ci: fix zizmor findings (#47)

acidghost · web-flow · commit 30f51d220aae · 2026-01-26T20:33:33.000+01:00
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,14 +1,20 @@
 version: 2
 updates:
- - package-ecosystem: "gomod"
-   directory: "/"
-   schedule:
-     interval: daily
- - package-ecosystem: "github-actions"
-   directory: "/"
-   schedule:
-     interval: daily
- - package-ecosystem: "devcontainers"
-   directory: "/"
-   schedule:
-     interval: weekly
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: daily
+    cooldown:
+      default-days: 7
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: daily
+    cooldown:
+      default-days: 7
+  - package-ecosystem: "devcontainers"
+    directory: "/"
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -14,6 +14,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd               # v6.0.2
+        with:
+          persist-credentials: false
       - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5               # v6.2.0
         with:
           go-version: stable
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -15,9 +15,11 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd               # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
       - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5               # v6.2.0
         with:
           go-version: stable
+          cache: false
       - uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a   # v6.4.0
         with:
           distribution: goreleaser
