Sorry for the commit noise here, I fixed two lingering subpath mistakes (I'm pretty sure these are a bug in zizmor's --fix; I'll triage that separately.)

Question about Dependabot.

Before, we just used major versions, like actions/checkout@v6. Dependabot would only update us to `v7, not minor or patch bumps.

Now, we pin to an exact commit, actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2, which of course maps to an exact x.y.z.

Does this mean Dependabot will now update us to 6.0.3, or 6.1.1, or whatever is available when it next triggers? This means more notifications. Is this the preferred way?

Or can we configure it to only trigger when there's a major bump?

@hugovk Dependabot can be configured to only update on major versions, I don't think having the pin set at a minor/patch would change that policy if it's defined already in dependabot.yml? Because I do know that Dependabot will ignore your policy completely if there's a security vulnerability associated with an action, leading to a patch/minor release getting used.