From 5b7e9d123f60483a234fcd44f2c53276660808b9 Mon Sep 17 00:00:00 2001 From: Mahangu Weerasinghe Date: Sun, 31 May 2026 15:54:39 +0530 Subject: [PATCH] chore: pin third-party GitHub Actions to SHAs + enable Dependabot Hardens against supply-chain risk on mutable tags. Dependabot keeps the pinned SHAs fresh weekly, with major bumps held under cooldown. Tracking: DEVPROD-1072 --- .github/dependabot.yml | 23 +++++++++++++++++++++++ .github/workflows/changelog.yml | 2 +- 2 files changed, 24 insertions(+), 1 deletion(-) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 000000000..8c19cc9d2 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,23 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + day: "monday" + open-pull-requests-limit: 10 + groups: + actions-minor-patch: + patterns: + - "*" + update-types: + - "minor" + - "patch" + actions-major: + patterns: + - "*" + update-types: + - "major" + cooldown: + default-days: 7 + semver-major-days: 14 diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml index 685216914..880352768 100644 --- a/.github/workflows/changelog.yml +++ b/.github/workflows/changelog.yml @@ -22,7 +22,7 @@ jobs: name: Comment about the change log label steps: - name: Comment PR - uses: thollander/actions-comment-pull-request@v3 + uses: thollander/actions-comment-pull-request@65f9e5c9a1f2cd378bd74b2e057c9736982a8e74 # v3 with: message: | Hey @${{ github.event.pull_request.user.login }}, good job getting this PR merged! :tada: