P-2208: Harden github actions (#32)

* chore: harden GitHub Actions (P-2208)

- dependabot: 7-day cooldown on github-actions + npm ecosystems
- ci.yml: persist-credentials: false on all 4 checkouts; explicit pnpm version: 11
- release.yml: persist-credentials: false; drop pnpm cache from setup-node
  (cache-poisoning mitigation); quote variable to fix SC2086; explicit
  pnpm version: 11

Refs P-2208.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(ci): remove redundant pnpm version pin from action-setup

The `with: version: 11` on `pnpm/action-setup` conflicts with
`packageManager: pnpm@11.1.1` in package.json — the action refuses
both and errors with ERR_PNPM_BAD_PM_VERSION. Drop the action input
and let action-setup resolve from packageManager, which is the more
precise pin.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* release: remove redundant zizmor cache-poisoning ignore

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: keiloktql

.github/dependabot.yml

@@ -4,9 +4,13 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    cooldown:
+      default-days: 7
 
   - package-ecosystem: "npm"
     directory: "/"
     schedule:
       interval: "weekly"
     open-pull-requests-limit: 10
+    cooldown:
+      default-days: 7

.github/workflows/ci.yml

@@ -18,6 +18,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Setup pnpm
         uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
@@ -45,6 +47,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Setup pnpm
         uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
@@ -66,6 +70,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Setup pnpm
         uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
@@ -90,6 +96,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Setup pnpm
         uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8

.github/workflows/release.yml

@@ -17,6 +17,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0  # Fetch all history for changelog generation
+          persist-credentials: false
 
       - name: Verify tag is on main branch
         env:
@@ -40,8 +41,8 @@ jobs:
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: "22.14.0"
-          cache: 'pnpm'
           # No registry-url - using OIDC trusted publishing instead
+          # No cache - mitigates cache-poisoning risk in publish workflow
 
       - name: Update npm for trusted publishing
         run: npm install -g npm@latest
@@ -111,7 +112,7 @@ jobs:
             echo "Generating changelog from $PREV_TAG to $GITHUB_REF_NAME"
             # Extract commits with PR numbers and format them
             # Use tab as delimiter to safely handle semicolons and special characters
-            COMMITS=$(git log ${PREV_TAG}..HEAD --pretty=format:"%s	%h" --no-merges)
+            COMMITS=$(git log "${PREV_TAG}..HEAD" --pretty=format:"%s	%h" --no-merges)
           else
             echo "No previous tag found, using all commits"
             COMMITS=$(git log --pretty=format:"%s	%h" --no-merges)