From 964cc626ca524fe6c80eb41fe6fdfa74974a81b5 Mon Sep 17 00:00:00 2001 From: Brian Shand Date: Tue, 14 Apr 2026 12:02:00 +0100 Subject: [PATCH] GitHub Actions: Pin actions to SHA hashes GitHub Actions: Disable Slack notifications Add dependabot checks for GitHub Actions --- .github/dependabot.yml | 13 +++++++++ .github/workflows/lint.yml | 4 +-- .github/workflows/test.yml | 54 +++++++++++++++++++------------------- 3 files changed, 42 insertions(+), 29 deletions(-) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..dcd4439 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,13 @@ +# To get started with Dependabot version updates, you'll need to specify which +# package ecosystems to update and where the package manifests are located. +# Please see the documentation for all configuration options: +# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates + +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "daily" + cooldown: + default-days: 7 # Wait 7 days after publication diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 4380a00..f133473 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -9,11 +9,11 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # actions/checkout@v6 see https://github.com/actions/checkout/releases/tag/v6 with: fetch-depth: 0 # fetch everything - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@4c56a21280b36d862b5fc31348f463d60bdc55d5 # ruby/setup-ruby@v1 see https://github.com/ruby/setup-ruby/tree/v1 with: ruby-version: 3.4 - name: Install dependencies diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 29a24c9..23e54bd 100644 --- a/.github/workflows/test.yml 
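Review bot: The `cooldown` comment in `.github/dependabot.yml` says what the setting does but not why, and the file keeps GitHub's getting-started boilerplate at the top instead of describing this repository's policy. Suggest `default-days: 7 # Wait 7 days after publication so a bad or compromised release can be noticed before it is proposed`, and replacing the header with one line such as `# Keeps the SHA-pinned actions in .github/workflows up to date`. As far as I know the cooldown delays version updates only, not security updates; that is worth confirming against the Dependabot documentation and stating in the comment.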
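Review bot: The trailing comment on the `ruby/setup-ruby` pin in `.github/workflows/lint.yml` names the moving `v1` tag and links to `tree/v1`, so nothing on the line records which release the SHA was taken from, and the pin cannot be checked against a release later. Record the exact release instead, e.g. `uses: ruby/setup-ruby@4c56a21280b36d862b5fc31348f463d60bdc55d5 # <exact release tag — placeholder>`; a short version-only comment is also the form Dependabot is most likely to keep in sync when it bumps the SHA, which is worth checking on its first update PR. Separately, the `actions/checkout` line moves from v2 to v6 in a commit titled as a pin, so the major-version jump deserves its own line in the description and a look at the intervening release notes. The same two lines recur in the first `.github/workflows/test.yml` hunk, and both jobs' step lists continue outside the hunks.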
+++ b/.github/workflows/test.yml @@ -17,9 +17,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # actions/checkout@v6 see https://github.com/actions/checkout/releases/tag/v6 - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@4c56a21280b36d862b5fc31348f463d60bdc55d5 # ruby/setup-ruby@v1 see https://github.com/ruby/setup-ruby/tree/v1 with: ruby-version: ${{ matrix.ruby-version }} - name: Install dependencies 
@@ -39,28 +39,28 @@ jobs: if: ${{ needs.test.result != 'success' }} run: exit 1 - notify: - # Run only on master, but regardless of whether tests past: - if: ${{ always() && github.ref == 'refs/heads/master' }} - - needs: test_matrix - - runs-on: ubuntu-latest - - steps: - - uses: 8398a7/action-slack@v3 - with: - status: custom - fields: workflow,commit,author - custom_payload: | - { - channel: 'C7FQWGDHP', - username: 'CI – ' + '${{ github.repository }}'.split('/')[1], - icon_emoji: ':hammer_and_wrench:', - attachments: [{ - color: '${{ needs.test_matrix.result }}' === 'success' ? 'good' : '${{ needs.test_matrix.result }}' === 'failure' ? 'danger' : 'warning', - text: `${process.env.AS_WORKFLOW} against \`${{ github.ref }}\` (${process.env.AS_COMMIT}) for ${{ github.actor }} resulted in *${{ needs.test_matrix.result }}*.` - }] - } - env: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} +# notify: +# # Run only on master, but regardless of whether tests past: +# if: ${{ always() && github.ref == 'refs/heads/master' }} +# +# needs: test_matrix +# +# runs-on: ubuntu-latest +# +# steps: +# - uses: 8398a7/action-slack@v3 +# with: +# status: custom +# fields: workflow,commit,author +# custom_payload: | +# { +# channel: 'C7FQWGDHP', +# username: 'CI – ' + '${{ github.repository }}'.split('/')[1], +# icon_emoji: ':hammer_and_wrench:', +# attachments: [{ +# color: '${{ needs.test_matrix.result }}' === 'success' ? 'good' : '${{ needs.test_matrix.result }}' === 'failure' ? 'danger' : 'warning', +# text: `${process.env.AS_WORKFLOW} against \`${{ github.ref }}\` (${process.env.AS_COMMIT}) for ${{ github.actor }} resulted in *${{ needs.test_matrix.result }}*.` +# }] +# } +# env: +# SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
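Review bot: The commented-out `notify` job still carries `8398a7/action-slack@v3`, a third-party action on a mutable tag, next to `secrets.SLACK_WEBHOOK_URL`; uncommenting it later would bring back exactly the kind of reference this commit removes elsewhere, and Dependabot does not read commented lines. Deleting the job and leaving it to git history would be cleaner; if it must stay, put a marker above it such as `# Disabled: pin 8398a7/action-slack to a full commit SHA before re-enabling`. The `custom_payload` also interpolates `${{ github.actor }}` and `${{ github.ref }}` directly into what appears to be evaluated JavaScript, so passing those values through `env:` would be worth doing at the same time. If notifications are off for good, the `SLACK_WEBHOOK_URL` secret can be removed from the repository settings as well.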