fix: harden GitHub Actions workflows (zizmor)

- Add `permissions: {}` to test workflow to fix excessive-permissions
- Upgrade actions/checkout to v6.0.2 and add persist-credentials: false
- Remove npm cache from publish workflow to prevent cache-poisoning
- Add dependabot cooldown configuration (auto-fix)
- Disable secrets-outside-env rule via .github/zizmor.yml

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: reberhardt7

.github/dependabot.yml

@@ -5,7 +5,11 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+    cooldown:
+      default-days: 7
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "daily"
+    cooldown:
+      default-days: 7

.github/workflows/provenance.yml

@@ -22,12 +22,13 @@ jobs:
       id-token: write
 
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f #v6.1.0
         with:
           node-version: '22'
           registry-url: 'https://registry.npmjs.org'
-          cache: npm
           scope: '@socketregistry'
       - run: npm install -g npm@latest
       - run: npm ci

.github/workflows/test.yml

@@ -3,6 +3,8 @@ name: tests
 
 on: [pull_request, push]
 
+permissions: {}
+
 env:
   FORCE_COLOR: 1
 
@@ -17,7 +19,9 @@ jobs:
         node: ['lts/*']
 
     steps:
-    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
     - name: Use Node.js ${{ matrix.node }}
       uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f #v6.1.0
       with:

.github/zizmor.yml

@@ -0,0 +1,3 @@
+rules:
+  secrets-outside-env:
+    disable: true