From 9faeb282045ec3f779074695638a0cfc8c40c234 Mon Sep 17 00:00:00 2001
From: zerosnacks
Date: Tue, 16 Sep 2025 12:18:46 +0200
Subject: [PATCH 1/4] pin deps, leave foundry-toolchain unpinned to be able to catch issues upstream more easily

---
 .github/workflows/ci.yml | 4 ++--
 .github/workflows/codeql.yml | 3 +++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 12eb681a..737bcf21 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -88,7 +88,7 @@ jobs:
 - uses: actions/checkout@v5
 with:
 persist-credentials: false
- - uses: crate-ci/typos@v1
+ - uses: crate-ci/typos@85f62a8a84f939ae994ab3763f01a0296d61a7ee # v1

 ci-success:
 runs-on: ubuntu-latest
@@ -102,6 +102,6 @@ jobs:
 timeout-minutes: 10
 steps:
 - name: Decide whether the needed jobs succeeded or failed
- uses: re-actors/alls-green@release/v1
+ uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # release/v1
 with:
 jobs: ${{ toJSON(needs) }}
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index d6ad1b0d..a96e49b6 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,5 +1,8 @@
 name: CodeQL
+permissions:
+ contents: read
+

 on:
 push:
 branches: ["master"]

From 51d3fe7c1a420faa1c78f0a16b0c34f80285a5ef Mon Sep 17 00:00:00 2001
From: zerosnacks
Date: Tue, 16 Sep 2025 12:20:02 +0200
Subject: [PATCH 2/4] add dependabot

---
 .github/dependabot.yml | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..5ace4600
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"

From aacacbd666e37f71effb38dafbf593ec10d530c2 Mon Sep 17 00:00:00 2001
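Review bot: In the ci.yml hunk at `@@ -88,7 +88,7 @@`, the typos step is now pinned to a full commit SHA, but the `- uses: actions/checkout@v5` context line two lines above it in the same hunk stays on a mutable tag, so that job still picks up whatever the `v5` tag points to on the next run. For the pinning to hold for the whole job, that line should follow the same form, `- uses: actions/checkout@<commit SHA of the v5 release> # v5` (placeholder: look up the SHA of the release tag), and the same check applies to any other tag-referenced action in these workflows that falls outside the hunks shown. The dependabot config added in PATCH 2/4 targets the `github-actions` ecosystem, so it will keep SHA pins and their `# vN` comments updated once the pins are in place. The subject says foundry-toolchain is left unpinned deliberately; that reasoning does not obviously extend to checkout, so a short comment on the line, `# intentionally unpinned` or the SHA pin, would make the intent explicit.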
From: zerosnacks
Date: Tue, 16 Sep 2025 12:28:55 +0200
Subject: [PATCH 3/4] no package read permission required

---
 .github/workflows/codeql.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index a96e49b6..7edce5ea 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -22,7 +22,6 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 security-events: write
- packages: read
 actions: read
 contents: read


From f0c2da8bc8327946bc92ac656486e22a28b87a59 Mon Sep 17 00:00:00 2001
From: zerosnacks
Date: Tue, 16 Sep 2025 12:30:23 +0200
Subject: [PATCH 4/4] remove duplicate perm

---
 .github/workflows/codeql.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 7edce5ea..9bf24662 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -23,7 +23,6 @@ jobs:
 permissions:
 security-events: write
 actions: read
- contents: read
 strategy:
 fail-fast: false

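Review bot: Removing `contents: read` from the job-level `permissions` block in the PATCH 4/4 hunk (`@@ -23,7 +23,6 @@`) is not a duplicate removal: a job-level `permissions` key replaces the workflow-level set instead of merging with it, and every scope not listed there is set to none, so after this hunk the CodeQL job's token carries only `security-events: write` and `actions: read` while the workflow-level `contents: read` added in PATCH 1/4 no longer applies to it. CodeQL's documented minimum for the analysis job includes `contents: read`, so either keep the line in the job block (`contents: read`) or delete the job-level `permissions` block entirely so the workflow-level one takes effect; the job's steps are outside the hunk, so confirm against them which scopes are actually needed. The `packages: read` removal in PATCH 3/4, in the same block, is fine provided the analysis does not pull packages from the registry.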