From 94e492b58a0f837bd509b82df1fe2b167c8362cd Mon Sep 17 00:00:00 2001 From: Corbin Crutchley Date: Wed, 27 May 2026 09:09:20 -0700 Subject: [PATCH 1/5] chore: upgrade PNPM to 11 --- package.json | 8 +------- pnpm-workspace.yaml | 9 +++++++++ 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/package.json b/package.json index 13350b6..67accc0 100644 --- a/package.json +++ b/package.json @@ -5,7 +5,6 @@ "type": "module", "scripts": { "prepare": "husky", - "preinstall": "node -e \"if(process.env.CI == 'true') {console.log('Skipping preinstall...')} else {process.exit(1)}\" || npx -y only-allow pnpm", "test": "pnpm test:unit && pnpm test:e2e", "test:unit": "nx run-many --targets=test:sherif,test:knip,test:eslint,test:publint,test --exclude=e2e", "test:e2e": "nx run e2e:test", @@ -30,7 +29,7 @@ "engines": { "node": ">=24.0.0" }, - "packageManager": "pnpm@10.28.2", + "packageManager": "pnpm@11.4.0+sha512.f0febc7e37552ab485494a914241b338e0b3580b93d54ce31f00933015880863129038a1b4ae4e414a0ee63ac35bf21197e990172c4a68256450b5636310968f", "devDependencies": { "@eslint/js": "^9.37.0", "@nx/vite": "22.5.4", @@ -51,10 +50,5 @@ "typescript-eslint": "^8.57.0", "vite": "catalog:", "vitest": "catalog:" - }, - "pnpm": { - "overrides": { - "ioredis": "catalog:" - } } } diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml index ff9a56c..0e46c0f 100644 --- a/pnpm-workspace.yaml +++ b/pnpm-workspace.yaml @@ -27,3 +27,12 @@ onlyBuiltDependencies: - sharp minimumReleaseAge: 10080 # 7 days + +overrides: + "ioredis": "catalog:" + +allowBuilds: + esbuild: true + msgpackr-extract: true + nx: true + sharp: true From 6e03645b346a860bf2f176fe7b84827ba0cb9603 Mon Sep 17 00:00:00 2001 From: Corbin Crutchley Date: Wed, 27 May 2026 09:12:11 -0700 Subject: [PATCH 2/5] chore: pin GHA actions --- .github/workflows/dependabot-auto-merge.yml | 2 +- .github/workflows/fly.yml | 8 ++++---- .github/workflows/test.yml | 12 ++++++------ 3 files changed, 11 insertions(+), 11 deletions(-) 
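Review bot: Dropping the `preinstall` only-allow guard in the first package.json hunk leaves nothing in the repository that stops a contributor from running `npm install` or `yarn` against the workspace and committing a stray lockfile; the `packageManager` pin bumped in the second hunk is only enforced where Corepack is enabled, which nothing in this commit shows. If pnpm 11 makes the guard redundant on its own, one sentence saying so in the commit message answers the question for the next reader; otherwise keep the script or replace it with an equivalent check. The `+sha512.…` integrity suffix on the new `packageManager` value is the right call and worth keeping on future bumps.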
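Review bot: The new `allowBuilds` map in the pnpm-workspace.yaml hunk overlaps the `onlyBuiltDependencies` list that stays in place (at least `sharp` appears in both, and the context shows only that entry), so the two allow-lists can now drift apart without anyone noticing. If `allowBuilds` is the pnpm 11 form of this setting, remove the `onlyBuiltDependencies` block in the same commit; if both are still honoured, a comment such as `# keep in sync with onlyBuiltDependencies above` on `allowBuilds:` is the minimum. Moving `overrides` here from package.json's `pnpm` key is fine, but `"ioredis"` is the only quoted key in the file — `ioredis: "catalog:"` matches the surrounding style.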
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml index f3143ee..4dbd18d 100644 --- a/.github/workflows/dependabot-auto-merge.yml +++ b/.github/workflows/dependabot-auto-merge.yml @@ -11,7 +11,7 @@ jobs: steps: - name: Dependabot metadata id: metadata - uses: dependabot/fetch-metadata@ffa630c65fa7e0ecfa0625b5ceda64399aea1b36 + uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0 - name: Enable auto-merge for Dependabot PRs run: gh pr merge --auto --merge "$PR_URL" env: diff --git a/.github/workflows/fly.yml b/.github/workflows/fly.yml index 67bb530..ef773e6 100644 --- a/.github/workflows/fly.yml +++ b/.github/workflows/fly.yml @@ -15,8 +15,8 @@ jobs: name: Deploy app runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 - - uses: superfly/flyctl-actions/setup-flyctl@1.5 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: superfly/flyctl-actions/setup-flyctl@fc53c09e1bc3be6f54706524e3b82c4f462f77be # 1.5 - name: Deploy App run: flyctl deploy --remote-only env: @@ -26,8 +26,8 @@ jobs: name: Deploy redis runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 - - uses: superfly/flyctl-actions/setup-flyctl@1.5 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: superfly/flyctl-actions/setup-flyctl@fc53c09e1bc3be6f54706524e3b82c4f462f77be # 1.5 - name: Deploy Redis working-directory: ./services/redis run: flyctl deploy --remote-only diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 476a96e..e7726f7 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
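Review bot: Pinning `superfly/flyctl-actions/setup-flyctl` to a SHA in both fly.yml hunks freezes the action code but, as far as that action's default goes, not the flyctl binary it installs at run time, so the deploy step still runs whatever the latest flyctl resolves to on the day. If reproducible deploys are the goal of this commit, add `with: version: <pinned flyctl version>` to both `setup-flyctl` steps (one per job, the second hunk mirrors the first). The `# 1.5` annotation should also be checked against the tag the SHA actually resolves to, since that comment is what the pin-refresh tooling keys on.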
@@ -12,13 +12,13 @@ jobs: unit-tests: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 - name: Install Node.js - uses: actions/setup-node@v5 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version-file: ".nvmrc" cache: "pnpm" @@ -41,13 +41,13 @@ jobs: e2e-tests: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 - name: Install Node.js - uses: actions/setup-node@v5 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version-file: ".nvmrc" cache: "pnpm" From 4fef8cfb01ff0f721217907f340068149b16138f Mon Sep 17 00:00:00 2001 From: Corbin Crutchley Date: Wed, 27 May 2026 09:12:20 -0700 Subject: [PATCH 3/5] chore: autofix zizmor --- .github/workflows/fly.yml | 4 ++++ .github/workflows/test.yml | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/.github/workflows/fly.yml b/.github/workflows/fly.yml index ef773e6..38f6ed5 100644 --- a/.github/workflows/fly.yml +++ b/.github/workflows/fly.yml @@ -16,6 +16,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: superfly/flyctl-actions/setup-flyctl@fc53c09e1bc3be6f54706524e3b82c4f462f77be # 1.5 - name: Deploy App run: flyctl deploy --remote-only 
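Review bot: The `unit-tests` and `e2e-tests` hunks in test.yml now carry byte-identical checkout / `pnpm/action-setup` / `actions/setup-node` steps with three SHA pins each, and the following commits add more lines to both copies. A local composite action (for example `.github/actions/setup/action.yml`) holding those steps would keep each pin in one place so a Dependabot bump or a zizmor finding is fixed once. The pins themselves look right; `pnpm/action-setup` without a `version` input presumably reads the `packageManager` field bumped in the first commit, which is the intended coupling and worth a one-line comment on that step.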
@@ -27,6 +29,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: superfly/flyctl-actions/setup-flyctl@fc53c09e1bc3be6f54706524e3b82c4f462f77be # 1.5 - name: Deploy Redis working-directory: ./services/redis diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index e7726f7..ec3e86e 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -13,6 +13,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Install pnpm uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 @@ -42,6 +44,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Install pnpm uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 From e937aaf8576c9599d71b484c6aee48873ac29898 Mon Sep 17 00:00:00 2001 From: Corbin Crutchley Date: Wed, 27 May 2026 09:13:09 -0700 Subject: [PATCH 4/5] chore: add Zizmor action --- .github/workflows/zizmor.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..7a659b2 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,25 @@ +name: GitHub Actions Security Analysis + +on: + push: + branches: [main] + pull_request: + branches: ["**"] + +permissions: {} + +jobs: + zizmor: + name: Run zizmor + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 + with: + advanced-security: false + annotations: true 
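Review bot: zizmor.yml sets `permissions: {}` at the workflow level and grants nothing at the job level, so `actions/checkout` runs with a token that has no `contents` scope; that only works while the repository is public and while the action's `annotations: true` output needs no API access. Adding `permissions: contents: read` under the `zizmor` job keeps the least-privilege top-level default while making the intent explicit and the workflow portable to a private repository. `advanced-security: false` presumably also means findings stay in the job log and annotations rather than the Security tab — fine for a repository without GHAS, but a comment on that line saying so would stop a later reader from hunting for the missing SARIF upload.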
From eae1c9a49c93ccb2953bc7e90736d81b46e6a6ce Mon Sep 17 00:00:00 2001 From: Corbin Crutchley Date: Wed, 27 May 2026 09:19:33 -0700 Subject: [PATCH 5/5] chore: pass Zizmor now --- .github/workflows/dependabot-auto-merge.yml | 3 +++ .github/workflows/fly.yml | 3 +++ .github/workflows/test.yml | 3 +++ 3 files changed, 9 insertions(+) diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml index 4dbd18d..a0d9d2a 100644 --- a/.github/workflows/dependabot-auto-merge.yml +++ b/.github/workflows/dependabot-auto-merge.yml @@ -4,6 +4,9 @@ on: pull_request: types: [opened, reopened] +permissions: + pull-requests: read + jobs: dependabot: runs-on: ubuntu-latest diff --git a/.github/workflows/fly.yml b/.github/workflows/fly.yml index 38f6ed5..f0a6d38 100644 --- a/.github/workflows/fly.yml +++ b/.github/workflows/fly.yml @@ -10,6 +10,9 @@ concurrency: group: deploy-group # ensure only one deploy action runs at a time cancel-in-progress: false +permissions: + contents: read + jobs: deploy: name: Deploy app diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index ec3e86e..9a42eb7 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -8,6 +8,9 @@ on: types: - checks_requested +permissions: + contents: read + jobs: unit-tests: runs-on: ubuntu-latest
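Review bot: The workflow-level `permissions: pull-requests: read` added to dependabot-auto-merge.yml is narrower than what the existing `gh pr merge --auto --merge "$PR_URL"` step needs: enabling auto-merge requires `pull-requests: write` (and `contents: write` for the merge itself) whenever the step's `env` hands it `secrets.GITHUB_TOKEN`. Once a top-level `permissions` block exists, every scope it omits is removed from the job token, so this is likely to turn the auto-merge step into a 403 on the next Dependabot pull request. If the env block (outside this hunk) supplies a PAT or app token as `GH_TOKEN`, the read scope is correct, but then a comment such as `# gh pr merge uses the token from the env block, not GITHUB_TOKEN` belongs next to the permissions block. The `contents: read` blocks added to fly.yml and test.yml in the same commit look right.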