kibertoad · kibertoad · May 14, 2026 · May 13, 2026 · May 13, 2026 · May 13, 2026
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -5,12 +5,16 @@ updates:
     schedule:
       interval: 'monthly'
     open-pull-requests-limit: 10
+    cooldown:
+      default-days: 7
 
   - package-ecosystem: 'npm'
     directory: '/'
     schedule:
       interval: 'weekly'
     open-pull-requests-limit: 10
+    cooldown:
+      default-days: 7
     ignore:
       - dependency-name: "eslint"
       - dependency-name: "eslint-plugin-vitest"

diff --git a/.github/workflows/ci.common.yml b/.github/workflows/ci.common.yml
@@ -13,14 +13,19 @@ on:
         type: string
         default: 'fauxqs'
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Setup Node ${{ inputs.node_version }}
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: ${{ inputs.node_version }}
           package-manager-cache: false
@@ -29,24 +34,31 @@ jobs:
         run: npm install --ignore-scripts
 
       - name: Build TS
-        run: npm run build -- --filter=${{ inputs.package_name }}
+        env:
+          PACKAGE_NAME: ${{ inputs.package_name }}
+        run: npm run build -- --filter="$PACKAGE_NAME"
 
       - name: Run lint
-        run: npm run lint -- --filter=${{ inputs.package_name }}
+        env:
+          PACKAGE_NAME: ${{ inputs.package_name }}
+        run: npm run lint -- --filter="$PACKAGE_NAME"
 
       - name: Docker start
-        run: npm run docker:start:ci -- --filter=${{ inputs.package_name }}
         env:
+          PACKAGE_NAME: ${{ inputs.package_name }}
           QUEUE_BACKEND: ${{ inputs.queue_backend }}
+        run: npm run docker:start:ci -- --filter="$PACKAGE_NAME"
 
       - name: Run Tests
-        run: |
-          echo "::notice::Running ${{ inputs.package_name }} with QUEUE_BACKEND=${{ inputs.queue_backend }}"
-          npm run test:ci -- --filter=${{ inputs.package_name }}
         env:
+          PACKAGE_NAME: ${{ inputs.package_name }}
           QUEUE_BACKEND: ${{ inputs.queue_backend }}
+        run: |
+          echo "::notice::Running $PACKAGE_NAME with QUEUE_BACKEND=$QUEUE_BACKEND"
+          npm run test:ci -- --filter="$PACKAGE_NAME"
 
       - name: Docker stop
-        run: npm run docker:stop:ci -- --filter=${{ inputs.package_name }}
         env:
+          PACKAGE_NAME: ${{ inputs.package_name }}
           QUEUE_BACKEND: ${{ inputs.queue_backend }}
+        run: npm run docker:stop:ci -- --filter="$PACKAGE_NAME"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -6,10 +6,14 @@ on:
       - main
   pull_request:
 
+permissions: {}
+
 jobs:
   changed-files-job:
     name: Get changed packages
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       packages: ${{ steps.detect.outputs.packages }}
       aws_packages: ${{ steps.detect.outputs.aws_packages }}
@@ -82,6 +86,8 @@ jobs:
   general:
     needs: [changed-files-job]
     if: needs.changed-files-job.outputs.packages != '[]'
+    permissions:
+      contents: read
     strategy:
       matrix:
         node-version: [22.x, 24.x]
@@ -94,6 +100,8 @@ jobs:
   aws-packages:
     needs: [changed-files-job]
     if: needs.changed-files-job.outputs.aws_packages != '[]'
+    permissions:
+      contents: read
     strategy:
       matrix:
         node-version: [22.x, 24.x]
@@ -113,6 +121,6 @@ jobs:
       pull-requests: write
       contents: write
     steps:
-      - uses: fastify/github-action-merge-dependabot@v3
+      - uses: fastify/github-action-merge-dependabot@59fc8817458fac20df8884576cfe69dbb77c9a07 # v3.9.1
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/ensure-labels.yml b/.github/workflows/ensure-labels.yml
@@ -12,10 +12,14 @@ on:
       - labeled
       - unlabeled
 
+permissions: {}
+
 jobs:
   ensure_labels:
     name: Ensure PR has proper labeling
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
     steps:
       - name: Check one of required labels are set
         uses: docker://agilepathway/pull-request-label-checker:v1.6.65

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -10,6 +10,8 @@ concurrency:
   group: release-main
   cancel-in-progress: false
 
+permissions: {}
+
 jobs:
   detect-changes:
     runs-on: ubuntu-latest
@@ -30,9 +32,10 @@ jobs:
           echo "bump=patch" >> $GITHUB_OUTPUT
           echo "should_publish=false" >> $GITHUB_OUTPUT
 
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Check if should skip
         id: skip-check
@@ -103,16 +106,20 @@ jobs:
 
       - name: Debug commit info
         if: steps.skip-check.outputs.should_skip != 'true' && steps.pr-info.outputs.should_publish == 'true'
+        env:
+          COMMIT_SHA: ${{ github.sha }}
+          PREVIOUS_SHA: ${{ github.event.before }}
+          PR_NUMBER: ${{ steps.pr-info.outputs.pr_number }}
         run: |
-          echo "Commit SHA: ${{ github.sha }}"
-          echo "Previous SHA: ${{ github.event.before }}"
-          echo "PR Number: ${{ steps.pr-info.outputs.pr_number }}"
+          echo "Commit SHA: $COMMIT_SHA"
+          echo "Previous SHA: $PREVIOUS_SHA"
+          echo "PR Number: $PR_NUMBER"
           echo "Files changed:"
-          git diff --name-only ${{ github.event.before }}..${{ github.sha }} || echo "git diff failed"
+          git diff --name-only "$PREVIOUS_SHA".."$COMMIT_SHA" || echo "git diff failed"
 
       - id: filter
         if: steps.skip-check.outputs.should_skip != 'true' && steps.pr-info.outputs.should_publish == 'true'
-        uses: dorny/paths-filter@v4
+        uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
         with:
           base: ${{ github.event.before }}
           ref: ${{ github.sha }}
@@ -169,6 +176,8 @@ jobs:
       - name: Build dynamic matrix
         id: build-matrix
         if: steps.skip-check.outputs.should_skip != 'true' && steps.pr-info.outputs.should_publish == 'true'
+        env:
+          CHANGED: ${{ steps.filter.outputs.changes }}
         run: |
           # Package mapping: filterKey -> name, npmName
           declare -A PKG_NAMES=(
@@ -186,7 +195,6 @@ jobs:
             ["pkg_schemas"]="schemas"
           )
 
-          CHANGED='${{ steps.filter.outputs.changes }}'
           echo "Changed filters: $CHANGED"
 
           # Build matrix JSON array
@@ -270,7 +278,7 @@ jobs:
 
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
           token: ${{ github.token }}
@@ -285,7 +293,7 @@ jobs:
         run: git pull --ff-only origin main
 
       - name: Setup Node
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: 24.x
           registry-url: 'https://registry.npmjs.org'

diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -0,0 +1,27 @@
+name: GitHub Actions Security Analysis
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: zizmor
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+        with:
+          advanced-security: false
+          annotations: true