diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 5d35488..fc4143f 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -14,6 +14,10 @@ updates:
       - "dependencies"
       - "npm"
     rebase-strategy: "auto"
+    ignore:
+      - dependency-name: "*"
+        update-types:
+          - "version-update:semver-major"
 
   - package-ecosystem: "github-actions"
     directory: "/"
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index 5c6989f..76daa1b 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -10,6 +10,13 @@ on:
 env:
   retention_days: 3
 
+permissions:
+  checks: write
+  contents: read
+  pull-requests: write
+  security-events: write # required for SARIF upload
+  actions: read
+
 jobs:
   tests:
     runs-on: ubuntu-latest
@@ -103,16 +110,11 @@ jobs:
           retention-days: ${{ env.retention_days }}
       # displays in summary page
       - name: Publish Test Report
-        uses: mikepenz/action-junit-report@v3
-        if: always() # always run even if the previous step fails
-        with:
-          report_paths: 'junit.xml'
-      # more in depth junit in console and annotations on failures
-      - uses: ashley-taylor/junit-report-annotations-action@1.3
         if: always()
+        uses: EnricoMi/publish-unit-test-result-action@v2
         with:
-          access-token: ${{ secrets.GITHUB_TOKEN }}
-          path: junit.xml
+          files: junit.xml
+          check_name: Test Results
       - run: npm run test:coverage
       - name: upload code coverage
         uses: actions/upload-artifact@v4
@@ -120,17 +122,12 @@ jobs:
           name: Report-CodeCoverage
           path: coverage
           retention-days: ${{ env.retention_days }}
-      # adds coverage comment to pr
-      - name: parse coverage
-        uses: danhunsaker/clover-reporter-action@v0.2.17-clover
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          clover-file: ./coverage/clover.xml
+
 
   automerge:
     needs: tests
     name: Auto-merge PR if tests pass
-    if: (github.actor == 'dependabot[bot]' || github.actor == 'imgbot[bot]') && needs.tests.result == 'success'
+    if: (github.actor == 'dependabot[bot]' || github.actor == 'dependabot-preview[bot]' || github.actor == 'imgbot[bot]') && needs.tests.result == 'success'
     runs-on: ubuntu-latest
     steps:
       - name: Merge PR