From 68358ccb5061041f814f9e2249a11b1ddb15d224 Mon Sep 17 00:00:00 2001
From: Ryan Eberhardt
Date: Tue, 24 Mar 2026 22:32:01 -0700
Subject: [PATCH] fix: harden GitHub Actions workflows (zizmor)

- Fix impostor-commit and ref-version-mismatch for pnpm/action-setup by using the dereferenced commit SHA instead of the annotated tag object SHA
- Add dependabot cooldown configuration (default-days: 7) to mitigate supply-chain risks from immediate dependency updates

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/actions/setup/action.yml | 2 +-
 .github/dependabot.yml | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
index f67c6663..a27a0fad 100644
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@@ -41,7 +41,7 @@ runs:
       debug: ${{ inputs.debug }}
 
     - name: Setup pnpm
-      uses: pnpm/action-setup@b307475762933b98ed359c036b0e51f26b63b74b # v5.0.0
+      uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
       # NOTE: Do not specify 'version' here - pnpm-action-setup automatically reads
       # the version from the 'packageManager' field in package.json. Specifying both
       # causes ERR_PNPM_BAD_PM_VERSION errors.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 85b3a123..137a3c84 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -8,3 +8,5 @@ updates:
     schedule:
       interval: yearly
     open-pull-requests-limit: 0
+    cooldown:
+      default-days: 7
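Review bot: The `# v5.0.0` comment on the new `uses:` line gives no hint that the SHA is now the peeled commit rather than the annotated tag object, which is exactly what the previous pin got wrong and what a future hand-edit could reintroduce; extending it to `# v5.0.0 (commit the annotated tag resolves to; pin commits, not tag objects)` records that for the next maintainer. Nothing in the hunk lets a reviewer confirm that `fc06bc1257f339d1d5d8b3a19a8cae5388b55320` is what the upstream `v5.0.0` tag dereferences to, so that equivalence should be checked against the upstream tag before merge and zizmor re-run to confirm both findings clear. Any other `uses:` pins in this composite action are outside the hunk and may need the same treatment.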
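Review bot: The new `cooldown:` stanza sits in an ecosystem entry whose `open-pull-requests-limit: 0` on the line above already suppresses version-update pull requests, so a reader cannot tell from this hunk what the 7-day cooldown is expected to gate; a comment such as `# Version updates are disabled (limit 0); cooldown is kept so a future re-enable waits 7 days after a release` would make the relationship explicit. Whether Dependabot security updates also observe the cooldown is not visible here and should be confirmed against the Dependabot documentation before the cooldown is relied on as a supply-chain mitigation. The entry's `package-ecosystem` and `directory` keys are above the hunk, and the hunk ends at the end of the file.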