From 5a3edee0827c2d4852904154528ced881eeebe4e Mon Sep 17 00:00:00 2001
From: Nate Moore
Date: Wed, 13 May 2026 00:11:23 -0400
Subject: [PATCH 1/2] chore(ci): harden github actions
---
 .github/workflows/format.yml | 8 ++++++--
 .github/workflows/preview.yml | 5 +++--
 .github/workflows/{publish.yaml => publish.yml} | 8 ++++++--
 3 files changed, 15 insertions(+), 6 deletions(-)
 rename .github/workflows/{publish.yaml => publish.yml} (60%)
diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml
index b302405..85f8b65 100644
--- a/.github/workflows/format.yml
+++ b/.github/workflows/format.yml
@@ -6,11 +6,15 @@ on:
 branches:
 - main
 
+permissions: {}
+
 jobs:
 format:
 if: github.repository_owner == 'bombshell-dev'
- uses: bombshell-dev/automation/.github/workflows/format.yml@main
- secrets: inherit
+ uses: bombshell-dev/automation/.github/workflows/format.yml@3a8b4a38fe464b0b51d14962ae416a169517fba9 # main as of 2026-05-13
+ secrets:
+ BOT_APP_ID: ${{ secrets.BOT_APP_ID }}
+ BOT_PRIVATE_KEY: ${{ secrets.BOT_PRIVATE_KEY }}
 permissions:
 contents: write
 pull-requests: write
diff --git a/.github/workflows/preview.yml b/.github/workflows/preview.yml
index c0600d9..10fd928 100644
--- a/.github/workflows/preview.yml
+++ b/.github/workflows/preview.yml
@@ -4,11 +4,12 @@ on:
 workflow_dispatch:
 pull_request:
 
+permissions: {}
+
 jobs:
 format:
 if: github.repository_owner == 'bombshell-dev'
- uses: bombshell-dev/automation/.github/workflows/preview.yml@main
- secrets: inherit
+ uses: bombshell-dev/automation/.github/workflows/preview.yml@3a8b4a38fe464b0b51d14962ae416a169517fba9 # main as of 2026-05-13
 permissions:
 contents: write
 pull-requests: write
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yml
similarity index 60%
rename from .github/workflows/publish.yaml
rename to .github/workflows/publish.yml
index 5bb8e19..09263d9 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yml
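Review bot: The job still grants `contents: write` and `pull-requests: write` on the GITHUB_TOKEN even though the new `secrets:` block now hands the called workflow a GitHub App identity (`BOT_APP_ID` / `BOT_PRIVATE_KEY`); if the called `format.yml` does its pushes and PR updates with the app token, those grants can probably be reduced to `contents: read` or dropped, which is worth checking against the pinned commit `3a8b4a38…`, since the new top-level `permissions: {}` only covers what the job does not re-grant. The publish.yml hunk in this patch has the same shape and the same question. A comment on the `uses:` line recording which secrets the called workflow declares, e.g. `# called workflow requires BOT_APP_ID and BOT_PRIVATE_KEY; keep in sync with its workflow_call.secrets`, would save the next reviewer a trip to the automation repo.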
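Review bot: Replacing `secrets: inherit` with nothing leaves the preview job passing no secrets at all, whereas the format and publish hunks of this patch pass `BOT_APP_ID` and `BOT_PRIVATE_KEY` explicitly; if the pinned `preview.yml` declares a secret under `workflow_call.secrets` as required, this caller should now fail validation, and if it declares optional ones it silently loses them. Confirm against the called workflow at `3a8b4a38…` and either add the explicit `secrets:` mapping or record the finding on the `uses:` line, e.g. `# preview.yml declares no workflow_call secrets`. Since this job runs on `pull_request`, an explicit allow-list is the right direction; it should just be deliberate rather than an omission.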
@@ -6,11 +6,15 @@ on:
 branches:
 - main
 
+permissions: {}
+
 jobs:
 publish:
 if: github.repository_owner == 'bombshell-dev'
- uses: bombshell-dev/automation/.github/workflows/publish.yml@main
- secrets: inherit
+ uses: bombshell-dev/automation/.github/workflows/publish.yml@3a8b4a38fe464b0b51d14962ae416a169517fba9 # main as of 2026-05-13
+ secrets:
+ BOT_APP_ID: ${{ secrets.BOT_APP_ID }}
+ BOT_PRIVATE_KEY: ${{ secrets.BOT_PRIVATE_KEY }}
 permissions:
 contents: write
 pull-requests: write
From a50ab56420ac382c6cce7d48c82f04e0c1517031 Mon Sep 17 00:00:00 2001
From: Nate Moore
Date: Wed, 13 May 2026 00:11:30 -0400
Subject: [PATCH 2/2] chore(ci): add dependabot
---
 .github/dependabot.yml | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..ca79ca5
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: weekly
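Review bot: Renaming `publish.yaml` to `publish.yml` changes the file name that external references are keyed on, and the diffstat shows nothing else in the patch is updated to match; README status badges (`/actions/workflows/publish.yaml/badge.svg`), `workflow_run` triggers in other workflows, `gh workflow run publish.yaml` invocations, and rulesets that require a workflow by path would all need the same rename. If the repository has none of these, a sentence in the commit message saying so would close the question. The `secrets:` and `permissions:` content of this hunk is otherwise identical to the format.yml hunk, and the least-privilege question raised there applies here too.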
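Review bot: The `github-actions` entry will only keep the three reusable-workflow pins from the previous commit current if `bombshell-dev/automation` exposes something to bump to; those pins carry a `# main as of 2026-05-13` comment rather than a release tag, and as far as I know Dependabot moves SHA pins toward tagged releases, so if that repository publishes no tags these pins may never be updated automatically and the dated comment stays the only refresh cue. Worth verifying after the first Dependabot run; if it does not touch them, either tag the automation repo or schedule a manual refresh. The config is otherwise fine as written; `open-pull-requests-limit` or a `groups:` block is only worth adding if update PRs become noisy.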