From 787f89dddc6ec91b9230bc9cb4a3900efedfbccf Mon Sep 17 00:00:00 2001
From: David Sanders
Date: Sat, 14 Mar 2026 00:08:40 -0700
Subject: [PATCH] ci: fixups to pass zizmor audit
---
 .github/dependabot.yml | 2 ++
 .github/workflows/add-to-project.yml | 2 +-
 .github/workflows/release.yml | 4 ++++
 .github/workflows/test.yml | 2 ++
 4 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 8ac6b8c..177b067 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,3 +4,5 @@ updates:
 directory: "/"
 schedule:
 interval: "monthly"
+ cooldown:
+ default-days: 7
diff --git a/.github/workflows/add-to-project.yml b/.github/workflows/add-to-project.yml
index e236f78..37d9ef6 100644
--- a/.github/workflows/add-to-project.yml
+++ b/.github/workflows/add-to-project.yml
@@ -4,7 +4,7 @@ on:
 issues:
 types:
 - opened
- pull_request_target:
+ pull_request_target: # zizmor: ignore[dangerous-triggers]
 types:
 - opened
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b8cac46..ca85839 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,8 +5,12 @@ on:
 branches:
 - main
+permissions: {}
+
 jobs:
 test:
+ permissions:
+ contents: read
 uses: ./.github/workflows/test.yml
 release:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 68c6894..3e728b8 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -26,6 +26,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Setup Node.js
 uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
 with:
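Review bot: The new `cooldown` block in .github/dependabot.yml carries no comment saying why updates are held back, and the reason is a supply-chain one that is easy to lose in a later cleanup. I would add above it `# Wait 7 days after a release before proposing it, so a compromised or yanked version has time to be caught.` Per Dependabot's documentation the cooldown applies to version updates only, so security updates are not delayed; that is worth stating in the same comment. The update entry this belongs to starts above the hunk, so which ecosystem it covers is not visible here.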
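Review bot: The `# zizmor: ignore[dangerous-triggers]` added on `pull_request_target:` in .github/workflows/add-to-project.yml silences the finding without recording why the trigger is safe in this workflow. `pull_request_target` runs with the base repository's token and secrets on events from forks, so the suppression only holds while no job checks out or executes the pull request's code. The jobs are outside the hunk, so this cannot be confirmed from here; once verified, I would add a line above the trigger such as `# Safe: no job below checks out or runs PR code; the trigger only adds the PR to the project.` Unlike release.yml, no `permissions:` block is added to this workflow in the commit; if it does not already have one, scoping the token there would limit what a later mistake could expose.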
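Review bot: With the new top-level `permissions: {}` in .github/workflows/release.yml, every job without its own block gets a token with no permissions, and the hunk gives one only to `test`. The `release` job starts on the last line of the hunk and its body is outside it; the diffstat's four additions are all accounted for by the lines shown, so this commit adds no `permissions:` to it. If `release` uses `GITHUB_TOKEN` to tag, publish or request an OIDC token, it needs an explicit job-level grant (for example `contents: write`, or whatever it actually requires), otherwise the first release after this merges is likely to fail. If it already declares one or authenticates with a separate secret, a short comment next to `permissions: {}` saying so would save the next reader the check.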