From 989d514ce1de7d40314dfc4563551b9538374f8b Mon Sep 17 00:00:00 2001
From: Ryan Atkinson
Date: Sun, 14 Jun 2026 05:47:43 -0400
Subject: [PATCH 1/4] wip
---
.github/workflows/check.yml | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index 0579f4b..397113a 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -9,19 +9,31 @@ on:
pull_request: branches: ['**'] +# Cancel a PR's in-progress run when a new commit supersedes it; let main-branch +# runs finish so every commit on main stays verified. +concurrency: + group: check-${{ github.ref }} + cancel-in-progress: ${{ github.event_name == 'pull_request' }} + +# Least privilege: the check only reads the repo. +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest + timeout-minutes: 15 strategy: matrix: node-version: ['24.14'] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v1 + uses: actions/setup-node@v4 with: node-version: ${{ matrix.node-version }} + cache: npm - run: npm ci - run: npx @fuzdev/gro check --workspace --build
From 4f908e9c52dfcb01cde310f29883c4805654df00 Mon Sep 17 00:00:00 2001
From: Ryan Atkinson
Date: Sun, 14 Jun 2026 05:50:31 -0400
Subject: [PATCH 2/4] wip
---
.github/dependabot.yml | 14 ++++++++++++++
.github/workflows/check.yml | 4 ++--
2 files changed, 16 insertions(+), 2 deletions(-)
create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..f1c3d6b
--- /dev/null
+++ b/.github/dependabot.yml
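Review bot: The comment above the new `concurrency` block promises that every commit on main stays verified, but GitHub keeps at most one pending run per concurrency group, so a burst of pushes to main cancels the intermediate queued runs even with `cancel-in-progress` false — only the in-progress run and the newest pending one survive. Either soften the comment to `# runs finish (GitHub still collapses several queued main runs into the newest one).` or give push runs their own group with `group: check-${{ github.event_name == 'pull_request' && github.ref || github.sha }}` if per-commit verification of main is the goal. Separately, the `npx @fuzdev/gro check` step (context here, unchanged by the patch) only uses the lockfile-verified copy from `npm ci` if `@fuzdev/gro` is declared in package.json, which the diff does not show; if it is not, npx fetches whatever is newest on the registry at run time, and routing the call through an npm script (e.g. `"check": "gro check --workspace --build"`, invoked with `npm run check`) makes a missing local install fail instead of being fetched. The `on:` mapping this hunk starts in begins above line 9, outside the hunk.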
@@ -0,0 +1,14 @@
+# Keeps the SHA-pinned actions in .github/workflows/ current: Dependabot opens
+# PRs that bump each pin *and* rewrite its `# vX.Y.Z` comment, so pinning stays
+# maintainable instead of silently rotting.
+
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: weekly
+ # Batch action bumps into one PR instead of one-per-action.
+ groups:
+ actions:
+ patterns: ['*']
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index 397113a..ebc54a1 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -29,9 +29,9 @@ jobs:
node-version: ['24.14'] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v4 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: ${{ matrix.node-version }} cache: npm
From c2547b1bcd47227a6f22d4fe2c64cbbabdc7947b Mon Sep 17 00:00:00 2001
From: Ryan Atkinson
Date: Sun, 14 Jun 2026 06:06:30 -0400
Subject: [PATCH 3/4] wip
---
.github/workflows/check.yml | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index ebc54a1..19440b0 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -8,6 +8,8 @@ on:
branches: [main]
pull_request:
branches: ['**']
+ # Allow manually re-running the check from the Actions tab.
+ workflow_dispatch:
# Cancel a PR's in-progress run when a new commit supersedes it; let main-branch
# runs finish so every commit on main stays verified.
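Review bot: The two new `uses:` lines pin `actions/checkout` and `actions/setup-node` to full commit SHAs with `# v6.0.3` and `# v6.4.0` trailing comments, but nothing in the diff lets a reviewer confirm that those commits are the ones upstream tagged with those versions; a wrong or unrelated SHA pins an unknown revision without any error, so verifying each SHA against the upstream tag belongs in the review of this patch. Note also that PATCH 4/4 of this series deletes the `.github/dependabot.yml` that this same patch adds to keep the pins current, so once the series lands the pins have no automated refresh path; if that is intended, say so next to them, e.g. `# Pinned to commit SHAs; bump manually — no Dependabot config covers github-actions.` The `steps:` sequence these lines belong to continues past the hunk.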
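Review bot: The new comment on the `workflow_dispatch:` trigger says "re-running", but what the trigger adds is the ability to start a fresh run of the workflow on a chosen branch (from the Actions tab, the REST API or the CLI); re-running an existing run is available without it, so the comment describes the wrong capability. Suggest `# Allow starting the check manually on any branch (Actions tab, API or CLI).` A manually started run on a branch also shares the `check-<ref>` concurrency group with push runs for that ref and, because its event name is not `pull_request`, is queued rather than cancelled — presumably fine, but worth knowing when a dispatch appears to hang. The `on:` mapping starts above the hunk.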
@@ -29,7 +31,13 @@ jobs:
node-version: ['24.14'] steps: + # persist-credentials: false keeps the GITHUB_TOKEN out of .git/config, so a + # compromised build dependency can't read it. If you add a step that pushes + # via git (deploy, tag, generated commit), set this back to true or + # authenticate that step explicitly. - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Use Node.js ${{ matrix.node-version }} uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with:
From f21dc7c7db578cf7148b88320709563aa0d3f6e0 Mon Sep 17 00:00:00 2001
From: Ryan Atkinson
Date: Sun, 14 Jun 2026 06:31:01 -0400
Subject: [PATCH 4/4] wip
---
.github/dependabot.yml | 14 --------------
1 file changed, 14 deletions(-)
delete mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
deleted file mode 100644
index f1c3d6b..0000000
--- a/.github/dependabot.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-# Keeps the SHA-pinned actions in .github/workflows/ current: Dependabot opens
-# PRs that bump each pin *and* rewrite its `# vX.Y.Z` comment, so pinning stays
-# maintainable instead of silently rotting.
-
-version: 2
-updates:
- - package-ecosystem: github-actions
- directory: /
- schedule:
- interval: weekly
- # Batch action bumps into one PR instead of one-per-action.
- groups:
- actions:
- patterns: ['*']
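Review bot: The new four-line comment overstates what `persist-credentials: false` buys: it stops checkout from writing the token into `.git/config`, so later steps and anything `npm ci` executes cannot read it from the working tree, but the token still exists for any step that references `secrets.GITHUB_TOKEN` or receives it as an action input. The workflow-level `permissions: contents: read` added in PATCH 1/4 (outside this hunk) is what actually bounds the damage in that case, and the comment should point at it rather than claim the token is unreadable. Suggest the first two lines read `# persist-credentials: false keeps GITHUB_TOKEN out of .git/config, so a` / `# compromised dependency run by npm can't lift it from the checkout; the` / `# workflow's read-only permissions limit what a leaked token could do.` The `steps:` sequence continues past the hunk — setup-node's `with:` mapping is cut off at the last line.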