From 8b9fe638c73c0dc4dcf24588e8d9fdec9f31c081 Mon Sep 17 00:00:00 2001
From: "anthropic-code-agent[bot]" <242468646+Claude@users.noreply.github.com>
Date: Thu, 9 Apr 2026 11:55:42 +0000
Subject: [PATCH 1/2] Initial plan
From 36f540f1957ac3560bb05f0895e427caf6f214c2 Mon Sep 17 00:00:00 2001
From: "anthropic-code-agent[bot]" <242468646+Claude@users.noreply.github.com>
Date: Thu, 9 Apr 2026 12:03:35 +0000
Subject: [PATCH 2/2] =?UTF-8?q?=F0=9F=94=92=20Pin=20GitHub=20Actions=20SHA?= =?UTF-8?q?s=20&=20harden=20Dependabot=20configuration?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Agent-Logs-Url: https://github.com/stroeer/github-app-token/sessions/eac572eb-99da-425b-99c8-cb0d021122f8
Co-authored-by: saefty <25341735+saefty@users.noreply.github.com>
---
 .github/dependabot.yml | 17 +++++++++++++++++
 .github/workflows/publish.yml | 4 ++--
 .github/workflows/test.yml | 2 +-
 .npmrc | 1 +
 4 files changed, 21 insertions(+), 3 deletions(-)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .npmrc
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..45bd89a3
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,17 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ cooldown:
+ default-days: 8
+ open-pull-requests-limit: 10
+
+ - package-ecosystem: "npm"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ cooldown:
+ default-days: 8
+ open-pull-requests-limit: 10
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 0e02bf4f..d2b68a4a 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
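Review bot: The two `cooldown` blocks in the new `.github/dependabot.yml` have no comment saying what the 8 days are for or what they leave uncovered. Dependabot applies cooldown to version updates only, so security updates are still proposed without the delay; stating that keeps a later reader from taking the delay for a patching gap. I would add above the first entry `# cooldown: wait 8 days after a release before proposing it (version updates only; security updates are not delayed)`. A second comment should say that the value is meant to match `min-release-age=8` in `.npmrc`, so the two are changed together.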
@@ -9,7 +9,7 @@ jobs:
 name: Publish
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2
- - uses: dylanvann/publish-github-action@v1.1.49
+ - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
+ - uses: dylanvann/publish-github-action@973d5c2eec5df00513bb013e4424eaf04117ebd1 # v1.1.49
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 574fa432..754c9eb5 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -9,7 +9,7 @@ jobs:
 name: Test
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
 - name: Install
 run: yarn install --frozen-lockfile
 - name: Deduplicate dependencies
diff --git a/.npmrc b/.npmrc
new file mode 100644
index 00000000..b5e8618b
--- /dev/null
+++ b/.npmrc
@@ -0,0 +1 @@
+min-release-age=8
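Review bot: The pinned `dylanvann/publish-github-action` step in publish.yml still receives `secrets.GITHUB_TOKEN`, and no `permissions:` key is visible for the Publish job. Pinning fixes which code runs but does not limit what that code can do with the token. The job and workflow head lie above the hunk; if neither sets it already, add a job-level `permissions:` containing only `contents: write`. That scope assumes the action only pushes the release branch and tags, which should be confirmed against the action.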
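Review bot: The pinned `actions/checkout` step in the Test job keeps its default `persist-credentials: true`, so the workflow token stays in the local git config while `yarn install --frozen-lockfile` runs dependency install scripts. Nothing in the visible steps needs git credentials after checkout, so I would add `with:` and `persist-credentials: false` under that step. The step list continues past the end of the hunk; a later step that pushes would need the credentials supplied explicitly.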
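Review bot: `min-release-age=8` in the new `.npmrc` is an npm client setting, but the Test workflow in this same patch installs with `yarn install --frozen-lockfile`, so the line probably has no effect on CI installs. Only npm releases that implement the option honour it, and older clients ignore it without warning. Add a comment naming the client it targets, e.g. `; npm only: skip versions published less than 8 days ago`. If the release-age gate is meant to protect the Yarn install too, it has to be configured for Yarn separately, provided the Yarn version in use supports one.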