From bfb859cf320fb7e2a9d329cbf9a4f0337d348b1b Mon Sep 17 00:00:00 2001
From: Jamison French
Date: Mon, 1 Jun 2026 15:36:36 -0500
Subject: [PATCH 1/2] chore: replace version tag with SHA value
---
 .github/workflows/deploy.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index cdabe2c..5728538 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -55,10 +55,10 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Set up node
- uses: actions/setup-node@v4
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 node-version: 20
 cache: 'npm'
@@ -67,7 +67,7 @@ jobs:
 run: npm ci
 - name: Assume Github OIDC role
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@99214aa6889fcddfa57764031d71add364327e59 # v6.1.3
 if: github.event_name == 'workflow_dispatch'
 with:
 aws-region: us-west-2
From ccd40fbd799e5e49a60630d3b7e01c60bc00946d Mon Sep 17 00:00:00 2001
From: Jamison French
Date: Wed, 3 Jun 2026 18:17:31 -0500
Subject: [PATCH 2/2] fix(security): add dependabot
---
 .github/dependabot.yml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..a19faaa
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,23 @@
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: monthly
+ groups:
+ github-actions:
+ patterns:
+ - "*"
+ cooldown:
+ default-days: 30
+
+ - package-ecosystem: uv
+ directory: /
+ schedule:
+ interval: monthly
+ groups:
+ python-dependencies:
+ patterns:
+ - "*"
+ cooldown:
+ default-days: 30
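Review bot: The pins in this hunk and in the one at line 67 are not a like-for-like replacement of `v4`: the trailing comments name v6.x releases, so each of the three actions jumps two major versions under a `chore:` subject. The release notes of the intermediate majors should be checked for changed defaults and runner requirements before this reaches the deploy job, or the commit should pin the SHA of the current v4 release and leave the upgrade to a separate change. The diff also gives no way to confirm that each 40-character SHA is the commit its `# v6.x` comment claims; verify each one against the tag in the action's own repository, since a commit that exists only in a fork can still be resolved through the parent repository's name. The `steps:` block starts and ends outside the hunk.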
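Review bot: No `npm` entry is defined in `updates:`, although the deploy workflow patched earlier in this series installs with `npm ci`, so the packages that job pulls in stay outside Dependabot version updates. If the repository has a `package.json` at the root, add a third block starting with `- package-ecosystem: npm` next to the `github-actions` and `uv` ones; whether a uv-managed Python project exists at `/` cannot be seen from this diff. `interval: monthly` combined with `default-days: 30` can leave a new release unproposed for close to two months, and the `"*"` group puts major upgrades in the same pull request as patch releases, so confirm that delay and grouping are intended for the SHA-pinned actions.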