diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 48063c2..acf271d 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,6 +4,8 @@ updates:
 directory: /
 schedule:
 interval: weekly
+ cooldown:
+ default-days: 7
 groups:
 actions-minor:
 update-types:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 3385aaa..0745f74 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -29,6 +29,8 @@ jobs:
 - name: Checkout
 id: checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Initialize CodeQL
 id: initialize
diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml
index 37ae142..da49a22 100644
--- a/.github/workflows/dependabot.yml
+++ b/.github/workflows/dependabot.yml
@@ -12,7 +12,7 @@ jobs:
 runs-on: ubuntu-latest
 # Checking the actor will prevent your Action run failing on non-Dependabot
 # PRs but also ensures that it only does work for Dependabot PRs.
- if: ${{ github.actor == 'dependabot[bot]' }}
+ if: github.actor == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name
 steps:
 # This first step will fail if there's no metadata and so the approval
 # will not occur.
diff --git a/.github/workflows/licensed.yml b/.github/workflows/licensed.yml
index 5ecf729..26d116a 100644
--- a/.github/workflows/licensed.yml
+++ b/.github/workflows/licensed.yml
@@ -23,7 +23,8 @@ jobs:
 - name: Checkout
 id: checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
+ with:
+ persist-credentials: false
 - name: Setup Node.js
 id: setup-node
 uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
index 91660f8..a3d8f4c 100644
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
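Review bot: The new `cooldown` block is attached to a single `updates` entry, so any other entry in this file would still be offered releases as soon as they are published; the hunk starts at line 4 and shows only this entry, so check whether there are others and give them the same two lines. The block also has no explanation of why 7 days was chosen. A comment above it such as `# Hold new releases for 7 days before proposing them; security updates are not delayed.` would record the intent.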
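Review bot: The rewritten `if:` in .github/workflows/dependabot.yml still keys on `github.actor`, which names the account that triggered this run rather than the account that opened the pull request, so the job trusts whoever caused the latest event. Comparing the PR author is the stricter check: `if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name`. The comment above the line still describes only the actor check and should also say that pull requests from forks are skipped. The workflow's `on:` trigger and its steps are outside the hunk, so confirm which event this job runs under.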
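Review bot: With `persist-credentials: false` on the Checkout step in licensed.yml the token is no longer written to the local git config, so any later step in this job that commits or pushes with plain `git` will fail to authenticate. The rest of the job is outside the hunk, so check for such a step and pass it a token explicitly if one exists; the same check applies to the checkout steps changed in codeql-analysis.yml, linter.yml, start.yml and test.yml. This hunk also deletes the blank line that separated the Checkout step from Setup Node.js, and keeping that line would leave the steps visually separated.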
@@ -27,6 +27,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Setup Node.js
 id: setup-node
diff --git a/.github/workflows/start.yml b/.github/workflows/start.yml
index b518e92..7f96536 100644
--- a/.github/workflows/start.yml
+++ b/.github/workflows/start.yml
@@ -35,6 +35,8 @@ jobs:
 pg_major: 17
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - uses: ./
 with:
 version: ${{ matrix.version }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index a1fdb22..7c00b73 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -18,6 +18,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version-file: .node-version