chore: Update dependabot config and actions

Signed-off-by: Austin Ziegler <austin@zieglers.ca>

Author: halostatue

.github/dependabot.yml

@@ -4,13 +4,25 @@ updates:
   - package-ecosystem: github-actions
     directory: /
     schedule:
-      interval: weekly
+      interval: monthly
     commit-message:
       prefix: 'deps'
+    groups:
+      actions:
+        applies-to: version-updates
+        update-types:
+          - minor
+          - patch
 
   - package-ecosystem: bundler
     directory: /
     schedule:
-      interval: weekly
+      interval: monthly
     commit-message:
       prefix: 'deps'
+    groups:
+      bundler:
+        applies-to: version-updates
+        update-types:
+          - minor
+          - patch

.github/workflows/ci.yml

@@ -37,7 +37,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: ruby/setup-ruby@0481980f17b760ef6bca5e8c55809102a0af1e5a # v1.263.0
+      - uses: ruby/setup-ruby@ab177d40ee5483edb974554986f56b33477e21d0 # v1.265.0
         with:
           ruby-version: '3.4'
           rubygems: latest
@@ -76,7 +76,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: ruby/setup-ruby@0481980f17b760ef6bca5e8c55809102a0af1e5a # v1.263.0
+      - uses: ruby/setup-ruby@ab177d40ee5483edb974554986f56b33477e21d0 # v1.265.0
         with:
           ruby-version: '3.4'
           rubygems: latest
@@ -131,7 +131,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: ruby/setup-ruby@0481980f17b760ef6bca5e8c55809102a0af1e5a # v1.263.0
+      - uses: ruby/setup-ruby@ab177d40ee5483edb974554986f56b33477e21d0 # v1.265.0
         with:
           ruby-version: ${{ matrix.ruby }}
           rubygems: latest
@@ -150,9 +150,9 @@ jobs:
       fail-fast: false
       matrix:
         os:
-          - macos-13
           - macos-14
           - macos-15
+          - macos-26
         ruby:
           - '2.6'
           - '2.7'
@@ -180,7 +180,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: ruby/setup-ruby@0481980f17b760ef6bca5e8c55809102a0af1e5a # v1.263.0
+      - uses: ruby/setup-ruby@ab177d40ee5483edb974554986f56b33477e21d0 # v1.265.0
         with:
           ruby-version: ${{ matrix.ruby }}
           rubygems: latest
@@ -232,7 +232,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: ruby/setup-ruby@0481980f17b760ef6bca5e8c55809102a0af1e5a # v1.263.0
+      - uses: ruby/setup-ruby@ab177d40ee5483edb974554986f56b33477e21d0 # v1.265.0
         with:
           ruby-version: ${{ matrix.ruby }}
           rubygems: latest
@@ -278,7 +278,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: ruby/setup-ruby@0481980f17b760ef6bca5e8c55809102a0af1e5a # v1.263.0
+      - uses: ruby/setup-ruby@ab177d40ee5483edb974554986f56b33477e21d0 # v1.265.0
         with:
           ruby-version: ${{ matrix.ruby }}
           rubygems: latest
@@ -324,7 +324,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: ruby/setup-ruby@0481980f17b760ef6bca5e8c55809102a0af1e5a # v1.263.0
+      - uses: ruby/setup-ruby@ab177d40ee5483edb974554986f56b33477e21d0 # v1.265.0
         with:
           ruby-version: ${{ matrix.ruby }}
           rubygems: latest

.github/workflows/dependency-review.yml

@@ -38,4 +38,4 @@ jobs:
           persist-credentials: false
 
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@56339e523c0409420f6c2c9a2f4292bbb3c07dd3 # v4.8.0
+        uses: actions/dependency-review-action@40c09b7dc99638e5ddb0bfd91c1673effc064d8a # v4.8.1

.github/workflows/publish-docs.yml

@@ -8,7 +8,7 @@ on:
 permissions: {}
 
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  group: publish-docs-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
 jobs:
@@ -19,8 +19,8 @@ jobs:
 
     permissions:
       contents: read
-      pages: write
-      id-token: write
+      pages: write    # Publish documentation to pages
+      id-token: write # Publish documentation to pages
 
     steps:
       - name: Harden the runner
@@ -36,9 +36,9 @@ jobs:
         run: |
           ruby -e \
             'print "version=", Gem::Specification.load(ARGV[0]).rubygems_version, "\n"' \
-            color.gemspec >>"${GITHUB_OUTPUT}"
+            diff-lcs.gemspec >>"${GITHUB_OUTPUT}"
 
-      - uses: ruby/setup-ruby@0481980f17b760ef6bca5e8c55809102a0af1e5a # v1.263.0
+      - uses: ruby/setup-ruby@ab177d40ee5483edb974554986f56b33477e21d0 # v1.265.0
         with:
           bundler-cache: false
           ruby-version: ruby

.github/workflows/publish-gem.yml

@@ -36,8 +36,8 @@ jobs:
       rubygems_release_gem: true
 
     permissions:
-      contents: write
-      id-token: write
+      contents: write # Create a new tag
+      id-token: write # Authenticate for gem publishing
 
     steps:
       - name: Harden the runner
@@ -65,7 +65,7 @@ jobs:
             'print "version=", Gem::Specification.load(ARGV[0]).rubygems_version, "\n"' \
             diff-lcs.gemspec >>"${GITHUB_OUTPUT}"
 
-      - uses: ruby/setup-ruby@0481980f17b760ef6bca5e8c55809102a0af1e5a # v1.263.0
+      - uses: ruby/setup-ruby@ab177d40ee5483edb974554986f56b33477e21d0 # v1.265.0
         with:
           bundler-cache: false
           ruby-version: ruby
@@ -102,6 +102,6 @@ jobs:
     needs: release
     permissions:
       contents: read
-      pages: write
-      id-token: write
+      pages: write    # Publish documentation
+      id-token: write # Authenticate for gem publishing
     uses: ./.github/workflows/publish-docs.yml

.github/workflows/reviewdog.yml

@@ -17,7 +17,7 @@ jobs:
 
     permissions:
       contents: read
-      pull-requests: write
+      pull-requests: write # Reviewdog comments on pull requests
 
     steps:
       - name: Harden Runner
@@ -36,7 +36,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: reviewdog/action-typos@fe961cdbe416990b23bc1597325891575ef2dd7c # v1.18.0
+      - uses: reviewdog/action-typos@d5eb1bbcd1b3bfde596f6eeb470322727862fe98 # v1.19.0
 
   actionlint:
     if: ${{ github.event.action != 'closed' }}
@@ -45,7 +45,7 @@ jobs:
 
     permissions:
       contents: read
-      pull-requests: write
+      pull-requests: write # Reviewdog comments on pull requests
 
     steps:
       - name: Harden Runner
@@ -61,4 +61,4 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: reviewdog/action-actionlint@95395aac8c053577d0bc67eb7b74936c660c6f66 # v1.67.0
+      - uses: reviewdog/action-actionlint@f00ad0691526c10be4021a91b2510f0a769b14d0 # v1.68.0

.github/workflows/scorecards.yml

@@ -13,13 +13,11 @@ concurrency:
 
 jobs:
   zizmor:
-    name: zizmor latest via uv
+    name: zizmor latest via zizmor-action
     runs-on: ubuntu-latest
 
     permissions:
-      security-events: write
-      contents: read
-      actions: read
+      security-events: write # Zizmor writes security events
 
     steps:
       - name: Harden Runner
@@ -29,23 +27,14 @@ jobs:
           egress-policy: block
           allowed-endpoints: >
             api.github.com:443
-            release-assets.githubusercontent.com:443
-            files.pythonhosted.org:443
+            ghcr.io:443
             github.com:443
-            objects.githubusercontent.com:443
-            pypi.org:443
+            pkg-containers.githubusercontent.com:443
 
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
 
-      - uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
-
-      - run: uvx zizmor --persona pedantic --format sarif . > results.sarif
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.29.5
+      - uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0
         with:
-          sarif_file: results.sarif
-          category: zizmor
+          persona: pedantic