diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index ebf6ca75..9cc82895 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,6 +4,8 @@ updates:
   directory: "/"
   schedule:
     interval: "weekly"
+  cooldown:
+    default-days: 2
 - package-ecosystem: npm
   directory: "/"
   schedule:
@@ -17,3 +19,5 @@ updates:
   commit-message:
     prefix: "[DEPENDENCY] "
     prefix-development: "[INTERNAL] "
+  cooldown:
+    default-days: 2
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
index d962d99c..8b32f879 100644
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -11,7 +11,7 @@ permissions:
 jobs:
   dependabot:
     runs-on: ubuntu-latest
-    if: ${{ github.actor == 'dependabot[bot]' && github.event.pull_request.auto_merge == null }}
+    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' && github.event.pull_request.auto_merge == null }}
     steps:
       - name: Dependabot metadata
         id: metadata
diff --git a/.github/workflows/github-ci.yml b/.github/workflows/github-ci.yml
index 5941c56c..bbd583cd 100644
--- a/.github/workflows/github-ci.yml
+++ b/.github/workflows/github-ci.yml
@@ -37,7 +37,7 @@ jobs:
       run: npm test
 
     - name: Send report to Coveralls
-      uses: coverallsapp/github-action@v2.3.7
+      uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6
 
     - name: Build e2e test image
       run: ./test/e2e/build-image.sh
diff --git a/.github/workflows/reuse-compliance.yml b/.github/workflows/reuse-compliance.yml
index 97a687be..3e09028a 100644
--- a/.github/workflows/reuse-compliance.yml
+++ b/.github/workflows/reuse-compliance.yml
@@ -18,4 +18,4 @@ jobs:
     steps:
     - uses: actions/checkout@v6
     - name: Execute REUSE Compliance Check
-      uses: fsfe/reuse-action@v6
+      uses: fsfe/reuse-action@676e2d560c9a403aa252096d99fcab3e1132b0f5 # v6.0.0
diff --git a/.npmrc b/.npmrc
index 3eeeab4e..f5bb40b0 100644
--- a/.npmrc
+++ b/.npmrc
@@ -2,3 +2,4 @@
 registry=https://registry.npmjs.org/
 lockfile-version=3
 ignore-scripts=true
+allow-git=none