From 9d50ba83bd5480bedb9a3cf8c7753f2232cfd86c Mon Sep 17 00:00:00 2001
From: Luc Perkins
Date: Mon, 11 May 2026 16:47:29 -0500
Subject: [PATCH 1/4] Apply pinning to GitHub Actions
---
 .github/dependabot.yml | 16 ++++++++++++++++
 .github/workflows/ci.yaml | 17 ++++++++++++++---
 .github/workflows/update.yml | 6 ++++--
 .github/zizmor.yml | 5 +++++
 4 files changed, 39 insertions(+), 5 deletions(-)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/zizmor.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..d89d38d
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,16 @@
+version: 2
+
+updates:
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: weekly
+ cooldown:
+ default-days: 7
+ groups:
+ actions:
+ patterns: ["*"]
+ ignore:
+ - dependency-name: DeterminateSystems/*
+ commit-message:
+ prefix: ci
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 413fb5c..877a2d0 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -22,12 +22,17 @@ jobs:
 contents: read
 id-token: write
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
 - uses: DeterminateSystems/flake-checker-action@main
 with:
 fail-mode: true
+
 - if: success() || failure()
 uses: DeterminateSystems/determinate-nix-action@main
+
 - if: success() || failure()
 uses: DeterminateSystems/flakehub-cache-action@main
@@ -95,9 +100,13 @@ jobs:
 id-token: write
 contents: read
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
 - uses: DeterminateSystems/determinate-nix-action@main
 if: ${{ github.event_name == 'merge_group' }}
+
 - uses: DeterminateSystems/flakehub-cache-action@main
 if: ${{ github.event_name == 'merge_group' }}
 
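Review bot: The `ignore` entry for `DeterminateSystems/*` means Dependabot will never refresh a SHA pin on any action from that org, yet this same patch pins `DeterminateSystems/determinate-nix-action@bafaa638b9d5ec0e7e3ac1a7fc80453ef1fd265f # v3.20.0` in its `.github/workflows/update.yml` hunk, so that pin would silently go stale. Either keep every DeterminateSystems action on the ref-pin policy, as `ci.yaml` does, or narrow the ignore so the one pinned action is still bumped. Whichever is chosen, a comment above the entry should record the intent, e.g. `# DeterminateSystems actions track a branch by policy (see .github/zizmor.yml); Dependabot must not try to pin them`.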
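Review bot: The steps left on a mutable `@main` ref (`flake-checker-action`, `determinate-nix-action`, `flakehub-cache-action`) run in a job whose context lines grant `id-token: write`; `persist-credentials: false` keeps the checkout token away from them, but it does nothing about what a compromised branch of one of those actions could do with the OIDC token, so that trust decision should be written down next to the first such step. A comment such as `# DeterminateSystems/* is exempted from SHA pinning (.github/zizmor.yml: ref-pin) and runs with id-token: write` above the `flake-checker-action` step would do. The same applies to the hunks at `@@ -95` and `@@ -125` in this file, which make the identical checkout change; the job definitions enclosing all three hunks begin outside them.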
@@ -125,7 +134,9 @@ jobs:
 id-token: "write"
 contents: "read"
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - uses: DeterminateSystems/determinate-nix-action@main
diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml
index 245a9c6..3502ee0 100644
--- a/.github/workflows/update.yml
+++ b/.github/workflows/update.yml
@@ -14,8 +14,10 @@ jobs:
 pull-requests: write
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
- - uses: DeterminateSystems/determinate-nix-action@v3
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - uses: DeterminateSystems/determinate-nix-action@bafaa638b9d5ec0e7e3ac1a7fc80453ef1fd265f # v3.20.0
 - uses: DeterminateSystems/update-flake-lock@main
 with:
 pr-title: "Update Nix flake inputs" # Title of PR to be created
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..abdc40b
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,5 @@
+rules:
+ unpinned-uses:
+ config:
+ policies:
+ DeterminateSystems/*: ref-pin
From 696083c37c403c14a3f67e6672bd7a1da37a1c3d Mon Sep 17 00:00:00 2001
From: Luc Perkins
Date: Tue, 12 May 2026 10:46:29 -0500
Subject: [PATCH 2/4] Provide cooldown for npm updates
---
 .github/dependabot.yml | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index d89d38d..5afc0b6 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml 
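Review bot: Setting `persist-credentials: false` on the checkout changes what `DeterminateSystems/update-flake-lock@main` can do afterwards: if that action pushes its update branch through the git credential the checkout used to leave behind, rather than through a token it receives as an input, this job will start failing at push time. That is worth confirming against the action's inputs before merging, and worth a comment on the `with:` block either way, e.g. `# no stored git credential after checkout; update-flake-lock must authenticate through its own token input`. The `update-flake-lock` step also stays on a mutable `@main` ref while the job holds `pull-requests: write` (context line above), the same policy exception noted for `ci.yaml`; the job header is outside the hunk.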
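Review bot: The `DeterminateSystems/*: ref-pin` policy accepts any symbolic ref, a moving branch such as `@main` included, and the glob covers every current and future action under that org, so the file should state why the exemption is acceptable here rather than leave the reader to reconstruct it from the workflows. A leading comment would carry that, e.g. `# DeterminateSystems actions are deliberately tracked by ref; Dependabot ignores them too (see .github/dependabot.yml)`.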
@@ -10,7 +10,27 @@ updates:
 groups:
 actions:
 patterns: ["*"]
- ignore:
- - dependency-name: DeterminateSystems/*
 commit-message:
 prefix: ci
+ labels:
+ - dependencies
+ - github-actions
+ ignore:
+ - dependency-name: DeterminateSystems/*
+
+ - package-ecosystem: npm
+ directory: /
+ schedule:
+ interval: weekly
+ cooldown:
+ default-days: 7
+ semver-major-days: 14
+ semver-minor-days: 7
+ semver-patch-days: 3
+ groups:
+ npm-deps:
+ patterns: ["*"]
+ labels:
+ - dependencies
+ - npm
+
From 27849aa95458c2ae0e7524eb892fa590acc7eec3 Mon Sep 17 00:00:00 2001
From: Luc Perkins
Date: Tue, 12 May 2026 10:53:09 -0500
Subject: [PATCH 3/4] Fix formatting
---
 .github/dependabot.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 5afc0b6..6d3e42f 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -33,4 +33,3 @@ updates:
 labels:
 - dependencies
 - npm
-
From 449ce08c69c25925959cd1a55fe0bb0e5bdd7a6c Mon Sep 17 00:00:00 2001
From: Luc Perkins
Date: Tue, 12 May 2026 11:01:11 -0500
Subject: [PATCH 4/4] Add zizmor action
---
 .github/workflows/update.yml | 2 +-
 .github/workflows/zizmor.yml | 25 +++++++++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/zizmor.yml
diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml
index 3502ee0..a383996 100644
--- a/.github/workflows/update.yml
+++ b/.github/workflows/update.yml
@@ -17,7 +17,7 @@ jobs:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
- - uses: DeterminateSystems/determinate-nix-action@bafaa638b9d5ec0e7e3ac1a7fc80453ef1fd265f # v3.20.0
+ - uses: DeterminateSystems/determinate-nix-action@main
 - uses: DeterminateSystems/update-flake-lock@main
 with:
 pr-title: "Update Nix flake inputs" # Title of PR to be created
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..e60cfa7
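Review bot: The new `npm` entry has no `commit-message` stanza while the `github-actions` entry directly above it sets `prefix: ci`, so Dependabot's npm commits will carry its default subject; for consistency add `commit-message:` with a `prefix:` under the npm block (`prefix: npm`, say). `semver-minor-days: 7` merely restates `default-days: 7` and can be dropped. A one-line comment above `cooldown:` explaining what the delays buy — not pulling in a freshly published version until it has been public for a few days — would help the next reader, since the three per-level values otherwise look arbitrary.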
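Review bot: This drops the `bafaa638b9d5ec0e7e3ac1a7fc80453ef1fd265f # v3.20.0` SHA pin that [PATCH 1/4] put on the same line, so within one series the action goes from ref to hash and back with no record of why; squashing the two and giving the reason in the commit message, or adding `# ref-pinned by policy (.github/zizmor.yml); Dependabot ignores DeterminateSystems/*` above the step, would leave that reasoning in the tree. The `steps:` list continues and the job header sits outside the hunk.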
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,25 @@
+name: zizmor
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+
+jobs:
+ zizmor:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ contents: read
+ actions: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor
+ uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+ with:
+ config: .github/zizmor.yml
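Review bot: The job runs on `pull_request`, where a PR from a fork — and, once the Dependabot configuration from this series is live, a Dependabot PR — receives a read-only `GITHUB_TOKEN`, so `security-events: write` is not actually granted on those runs and any SARIF upload the action performs there would fail. If the action uploads to code scanning by default (its `advanced-security` input, if I recall the action's inputs correctly), either switch `pull_request` runs to plain output or document that fork and Dependabot runs are expected to fail at upload. A comment on the `permissions:` block recording what each of the three scopes is needed for would also help, since none of them is obvious from the two steps.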