From 2950691b064d83c17533bbefc268c09b286d73cf Mon Sep 17 00:00:00 2001
From: Dan Chen
Date: Mon, 25 May 2026 18:36:20 -0700
Subject: [PATCH 1/3] chore: update dependency pins
---
 .github/workflows/validate.yml | 2 +-
 bun.lock | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 127c8a8..1767ee7 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -90,7 +90,7 @@ jobs:
 inputs: .github/workflows
 min-severity: medium
 min-confidence: medium
- version: v1.24.1
+ version: v1.25.2
 shellcheck:
 runs-on: ubuntu-latest
diff --git a/bun.lock b/bun.lock
index 26e88f7..9e43399 100644
--- a/bun.lock
+++ b/bun.lock
@@ -41,8 +41,8 @@ "undici-types": ["undici-types@7.24.6", "", {}, "sha512-WRNW+sJgj5OBN4/0JpHFqtqzhpbnV0GuB+OozA9gCL7a993SmU+1JBZCzLNxYsbMfIeDL+lTsphD5jN5N+n0zg=="], - "bun-types/@types/node": ["@types/node@25.7.0", "", { "dependencies": { "undici-types": "~7.21.0" } }, "sha512-z+pdZyxE+RTQE9AcboAZCb4otwcrvgHD+GlBpPgn0emDVt0ohrTMhAwlr2Wd9nZ+nihhYFxO2pThz3C5qSu2Eg=="], + "bun-types/@types/node": ["@types/node@25.9.1", "", { "dependencies": { "undici-types": ">=7.24.0 <7.24.7" } }, "sha512-xfrlY7UD5rMJk3ZVJP8BNzS28J36YJg+xp+LPXV1TdWxr8uMH5A860QNxYDGQe/ylDSgjxE52Q9VnO7p75tJxg=="], - "bun-types/@types/node/undici-types": ["undici-types@7.21.0", "", {}, "sha512-w9IMgQrz4O0YN1LtB7K5P63vhlIOvC7opSmouCJ+ZywlPAlO9gIkJ+otk6LvGpAs2wg4econaCz3TvQ9xPoyuQ=="], + "bun-types/@types/node/undici-types": ["undici-types@7.24.6", "", {}, "sha512-WRNW+sJgj5OBN4/0JpHFqtqzhpbnV0GuB+OozA9gCL7a993SmU+1JBZCzLNxYsbMfIeDL+lTsphD5jN5N+n0zg=="], } }
From 833b8663dcdb9815a7c8773659da27afdfa53893 Mon Sep 17 00:00:00 2001
From: Dan Chen
Date: Mon, 25 May 2026 18:39:43 -0700
Subject: [PATCH 2/3] ci: narrow update app token permissions
---
 .github/workflows/update-opencode-release.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/update-opencode-release.yml b/.github/workflows/update-opencode-release.yml
index d757649..bdfb75a 100644
--- a/.github/workflows/update-opencode-release.yml
+++ b/.github/workflows/update-opencode-release.yml
@@ -91,6 +91,8 @@ jobs:
 with:
 client-id: ${{ secrets.APP_CLIENT_ID }}
 private-key: ${{ secrets.APP_PRIVATE_KEY }}
+ permission-contents: write
+ permission-pull-requests: write
 - name: Create pull request
 id: create-pr
From cfb5ab2a480f92a6e12531493ea2e5a067698e4b Mon Sep 17 00:00:00 2001
From: Dan Chen
Date: Mon, 25 May 2026 18:42:49 -0700
Subject: [PATCH 3/3] ci: use latest zizmor
---
 .github/workflows/validate.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 1767ee7..97e5ff6 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -90,7 +90,6 @@ jobs:
 inputs: .github/workflows
 min-severity: medium
 min-confidence: medium
- version: v1.25.2
 shellcheck:
 runs-on: ubuntu-latest
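Review bot: In the `update-opencode-release.yml` hunk, the two added `permission-*` inputs narrow the token only if the action version named on this step's `uses:` line, which is outside the hunk, accepts them; GitHub Actions reports an unrecognised input as a warning and carries on, and the token would then presumably keep every permission granted to the app installation. It is worth confirming the inputs against that action's `action.yml` at the referenced version and checking one run's log for an "Unexpected input(s)" warning. I would also record why each scope is needed so a later edit does not widen it, e.g. `# contents: write pushes the update branch; pull-requests: write opens the PR` above `permission-contents`, adjusted to what the following "Create pull request" step actually does.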