Dependabot hashes (#13)

* ci: pin labeler Turns out GHActions where `pull_request_target` is used are capable of pwning repositories: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ labeler doesn't check out the source code or build anything so it's safe in its current form but to avoid surprises let's just pin it to the latest version. It's annoying to manage dependencies like this manually so additionally dependabot.yml is introduced to make it easier to keep GHActions up to date more or less automatically: https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/keeping-your-actions-up-to-date-with-dependabot * make sure dependabot supports hashes
evverx · Nov 12, 2021 · 31a0d25 · 31a0d25
1 parent e7cef2a
commit 31a0d25
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 2 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      # Check for updates to GitHub Actions every weekday
+      interval: "daily"
diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml
@@ -30,6 +30,6 @@ jobs:
     env: ${{ matrix.env }}
     steps:
       - name: Repository checkout
-        uses: actions/checkout@v1
+        uses: actions/checkout@af513c7a016048ae468971c52ed77d9562c7c819
       - name: Build check (${{ env.COMPILER }}-${{ env.COMPILER_VERSION }})
         run: sudo -E .github/workflows/build_test.sh
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -11,7 +11,7 @@ jobs:
   triage:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/labeler@main
+    - uses: actions/labeler@5f867a63be70efff62b767459b009290364495eb
       with:
         repo-token: "${{ secrets.GITHUB_TOKEN }}"
         configuration-path: .github/labeler.yml