From 6112c27a02347e52969bffdfc640a0758a6c5f5b Mon Sep 17 00:00:00 2001
From: Fran Mulero <francisco-jose.mulero@broadcom.com>
Date: Fri, 8 Nov 2024 08:27:21 +0100
Subject: [PATCH] Upgrade GH actions and configure dependabot

Signed-off-by: Fran Mulero <francisco-jose.mulero@broadcom.com>
---
 .github/dependabot.yml     | 10 ++++++++++
 .github/workflows/main.yml | 16 +++++++++-------
 2 files changed, 19 insertions(+), 7 deletions(-)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..48f4288
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,10 @@
+# Copyright Broadcom, Inc. All Rights Reserved.
+# SPDX-License-Identifier: APACHE-2.0
+
+version: 2
+# Check for updates to GitHub Actions every week
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
\ No newline at end of file
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 8181c4a..e484f1a 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -7,6 +7,8 @@ on:
     types: [published]
   pull_request:
   workflow_dispatch:
+# Remove all permissions by default
+permissions: {}
 jobs:
   build:
     runs-on: ubuntu-20.04
@@ -16,7 +18,7 @@ jobs:
       INSTALLBUILDER_LICENSE: ${{ secrets.INSTALLBUILDER_LICENSE }}
       UPLOAD_API_KEY: ${{ secrets.UPLOAD_API_KEY }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Download and install InstallBuilder
         run: |
           set -e
@@ -29,7 +31,7 @@ jobs:
         run: ./scripts/build.sh
       - name: Copy release files
         run: cp output-*/bndiagnostic-*.run output-amd64/bndiagnostic-update.xml .
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882
         with:
           name: release
           path: |
@@ -43,8 +45,8 @@ jobs:
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/download-artifact@v4.1.7
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
         with:
           path: ./artifacts
       - name: Set tag name
@@ -79,12 +81,12 @@ jobs:
     env:
       S3_URL: ${{ secrets.S3_URL }}
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/download-artifact@v4.1.7
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
         with:
           path: ./artifacts
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}