From 303ccbf66240ab6c9f0f42f1beb79b6fe14353c3 Mon Sep 17 00:00:00 2001
From: milosjovanovic
Date: Mon, 22 Jun 2026 16:21:05 +0200
Subject: [PATCH] GROSS-1358: SHA-pin GitHub Actions and enable Dependabot

Pin all action references to a full commit SHA with a trailing version comment, and add a github-actions Dependabot ecosystem so the pins are kept current.

Ref: G-Research/gr-oss#1358
---
 .github/dependabot.yml | 6 ++++++
 .github/workflows/ci.yml | 16 ++++++++--------
 2 files changed, 14 insertions(+), 8 deletions(-)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..5ace460
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 466c27b..ecc4589 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -20,19 +20,19 @@ jobs:
 runs-on: ${{ matrix.os }}
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Setup .NET SDK v9.0.x
- uses: actions/setup-dotnet@v4
+ uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
 with:
 dotnet-version: 9.0.x
 - name: Setup .NET SDK v8.0.x (if needed)
 if: ${{ matrix.framework == 'net8.0' }}
- uses: actions/setup-dotnet@v4
+ uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
 with:
 dotnet-version: 8.0.x
 - name: Setup .NET SDK v6.0.x (if needed)
 if: ${{ matrix.framework == 'net6.0' }}
- uses: actions/setup-dotnet@v4
+ uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
 with:
 dotnet-version: 6.0.x
 - name: Run tests
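Review bot: The new `github-actions` entry in `.github/dependabot.yml` sets no `cooldown`, so Dependabot can propose a SHA bump as soon as an action release is published, before a bad or compromised release has had time to be noticed. Pinning exists to control when new action code enters CI, so consider adding `cooldown:` with `default-days: 7` under this entry; the value is a suggestion, and the option should be confirmed against the current Dependabot documentation for this ecosystem. A comment at the top of the file such as `# Keeps the SHA-pinned actions in .github/workflows current` would also record why the ecosystem is configured.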
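Review bot: Both `Checkout` steps (this hunk and the one at `@@ -44,9 +44,9 @@`) run the pinned `actions/checkout` with no `with:` block, so by default the job token stays in the local git config for every later step. None of the visible steps appears to need authenticated git after checkout, so if that holds for the rest of each job, add `with:` and `persist-credentials: false` to both steps. Separately, nothing in the workflow checks the trailing `# v4.3.1` comments, so each SHA should be confirmed against the upstream tag during review. The job definitions start and end outside these hunks, so whether a `permissions:` block is already set cannot be seen from here.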
@@ -44,9 +44,9 @@ jobs:
 needs: [ Processor_Partial ]
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Setup .NET SDK v9.0.x
- uses: actions/setup-dotnet@v4
+ uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
 with:
 dotnet-version: 9.0.x
 - name: Create NuGet packages
@@ -70,7 +70,7 @@ jobs:
 }
 }
 - name: Upload NuGet package artifacts
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: nuget-packages
 path: dist/*.nupkg
@@ -85,7 +85,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Download NuGet package artifacts
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
 with:
 name: nuget-packages
 path: dist