From a1c3b953e13d5144acafeb9753b0aa9e285b1fa2 Mon Sep 17 00:00:00 2001 From: zariiii9003 <52598363+zariiii9003@users.noreply.github.com> Date: Thu, 7 Aug 2025 13:48:48 +0200 Subject: [PATCH 1/3] fix broken url --- test/test_socketcan.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/test_socketcan.py b/test/test_socketcan.py index 3df233f96..534ee2a61 100644 --- a/test/test_socketcan.py +++ b/test/test_socketcan.py @@ -377,7 +377,7 @@ def test_pypy_socketcan_support(self): This test shall document raw CAN socket support under PyPy. Once this test fails, it is likely that PyPy either implemented raw CAN socket support or at least changed the error that is thrown. - https://foss.heptapod.net/pypy/pypy/-/issues/3809 + https://github.com/pypy/pypy/issues/3808 https://github.com/hardbyte/python-can/issues/1479 """ try: @@ -386,7 +386,7 @@ def test_pypy_socketcan_support(self): if "unknown address family" not in str(e): warnings.warn( "Please check if PyPy has implemented raw CAN socket support! " - "See: https://foss.heptapod.net/pypy/pypy/-/issues/3809" + "See: https://github.com/pypy/pypy/issues/3808" ) From f3d45fb6f72b4e019c01e02b834d54440c87995d Mon Sep 17 00:00:00 2001 From: zariiii9003 <52598363+zariiii9003@users.noreply.github.com> Date: Thu, 7 Aug 2025 13:49:42 +0200 Subject: [PATCH 2/3] fix zizmor warnings --- .github/workflows/ci.yml | 55 +++++++++++++++++++++++++++------------- 1 file changed, 38 insertions(+), 17 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b799b463e..f85b08d20 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -9,6 +9,9 @@ on: env: PY_COLORS: "1" +permissions: + contents: read + jobs: test: runs-on: ${{ matrix.os }} 
@@ -29,9 +32,12 @@ jobs: ] fail-fast: false steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2 + with: + fetch-depth: 0 + persist-credentials: false - name: Install uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@e92bafb6253dcd438e0484186d7669ea7a8ca1cc # 6.4.3 - name: Install tox run: uv tool install tox --with tox-uv - name: Setup SocketCAN @@ -45,10 +51,10 @@ jobs: tox -e ${{ matrix.env }} env: # SocketCAN tests currently fail with PyPy because it does not support raw CAN sockets - # See: https://foss.heptapod.net/pypy/pypy/-/issues/3809 + # See: https://github.com/pypy/pypy/issues/3808 TEST_SOCKETCAN: "${{ matrix.os == 'ubuntu-latest' && ! startsWith(matrix.env, 'pypy' ) }}" - name: Coveralls Parallel - uses: coverallsapp/github-action@v2 + uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # 2.3.6 with: github-token: ${{ secrets.github_token }} flag-name: Unittests-${{ matrix.os }}-${{ matrix.env }} @@ -59,9 +65,12 @@ jobs: needs: test runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2 + with: + fetch-depth: 0 + persist-credentials: false - name: Coveralls Finished - uses: coverallsapp/github-action@v2 + uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # 2.3.6 with: github-token: ${{ secrets.github_token }} parallel-finished: true @@ -69,9 +78,12 @@ jobs: static-code-analysis: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2 + with: + fetch-depth: 0 + persist-credentials: false - name: Install uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@e92bafb6253dcd438e0484186d7669ea7a8ca1cc # 6.4.3 - name: Install tox run: uv tool install tox --with tox-uv - name: Run linters 
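Review bot: `fetch-depth: 0` is added to the test job's checkout with no stated reason, and the same unexplained setting lands in the checkouts at -59, -69, -84 and -97. The packaging hunk at -97 also drops the one comment that justified it. Keep the rationale beside the setting on every job that derives the version from tags, e.g. `fetch-depth: 0  # fetch tags for setuptools-scm`. The Coveralls "finished" job at -59 does not appear to build or install the package, so the default shallow clone is probably enough there. `persist-credentials: false` deserves a short comment as well, such as `# keep the job token out of the local git config`, so a later edit does not remove it as noise.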
@@ -84,9 +96,12 @@ jobs: docs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2 + with: + fetch-depth: 0 + persist-credentials: false - name: Install uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@e92bafb6253dcd438e0484186d7669ea7a8ca1cc # 6.4.3 - name: Install tox run: uv tool install tox --with tox-uv - name: Build documentation @@ -97,17 +112,18 @@ jobs: name: Packaging runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2 with: - fetch-depth: 0 # fetch tags for setuptools-scm + fetch-depth: 0 + persist-credentials: false - name: Install uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@e92bafb6253dcd438e0484186d7669ea7a8ca1cc # 6.4.3 - name: Build wheel and sdist - run: uvx --from build pyproject-build --installer uv + run: uv build - name: Check build artifacts run: uvx twine check --strict dist/* - name: Save artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # 4.6.2 with: name: release path: ./dist @@ -123,10 +139,15 @@ jobs: # upload to PyPI only on release if: github.event.release && github.event.action == 'published' steps: - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # 4.3.0 with: path: dist merge-multiple: true + - name: Generate artifact attestation + uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # 2.4.0 + with: + subject-path: 'dist/*' + - name: Publish release distributions to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # 1.12.4 From 402830f51ce8f49cfb9cf2ad88d31dbd6a9d02c5 Mon Sep 17 00:00:00 2001 
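Review bot: The new `actions/attest-build-provenance` step in the PyPI upload job needs `id-token: write` and `attestations: write`. This patch also sets workflow-level `permissions: contents: read`, so the job gets those scopes only if it declares them itself. The job header and any `permissions:` block sit above this hunk, so confirm the job carries `permissions:` with `id-token: write` and `attestations: write`. The same `id-token: write` grant is what the publish step relies on if the project uses trusted publishing. Because the job is gated on a published release, a missing scope would surface only during a release, not in ordinary CI runs.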
From: zariiii9003 <52598363+zariiii9003@users.noreply.github.com> Date: Fri, 8 Aug 2025 15:50:36 +0200 Subject: [PATCH 3/3] update dependabot.yml --- .github/dependabot.yml | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 34c1a3a8c..e2781e2ef 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -6,6 +6,21 @@ version: 2 updates: - package-ecosystem: "uv" + # Enable version updates for development dependencies directory: "/" schedule: - interval: "weekly" + interval: "monthly" + groups: + dev-deps: + patterns: + - "*" + + - package-ecosystem: "github-actions" + # Enable version updates for GitHub Actions + directory: "/" + schedule: + interval: "monthly" + groups: + github-actions: + patterns: + - "*" \ No newline at end of file
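Review bot: The `github-actions` entry uses `interval: "monthly"`, which is slow now that PATCH 2/3 pins every action to a commit SHA. GitHub documents that Dependabot alerts are raised only for actions referenced by semantic version, not by SHA, so these scheduled version updates become the only automated route for picking up a fixed action release. Consider `interval: "weekly"` for that ecosystem while keeping the grouped PR. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing in the same change.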