P-2208: Harden github actions

[keiloktql]

• dependabot: 7-day cooldown on github-actions + npm ecosystems
• ci.yml: persist-credentials: false on all 4 checkouts; explicit pnpm version: 11
• release.yml: persist-credentials: false; drop pnpm cache from setup-node (cache-poisoning mitigation); quote variable to fix SC2086; explicit pnpm version: 11

Refs P-2208.

---

^{Need help on this PR? Tag @codesmith with what you need.}

• Let Codesmith autofix CI failures and bot reviews

[linear-code]

P-2208

[gemini-code-assist]

Code Review

This pull request attempts to introduce a cooldown property to the Dependabot configuration for both GitHub Actions and npm ecosystems. However, the review feedback correctly identifies that cooldown is not a supported key in the official Dependabot schema, which will lead to validation errors and prevent Dependabot from processing updates for these ecosystems.

[gemini-code-assist]

The cooldown property is not a supported configuration key in the official GitHub Dependabot schema. Including this key will cause a validation error, and Dependabot will fail to process updates for the github-actions ecosystem. If the intention is to delay updates to mitigate potential supply chain risks (e.g., waiting for a 'soak' period), Dependabot does not currently support this natively. You may need to use a third-party tool or adjust the schedule to achieve a similar effect.

[gemini-code-assist]

The cooldown property is not recognized by the Dependabot configuration parser. This will likely result in a 'Dependabot couldn't parse your .github/dependabot.yml' error in the GitHub repository settings, preventing updates for the npm ecosystem. It is recommended to remove these lines to ensure the configuration remains valid.

[keiloktql]

The cooldown property is not a supported configuration key in the official GitHub Dependabot schema.

This is incorrect — cooldown is officially supported by Dependabot version updates. GitHub shipped GA on 2025-07-01 and expanded ecosystem coverage on 2025-07-29:

• Changelog: Dependabot supports configuration of a minimum package age (2025-07-01)
• Changelog: Dependabot expanded cooldown and package manager support (2025-07-29)
• Schema reference: cooldown.default-days in the Dependabot options reference

default-days is supported across all package ecosystems including github-actions and npm. This is also the exact field zizmor's dependabot-cooldown audit recommends. Keeping both blocks as-is.

[keiloktql]

Done in e539803, but flagging for posterity: the zizmor: ignore[cache-poisoning] was not dead config — zizmor still flags actions/setup-node with cache-poisoning ("enables caching by default", Low confidence) under release-tag triggers even with no cache: key, because the heuristic is on the action itself. The ignore was actively suppressing that Low-confidence false positive.

Removing it anyway for consistency with sibling SDKs (getformo/sdk, getformo/sdk-node), both of which carry the same residual finding without suppression. The actual cache-poisoning mitigation (removing cache: 'pnpm') is in place; the Low residual is the documented heuristic noise.