From a1d9eb0b0b6b6af5ef9fb6cae2b97833507f1d8c Mon Sep 17 00:00:00 2001
From: Jason Varga
Date: Sat, 30 May 2026 18:23:36 -0400
Subject: [PATCH] wip
---
 .github/dependabot.yml | 2 ++
 .github/workflows/release.yml | 35 ++++++++++++++++-------------------
 .github/workflows/zizmor.yml | 23 +++++++++++++++++++++++
 3 files changed, 41 insertions(+), 19 deletions(-)
 create mode 100644 .github/workflows/zizmor.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index f6faee6..8e5296d 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,6 +4,8 @@ updates:
 directory: "/"
 schedule:
 interval: "weekly"
+ cooldown:
+ default-days: 7
 groups:
 github-actions:
 patterns:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4355fa3..a615b9c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,16 +1,22 @@
 name: Create Release
-on:
+on: # zizmor: ignore[concurrency-limits]
 push:
 tags:
 - 'v*'
+permissions: {}
+
 jobs:
- build:
+ build: # zizmor: ignore[anonymous-definition]
 runs-on: ubuntu-latest
+ permissions:
+ contents: write # create GitHub release and upload assets
 steps:
 - name: Checkout code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Setup PHP
 uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # v2
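Review bot: The `build:` job silences zizmor's anonymous-definition finding with an ignore comment instead of resolving it; giving the job a `name:` is a one-line fix that removes the finding and also reads better in the Checks UI. Suggested: keep `build:` and add `name: Build and publish release` as its first key, dropping the `# zizmor: ignore[anonymous-definition]` suffix. The `concurrency-limits` ignore on `on:` looks justified for a tag-triggered release, but a short comment stating why (each pushed tag must produce its own release, so cancelling in-progress runs is undesirable) would stop the next reader from trying to "fix" it. The job body continues past the hunk.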
@@ -40,21 +46,12 @@ jobs:
 version: ${{ github.ref }}
 - name: Create release
- id: create_release
- uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- tag_name: ${{ steps.changelog.outputs.version }}
- release_name: ${{ steps.changelog.outputs.version }}
- body: ${{ steps.changelog.outputs.text }}
- - name: Upload zip to release
- uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- upload_url: ${{ steps.create_release.outputs.upload_url }}
- asset_path: ./resources/dist.tar.gz
- asset_name: dist.tar.gz
- asset_content_type: application/tar+gz
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ RELEASE_VERSION: ${{ steps.changelog.outputs.version }}
+ RELEASE_NOTES: ${{ steps.changelog.outputs.text }}
+ run: |
+ gh release create "$RELEASE_VERSION" \
+ --title "$RELEASE_VERSION" \
+ --notes "$RELEASE_NOTES" \
+ ./resources/dist.tar.gz
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..1278d67
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,23 @@
+name: GitHub Actions Security Analysis
+
+on:
+ push:
+ branches:
+ - master
+ - '*.x'
+ paths:
+ - '.github/**.yml'
+ pull_request:
+ paths:
+ - '.github/**.yml'
+
+permissions: {}
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ zizmor:
+ uses: statamic/.github/.github/workflows/zizmor.yml@7e941c239074d66da6cad3322bec3b1005c80cf7
+ permissions: {}
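Review bot: `gh release create "$RELEASE_VERSION"` creates a brand-new tag from the default branch when `$RELEASE_VERSION` does not already exist as a tag, so a mismatch between the changelog step's `version` output and the pushed `v*` tag would publish a release against the wrong commit instead of failing; adding `--verify-tag` makes gh abort in that case: `gh release create "$RELEASE_VERSION" --verify-tag \`. Passing the version and notes through `env` rather than interpolating `${{ }}` into the script is the right call, since `outputs.text` is derived from commit content. The `changelog` step that produces these outputs lies before the hunk, so whether `version` is guaranteed to equal the pushed tag cannot be confirmed from here.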
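Review bot: The `paths` filters on both triggers only match `'.github/**.yml'`, so a workflow or action file saved with the `.yaml` extension (which GitHub also accepts) would never trigger the audit; add `- '.github/**.yaml'` beside each existing pattern. Because the workflow runs only when files under `.github` change, new audits shipped by the shared zizmor workflow are not applied to unchanged files until something touches them; a `schedule:` trigger would close that gap if that is wanted. The `permissions: {}` on the `zizmor` job caps what the reusable workflow can obtain, so if the called workflow at `statamic/.github` uploads SARIF results it would need `security-events: write` granted here — verify against that workflow.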