH 3/6] Add comments --- .github/workflows/lat-check.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/lat-check.yaml b/.github/workflows/lat-check.yaml index 8029ced..893bf51 100644 --- a/.github/workflows/lat-check.yaml +++ b/.github/workflows/lat-check.yaml @@ -2,8 +2,11 @@ name: lat check on: push: pull_request_target: + # Use `pull_request_target` so fork PRs run without maintainer approval. + # Note: do NOT execute PR code in any step below. types: [ opened, synchronize, reopened ] +# Minimal token. Mitigation against the `pull_request_target` foot-gun. permissions: contents: read @@ -13,5 +16,9 @@ jobs: steps: - uses: actions/checkout@v4 with: + # `pull_request_target` checks out the base by default. + # Pin to the PR head SHA so we actually check the PR's changes. + # `push` has no PR payload, so fall through to `github.sha`, + # i.e. the pushed commit. ref: ${{ github.event.pull_request.head.sha || github.sha }} - uses: lars20070/lat-check-action@v1 From 60fe0f280c1b9d07d6b836f7ff0e0ef51fb2e8eb Mon Sep 17 00:00:00 2001 
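Review bot: The new `push:` trigger in the first hunk of PATCH 2/6 has no branch filter, so a pull request opened from a branch inside this repository fires both `push` and `pull_request_target` and `lat-check` checks the same commit twice; if only the default branch needs the `push` run, narrow it to `push:` / `  branches: [<default-branch>]` (placeholder for the repository's default branch). Fork PRs only fire `pull_request_target`, so that path is unaffected. Because `pull_request_target` runs the base branch's copy of this workflow, a fork PR cannot alter the trigger list or the `permissions: contents: read` block visible in the context lines; the only PR-controlled input is the tree that the `ref:` line in the second hunk checks out, which is why the read-only token matters there.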
From: lars20070 Date: Thu, 30 Apr 2026 17:44:28 +0200 Subject: [PATCH 4/6] Remove recursive ignore for .DS_Store in .gitignore --- .gitignore | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index f3709a2..8135818 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,4 @@ -**/.DS_Store +.DS_Store node_modules dist .pnpm-debug.log From 1aea8f5488d9208a66b7581eaa59b33949a3a68c Mon Sep 17 00:00:00 2001 From: lars20070 Date: Sat, 16 May 2026 09:44:18 +0200 Subject: [PATCH 5/6] Pin SHA for actions --- .github/workflows/lat-check.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/lat-check.yaml b/.github/workflows/lat-check.yaml index 893bf51..1d5e8ea 100644 --- a/.github/workflows/lat-check.yaml +++ b/.github/workflows/lat-check.yaml @@ -4,7 +4,7 @@ on: pull_request_target: # Use `pull_request_target` so fork PRs run without maintainer approval. # Note: do NOT execute PR code in any step below. - types: [ opened, synchronize, reopened ] + types: [opened, synchronize, reopened] # Minimal token. Mitigation against the `pull_request_target` foot-gun. permissions: @@ -14,11 +14,11 @@ jobs: lat-check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 with: # `pull_request_target` checks out the base by default. # Pin to the PR head SHA so we actually check the PR's changes. # `push` has no PR payload, so fall through to `github.sha`, # i.e. the pushed commit. ref: ${{ github.event.pull_request.head.sha || github.sha }} - - uses: lars20070/lat-check-action@v1 + - uses: lars20070/lat-check-action@94f09a73ede7899a2bb3acbda2d3ea1455bbddf9 From c472fc75893cefe280f4c48d8a4ba6d2bfd8ff23 Mon Sep 17 00:00:00 2001 From: lars20070 Date: Sat, 16 May 2026 09:51:47 +0200 Subject: [PATCH 6/6] Do not write GITHUB_TOKEN --- .github/workflows/lat-check.yaml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) 
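Review bot: The two SHA pins added in the second hunk of PATCH 5/6 carry no human-readable version, so a reader cannot tell which release `34e114876b0b11c390a56381ad16ebd13914f8d5` or `94f09a73ede7899a2bb3acbda2d3ea1455bbddf9` corresponds to, and the pins become hard to audit or bump. The usual form keeps the tag as a trailing comment, `- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # <tag> (placeholder: the release this SHA was taken from)`, and the same for the `lars20070/lat-check-action` line; Dependabot and Renovate keep such comments in sync when they update the SHA. Since the comment above the steps relies on this action never executing checkout contents, it is worth saying in the same trailing comment that the action's diff must be re-read against that invariant before the SHA is bumped.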
diff --git a/.github/workflows/lat-check.yaml b/.github/workflows/lat-check.yaml index 1d5e8ea..263744d 100644 --- a/.github/workflows/lat-check.yaml +++ b/.github/workflows/lat-check.yaml @@ -2,11 +2,14 @@ name: lat check on: push: pull_request_target: - # Use `pull_request_target` so fork PRs run without maintainer approval. - # Note: do NOT execute PR code in any step below. + # `lat check` is a pure static analyzer: tree-sitter parsing of source + # files, regex scanning for `@lat:` comments, and markdown parsing. It + # never installs dependencies, requires/imports from the checkout, or + # loads config from the working tree. types: [opened, synchronize, reopened] -# Minimal token. Mitigation against the `pull_request_target` foot-gun. +# Read-only token. With `pull_request_target` + PR-head checkout, this is +# the primary blast-radius limiter if the invariant above is ever broken. permissions: contents: read @@ -21,4 +24,6 @@ jobs: # `push` has no PR payload, so fall through to `github.sha`, # i.e. the pushed commit. ref: ${{ github.event.pull_request.head.sha || github.sha }} + # Don't write the GITHUB_TOKEN into .git/config + persist-credentials: false - uses: lars20070/lat-check-action@94f09a73ede7899a2bb3acbda2d3ea1455bbddf9
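Review bot: The rewritten comment under `pull_request_target:` states the "pure static analyzer" invariant as a property of the action, but the property only holds for the specific revision pinned on the last line of the second hunk, and nothing in the file ties the two together. Suggest ending that comment with `# Verified against lars20070/lat-check-action@94f09a73ede7899a2bb3acbda2d3ea1455bbddf9 — re-verify before changing the pin.` so a future bump of the SHA is recognised as the moment the invariant must be re-checked. `persist-credentials: false` removes the token from `.git/config`, but `${{ github.token }}` remains available to any step that is passed it in `with:`; it would be worth a short line on the `permissions` comment noting that no step in this job forwards the token and none should be added under `pull_request_target`.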