Hash pin actions used on workflows and enable dependabot (#1387)

* Update scorecard.yml Signed-off-by: Joyce <[email protected]> * Update node.js.yml Signed-off-by: Joyce <[email protected]> * Update scorecard.yml Signed-off-by: Joyce <[email protected]> * Fix/hash pin and dependabot (#2) * [StepSecurity] Apply security best practices Signed-off-by: StepSecurity Bot <[email protected]> * Update .github/dependabot.yml Signed-off-by: Joyce <[email protected]> --------- Signed-off-by: StepSecurity Bot <[email protected]> Signed-off-by: Joyce <[email protected]> Co-authored-by: StepSecurity Bot <[email protected]> * limit dependabot prs Signed-off-by: Joyce <[email protected]> * Update dependabot.yml Signed-off-by: Joyce <[email protected]> --------- Signed-off-by: Joyce <[email protected]> Signed-off-by: StepSecurity Bot <[email protected]> Co-authored-by: StepSecurity Bot <[email protected]>
JakeChampion · Sep 25, 2023 · ea77767 · ea77767
1 parent 873b079
commit ea77767
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 4 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+    groups:
+      github-actions:
+        patterns:
+          - "*"
+    open-pull-requests-limit: 1
diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml
@@ -13,7 +13,7 @@ jobs:
       issues: write
       pull-requests: write
     steps:
-      - uses: dessant/lock-threads@v2
+      - uses: dessant/lock-threads@f1a42f0f44eb83361d617a014663e1a76cf282d2 # v2.1.2
         with:
           github-token: ${{ github.token }}
           issue-lock-inactive-days: '180'
diff --git a/.github/workflows/node.js.yml b/.github/workflows/node.js.yml
@@ -22,9 +22,9 @@ jobs:
         node-version: [18.x, 20.x]
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
     - name: Use Node.js ${{ matrix.node-version }}
-      uses: actions/setup-node@v1
+      uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e # v1.4.6
       with:
         node-version: ${{ matrix.node-version }}
     - run: npm i

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -13,7 +13,7 @@ jobs:
   release-please:
     runs-on: ubuntu-latest
     steps:
-      - uses: google-github-actions/release-please-action@v3
+      - uses: google-github-actions/release-please-action@ca6063f4ed81b55db15b8c42d1b6f7925866342d # v3.7.11
         with:
           release-type: node
           package-name: release-please-action