diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
index 4cda9b1..a25a66d 100644
--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yaml
@@ -4,6 +4,8 @@ updates:
 directory: /
 schedule:
 interval: weekly
+ cooldown:
+ default-days: 7
 groups:
 actions-updates:
 dependency-type: production
@@ -15,6 +17,8 @@ updates:
 directory: /
 schedule:
 interval: weekly
+ cooldown:
+ default-days: 7
 groups:
 cargo-updates:
 dependency-type: production
diff --git a/.github/workflows/ci-actions.yaml b/.github/workflows/ci-actions.yaml
index 9368e17..3bb3b71 100644
--- a/.github/workflows/ci-actions.yaml
+++ b/.github/workflows/ci-actions.yaml
@@ -14,8 +14,11 @@ jobs:
 name: zizmor
 runs-on: ubuntu-latest
 permissions:
+ # write is needed to upload security events to GitHub code scanning.
 security-events: write
+ # we only need to read the contents of the repository.
 contents: read
+ # we only need to read the action metadata.
 actions: read
 steps:
 - name: harden runner
@@ -34,10 +37,10 @@ jobs:
 - name: zizmor
 run: uvx zizmor --pedantic --format sarif . > results.sarif
 env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
 - name: upload
- uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4
+ uses: github/codeql-action/upload-sarif@16140ae1a102900babc80a33c44059580f687047 # v4
 with:
 sarif_file: results.sarif
 category: zizmor
diff --git a/.github/workflows/ci-code.yaml b/.github/workflows/ci-code.yaml
index 0f95dfa..43515a4 100644
--- a/.github/workflows/ci-code.yaml
+++ b/.github/workflows/ci-code.yaml
@@ -9,6 +9,7 @@ on:
 - main
 permissions:
+ # we only need to read the contents of the repository.
 contents: read
 jobs:
diff --git a/.github/workflows/release-assets.yaml b/.github/workflows/release-assets.yaml
index faa995e..3a07604 100644
--- a/.github/workflows/release-assets.yaml
+++ b/.github/workflows/release-assets.yaml
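Review bot: The `cooldown: default-days: 7` added under both the actions and cargo ecosystems (this hunk and the `-15,6` hunk below) has no comment explaining why seven days was chosen, and the trade-off deserves recording next to the setting: holding back a freshly published version for a week gives a compromised or yanked release time to be pulled before Dependabot proposes it, while every routine update is delayed by the same week. A comment such as `# 7-day cooldown: skip versions published in the last week so pulled or compromised releases are less likely to be proposed` above `cooldown:` would capture that. If advisories for this repository are expected to arrive as Dependabot version updates rather than security updates, confirm in the Dependabot configuration reference whether the cooldown also defers those.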
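Review bot: `run: uvx zizmor --pedantic --format sarif . > results.sarif` (unchanged context in this hunk) installs whichever zizmor release PyPI serves at run time, so the scanner producing the uploaded SARIF is the one dependency in this job that is not pinned, while the `uses:` line below it is pinned to a full commit. Pinning it the same way, `run: uvx zizmor==<pinned version> --pedantic --format sarif . > results.sarif` (placeholder for the chosen release), makes scan results reproducible and keeps a surprise tool upgrade from changing what the job reports. On the updated upload-sarif line the trailing `# v4` names only the major line; writing the full tag the new SHA resolves to (e.g. `# v4.<minor>.<patch>`, constructed) lets a reader audit the pin without dereferencing the commit.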
@@ -12,6 +12,7 @@ jobs:
 assets:
 name: assets
 permissions:
+ # write is needed to upload release artifacts.
 contents: write
 runs-on: ubuntu-latest
 steps:
@@ -34,7 +35,8 @@ jobs:
 run: ./hack/assemble.sh
 - name: 'upload release artifacts'
- run: ./hack/ci/upload-release-assets.sh "${{ github.event.release.tag_name }}"
+ run: ./hack/ci/upload-release-assets.sh
 env:
 GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+ RELEASE_TAG: "${{ github.event.release.tag_name }}"
 if: ${{ github.event_name == 'release' }}
diff --git a/hack/ci/upload-release-assets.sh b/hack/ci/upload-release-assets.sh
index 6909705..495d204 100755
--- a/hack/ci/upload-release-assets.sh
+++ b/hack/ci/upload-release-assets.sh
@@ -2,18 +2,19 @@
 set -e
 retry() {
- for i in $(seq 1 10); do
- if "${@}"; then
- return 0
- else
- sleep "${i}"
- fi
- done
- "${@}"
+ for i in $(seq 1 10); do
+ if "${@}"; then
+ return 0
+ else
+ sleep "${i}"
+ fi
+ done
+ "${@}"
 }
-TAG="${1}"
-shift
+if [ -z "${RELEASE_TAG}" ]; then
+ exit 1
+fi
 cd target/assemble
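Review bot: The new `RELEASE_TAG: "${{ github.event.release.tag_name }}"` line in `env:` carries no comment saying why the tag moved out of the `run:` command, presumably to keep the expression from being expanded into the shell text; a note such as `# passed via env rather than interpolated into run: so the value is never part of the shell command` above it would stop a later edit from moving it back. Because the step is gated by `if: ${{ github.event_name == 'release' }}`, `github.event.release.tag_name` should be populated whenever the script runs, so the script-side empty check is a fallback rather than the main guard. That check, in the `upload-release-assets.sh` hunk below (which runs past the end of this excerpt), exits 1 without any message; `echo "RELEASE_TAG is not set" >&2` before the `exit 1` would make the failure reason visible in the job log.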