From bf3a473d4060779ebf17c32e589b847f8965284f Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Sun, 19 Apr 2026 13:18:33 +0000
Subject: [PATCH] eng: pin actions/checkout to SHA and add Dependabot config
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two supply-chain security hardening changes:

1. copilot-setup-steps.yml used actions/checkout@v6 (mutable tag), unlike every other workflow in the repo which pins to immutable commit SHAs. Pinned to de0fac2e (v6.0.2) to match the rest of the repo.

2. Added .github/dependabot.yml to enable weekly automated PRs for outdated GitHub Actions — so future version drift is surfaced automatically rather than discovered manually.

Co-Authored-By: Claude Sonnet 4.6
---
 .github/dependabot.yml | 9 +++++++++
 .github/workflows/copilot-setup-steps.yml | 2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..1a9ee05
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,9 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ labels:
+ - "dependencies"
diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml
index d1d84b2..77cfc80 100644
--- a/.github/workflows/copilot-setup-steps.yml
+++ b/.github/workflows/copilot-setup-steps.yml
@@ -19,7 +19,7 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Install gh-aw extension
 uses: github/gh-aw-actions/setup-cli@ba90f2186d7ad780ec640f364005fa24e797b360 # v0.68.3
 with:
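Review bot: The new dependabot.yml surfaces version drift but does nothing to prevent the gap this commit is closing — the next contributor can still add a `uses: some/action@v1` mutable tag and it will only be noticed on the weekly run, not at PR time. Pair this config with the repository/organization Actions policy that requires actions to be pinned to a full-length commit SHA (or a CI lint step that rejects `@v`-style refs) so an unpinned reference fails the PR instead of merging. Note also that the trailing `# v6.0.2` comment Dependabot maintains on its bumps is informational only; reviewers of those PRs should still confirm the proposed SHA is the commit the upstream release tag points at, since tags are mutable. Finally, the `dependencies` label is assumed to exist in the repo — if it does not, verify Dependabot's behaviour for missing labels rather than relying on it silently.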