advanced-security · Copilot · May 20, 2026 · May 20, 2026 · May 20, 2026 · May 20, 2026
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -17,11 +17,11 @@ updates:
       prefix-development: chore
     labels:
       - "Dependencies"
+    cooldown:
+      default-days: 3
     groups:
-      production-dependencies:
-        dependency-type: "production"
-      development-dependencies:
-        dependency-type: "development"
+      actions:
+        patterns: ["*"]
 
   - package-ecosystem: "cargo"
     directory: "/"
@@ -35,6 +35,8 @@ updates:
       prefix-development: chore
     labels:
       - "Dependencies"
+    cooldown:
+      default-days: 3
     groups:
       production-dependencies:
         dependency-type: "production"

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -162,5 +162,5 @@ jobs:
       - name: "Lint Markdown"
         if: steps.changes.outputs.src == 'true'
         run: |
-          npm install -g markdownlint-cli
-          markdownlint '**.md' --ignore node_modules --disable MD013
+          npm ci
+          npx markdownlint '**.md' --ignore node_modules --disable MD013
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
@@ -18,7 +18,7 @@ jobs:
       - name: "Run Coverage Report"
         if: github.ref == 'refs/heads/main'
         run: |
-          pip install ghastoolkit
+          pip install -r requirements.txt --require-hashes
           ./scripts/create-coverage.py report --markdown > $GITHUB_STEP_SUMMARY
 
       - name: "Upload Coverage Report"

diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -17,7 +17,6 @@ jobs:
       pull-requests: write
 
     steps:
-    - uses: actions/checkout@v6
     - uses: actions/labeler@v6
       with:
         repo-token: "${{ secrets.GITHUB_TOKEN }}"

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -25,7 +25,7 @@ jobs:
         run: |
           set -e
 
-          pip install yq
+          pip install -r requirements.txt --require-hashes
           current_version=$(cat .release.yml | yq -r ".version")
 
           released_version=$(gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/:owner/:repo/releases/latest | jq -r ".tag_name")

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -37,7 +37,7 @@ jobs:
         id: get_version
         run: |
           set -e
-          pip install yq
+          pip install -r requirements.txt --require-hashes
           echo "version=$(cat .release.yml | yq -r ".version")" >> "$GITHUB_ENV"
           echo "release=true" >> "$GITHUB_ENV"
 

diff --git a/.github/workflows/version.yml b/.github/workflows/version.yml
@@ -29,7 +29,7 @@ jobs:
         env:
           GH_TOKEN: ${{ github.token }}
         run: |
-          pip install ghastoolkit
+          pip install -r requirements.txt --require-hashes
           python ./.github/scripts/codeql.py version \
             --bump "${{ github.event.inputs.bump }}"
 

diff --git a/.gitignore b/.gitignore
@@ -9,6 +9,7 @@ ql/test/**/*.actual
 ql/test/**/CONSISTENCY
 work
 testing/
+node_modules/
 
 *.sarif
 *.tar.gz