Feat: Hashpin sensitive dependencies on GitHub Actions and enable Dependabot to update them monthly (#3892)

* feat: hashpin sensitive dependencies on GHAs Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * feat: enable dependabot for monthly updates on GHA Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> --------- Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
2025-01-30 15:32:37 +08:00 · 2023-12-13 01:17:13 -03:00 · 2023-12-13 01:17:13 -03:00 · b7423ffbe5
commit b7423ffbe5
parent e81fb9eddf
3 changed files with 24 additions and 14 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    groups:
+      github-actions:
+        patterns:
+          - "*"
--- a/.github/workflows/clang-format-fix.yml
+++ b/.github/workflows/clang-format-fix.yml
@ -21,9 +21,9 @@ jobs:
    permissions:
        contents: write # In order to allow EndBug/add-and-commit to commit changes
    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
    - name: Fix C and Java formatting issues detected by clang-format
-      uses: DoozyX/clang-format-lint-action@v0.13
+      uses: DoozyX/clang-format-lint-action@9ea72631b74e61ce337d0839a90e76180e997283 # v0.13
      with:
        source: '.'
        extensions: 'c,h,cpp,hpp,java'
@ -31,7 +31,7 @@ jobs:
        inplace: True
        style: file
        exclude: './config ./hl/src/H5LTanalyze.c ./hl/src/H5LTparse.c ./hl/src/H5LTparse.h ./src/H5Epubgen.h ./src/H5Einit.h ./src/H5Eterm.h ./src/H5Edefin.h ./src/H5version.h ./src/H5overflow.h'
-    - uses: EndBug/add-and-commit@v9
+    - uses: EndBug/add-and-commit@1bad3abcf0d6ec49a5857d124b0bfb52dc7bb081 # v9.1.3
      with:
          author_name: github-actions
          author_email: 41898282+github-actions[bot]@users.noreply.github.com
--- a/.github/workflows/release-files.yml
+++ b/.github/workflows/release-files.yml
@ -40,14 +40,14 @@ jobs:
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
      - name: Get Sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          fetch-depth: 0

      - run: |
          git checkout ${{ inputs.file_sha }}

-      - uses: rickstaa/action-create-tag@v1
+      - uses: rickstaa/action-create-tag@a1c7777fcb2fee4f19b0f283ba888afa11678b72 # v1.7.2
        id: "tag_create"
        with:
          commit_sha: ${{ inputs.file_sha }}
@ -75,7 +75,7 @@ jobs:

      # Get files created by tarball script
      - name: Get doxygen (Linux)
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
              name: docs-doxygen
              path: ${{ github.workspace }}/${{ steps.get-file-base.outputs.FILE_BASE }}.doxygen
@ -84,32 +84,32 @@ jobs:
        run: zip -r ${{ steps.get-file-base.outputs.FILE_BASE }}.doxygen.zip ./${{ steps.get-file-base.outputs.FILE_BASE }}.doxygen

      - name: Get tgz-tarball (Linux)
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
              name: tgz-tarball
              path: ${{ github.workspace }}

      - name: Get zip-tarball (Windows)
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
              name: zip-tarball
              path: ${{ github.workspace }}

      # Get files created by cmake-ctest script
      - name: Get published binary (Windows)
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
              name: zip-vs2022-binary
              path: ${{ github.workspace }}

      - name: Get published binary (MacOS)
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
              name: tgz-osx12-binary
              path: ${{ github.workspace }}

      - name: Get published binary (Linux)
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
              name: tgz-ubuntu-2204-binary
              path: ${{ github.workspace }}
@ -121,7 +121,7 @@ jobs:
      - name: PreRelease tag
        id: create_prerelease
        if: ${{ (inputs.use_environ == 'snapshots') }}
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
        with:
          tag_name: "${{ inputs.use_tag }}"
          prerelease: true
@ -138,7 +138,7 @@ jobs:
      - name: Release tag
        id: create_release
        if: ${{ (inputs.use_environ == 'release') }}
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
        with:
          tag_name: "${{ inputs.use_tag }}"
          prerelease: false
@ -158,7 +158,7 @@ jobs:
              ls ${{ runner.workspace }}

      - name: dev-only-docs
-        uses: peaceiris/actions-gh-pages@v3
+        uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3.9.3
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          publish_dir: ${{ github.workspace }}/${{ steps.get-file-base.outputs.FILE_BASE }}.doxygen