fix: harden GitHub Actions workflows (zizmor)

reberhardt7 · jdalton · commit d6df46fc0ca4 · 2026-03-25T11:49:03.000-04:00
- Add dependabot cooldown configuration (default 7 days)
- Fix pnpm/action-setup SHA to match v5 tag (ref-version-mismatch)
- Disable secrets-outside-env rule via .github/zizmor.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -8,3 +8,5 @@ updates:
     schedule:
       interval: yearly
     open-pull-requests-limit: 0
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/weekly-update.yml b/.github/workflows/weekly-update.yml
@@ -37,7 +37,7 @@ jobs:
           cache: ''
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@58e6119fe4f3092a76a7771efb55e04d25b6b26f # v5
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
 
       - name: Install dependencies
         shell: bash
@@ -77,7 +77,7 @@ jobs:
           cache: ''
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@58e6119fe4f3092a76a7771efb55e04d25b6b26f # v5
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
 
       - name: Install dependencies
         shell: bash
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
@@ -0,0 +1,3 @@
+rules:
+  secrets-outside-env:
+    disable: true

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+rules:`
	`2`	`+ secrets-outside-env:`
	`3`	`+ disable: true`