diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 7e365f9..df54fbf 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,7 +5,11 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+    cooldown:
+      default-days: 7
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "daily"
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/provenance.yml b/.github/workflows/provenance.yml
index d5b40b3..5e4fed5 100644
--- a/.github/workflows/provenance.yml
+++ b/.github/workflows/provenance.yml
@@ -22,13 +22,15 @@ jobs:
       id-token: write
 
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f #v6.1.0
         with:
           node-version: '22'
           registry-url: 'https://registry.npmjs.org'
-          cache: npm
           scope: '@socketregistry'
+          package-manager-cache: false
       - run: npm install -g npm@latest
       - run: npm ci
       - name: Build package
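Review bot: The new `cooldown` stanza gives no reason for the seven-day value, and the same number is repeated verbatim for both ecosystems, so whoever tunes it later has nothing to go on. A one-line comment above the first `cooldown:` such as `# hold new releases for 7 days so versions that are yanked or flagged shortly after publication are never proposed` records the supply-chain intent; if the intent also covers security updates, confirm in the Dependabot documentation that cooldown applies to them. Both stanzas sit inside the `updates:` list whose start is outside the hunk.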
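Review bot: `package-manager-cache: false` replaces `cache: npm` without saying why the publish job now forgoes the dependency cache, which invites someone to switch it back on for speed; a comment on that line, `# publish job installs fresh from the lockfile; no restored cache`, would pin the intent — presumably that is the reason, confirm. The `persist-credentials: false` addition is consistent with the same change in test.yml. The job's `permissions:` block begins outside the hunk; only `id-token: write` is visible here.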
@@ -41,25 +43,13 @@ jobs:
         env:
           SOCKET_CLI_DEBUG: ${{ inputs.debug }}
       - name: Create GitHub Release
-        id: create_release
-        uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          tag_name: v${{ steps.package-version.outputs.version }}
-          release_name: Release v${{ steps.package-version.outputs.version }}
-          body: |
-            Release of @socketsecurity/mcp v${{ steps.package-version.outputs.version }}
-
-            This release has been published to npm with provenance.
-          draft: false
-          prerelease: false
-      - name: Upload Package to Release
-        uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: ./socketsecurity-mcp-${{ steps.package-version.outputs.version }}.tgz
-          asset_name: socketsecurity-mcp-${{ steps.package-version.outputs.version }}.tgz
-          asset_content_type: application/gzip
+          VERSION: ${{ steps.package-version.outputs.version }}
+        run: |
+          notes=$(printf '%s\n\n%s' \
+            "Release of @socketsecurity/mcp v${VERSION}" \
+            "This release has been published to npm with provenance.")
+          gh release create "v${VERSION}" "socketsecurity-mcp-${VERSION}.tgz" \
+            --title "Release v${VERSION}" \
+            --notes "$notes"
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 448fe15..13b1b8d 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -3,6 +3,8 @@ name: tests
 
 on: [pull_request, push]
 
+permissions: {}
+
 env:
   FORCE_COLOR: 1
 
@@ -17,7 +19,9 @@ jobs:
         node: ['lts/*']
 
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Use Node.js ${{ matrix.node }}
         uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f #v6.1.0
         with:
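Review bot: When the tag `v${VERSION}` does not already exist, `gh release create` creates it on the default branch head, whereas the removed `actions/create-release` step tagged the commit the workflow ran on, so the release can end up pointing at a commit other than the one that built the published tarball; pass the built commit explicitly, `gh release create "v${VERSION}" "socketsecurity-mcp-${VERSION}.tgz" --target "$GITHUB_SHA" \`. If the workflow is only triggered by tag pushes this is moot, but the trigger is outside the hunk. The step also needs `contents: write` on GITHUB_TOKEN; the job's permissions block shows only `id-token: write` in the first hunk and starts outside it, so confirm the scope is present. Passing the version through `env` instead of interpolating `${{ }}` into the script keeps step outputs out of the shell source, which is the right shape.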
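Review bot: `permissions: {}` at workflow level leaves GITHUB_TOKEN with no scopes, so the `actions/checkout` step in the next hunk needs a job-level `permissions: contents: read` if this repository is private; on a public repository the checkout typically still succeeds, but that should be confirmed on a run of this branch rather than assumed. A comment above the new block, `# no default token scopes; each job declares what it needs`, would keep the pattern intact when another job is added to this file.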
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..39d1b18
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,3 @@
+rules:
+  secrets-outside-env:
+    disable: true
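Review bot: `disable: true` switches `secrets-outside-env` off for every workflow in the repository, including ones added later, and the file gives no indication of which step triggered the finding or why it is acceptable. Record that in a comment above the rule, `# secrets-outside-env: <workflow>.yml:<line> — <reason>` (placeholders), and if only one site is affected prefer zizmor's location-scoped form, `ignore: ["<workflow>.yml:<line>"]`, so the rule keeps running elsewhere. Nothing in this diff shows a secret referenced outside an `env:` block — the new release step already places `GITHUB_TOKEN` in `env:` — so confirm the finding still exists after these changes before keeping the suppression at all.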