From 31e361a046518d70961127cf45cf3203bd920d95 Mon Sep 17 00:00:00 2001
From: David Sanders
Date: Sat, 14 Mar 2026 00:15:00 -0700
Subject: [PATCH] ci: fixups to pass zizmor audit
---
 .github/dependabot.yml | 2 ++
 .github/workflows/check-electron-abi.yml | 9 ++++++---
 .github/workflows/release.yml | 4 ++++
 .github/workflows/test.yml | 2 ++
 .github/workflows/update-abi.yml | 1 +
 5 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 8ac6b8c..177b067 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,3 +4,5 @@ updates:
 directory: "/"
 schedule:
 interval: "monthly"
+ cooldown:
+ default-days: 7
diff --git a/.github/workflows/check-electron-abi.yml b/.github/workflows/check-electron-abi.yml
index 0346d1d..6c8b478 100644
--- a/.github/workflows/check-electron-abi.yml
+++ b/.github/workflows/check-electron-abi.yml
@@ -28,14 +28,17 @@ jobs:
 run: npm install --save-dev node-abi
 - name: Check ABI for Electron version
 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+ env:
+ ELECTRON_VERSION: ${{ github.event.inputs.electron-version }}
+ EXPECTED_ABI: ${{ github.event.inputs.expected-abi }}
 with:
 script: |
 const { getAbi } = await import('${{ github.workspace }}/node_modules/node-abi/index.js');
- const abi = getAbi('${{ github.event.inputs.electron-version }}', 'electron');
+ const abi = getAbi(process.env.ELECTRON_VERSION, 'electron');
- if (abi !== '${{ github.event.inputs.expected-abi }}') {
- core.error(`Got ABI ${abi}, expected ${{ github.event.inputs.expected-abi }}`);
+ if (abi !== process.env.EXPECTED_ABI) {
+ core.error(`Got ABI ${abi}, expected ${process.env.EXPECTED_ABI}`);
 process.exitCode = 1;
 } else {
 core.info(`Got expected ABI ${abi}`);
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b160cad..79d1258 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
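Review bot: The new `cooldown` block gives `default-days: 7` with no explanation, and a later maintainer tuning Dependabot may well drop it as an unnecessary delay; a comment above it such as `# Wait a week before adopting a newly published version so releases that are yanked or found to be compromised are not pulled in on day one` records the supply-chain reason for it. As far as I recall the cooldown only delays version updates and does not hold back Dependabot security updates, which is the desired behaviour but worth confirming against the Dependabot docs before relying on it. The hunk spans the whole of this single `updates` entry, so I would also expect there to be no `github-actions` ecosystem entry in this file; if that is right, the SHA-pinned actions in the workflows below will not be bumped automatically.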
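Review bot: With the inputs now read from `process.env`, an empty or missing `electron-version` reaches `getAbi('', 'electron')` unguarded and the step fails with whatever node-abi throws rather than a message naming the input; a guard before the lookup, `if (!process.env.ELECTRON_VERSION || !process.env.EXPECTED_ABI) return core.setFailed('electron-version and expected-abi inputs are required');`, gives a clear failure (unless the `workflow_dispatch` inputs are already declared `required: true`, which is outside this hunk). Moving the two event inputs into `env:` is the right fix for expression injection into the script; the remaining inline `${{ github.workspace }}` in the import path is runner-supplied rather than event-controlled, so it can stay as is. The step's `script` block continues past the end of the hunk.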
@@ -6,8 +6,12 @@ on:
 - main
 - 3-x-y
+permissions: {}
+
 jobs:
 test:
+ permissions:
+ contents: read
 uses: ./.github/workflows/test.yml
 release:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index d02b765..5aa6b00 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -27,6 +27,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Setup Node.js
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
diff --git a/.github/workflows/update-abi.yml b/.github/workflows/update-abi.yml
index 62f7f04..46aa038 100644
--- a/.github/workflows/update-abi.yml
+++ b/.github/workflows/update-abi.yml
@@ -27,6 +27,7 @@ jobs:
 creds: ${{ secrets.GH_APP_CREDS }}
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
+ persist-credentials: false
 ref: ${{ matrix.branch }}
 token: ${{ steps.generate-token.outputs.token }}
 - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
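Review bot: The new top-level `permissions: {}` strips every default GITHUB_TOKEN scope from any job that does not declare its own `permissions:` block, and only the `test` job gets one here; the `release` job starts at the hunk's last line and continues outside it, and the diffstat lists no other additions to this file, so unless it already carried a job-level `permissions:` it now runs with a token that cannot write anything. Confirm that job declares the scopes its publishing steps actually use (for example `contents: write`, kept at job level rather than restored globally) and that a release has been exercised after this change. The `contents: read` on `test` matches what the called `test.yml` needs for its checkout step.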
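Review bot: `persist-credentials: false` on this checkout means the App token passed as `token:` is used for the clone only and is not written into the repository's git config, so any later step in this job that pushes or opens a pull request through plain git commands is no longer authenticated; those steps follow `setup-node` outside the hunk, so confirm each one is handed `${{ steps.generate-token.outputs.token }}` explicitly (its own `token:` input or an environment variable) and that the workflow has been run end-to-end since. The trade-off itself is sound, as it keeps a write-capable App token out of the workspace where `npm install` and subsequent steps could read it. `ref: ${{ matrix.branch }}` comes from the job's matrix rather than event data, so it needs no similar treatment.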