From a7f08a19056b08acbf7ce8937b55cd51140247bf Mon Sep 17 00:00:00 2001 From: ken <3939605+kenyiu@users.noreply.github.com> Date: Fri, 27 Mar 2026 18:43:05 +0000 Subject: [PATCH] Add Dependabot and update CI workflows Add a Dependabot config to track GitHub Actions and pip dependencies weekly. Update deploy workflow to run on ubuntu-24.04, set repository permissions for contents, add a concurrency group, and pin actions (checkout and astral-sh/setup-uv) to specific SHAs for reproducible runs. Modify refresh-data workflow to explicitly pass the OSO_API_KEY secret instead of using secret inheritance. --- .github/dependabot.yml | 15 +++++++++++++++ .github/workflows/deploy.yml | 11 ++++++++--- 2 files changed, 23 insertions(+), 3 deletions(-) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..12eea0d --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,15 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + labels: + - "dependencies" + + - package-ecosystem: "pip" + directory: "/" + schedule: + interval: "weekly" + labels: + - "dependencies" diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index da74a73..628e5de 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -8,13 +8,18 @@ on: jobs: build-deploy: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 + permissions: + contents: write + concurrency: + group: deploy + cancel-in-progress: false steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 2 - - uses: astral-sh/setup-uv@v4 + - uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a # v4.2.0 - run: uv python install 3.13 - name: Install Python deps
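Review bot: The `pip` entry in `.github/dependabot.yml` may not cover the project's real dependency manifest, because the deploy workflow in this same patch installs with uv (`astral-sh/setup-uv`, `uv python install 3.13`). If the dependencies are locked in a `uv.lock`, which is not visible here, the second entry should be `- package-ecosystem: "uv"` so the lockfile is updated too; otherwise pinned transitive packages can stay unpatched while the config looks covered. A short comment above each entry naming the files it is expected to track, for example `# tracks the uses: pins under .github/workflows`, would make that checkable in review.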
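Review bot: In `build-deploy`, the new `permissions: contents: write` applies to every step of the job, and `actions/checkout` stores that token in the local git config by default, so the dependency-install and build steps that follow run with a write-capable repository credential within reach. If the deploy step does not push through git, add `persist-credentials: false` under the checkout step's `with:`; if it does, consider splitting build and deploy into two jobs so that only the deploy job carries `contents: write`. The job continues past the end of this hunk, so how the deploy is performed is not visible here. Separately, the description mentions a refresh-data workflow change for `OSO_API_KEY`, but the diffstat lists only two files and that workflow is not among them. The `# v4` comment on the checkout pin would be easier to audit if it named the exact release tag the SHA belongs to, as the setup-uv line does with `# v4.2.0`.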