diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 9d1eded..325b0f5 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -7,6 +7,8 @@ updates:
     directory: "/" # Location of package manifests
     schedule:
       interval: "monthly"
+    cooldown:
+      default-days: 7
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
@@ -15,3 +17,5 @@ updates:
       actions:
         patterns:
           - "*"
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 84a7b2d..c675715 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -6,6 +6,9 @@ on:
     - main
   pull_request:
 
+permissions:
+  contents: read
+
 defaults:
   run:
     shell: bash -l {0}
@@ -31,10 +34,12 @@ jobs:
 
     steps:
     - name: Checkout
-      uses: actions/checkout@v5
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
 
     - name: Setup Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
       with:
         python-version: ${{ matrix.python-version }}
 
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 75e4c5d..fac63f2 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -16,10 +16,12 @@ jobs:
     permissions:
       id-token: write
     steps:
-    - uses: actions/checkout@v5
-    
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
+
     - name: Set up Python
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
       with:
         python-version: '3.x'
     - name: Install dependencies
@@ -31,7 +33,7 @@ jobs:
     - name: Install built wheel
       run: pip install dist/*.whl
     - name: Echo current tag
-      run: echo ${{ github.ref }}
+      run: echo "$GITHUB_REF"
     - name: Get package version
       run: |
         export PACKAGE_VERSION=$(python -c 'import matplotlib_inline; print(matplotlib_inline.__version__)')
@@ -41,5 +43,5 @@ jobs:
           exit 1
         fi
     - name: Publish package
-      uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e
+      uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b
 
diff --git a/matplotlib_inline/__init__.py b/matplotlib_inline/__init__.py
index d275175..2c03285 100644
--- a/matplotlib_inline/__init__.py
+++ b/matplotlib_inline/__init__.py
@@ -1,6 +1,6 @@
 from . import backend_inline, config  # noqa
 
-__version__ = "0.2.1"
+__version__ = "0.2.2"
 
 # we can't ''.join(...) otherwise finding the version number at build time requires
 # import which introduces IPython and matplotlib at build time, and thus circular