From 751234b5f63e015f761c54f14a1b062bb7518a61 Mon Sep 17 00:00:00 2001
From: Thomas Watson
Date: Tue, 3 Mar 2026 10:53:17 +0100
Subject: [PATCH] chore(ci): pin actions to SHAs, add Dependabot with cooldown and grouping

Pin all GitHub Actions to full commit SHAs instead of version tags for supply-chain safety. Add inline comments with the resolved version (e.g. v4.3.1). Add Dependabot for github-actions (weekly), with a 5-day cooldown (excluding @datadog/*) and a single grouped PR for action updates.
---
 .github/actions/build-test-wasm/action.yaml | 8 ++++----
 .github/dependabot.yml | 17 +++++++++++++++++
 .github/workflows/build.yml | 8 ++++----
 .github/workflows/release.yml | 8 ++++----
 4 files changed, 29 insertions(+), 12 deletions(-)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/actions/build-test-wasm/action.yaml b/.github/actions/build-test-wasm/action.yaml
index 246a38c..306d258 100644
--- a/.github/actions/build-test-wasm/action.yaml
+++ b/.github/actions/build-test-wasm/action.yaml
@@ -7,10 +7,10 @@ inputs:
 runs:
   using: 'composite'
   steps:
-    - uses: actions/checkout@v4
-    - uses: actions/download-artifact@v4
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+    - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
     - name: Setup Node.js
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
     - run: yarn install
       shell: bash
     - name: Install wasm-pack
@@ -24,7 +24,7 @@ runs:
     - name: Test WASM
       run: node test_wasm.js ${{ inputs.crate }}
       shell: bash
-    - uses: actions/upload-artifact@v4
+    - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: prebuilds-wasm-${{ inputs.crate }}
         if-no-files-found: ignore
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..985225c
--- /dev/null
+++ b/.github/dependabot.yml
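Review bot: The pins in this hunk live in a composite action under `.github/actions/`, and it is not obvious that Dependabot's `github-actions` ecosystem with `directory: "/"` (as configured in the new `.github/dependabot.yml` in this same commit) scans composite actions outside `.github/workflows`; if it does not, these SHAs will silently go stale while the workflow files keep moving. Confirm against the Dependabot docs for this ecosystem, and if nested composite actions are not covered, add a second update entry (or a `directories:` list) that points at `/.github/actions/build-test-wasm`. The `# v4.3.1`-style trailing comments are what Dependabot rewrites alongside the SHA, so keep that exact format on every pinned line.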
@@ -0,0 +1,17 @@
+# Dependabot version updates
+# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    cooldown:
+      default-days: 5
+      exclude:
+        - "@datadog/*"
+    groups:
+      gh-actions-packages:
+        patterns:
+          - "*"
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0533478..bbd1e28 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -15,7 +15,7 @@ jobs:
         - library_config
         - datadog-js-zstd
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       - name: 'Use composite action'
         uses: ./.github/actions/build-test-wasm
         with:
@@ -38,10 +38,10 @@ jobs:
       issues: write
       pull-requests: write
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/download-artifact@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
       - run: yarn install
       - name: Compute module size tree and report
         uses: qard/heaviest-objects-in-the-universe@v1
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c6b9ea6..9023435 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -14,7 +14,7 @@ jobs:
         - library_config
         - datadog-js-zstd
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       - name: 'Use composite action'
         uses: ./.github/actions/build-test-wasm
         with:
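Review bot: The cooldown `exclude` entry `"@datadog/*"` is an npm scoped-package pattern, but in the `github-actions` ecosystem Dependabot names dependencies by their `owner/repo` reference (for example `actions/checkout`), so this entry most likely matches nothing and every action, including any Datadog-owned one, gets the 5-day cooldown, which contradicts the commit message's stated intent. If the goal is to exempt Datadog's own actions, the pattern needs the action-name form, e.g. `- "DataDog/*"` (constructed example; confirm the owner casing Dependabot matches against). The grouped `"*"` pattern also means one PR will bump every action SHA at once, which is convenient but worth pairing with a review habit of checking that each new SHA corresponds to the `# vX.Y.Z` comment Dependabot writes next to it.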
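Review bot: `qard/heaviest-objects-in-the-universe@v1` on the last context line of the `@@ -38,10 +38,10 @@` hunk in build.yml is still referenced by a mutable tag although the commit message says all actions are pinned; it is the only third-party (non-`actions/*`) action visible in the diff and it runs in a job that holds `issues: write` and `pull-requests: write`, so it is the reference where a moved tag would matter most. Pin it the same way as the others, `uses: qard/heaviest-objects-in-the-universe@<full-commit-sha> # v1` (placeholder SHA, resolved from the upstream tag), and the grouped Dependabot update will then keep it current alongside the `actions/*` pins. The enclosing job continues outside the hunk.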
@@ -40,9 +40,9 @@ jobs:
     outputs:
       pkgjson: ${{ steps.pkg.outputs.json }}
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/download-artifact@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: '24'
           registry-url: 'https://registry.npmjs.org'