trimble-oss · coliff · Mar 16, 2026 · Mar 16, 2026 · Mar 16, 2026
@@ -0,0 +1,20 @@
+# Agents
+
+<!-- https://agents.md -->
+
+## GitHub Actions Workflows
+
+- Always use the latest version
+- YML files should begin with --- on the first line.
+- All GitHub Actions should use SHA-1 pinned versions.
+- All should be formatted with Prettier.
+- If using `actions/checkout`, it should have `persist-credentials: false` set.
+- GitHub Actions should have a cooldown period of 7 days.
+
+## Dependabot
+
+- GitHub Actions updates should be grouped and updated monthly.
+- npm packages should be grouped and updated monthly.
+- Limit number of Dependabot PRs to be open to 2.
+- Dependabot config should be formatted with Prettier.
+- Dependencies should have a cooldown period of 7 days
@@ -3,7 +3,7 @@ updates:
   - package-ecosystem: npm
     directory: "/"
     schedule:
-      interval: weekly
+      interval: monthly
     cooldown:
       default-days: 7
     labels:
@@ -16,14 +16,16 @@ updates:
           - "minor"
           - "patch"
     versioning-strategy: increase
-    open-pull-requests-limit: 1
+    open-pull-requests-limit: 2
 
   - package-ecosystem: github-actions
     directory: "/"
     schedule:
       interval: monthly
+    cooldown:
+      default-days: 7
     groups:
       github-actions:
         patterns:
           - "*"
-    open-pull-requests-limit: 1
+    open-pull-requests-limit: 2
@@ -22,7 +22,7 @@ jobs:
           persist-credentials: false
 
       - name: Setup Hugo
-        uses: peaceiris/actions-hugo@v3
+        uses: peaceiris/actions-hugo@75d2e84710de30f6ff7268e08f310b60ef14033f # v3.0.0
         with:
           hugo-version: '0.145.0'
           extended: true
@@ -45,7 +45,7 @@ jobs:
 
       - name: Build And Deploy
         id: builddeploy
-        uses: Azure/static-web-apps-deploy@v1
+        uses: Azure/static-web-apps-deploy@1a947af9992250f3bc2e68ad0754c0b0c11566c9 # v1
         with:
           azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_LIVELY_ROCK_075179F10 }}
           repo_token: ${{ secrets.GITHUB_TOKEN }} # Used for Github integrations (i.e. PR comments)
@@ -64,7 +64,7 @@ jobs:
     steps:
       - name: Close Pull Request
         id: closepullrequest
-        uses: Azure/static-web-apps-deploy@v1
+        uses: Azure/static-web-apps-deploy@1a947af9992250f3bc2e68ad0754c0b0c11566c9 # v1
         with:
           azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_LIVELY_ROCK_075179F10 }}
           action: "close"
@@ -15,4 +15,4 @@ jobs:
           persist-credentials: false
 
       - name: "Dependency Review"
-        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.7
+        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
@@ -30,7 +30,7 @@ jobs:
           node-version: 18
 
       - name: Run Sonar Scan Action
-        uses: sonarsource/sonarqube-scan-action@master
+        uses: sonarsource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9 # v7.0.0
         env:
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
           SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}