diff --git a/.github/PklProject b/.github/PklProject
index 3dc8d2c..005b83e 100644
--- a/.github/PklProject
+++ b/.github/PklProject
@@ -18,7 +18,7 @@ amends "pkl:Project"
 
 dependencies {
   ["pkl.impl.ghactions"] {
-    uri = "package://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@1.3.3"
+    uri = "package://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@1.3.5"
   }
   ["com.github.actions"] {
     uri = "package://pkg.pkl-lang.org/pkl-pantry/com.github.actions@1.3.0"
diff --git a/.github/PklProject.deps.json b/.github/PklProject.deps.json
index 5853c2c..1b39d6e 100644
--- a/.github/PklProject.deps.json
+++ b/.github/PklProject.deps.json
@@ -3,30 +3,30 @@
   "resolvedDependencies": {
     "package://pkg.pkl-lang.org/pkl-pantry/com.github.actions@1": {
       "type": "remote",
-      "uri": "projectpackage://pkg.pkl-lang.org/pkl-pantry/com.github.actions@1.3.0",
+      "uri": "projectpackage://pkg.pkl-lang.org/pkl-pantry/com.github.actions@1.3.1",
       "checksums": {
-        "sha256": "76174cb974310b3d952280b76ed224eb4ee6fd5419bf696ad9a66fba44bd427d"
+        "sha256": "fd515da685ea126678c3ec684e84a4f992d43481cc1d75cb866cd55775f675f9"
       }
     },
     "package://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@1": {
       "type": "remote",
-      "uri": "projectpackage://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@1.3.3",
+      "uri": "projectpackage://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@1.3.5",
       "checksums": {
-        "sha256": "ee5d6f7a8049930e311c4dd2d3f528dfe828694329aea9bb90da5afed4d736ec"
+        "sha256": "2b26d02c3b244a28e7913457ba195cbf767a1d1079ab2ed469074c4da870de12"
       }
     },
     "package://pkg.pkl-lang.org/pkl-pantry/pkl.experimental.deepToTyped@1": {
       "type": "remote",
-      "uri": "projectpackage://pkg.pkl-lang.org/pkl-pantry/pkl.experimental.deepToTyped@1.1.1",
+      "uri": "projectpackage://pkg.pkl-lang.org/pkl-pantry/pkl.experimental.deepToTyped@1.2.0",
       "checksums": {
-        "sha256": "1e6e29b441ffdee2605d317f6543a4a604aab5af472b63f0c47d92a3b4b36f7f"
+        "sha256": "84c7feb391f4ac273a99dc89b8fd51dbcd21dbda4ce640f6908527f83acdd4d6"
       }
     },
     "package://pkg.pkl-lang.org/pkl-pantry/pkl.github.dependabotManagedActions@1": {
       "type": "remote",
-      "uri": "projectpackage://pkg.pkl-lang.org/pkl-pantry/pkl.github.dependabotManagedActions@1.0.0",
+      "uri": "projectpackage://pkg.pkl-lang.org/pkl-pantry/pkl.github.dependabotManagedActions@1.0.3",
       "checksums": {
-        "sha256": "ebc9698278d8aac71bb5a7e4d913c3bbb75d57e8e725f0298e346e36783f6ca2"
+        "sha256": "d368900942efb88ed51a98f9614748b06c74ba43423f045fcd6dedb5dbdc0bea"
       }
     },
     "package://pkg.pkl-lang.org/pkl-pantry/com.github.dependabot@1": {
diff --git a/.github/workflows/__lockfile__.yml b/.github/workflows/__lockfile__.yml
index 840f6e8..83ff96a 100644
--- a/.github/workflows/__lockfile__.yml
+++ b/.github/workflows/__lockfile__.yml
@@ -10,6 +10,7 @@ name: __lockfile__
     - '**'
     tags-ignore:
     - '**'
+permissions: {}
 jobs:
   locks:
     if: 'false'
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 6d4dc3f..9bf6c61 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -53,8 +53,10 @@ jobs:
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       with:
+        ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || '' }}
         persist-credentials: false
         fetch-depth: 0
+    - run: git config --global --add safe.directory $(pwd)
     - run: hawkeye check --config licenserc.toml --fail-if-unknown
     container:
-      image: ghcr.io/korandoru/hawkeye@sha256:c3ab994c0d81f3d116aabf9afc534e18648e3e90d7525d741c1e99dd8166ec85
+      image: ghcr.io/korandoru/hawkeye@sha256:e0abf8dbfaeeeba1249679d662d9fb404b1dcdb041c6093ea1f7a6edb7d89319
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 1cadb02..2deb777 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -51,8 +51,10 @@ jobs:
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       with:
+        ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || '' }}
         persist-credentials: false
         fetch-depth: 0
+    - run: git config --global --add safe.directory $(pwd)
     - run: hawkeye check --config licenserc.toml --fail-if-unknown
     container:
-      image: ghcr.io/korandoru/hawkeye@sha256:c3ab994c0d81f3d116aabf9afc534e18648e3e90d7525d741c1e99dd8166ec85
+      image: ghcr.io/korandoru/hawkeye@sha256:e0abf8dbfaeeeba1249679d662d9fb404b1dcdb041c6093ea1f7a6edb7d89319
diff --git a/.github/workflows/prb.yml b/.github/workflows/prb.yml
index 15e287e..f8d918b 100644
--- a/.github/workflows/prb.yml
+++ b/.github/workflows/prb.yml
@@ -47,11 +47,13 @@ jobs:
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       with:
+        ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || '' }}
         persist-credentials: false
         fetch-depth: 0
+    - run: git config --global --add safe.directory $(pwd)
     - run: hawkeye check --config licenserc.toml --fail-if-unknown
     container:
-      image: ghcr.io/korandoru/hawkeye@sha256:c3ab994c0d81f3d116aabf9afc534e18648e3e90d7525d741c1e99dd8166ec85
+      image: ghcr.io/korandoru/hawkeye@sha256:e0abf8dbfaeeeba1249679d662d9fb404b1dcdb041c6093ea1f7a6edb7d89319
   upload-event-file:
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml
index 17b74d4..839e476 100644
--- a/.github/workflows/release-branch.yml
+++ b/.github/workflows/release-branch.yml
@@ -51,11 +51,13 @@ jobs:
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       with:
+        ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || '' }}
         persist-credentials: false
         fetch-depth: 0
+    - run: git config --global --add safe.directory $(pwd)
     - run: hawkeye check --config licenserc.toml --fail-if-unknown
     container:
-      image: ghcr.io/korandoru/hawkeye@sha256:c3ab994c0d81f3d116aabf9afc534e18648e3e90d7525d741c1e99dd8166ec85
+      image: ghcr.io/korandoru/hawkeye@sha256:e0abf8dbfaeeeba1249679d662d9fb404b1dcdb041c6093ea1f7a6edb7d89319
   trigger-downstream-builds:
     if: github.repository_owner == 'apple'
     needs:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 016fc07..021a357 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -51,11 +51,13 @@ jobs:
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       with:
+        ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || '' }}
         persist-credentials: false
         fetch-depth: 0
+    - run: git config --global --add safe.directory $(pwd)
     - run: hawkeye check --config licenserc.toml --fail-if-unknown
     container:
-      image: ghcr.io/korandoru/hawkeye@sha256:c3ab994c0d81f3d116aabf9afc534e18648e3e90d7525d741c1e99dd8166ec85
+      image: ghcr.io/korandoru/hawkeye@sha256:e0abf8dbfaeeeba1249679d662d9fb404b1dcdb041c6093ea1f7a6edb7d89319
   deploy-github-release:
     needs:
     - build