From 83a8c4ff405fa78f2af136e3082f7b21234229a3 Mon Sep 17 00:00:00 2001
From: Corbin Crutchley <git@crutchcorn.dev>
Date: Wed, 27 May 2026 09:19:05 -0700
Subject: [PATCH 1/5] chore: upgrade PNPM to 11

---
 package.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/package.json b/package.json
index 98f3b5b..cee691a 100644
--- a/package.json
+++ b/package.json
@@ -12,7 +12,7 @@
   "keywords": [],
   "author": "",
   "license": "MIT",
-  "packageManager": "pnpm@10.5.2",
+  "packageManager": "pnpm@11.4.0+sha512.f0febc7e37552ab485494a914241b338e0b3580b93d54ce31f00933015880863129038a1b4ae4e414a0ee63ac35bf21197e990172c4a68256450b5636310968f",
   "devDependencies": {
     "@types/node": "^25.2.0",
     "typescript": "^5.9.3"
@@ -20,4 +20,4 @@
   "dependencies": {
     "typesense": "^2.1.0"
   }
-}
\ No newline at end of file
+}

From bd5489e3bbda1626171b208910fb22876a4b96ff Mon Sep 17 00:00:00 2001
From: Corbin Crutchley <git@crutchcorn.dev>
Date: Wed, 27 May 2026 09:19:11 -0700
Subject: [PATCH 2/5] chore: pin and upgrade CI

---
 .github/workflows/fly.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/fly.yml b/.github/workflows/fly.yml
index 0dfe48a..5b64a07 100644
--- a/.github/workflows/fly.yml
+++ b/.github/workflows/fly.yml
@@ -12,8 +12,8 @@ jobs:
     name: Deploy app
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
-      - uses: superfly/flyctl-actions/setup-flyctl@1.5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: superfly/flyctl-actions/setup-flyctl@fc53c09e1bc3be6f54706524e3b82c4f462f77be # 1.5
       - name: Deploy App
         run: flyctl deploy --remote-only
         env:
@@ -24,9 +24,9 @@ jobs:
     needs: [deploy]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
-      - uses: pnpm/action-setup@v4
-      - uses: actions/setup-node@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version-file: '.nvmrc'
           cache: "pnpm"

From dc1d8801a7f8c5c70854f64edfaa9ec35b37c9d6 Mon Sep 17 00:00:00 2001
From: Corbin Crutchley <git@crutchcorn.dev>
Date: Wed, 27 May 2026 09:19:44 -0700
Subject: [PATCH 3/5] chore: add Zizmor workflow

---
 .github/workflows/zizmor.yml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 .github/workflows/zizmor.yml

diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..7a659b2
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,25 @@
+name: GitHub Actions Security Analysis
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: ["**"]
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: Run zizmor
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
+        with:
+          advanced-security: false
+          annotations: true

From 57581234dfc2d2b195798808b3ce20aea50c2484 Mon Sep 17 00:00:00 2001
From: Corbin Crutchley <git@crutchcorn.dev>
Date: Wed, 27 May 2026 09:19:59 -0700
Subject: [PATCH 4/5] chore: autofix Zizmor

---
 .github/workflows/fly.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/fly.yml b/.github/workflows/fly.yml
index 5b64a07..7cf54ad 100644
--- a/.github/workflows/fly.yml
+++ b/.github/workflows/fly.yml
@@ -13,6 +13,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - uses: superfly/flyctl-actions/setup-flyctl@fc53c09e1bc3be6f54706524e3b82c4f462f77be # 1.5
       - name: Deploy App
         run: flyctl deploy --remote-only
@@ -25,6 +27,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:

From 58e7929812aa842c770fef3a5bdb4e75219f1abd Mon Sep 17 00:00:00 2001
From: Corbin Crutchley <git@crutchcorn.dev>
Date: Wed, 27 May 2026 09:23:14 -0700
Subject: [PATCH 5/5] chore: fix Zizmor issues

---
 .github/workflows/fly.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/fly.yml b/.github/workflows/fly.yml
index 7cf54ad..4622e6a 100644
--- a/.github/workflows/fly.yml
+++ b/.github/workflows/fly.yml
@@ -4,6 +4,9 @@ on:
   push:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   deploy:
     concurrency: