From b79fdd348272777d06afdec1d7c2bdb0cc4993be Mon Sep 17 00:00:00 2001
From: Souradeep De
Date: Tue, 12 May 2026 16:47:02 +0200
Subject: [PATCH 1/2] ktlo: pin GitHub actions to commit SHAs
---
 .github/dependabot.yml | 8 ++++++++
 .github/workflows/ci.yml | 4 ++--
 2 files changed, 10 insertions(+), 2 deletions(-)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..effccfd
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,8 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ cooldown:
+ default-days: 3
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c7d7242..e7ab45e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,11 +12,11 @@ jobs:
 steps:
 - name: Setup Go
- uses: actions/setup-go@v2
+ uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2
 with:
 go-version: '^1.17'
- - uses: actions/checkout@v2
+ - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
 - name: Test
 run: make test
From 4e52248b27a6620721fd77bd62f577875fc94210 Mon Sep 17 00:00:00 2001
From: Souradeep De
Date: Wed, 13 May 2026 10:36:45 +0200
Subject: [PATCH 2/2] ktlo: switch dependabot to monthly with staggered time
---
 .github/dependabot.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index effccfd..f872193 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -3,6 +3,8 @@ updates:
 - package-ecosystem: "github-actions"
 directory: "/"
 schedule:
- interval: "weekly"
+ interval: "monthly"
+ time: "15:00"
+ timezone: "Europe/Berlin"
 cooldown:
 default-days: 3
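Review bot: The `cooldown` block in the new `.github/dependabot.yml` has no comment saying why updates are held back, and the file covers only the `github-actions` ecosystem. I would add `# hold new releases for 3 days before proposing them, so a bad or hijacked release has time to be noticed` above `cooldown:`. The workflow touched in this series sets up Go, so if the repository has a `go.mod` (not visible here), a separate `gomod` entry would be needed for module dependencies to get the same treatment.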
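Review bot: The trailing `# v2` on both pinned `uses:` lines in `.github/workflows/ci.yml` names a moving major tag, so the comment does not say which release each SHA is. Nothing in the hunk lets a reader confirm that the two commits are reachable from the upstream `actions/setup-go` and `actions/checkout` tags rather than from a fork. I would record the exact release in the comment, e.g. `uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # vX.Y.Z` (placeholder for the real tag), which is also the form Dependabot keeps in sync when it bumps a pinned SHA. Each SHA should be checked once against the upstream tag list before merging. The `steps:` list and the job definition start above the hunk, so whether the workflow also restricts `permissions:` cannot be seen here.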
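Review bot: Changing `interval` from `"weekly"` to `"monthly"` in patch 2/2 lengthens the time the SHA-pinned actions can stay on an outdated commit. This schedule is the main automatic route for updates, because per GitHub's documentation Dependabot alerts are not raised for actions referenced by SHA. Together with the 3-day `cooldown`, a fix released just after a run can wait about a month before a pull request appears. If the goal is only to spread load, the staggering can stay on a weekly cadence, e.g. `interval: "weekly"` with `day: "tuesday"` (sample value) alongside the new `time` and `timezone`. If monthly is intentional, a comment above `schedule:` stating that tradeoff would help the next maintainer.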