fix: harden GitHub Actions workflows and update dependabot config

loekensgard · claude · loekensgard · commit e1234238017d · 2026-02-20T16:17:26.000+01:00
- build_and_test.yaml: add explicit permissions (contents: read)
- release.yaml: restrict permissions to empty (uses app token),
  add concurrency group
- dependabot.yml: update schedule to first Monday of month,
  change nuget prefix to "fix:", add labels, separate minor/patch group

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,32 +1,35 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
-
 version: 2
 updates:
-  - package-ecosystem: "nuget" # See documentation for possible values
-    directory: "/" # Location of package manifests
+  # Check for updates to nuget packages
+  - package-ecosystem: "nuget"
+    directory: "/"
     schedule:
-      interval: "monthly"
-      time: "09:00"
-      timezone: "Europe/Oslo"
+      interval: 'cron'
+      cronjob: '0 8 * * MON#1'
+      timezone: 'Europe/Oslo'
+    labels:
+      - "dependencies"
+      - "nuget"
     commit-message:
-      prefix: "build:"
+      prefix: "fix:"
     groups:
-      all:
+      # Group all non-major updates together
+      minor-patch-updates:
         patterns:
           - "*"
+        update-types:
+          - "minor"
+          - "patch"
 
+  # Check for updates to GitHub Actions
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-        interval: "monthly"
-        time: "09:00"
-        timezone: "Europe/Oslo"
+      interval: 'cron'
+      cronjob: '0 8 * * MON#1'
+      timezone: 'Europe/Oslo'
+    labels:
+      - "dependencies"
+      - "github-actions"
     commit-message:
       prefix: "ci:"
-    groups:
-      all:
-        patterns:
-          - "*"
diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml
@@ -8,6 +8,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   build-and-test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -5,9 +5,13 @@ on:
     branches:
       - main
 
-permissions:
-  contents: write
-  pull-requests: write
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+# action uses an app-token
+# the built-in token doesn't need any permissions
+permissions: {}
 
 jobs:
   release-please:
@@ -22,4 +26,4 @@ jobs:
         with:
           token: ${{ steps.app-token.outputs.token }}
           config-file: ".github/release-please-config.json"
-          manifest-file: ".github/.release-please-manifest.json"
+          manifest-file: ".github/.release-please-manifest.json"
