diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..45bd89a3
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,17 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    cooldown:
+      default-days: 8
+    open-pull-requests-limit: 10
+
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    cooldown:
+      default-days: 8
+    open-pull-requests-limit: 10
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 0e02bf4f..d2b68a4a 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -9,7 +9,7 @@ jobs:
     name: Publish
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: dylanvann/publish-github-action@v1.1.49
+      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
+      - uses: dylanvann/publish-github-action@973d5c2eec5df00513bb013e4424eaf04117ebd1 # v1.1.49
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 574fa432..754c9eb5 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -9,7 +9,7 @@ jobs:
     name: Test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
       - name: Install
         run: yarn install --frozen-lockfile
       - name: Deduplicate dependencies
diff --git a/.npmrc b/.npmrc
new file mode 100644
index 00000000..b5e8618b
--- /dev/null
+++ b/.npmrc
@@ -0,0 +1 @@
+min-release-age=8