From 2197a4e3602689d6d73dce305d3ab458837737b9 Mon Sep 17 00:00:00 2001
From: Eloi Manuel
Date: Fri, 13 Feb 2026 11:53:57 +0100
Subject: [PATCH 1/5] chore: add dependabot configuration for GitHub Actions
---
 .github/dependabot.yml | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..046bcd0
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,31 @@
+version: 2
+
+updates:
+ # 1) GitHub Actions
+ - package-ecosystem: github-actions
+ directory: / # GitHub scans .github/workflows from here
+ schedule:
+ interval: weekly
+ day: monday
+ time: "03:00"
+ open-pull-requests-limit: 5
+ assignees: ["alainncls"]
+ labels: ["dependencies", "github-actions"]
+ commit-message:
+ prefix: "deps(actions)"
+ include: "scope"
+ groups:
+ core-actions-minor-patch:
+ update-types: ["minor", "patch"]
+ patterns:
+ - "actions/*"
+ - "github/*"
+ third-party-actions-minor-patch:
+ update-types: ["minor", "patch"]
+ patterns:
+ - "*"
+ exclude-patterns:
+ - "actions/*"
+ - "github/*"
+ cooldown:
+ default-days: 7
From 792bfd87f5548bb51ee5378e4c4548e9f58eac04 Mon Sep 17 00:00:00 2001
From: Eloi Manuel
Date: Fri, 13 Feb 2026 11:55:48 +0100
Subject: [PATCH 2/5] chore: add permissions configuration for workflows
---
 .github/workflows/build-lint.yml | 4 ++++
 .github/workflows/security-code-scanner.yml | 2 ++
 2 files changed, 6 insertions(+)
diff --git a/.github/workflows/build-lint.yml b/.github/workflows/build-lint.yml
index e101526..d28b2d4 100644
--- a/.github/workflows/build-lint.yml
+++ b/.github/workflows/build-lint.yml
@@ -8,9 +8,13 @@ on:
 branches:
 - main
+permissions: {} # lock everything by default (least-privilege)
+
 jobs:
 build-lint:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Check out the repo
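Review bot: In `.github/dependabot.yml` (PATCH 1/5) the `cooldown` block has no comment saying what it protects against or what it leaves uncovered. To my knowledge Dependabot applies `cooldown` to version updates only, so security updates are still proposed immediately. A line such as `# wait 7 days after a release before proposing it (version updates only; security updates are not delayed)` above `cooldown:` would stop a later maintainer from removing it as noise or assuming it also delays security fixes. The same comment is missing on the `cooldown` block of the npm entry added in PATCH 5/5.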
diff --git a/.github/workflows/security-code-scanner.yml b/.github/workflows/security-code-scanner.yml
index 5cd10c2..221e83b 100644
--- a/.github/workflows/security-code-scanner.yml
+++ b/.github/workflows/security-code-scanner.yml
@@ -15,6 +15,8 @@ on:
 required: false
 workflow_dispatch:
+permissions: {} # lock everything by default (least-privilege)
+
 jobs:
 security-scan:
 uses: MetaMask/action-security-code-scanner/.github/workflows/security-scan.yml@v2
From 3047187e56d8d51d4e73eacc9734e0b807778403 Mon Sep 17 00:00:00 2001
From: Eloi Manuel
Date: Fri, 13 Feb 2026 11:56:24 +0100
Subject: [PATCH 3/5] chore: update job name for build-lint workflow
---
 .github/workflows/build-lint.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/build-lint.yml b/.github/workflows/build-lint.yml
index d28b2d4..209fd0c 100644
--- a/.github/workflows/build-lint.yml
+++ b/.github/workflows/build-lint.yml
@@ -12,6 +12,7 @@ permissions: {} # lock everything by default (least-privilege)
 jobs:
 build-lint:
+ name: Build & Lint
 runs-on: ubuntu-latest
 permissions:
 contents: read
From 7afeea736dbf3a59ece0df9a4a1b336d57374112 Mon Sep 17 00:00:00 2001
From: Eloi Manuel
Date: Fri, 13 Feb 2026 11:58:15 +0100
Subject: [PATCH 4/5] chore: update checkout step to include persist-credentials configuration
---
 .github/workflows/build-lint.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/build-lint.yml b/.github/workflows/build-lint.yml
index 209fd0c..cb71a21 100644
--- a/.github/workflows/build-lint.yml
+++ b/.github/workflows/build-lint.yml
@@ -20,6 +20,8 @@ jobs:
 steps:
 - name: Check out the repo
 uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - name: Install Node.js
 uses: actions/setup-node@v6
From afabc2f71b7bb4f29a5c2fc4e7cacb5c70f27210 Mon Sep 17 00:00:00 2001
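Review bot: In `security-code-scanner.yml` (PATCH 2/5) the `security-scan` job calls a reusable workflow and no job-level `permissions:` is visible under it, so with the new top-level `permissions: {}` the called workflow gets a token with no scopes. A called workflow can keep or reduce the caller's permissions but not raise them, so if `security-scan.yml@v2` declares any scope the run would be expected to fail at startup rather than run with less access. Unless the job already sets them below the hunk (its body continues outside it), grant the scopes the scanner documents at job level, the way `build-lint.yml` does with `permissions:` / `contents: read`. A single `workflow_dispatch` run would confirm the result.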
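Review bot: `actions/checkout@v6` and `actions/setup-node@v6` in the `build-lint.yml` hunk of PATCH 4/5 are still referenced by a mutable tag, so the code that runs in the job can change without any change to this file. Pinning to a full commit SHA with the version kept as a trailing comment, `uses: actions/checkout@<full-commit-sha> # v6`, turns every action update into an explicit diff, and the `github-actions` Dependabot entry from PATCH 1/5 can keep such pins current. The reusable-workflow reference `security-scan.yml@v2` in `security-code-scanner.yml` is in the same position. The `steps:` list continues outside the hunk, so later steps may need the same treatment.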
From: Eloi Manuel
Date: Fri, 13 Feb 2026 12:18:36 +0100
Subject: [PATCH 5/5] chore: add npm dependencies configuration to dependabot
---
 .github/dependabot.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 046bcd0..a3e32ac 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -29,3 +29,22 @@ updates:
 - "github/*"
 cooldown:
 default-days: 7
+
+ # 2) npm dependencies (package.json)
+ - package-ecosystem: npm
+ directory: /
+ schedule:
+ interval: weekly
+ day: monday
+ time: "04:00"
+ open-pull-requests-limit: 5
+ assignees: ["alainncls"]
+ labels: ["dependencies", "npm"]
+ commit-message:
+ prefix: "deps(npm)"
+ include: "scope"
+ groups:
+ npm-minor-patch:
+ update-types: ["minor", "patch"]
+ cooldown:
+ default-days: 7
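Review bot: The `npm-minor-patch` group in the npm entry of `.github/dependabot.yml` (PATCH 5/5) filters only by `update-types`, so runtime and development dependencies arrive in one pull request and it is harder to see which bumps change what is shipped. Splitting the group by `dependency-type` would keep the production changes in a smaller PR that can be reviewed separately. Whether `package.json` holds both kinds is not visible here, and the group names below are only suggestions.

```yaml
    groups:
      npm-production-minor-patch:
        dependency-type: "production"
        update-types: ["minor", "patch"]
      npm-development-minor-patch:
        dependency-type: "development"
        update-types: ["minor", "patch"]
    # … unchanged: cooldown …
```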