From e46f2941889e2b89d86d0ae10ec20f8ad7337fff Mon Sep 17 00:00:00 2001 From: Christoph Hamsen <37963496+xopham@users.noreply.github.com> Date: Tue, 4 Feb 2025 16:45:40 +0100 Subject: [PATCH 1/2] Add dependabot for github actions --- .github/dependabot.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000000..c272b36b581 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,15 @@ +# To get started with Dependabot version updates, you'll need to specify which +# package ecosystems to update and where the package manifests are located. +# Please see the documentation for all configuration options: +# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file + +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "monthly" + groups: + gh-actions-packages: + patterns: + - "*" From 8309694e58cf8f27a1e6b6398b56585301601276 Mon Sep 17 00:00:00 2001 From: Christoph Hamsen <37963496+xopham@users.noreply.github.com> Date: Tue, 4 Feb 2025 16:45:42 +0100 Subject: [PATCH 2/2] Pin actions by hash --- .github/workflows/update-docker-build-image.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/update-docker-build-image.yaml b/.github/workflows/update-docker-build-image.yaml index dc13242d692..211bc8c0493 100644 --- a/.github/workflows/update-docker-build-image.yaml +++ b/.github/workflows/update-docker-build-image.yaml @@ -19,7 +19,7 @@ jobs: pull-requests: write # Required to create a pull request steps: - name: Checkout the repository - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Download ghcommit CLI run: | curl https://github.com/planetscale/ghcommit/releases/download/v0.1.48/ghcommit_linux_amd64 -o /usr/local/bin/ghcommit -L