diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index d9a92048a..5f74b1389 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -13,6 +13,8 @@ updates:
       all-go-deps:
         patterns:
           - "*"  # group all non-security update PRs
+    cooldown:
+      default-days: 7
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
@@ -21,3 +23,5 @@ updates:
       actions:
         patterns:
           - "*"
+    cooldown:
+      default-days: 7
\ No newline at end of file
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 889636eea..4eab20d79 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -44,6 +44,7 @@ jobs:
               # We must fetch at least the immediate parents so that if this is
               # a pull request then we can checkout the head.
               fetch-depth: 2
+              persist-credentials: false
 
         - name: Install Go
           if: matrix.language == 'c' || matrix.language == 'go'