chore(ci): harden GitHub Actions (#36)

* chore(ci): harden github actions

* chore(ci): add dependabot

Author: natemoo-re

.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly

.github/workflows/format.yml

@@ -6,11 +6,15 @@ on:
     branches:
       - main
 
+permissions: {}
+
 jobs:
   format:
     if: github.repository_owner == 'bombshell-dev'
-    uses: bombshell-dev/automation/.github/workflows/format.yml@main
-    secrets: inherit
+    uses: bombshell-dev/automation/.github/workflows/format.yml@3a8b4a38fe464b0b51d14962ae416a169517fba9  # main as of 2026-05-13
+    secrets:
+      BOT_APP_ID: ${{ secrets.BOT_APP_ID }}
+      BOT_PRIVATE_KEY: ${{ secrets.BOT_PRIVATE_KEY }}
     permissions:
       contents: write
       pull-requests: write

.github/workflows/preview.yml

@@ -4,11 +4,12 @@ on:
   workflow_dispatch:
   pull_request:
 
+permissions: {}
+
 jobs:
   format:
     if: github.repository_owner == 'bombshell-dev'
-    uses: bombshell-dev/automation/.github/workflows/preview.yml@main
-    secrets: inherit
+    uses: bombshell-dev/automation/.github/workflows/preview.yml@3a8b4a38fe464b0b51d14962ae416a169517fba9  # main as of 2026-05-13
     permissions:
       contents: write
       pull-requests: write

.github/workflows/publish.yaml .github/workflows/publish.yml.github/workflows/publish.yaml renamed to .github/workflows/publish.yml

@@ -6,11 +6,15 @@ on:
     branches:
       - main
 
+permissions: {}
+
 jobs:
   publish:
     if: github.repository_owner == 'bombshell-dev'
-    uses: bombshell-dev/automation/.github/workflows/publish.yml@main
-    secrets: inherit
+    uses: bombshell-dev/automation/.github/workflows/publish.yml@3a8b4a38fe464b0b51d14962ae416a169517fba9  # main as of 2026-05-13
+    secrets:
+      BOT_APP_ID: ${{ secrets.BOT_APP_ID }}
+      BOT_PRIVATE_KEY: ${{ secrets.BOT_PRIVATE_KEY }}
     permissions:
       contents: write
       pull-requests: write