From 1817f4ce98255e5b47cd782e329581612860019e Mon Sep 17 00:00:00 2001 From: Duncan McClean Date: Mon, 1 Jun 2026 10:03:40 +0100 Subject: [PATCH 1/3] wip --- .github/dependabot.yml | 2 ++ .github/workflows/code-style-lint.yml | 10 +++++++--- .github/workflows/tests.yml | 13 ++++++++++--- .github/workflows/zizmor.yml | 23 +++++++++++++++++++++++ 4 files changed, 42 insertions(+), 6 deletions(-) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml index f6faee69..8e5296db 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,6 +4,8 @@ updates: directory: "/" schedule: interval: "weekly" + cooldown: + default-days: 7 groups: github-actions: patterns: diff --git a/.github/workflows/code-style-lint.yml b/.github/workflows/code-style-lint.yml index 32762f3d..1909b587 100644 --- a/.github/workflows/code-style-lint.yml +++ b/.github/workflows/code-style-lint.yml @@ -1,19 +1,23 @@ name: Lint code style issues -on: +on: # zizmor: ignore[concurrency-limits] pull_request: +permissions: {} + jobs: - lint-code-styling: + lint-code-styling: # zizmor: ignore[anonymous-definition] runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Check PHP code style issues uses: aglipanci/laravel-pint-action@36de00d5f5a8a4e12d443e01671daa12a18f4c79 # v2.6 with: testMode: true verboseMode: true - pintVersion: 1.16.0 \ No newline at end of file + pintVersion: 1.16.0 diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 1d53e315..b79e45b4 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -1,6 +1,6 @@ name: Run Tests -on: +on: # zizmor: ignore[concurrency-limits] push: branches: - master @@ -9,6 +9,8 @@ on: schedule: - cron: '0 0 * * *' +permissions: {} + jobs: php-tests: runs-on: ubuntu-latest 
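Review bot: The new `cooldown` block in `.github/dependabot.yml` carries no comment saying what it is for, so a later reader may remove it as a nuisance delay. As far as I know Dependabot applies cooldown to version updates only and still raises security updates immediately, which is worth stating next to it. A comment above `cooldown:` such as `# wait 7 days before proposing a new release so a bad or compromised publish has time to surface` would record the intent. The `package-ecosystem` line for this entry is outside the hunk.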
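Review bot: Both `# zizmor: ignore[...]` comments added in `code-style-lint.yml` silence a finding without recording why, and the same `ignore[concurrency-limits]` is repeated on `on:` in the first `tests.yml` hunk. For the job, adding `name: Lint code style` under `lint-code-styling:` would satisfy the audit instead of suppressing it. For concurrency, either reuse the `concurrency:` block that this patch gives `zizmor.yml`, or add a comment line above `on:` explaining why unbounded parallel runs are acceptable here.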
@@ -24,6 +26,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup PHP uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # v2 @@ -33,9 +37,12 @@ jobs: coverage: none - name: Install dependencies + env: + LARAVEL: ${{ matrix.laravel }} + STABILITY: ${{ matrix.stability }} run: | - composer require "laravel/framework:${{ matrix.laravel }}" --no-interaction --no-update - composer update --${{ matrix.stability }} --prefer-dist --no-interaction --no-suggest + composer require "illuminate/contracts:$LARAVEL" --no-interaction --no-update + composer update --$STABILITY --prefer-dist --no-interaction --no-suggest - name: Execute tests run: vendor/bin/phpunit diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 00000000..1278d678 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,23 @@ +name: GitHub Actions Security Analysis + +on: + push: + branches: + - master + - '*.x' + paths: + - '.github/**.yml' + pull_request: + paths: + - '.github/**.yml' + +permissions: {} + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + zizmor: + uses: statamic/.github/.github/workflows/zizmor.yml@7e941c239074d66da6cad3322bec3b1005c80cf7 + permissions: {} From b3f7a612b76aeec99173706bb9e7147f679f5723 Mon Sep 17 00:00:00 2001 From: Duncan McClean Date: Mon, 1 Jun 2026 10:05:48 +0100 Subject: [PATCH 2/3] wip --- .github/workflows/code-style-lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/code-style-lint.yml b/.github/workflows/code-style-lint.yml index 1909b587..2c6fa915 100644 --- a/.github/workflows/code-style-lint.yml +++ b/.github/workflows/code-style-lint.yml 
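Review bot: The first `composer require` line in the "Install dependencies" step now asks for `illuminate/contracts` where it previously asked for `laravel/framework`, which changes what the matrix constrains and is not part of the template-injection hardening. If that is intended, it should be stated in the commit message. In the same `run:` block `--$STABILITY` is expanded unquoted, so the shell word-splits and globs the value. Writing `composer update "--$STABILITY" --prefer-dist --no-interaction --no-suggest` keeps it a single argument.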
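Review bot: The `paths:` filters in the new `zizmor.yml` list only `'.github/**.yml'`, so a workflow or config file added with a `.yaml` extension would not trigger the analysis on `push` or `pull_request`; adding `- '.github/**.yaml'` to both lists closes that gap. The pinned `uses:` SHA also lacks the trailing version comment that the other pins in this patch carry (for example `# v6.0.2`), which makes it harder to see which ref is being run. The job-level `permissions: {}` caps what the called workflow's token can do, so this presumably relies on that workflow needing no token scopes; its contents are not visible here.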
@@ -16,7 +16,7 @@ jobs: persist-credentials: false - name: Check PHP code style issues - uses: aglipanci/laravel-pint-action@36de00d5f5a8a4e12d443e01671daa12a18f4c79 # v2.6 + uses: aglipanci/laravel-pint-action@36de00d5f5a8a4e12d443e01671daa12a18f4c79 # 2.6 with: testMode: true verboseMode: true From 19881aa83edf52580dff051be6c15195c1138b5e Mon Sep 17 00:00:00 2001 From: Jason Varga Date: Mon, 1 Jun 2026 15:13:24 -0400 Subject: [PATCH 3/3] add shell for consistency while we're here --- .github/workflows/tests.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index b79e45b4..d3077665 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -37,6 +37,7 @@ jobs: coverage: none - name: Install dependencies + shell: bash env: LARAVEL: ${{ matrix.laravel }} STABILITY: ${{ matrix.stability }}